
EU AI Act Annex III: The High-Risk Use Cases, Explained

Annex Guide · 23 May 2026 · 17 min read · 3,359 words

The 8 Annex III high-risk AI areas: biometrics, credit scoring, recruitment, law enforcement. Obligations, the Art 6(3) filter, and the 2 Dec 2027 deadline.

Annex III is the list that determines whether your AI system triggers the EU AI Act's full compliance stack. If your system falls inside it, you are looking at a risk management system under Article 9, technical documentation under Article 11, human oversight under Article 14, a conformity assessment under Article 43, and a registration requirement under Article 49 — before you can put the system into service. If it falls outside, the obligations drop sharply.

This guide walks through all eight Annex III areas, the Article 6(3) filter that can exclude a system even when it touches a listed domain, the Commission's power to amend the list under Article 7, and the compliance obligations that attach once you are in scope. A short checklist at the end helps you run the first-pass analysis on your own system.


How Annex III works with Article 6(2)

The classification mechanism sits in Article 6 of Regulation (EU) 2024/1689. Article 6(1) covers AI systems that are safety components of products regulated under EU product law — medical devices, machinery, vehicles, and so on. Article 6(2) is what most software companies need to read: it classifies as high-risk any AI system that is listed in Annex III, unless the Article 6(3) filter applies (more on that below).

The structure is deliberate. Annex III identifies application domains and use cases, not technical architectures. It does not matter whether your system uses a large language model, a gradient-boosted tree, or a rules engine. What matters is what the system does and in which context.


The eight Annex III areas

Area 1 — Biometrics

Annex III covers biometric identification (real-time and post-event remote identification of natural persons in public spaces), biometric categorisation (assigning individuals to groups based on biometric data — such as inferred ethnicity, political views, or sexual orientation), and emotion recognition systems.

This is one of the most tightly controlled areas in the Act. Real-time remote biometric identification in publicly accessible spaces by law enforcement is itself a prohibited practice under Article 5 except in narrowly defined circumstances. For the purposes of Annex III, the high-risk category captures the broader set of biometric systems that are not outright banned but still carry significant risk — for instance, a workforce management system that uses facial recognition to track employee attendance, or a retail system that infers shopper emotion from camera feeds.

One practical note: the Article 6(3) filter does not save you if your system profiles natural persons. That carve-out has an explicit exception for profiling (see below).

Area 2 — Critical infrastructure

AI systems intended as safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, or electricity are Annex III high-risk systems.

"Safety component" is the operative phrase. A predictive maintenance tool that flags anomalies in a power grid's equipment for human engineers to review is in scope; a general analytics dashboard used by the same utility for commercial forecasting is not. The system must actually sit in the safety chain — its failure or malfunction must be capable of compromising the physical safety or continuity of the infrastructure.

Area 3 — Education and vocational training

AI systems used to determine access to and assignment to educational institutions, evaluate students, assess examination conduct (including detecting academic dishonesty), and determine whether learners can access vocational training fall in this area.

A 40-person ed-tech company selling an AI admissions scoring tool to universities is a provider of a high-risk system. A university deploying that tool to rank applicants is a deployer subject to the deployer obligations under Article 26, including human oversight, record-keeping, and — for certain public-body deployers — the Fundamental Rights Impact Assessment under Article 27.

Area 4 — Employment, worker management, and access to self-employment

This covers the widest slice of what HR-tech companies actually build: recruitment and selection (including screening, filtering, and ranking of applicants), decisions about promotion, termination, performance evaluation and monitoring, and task allocation and monitoring of performance in the context of employment.

Access to self-employment is also in scope — a gig-economy app that decides whether to onboard or suspend a freelancer, or that allocates work based on algorithmic scoring, is touching this area.

A concrete example: a mid-market SaaS company that sells AI-assisted resume screening to recruiters is a provider. Its customers — the recruiters and HR departments that run job candidates through the tool — are deployers. Both must understand their role, because the obligations differ significantly.

Area 5 — Access to essential private and public services

This area breaks into several sub-categories, and the scoping matters:

Creditworthiness assessment and credit scoring — AI systems used to evaluate creditworthiness, including scoring used for consumer or SME lending decisions, are high-risk. The Act explicitly excludes fraud detection from this category. A model trained to flag fraudulent loan applications is not covered by this provision; a model that predicts default probability and feeds into an approval or pricing decision is.

