EU AI Act Article 6: How High-Risk AI Systems Are Classified

Article 6 of Regulation (EU) 2024/1689 is the classification engine of the EU AI Act. Everything downstream — the risk management system, the technical documentation pack, the conformity assessment, the registration obligation — flows from a single determination: does this AI system qualify as high-risk? Get the classification wrong, and you either carry an unnecessary compliance burden or, worse, face enforcement with the full penalty ceiling of €15 million or 3% of worldwide annual turnover.

The Article creates two distinct routes into the high-risk tier, plus one important escape hatch. Understanding the logic of each is the first task for any provider or deployer trying to figure out what the Act actually requires of them.

---

The Two Routes into High-Risk: Article 6(1) and Article 6(2)

Article 6 says an AI system is high-risk in one of two situations.

Under Article 6(1), the system is a safety component of — or is itself — a product covered by Union harmonisation legislation listed in Annex I, and that product is required to undergo third-party conformity assessment under that same legislation.

Under Article 6(2), the system is listed in Annex III — the EU AI Act's own enumerated catalogue of high-risk application areas.

These are not two ways to arrive at the same place. They lead to different conformity pathways, different deadlines, and different documentation obligations. Conflating them is one of the most common classification errors in practice.

---

Article 6(1): Safety Components Embedded in Regulated Products

What the rule actually says

For Article 6(1) to apply, both conditions must be satisfied simultaneously:

1. The AI system functions as a safety component of a product — or is itself that product — covered by one of the sectoral laws listed in Annex I.
2. That product is required to undergo a third-party conformity assessment under the applicable Annex I legislation.

Neither condition alone is sufficient. An AI system embedded in a product that only requires a manufacturer's self-declaration under its sectoral law does not fall under Article 6(1), even if the AI has safety implications. The third-party assessment requirement is the trigger.

Which products are covered

Annex I lists the Union harmonisation legislation whose products can produce an Article 6(1) classification. The most commercially significant are:

• Medical Devices Regulation (MDR, EU 2017/745) — Class IIa, IIb, and III devices require notified-body involvement, making AI components in those classes automatically high-risk under Article 6(1).
• In Vitro Diagnostic Regulation (IVDR, EU 2017/746) — Class C and D IVDs require notified-body assessment.
• Machinery Regulation (EU 2023/1230) — replaces the old Machinery Directive; certain machine categories require third-party assessment.
• Toy Safety Directive (2009/48/EC) — though most toys use self-declaration, those requiring notified-body involvement trigger Article 6(1) for embedded AI.
• Lift Directive (2014/33/EU) — lifts and their safety components are subject to notified-body conformity assessment; an AI-driven control system would be caught.
• Radio Equipment Directive (RED, 2014/53/EU) — certain radio equipment categories.
• General Product Safety Regulation (GPSR, EU 2023/988) — where third-party assessment applies.
• Pressure Equipment Directive (PED, 2014/68/EU), Recreational Craft Directive (2013/53/EU), and several others.

A worked example: pathology imaging in an MDR device

A 45-person diagnostics company embeds an AI system into a Class IIb medical device that assists pathologists in detecting malignant tissue. The MDR requires Class IIb devices to undergo notified-body conformity assessment. The AI performs a safety-critical function — a false negative delays cancer diagnosis. Both conditions of Article 6(1) are satisfied. The AI system is automatically high-risk.

The company cannot argue its way out of this classification. There is no Article 6(3) exemption for Article 6(1) systems. The sectoral legislation's third-party assessment requirement is determinative.

A contrasting case: the same company deploys an AI tool that auto-populates administrative fields in patient records — no safety function, no connection to clinical outputs. Even if the underlying device is a Class IIb medical device, the AI component is not a safety component and Article 6(1) does not apply. It would need separate assessment under Article 6(2) to determine whether any Annex III category catches it.

The compliance deadline for Article 6(1) systems

Under the Digital Omnibus agreed in May 2026, high-risk AI embedded as safety components in Annex I products must comply by 2 August 2028. The original 2 August 2026 date has been deferred. This is not an invitation to delay documentation work — notified-body capacity is already strained and lead times for MDR assessments regularly exceed twelve months.

---

Article 6(2): The Annex III Catalogue

Eight areas, each carrying full high-risk obligations

An AI system intended to be used in any of the following areas is high-risk under Article 6(2) — unless the Article 6(3) exemption applies (covered below).

1. Biometrics — Remote biometric identification systems; biometric categorisation systems attributing characteristics (race, political opinion, religion, etc.); emotion recognition systems. Subject to use-within-permitted-conditions requirements under Article 5 as well.

2. Critical infrastructure — AI used as safety components in the management and operation of road traffic, supply of water, gas, heating, and electricity, and digital infrastructure.

3. Education and vocational training — AI that determines access to, or assigns people to, educational and vocational training institutions; evaluates learning outcomes; monitors prohibited behaviour during exams; assesses the appropriate level of education.

4. Employment, workers management, and access to self-employment — AI used for recruitment and selection (including CV screening and shortlisting), promotion or termination decisions, task allocation, monitoring of performance, and evaluation of conduct.