Health and life insurance risk and pricing — AI systems used to assess risk and set pricing for health insurance and life insurance policies are in scope. This reflects the potential for discriminatory outcomes when health and mortality risk is algorithmically modelled.

Emergency dispatch — AI systems that dispatch emergency services or assess the priority of calls to emergency services are Annex III systems.

Public-benefits eligibility — AI used to determine eligibility for public assistance, social security benefits, and similar public services is covered here.

One area that generates confusion: housing. The original Commission proposal included housing eligibility, but the final text narrowed the scope. Read the adopted Regulation text (EUR-Lex, OJ L 2024/1689) directly if you are operating in this space.

Area 6 — Law enforcement

AI systems used by or on behalf of competent authorities for the purpose of:

  • Assessing the risk that an individual will commit or re-offend, or become the victim of, a criminal offence
  • Polygraphs and similar tools to detect the emotional or mental state of a person during questioning
  • Evaluating the reliability of evidence in criminal proceedings
  • Predicting the occurrence of criminal offences (predictive policing)
  • Profiling natural persons in the context of detecting, investigating, or prosecuting criminal offences

The law enforcement category is one where notified-body conformity assessment applies rather than the default self-assessment route.

Area 7 — Migration, asylum, and border control

AI systems used by competent authorities to assess the risk profile or immigration status of natural persons, to assist in examining and deciding on applications for asylum, visa, and residence permits, and to detect, recognise, or identify persons at border crossings.

This area has significant overlap with biometrics (Area 1) — a border-control system that uses facial recognition for identity verification may be covered by both headings.

Area 8 — Administration of justice and democratic processes

AI systems that assist judicial authorities in researching and interpreting facts and law and in applying the law to a specific set of facts, and AI systems used to influence the outcome of elections or referenda or the voting behaviour of natural persons, are Annex III high-risk systems.

This is a deliberately broad formulation on the democratic-processes side. A tool that micro-targets voters with personalised political messaging would fall here. The judicial-assistance carve-in covers legal research AI that is used within judicial proceedings, not general legal research tools sold to law firms.


The Article 6(3) exemption filter

Being listed in an Annex III area does not automatically make a system high-risk. Article 6(3) creates an exclusion for systems that do not pose a significant risk of harm to health, safety, or fundamental rights, even when they sit in a covered domain. The Article identifies four conditions, any of which can support the exclusion:

  1. Narrow procedural task — the system performs a limited procedural function without making or materially influencing a substantive decision about individuals.
  2. Improves the result of a previously completed human activity — the system reviews or quality-checks output that a human has already produced, rather than generating an independent output that feeds into a decision.
  3. Detects decision-making patterns or deviations without replacing or influencing human assessment — monitoring or audit tools that surface anomalies for human attention but do not generate recommendations about individuals.
  4. Preparatory task — the system does something preparatory to a human decision but has no direct influence on what that decision is.

The profiling exception is absolute. Any AI system that profiles natural persons — assembles inferences about an individual from observed behaviours, location, or other data — is high-risk, regardless of whether one of the four conditions would otherwise apply. Providers who believe the Article 6(3) filter applies to their system must document that assessment and register it. The exemption is not self-executing.

In practice, the filter is narrower than it looks. A recruitment tool that ranks candidates is not doing a preparatory task in any meaningful sense — the ranking is the decision. A scheduling algorithm that assigns shifts to warehouse workers based on productivity scores is not merely detecting patterns; it is materially influencing access to hours and income. When in doubt, the safer assumption is that the system is high-risk.


Article 7: The Commission can expand the list

Annex III is not static. Article 7 gives the Commission the power to amend it through delegated acts — adding new high-risk areas, modifying the scope of existing ones, or (in principle) removing areas that no longer warrant the designation. The Commission must take into account the severity of potential harm, the number of affected persons, irreversibility, the dependency of vulnerable groups on the technology, and the extent to which existing sector law already addresses the risk.

Providers with systems that currently sit just outside Annex III should monitor Article 7 activity. The Commission has already signalled interest in extending the list as AI deployment patterns become clearer — notably in healthcare diagnostics (currently outside Annex III except as a safety component of a regulated medical device) and financial market infrastructure.


What obligations attach once you are in Annex III

Landing in Annex III triggers the full high-risk obligation stack. The main requirements, by Article:

  • Article 9 — Risk management system: a continuous, documented process identifying and mitigating foreseeable risks to health, safety, and fundamental rights throughout the system's lifecycle.
  • Article 10 — Data and data governance: training data must be relevant, sufficiently representative, and free of errors; providers must document the data governance measures they have applied.
  • Article 11 — Technical documentation (as specified in Annex IV): the documentation pack that describes the system's design, purpose, capabilities, limitations, and performance. This is the foundation for conformity assessment.
  • Article 12 — Logging: automatic logging of events during operation to support post-market monitoring and incident investigation.
  • Article 13 — Transparency to deployers: instructions of use, limitations, and necessary human oversight measures must be documented and provided.
  • Article 14 — Human oversight: the system must be designed to allow effective oversight, including the ability for operators to understand outputs, detect anomalies, and intervene or override.
  • Article 15 — Accuracy, resilience, and cybersecurity: the system must achieve appropriate performance levels and be resilient to errors and adversarial manipulation.
  • Article 17 — Quality management system (providers): a documented QMS covering design, development, testing, deployment, and post-market monitoring.
  • Article 43 — Conformity assessment: the formal procedure (self-assessment or notified body, depending on system type) that must be completed before the system goes to market.
  • Articles 47–49 — EU Declaration of Conformity (Article 47), CE marking where required (Article 48), and registration in the EU AI Act database (Article 49) before market placement.
  • Article 72 — Post-market monitoring: providers must operate a continuous monitoring plan that tracks real-world performance and feeds findings back into the risk management system.
  • Article 73 — Serious incident reporting: providers and deployers must report serious incidents and malfunctions to competent authorities.

Deployers carry a lighter but still significant load: following the provider's instructions, implementing human oversight, maintaining logs, conducting the Fundamental Rights Impact Assessment under Article 27 where required (public-body deployers and deployers in particularly sensitive areas), and reporting incidents under Article 73.


The compliance deadline

The deadline shifted significantly in 2026. Under the Digital Omnibus — Commission proposal of November 2025, political agreement between Parliament and Council reached 7 May 2026 — the application of high-risk obligations moved to fixed later dates:

  • 2 December 2027 — stand-alone high-risk AI systems in Annex III (recruitment tools, credit-scoring models, biometric categorisation systems, etc.).
  • 2 August 2028 — high-risk AI systems embedded as safety components in products covered by EU product law under Annex I (medical devices, machinery, vehicles).

The original date — 2 August 2026 — has been deferred for these systems. It still applies to limited-risk transparency obligations under Article 50. Formal adoption of the Omnibus amendment is expected before 2 August 2026.

Treat the extra time as a documentation runway, not permission to start late. Assembling the Article 11 technical documentation pack for a non-trivial AI system takes three to five months of focused work. A realistic compliance programme for an Annex III system starts now.


Is my system in Annex III? A first-pass checklist

Work through these questions in order. Stop and flag for detailed legal review as soon as you get a "yes."

Step 1 — Does it touch an Annex III domain?

  • Does the system process biometric data to identify, categorise, or draw inferences about natural persons?
  • Does it operate as a safety component in critical infrastructure (power, water, gas, road traffic, digital infrastructure)?
  • Does it determine or influence access to education, or assess educational performance?
  • Does it screen, rank, evaluate, or monitor people in an employment or self-employment context?
  • Does it assess creditworthiness or set prices for credit, health insurance, or life insurance? (Exclude fraud detection.)
  • Does it assess risk, profile, or detect behaviour in a law enforcement context?
  • Does it assist in making decisions about visas, asylum applications, border control, or immigration status?
  • Does it assist judicial authorities in applying the law, or is it used to influence electoral outcomes?

Step 2 — Does the Article 6(3) filter apply?