5. Access to essential private and public services and benefits — Creditworthiness assessment and credit scoring (explicitly excluding fraud detection, which is not listed); risk assessment and pricing in health and life insurance; emergency services dispatch prioritisation; assessment of eligibility for public benefits and services.

6. Law enforcement — AI used to assess the risk of offending or re-offending; polygraphs; evaluation of evidence reliability in criminal investigations; assessment and profiling of individuals in the context of law enforcement.

7. Migration, asylum, and border control — Risk assessment of persons; examination of asylum applications; lie-detection in border crossing; document verification; assistance in examination of applications.

8. Administration of justice and democratic processes — AI assisting judicial authorities in researching or interpreting facts and applying the law; AI intended to influence elections or referenda or the voting behaviour of natural persons.

This list is not permanent. Article 7 grants the Commission power to amend Annex III by delegated act where AI systems in a given area pose risks comparable to those already listed. In practice this means the catalogue can expand, and any provider building in adjacent spaces should monitor Commission delegated acts.

What Annex III does not catch: an important boundary

The Annex III list is more precise than it looks. Credit scoring is listed; fraud detection is not. Recruitment screening is listed; a payroll automation tool is not. Biometric categorisation is listed; a voice assistant that adapts tone to detected mood is a separate question that the Act handles under Article 50 (limited-risk transparency), not Article 6.

The compliance deadline for stand-alone Annex III systems is 2 December 2027 under the Digital Omnibus. That gives organisations roughly eighteen months from today — enough time to run a proper classification and build the documentation, but not enough time to treat this as a future problem.

---

Article 6(3): The Exemption — and Its Hard Limit

When an Annex III system is not high-risk

A system that falls within an Annex III area is not high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of persons — including by not materially influencing the outcome of decision-making. Article 6(3) sets out four qualifying conditions, any one of which can support a finding of non-high-risk:

(i) Narrow procedural task. The system performs a task with a tightly constrained scope: it does not make, or feed into, substantive decisions about a person, and the range of outputs is limited to mechanical steps in a defined process.

(ii) Improving the result of a previously completed human activity. The AI post-processes something a human has already done — correcting grammar in a completed assessment, for example — without altering the underlying human judgment.

(iii) Detecting decision-making patterns or deviations without replacing or influencing the previously completed human assessment. The system monitors for anomalies in decisions humans have already made, as an audit tool, without feeding back into those decisions.

(iv) Preparatory task. The system performs preliminary work — gathering information, formatting data — that a human will use as raw input before making their own assessment.

In practice these conditions describe systems that sit well outside the decision chain: they neither produce outputs that humans tend to follow, nor process the kind of personal data that enables individual profiling.

The absolute carve-out: profiling is always high-risk

There is one bright-line rule that overrides all four qualifying conditions. If the AI system performs profiling of natural persons — as defined in Article 3(4) of the GDPR, meaning any form of automated processing of personal data to evaluate personal aspects, predict behaviour, or assess personal characteristics — the Article 6(3) exemption does not apply. Full stop. The system is high-risk.

This matters practically because many systems that seem procedural actually perform profiling. A tool that ingests CV text and generates a "fit score" by analysing writing style, word choice, and inferred characteristics is profiling, even if the vendor labels it a "screening aid." A fraud-detection tool that builds individual risk profiles from transaction history is profiling. Neither can claim the Article 6(3) exemption.

Borderline examples

CV-ranking tool vs. spell-checker. An HR tool that reads a cover letter and suggests corrections to grammar and spelling, with no scoring of the candidate, performs a narrow procedural task with no output that influences a hiring decision. If it genuinely does nothing more, condition (i) is plausible. Contrast that with a CV-ranking system that generates candidate scores and presents a ranked shortlist to a recruiter. The recruiter may technically "decide," but if the ranking materially influences who gets an interview, the system is not merely preparatory — it is shaping the outcome. The exemption fails. The system is high-risk under Annex III area 4 (employment).

Fraud-flagging vs. credit-scoring. A fraud-detection tool that flags transactions as suspicious for a human investigator to review — and where the flag does not result in an automatic action against the customer — is not listed in Annex III (credit scoring is listed; fraud detection is explicitly excluded). So the question for the fraud tool is not Article 6(3) at all; it never entered Annex III in the first place. A credit-scoring model that produces a score used directly in lending decisions is listed in Annex III area 5 and cannot plausibly claim the Article 6(3) exemption: it profiles natural persons and materially influences the outcome of the lending decision.

The documentation duty and registration requirement

A provider that concludes its Annex III system qualifies for the Article 6(3) exemption does not simply walk away from the Act. Two obligations survive:

1. Document the assessment. The provider must record the reasoning — which qualifying condition applies, why profiling is absent, how the system's design ensures it does not materially influence decision-making. That record needs to be audit-ready; a competent authority can ask to see it.

2. Register the system under Article 49. The system must be entered in the EU database before it is placed on the market or put into service, even though it is not classified as high-risk. Registration is not contingent on high-risk status for providers invoking Article 6(3); it is a separate, standalone requirement.