If you answered yes to any question in Step 1, ask:

  • Does the system perform only a narrow procedural function, with no material influence on a decision about an individual?
  • Does it review the output of a human activity that is already complete, rather than generating input to a decision?
  • Does it detect patterns or anomalies without making any recommendation about an individual?
  • Is it purely preparatory — no output that directly feeds a decision?
  • And critically: does the system profile natural persons? If yes, the filter does not apply.

If the filter does not apply, your system is provisionally high-risk and the full Article 9–15, 17, 43, 47–49, 72–73 stack is in scope. Document the analysis either way — regulators will ask.

Step 3 — Identify your role

Are you developing and placing the system on the EU market under your own name or trademark? You are a provider under Article 16. Are you using a third-party system in your own business processes? You are a deployer under Article 26. The obligations differ substantially, and the provider obligations are heavier. Article 25 describes the conditions under which a deployer becomes a provider — most commonly by substantially modifying the system's intended purpose.


How Confir helps

Confir's classification module encodes the Article 6(2) and Annex III logic as a deterministic rule-based questionnaire — no AI inference, no hallucination, same intake always produces the same finding. You answer plain-English questions about what your system does (not GRC vocabulary), and Confir derives your risk tier, your role, and the obligation set that follows.

Once a system is classified as Annex III high-risk, it structures the assessment across four areas — risk classification and compliance (AIRC), data and technical quality (AITR), transparency and human oversight (AITO), and governance and post-market monitoring (AIGM) — and generates the Article 11 / Annex IV technical documentation pack and the Article 47 Declaration of Conformity. The FRIA under Article 27 is pre-filled from your intake data for deployers who need it.

Self-serve, no consultants required, from €600 per year.


FAQ

What is Annex III of the EU AI Act? Annex III is the enumerated list of high-risk AI application domains in Regulation (EU) 2024/1689. It covers eight areas: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (including creditworthiness, health/life insurance, and emergency dispatch), law enforcement, migration and border control, and administration of justice and democratic processes. AI systems falling in these areas under Article 6(2) must meet the full high-risk obligation stack before going to market.

Does Annex III list every high-risk AI system by name? No. Annex III defines application domains and use cases, not specific products or model types. Whether your system is Annex III high-risk depends on what it does and where it is deployed — the technical architecture is irrelevant. The Commission can add new use cases through delegated acts under Article 7.

What is the Article 6(3) filter and when does it apply? Article 6(3) allows a provider to exclude a system from the high-risk designation even when it touches an Annex III area, if the system does not pose a significant risk of harm. Four conditions support the exclusion: narrow procedural task, improvement of a previously completed human activity, detection of patterns without influencing human assessment, or preparatory task only. However, any system that profiles natural persons is always high-risk regardless of these conditions. Providers claiming the filter must document the assessment.

What happens if I misclassify my system as limited-risk? Misclassification that results in placing an unassessed high-risk system on the market violates the provider obligations under Article 16 and the conformity assessment requirement under Article 43. Penalties under Article 99 for non-compliance with high-risk obligations reach €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, fines are capped at the lower figure under Article 99(6) — but the compliance costs of a retroactive assessment are often more disruptive than the fine itself.

When do Annex III obligations apply? Under the Digital Omnibus agreed in May 2026, stand-alone Annex III systems must comply by 2 December 2027. High-risk AI embedded as safety components in Annex I products has until 2 August 2028. The original deadline of 2 August 2026 has been deferred for these systems.

Is fraud detection excluded from Annex III? Yes, specifically from the creditworthiness and credit-scoring sub-category in Area 5. The Act explicitly carves out fraud detection systems from this provision. A model that predicts whether a loan applicant is likely to commit fraud is not covered; a model that predicts whether the applicant will repay the loan is. Other fraud-related AI used in a law enforcement context (Area 6) may still be in scope depending on function.

Do deployers have the same obligations as providers for Annex III systems? No. Providers carry the heavier load: risk management under Article 9, technical documentation under Article 11, conformity assessment under Article 43, Declaration of Conformity under Article 47, and registration under Article 49. Deployers must use the system according to the provider's instructions, implement human oversight under Article 14, maintain records, and run the Article 27 FRIA where required. Both must report serious incidents under Article 73. An organisation becomes a provider under Article 25 if it substantially modifies a high-risk system or deploys it for a purpose outside the original intended use.