Skipping registration while claiming the exemption is not a defensible position. The system is visible in the market; if a national authority queries it, the absence of a registration record is the first problem you will face.

Commission guidelines and Article 6(4)

Article 6(4) tasks the Commission with issuing guidelines to assist providers in applying the Article 6(3) exemption, including with practical examples. As of June 2026 the Commission has issued initial guidance through the AI Office but the definitive delegated guidance under Article 6(4) is still in development. Providers making exemption arguments should monitor the EU AI Office's published materials at digital-strategy.ec.europa.eu and treat any Commission guidance as authoritative once published.

---

How the Two Pathways Differ: A Comparison

Both pathways, once confirmed as high-risk, attach the same obligation set: risk management system (Article 9), data governance (Article 10), technical documentation (Article 11 and Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), conformity assessment (Article 43), EU declaration of conformity (Article 47), CE marking where applicable (Article 48), and registration (Article 49).

---

What Providers Must Do After Classification

If the system is high-risk

Classification is the starting gun, not the finish line. After confirming high-risk status, a provider must:

• Open an Article 9 risk management file and document risks through the system's entire lifecycle — design, testing, deployment, post-deployment.
• Compile the Article 11 / Annex IV technical documentation package: training data governance, architecture, performance metrics, known limitations, human oversight design.
• Ensure the Article 14 human oversight mechanisms are built into the system itself — not bolted on as a usage instruction.
• Run the Article 43 conformity assessment (self-assessment is available for most Annex III systems; some biometric systems require notified-body involvement).
• Issue an Article 47 EU Declaration of Conformity.
• Register in the EU database under Article 49 before placing the system on the market.
• Set up the Article 72 post-market monitoring system before launch.

This is months of work, not days. Organisations that treat the 2 December 2027 deadline as the start date for documentation will not be ready in time.

If the system claims the Article 6(3) exemption

The provider must document the exemption assessment and register in the EU database under Article 49. If the system later changes — if, for example, a profiling feature is added, or the output begins to materially influence decisions — the provider must re-classify and initiate the full high-risk compliance workflow.

Penalties for getting it wrong

Non-compliance with the high-risk obligations — including misclassification — attracts fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMBs and start-ups, Article 99(6) provides a proportionality protection: the fine is capped at the lower of the percentage or the fixed amount. That is still a potentially company-ending number for a small operator. Incorrect information provided to notified bodies or competent authorities — for example, a fraudulent Article 6(3) exemption record — carries a separate ceiling of €7.5 million or 1% of turnover.

---

Practical Classification Checklist

Apply these questions in order before spending time on full compliance documentation:

1. Is the AI system a safety component of a product on the Annex I list, and does that product require third-party conformity assessment under its sectoral legislation? If yes → Article 6(1), high-risk, deadline 2 August 2028, no exemption.

2. Is the AI system's intended use case covered by one of the eight Annex III areas? If no → not high-risk under Article 6 (check Article 5 prohibitions and Article 50 limited-risk transparency separately).

3. If yes to question 2: does the system perform profiling of natural persons? If yes → high-risk, full stop, no exemption available.

4. If no profiling: does the system materially influence the outcome of decision-making, or does it pose a significant risk of harm to health, safety, or fundamental rights? If yes → high-risk; Article 6(3) exemption cannot be credibly claimed.

5. If the system genuinely only performs a narrow procedural task, improves a previously completed human activity, detects patterns in prior human decisions without feeding back into them, or prepares raw input for human assessment → Article 6(3) exemption may apply. Document the reasoning. Register under Article 49.

---

How Confir Handles Article 6 Classification

Confir's classification module runs plain-English intake questions through a deterministic, rule-based engine — the same logic every time, no model inference, no hallucination. The system applies the Article 6(1) two-condition test, maps the use case against all eight Annex III areas, and — if an Annex III match is found — runs the Article 6(3) exemption assessment including the profiling check.

If a provider concludes their system qualifies for the Article 6(3) exemption, Confir generates the documentation record required for audit purposes: the specific qualifying condition relied on, the reasoning, the profiling assessment, and the registration checklist. The same workflow feeds the Article 49 registration data.

Classification from the AI Risk Classification and Compliance (AIRC) module then gates the rest of the compliance workflow — only high-risk systems proceed into the full Article 9–15 documentation stack.

---

Frequently Asked Questions

Does Article 6(1) apply if the underlying product only needs a self-declaration of conformity? No. Both conditions must be met: the product must be covered by Annex I harmonisation legislation and it must be required to undergo third-party conformity assessment under that legislation. A product that self-certifies does not satisfy the second condition, so Article 6(1) does not apply to its AI components.

Our AI scores job applicants but human recruiters make the final call. Does Article 6(3) help us? Almost certainly not. If the scoring output influences which candidates get interviews or progresses in a selection process, it materially influences the outcome of decision-making. The Article 6(3) exemption requires that the system does not materially influence outcomes. A score that shapes a shortlist does. Add to that the profiling question: if the system processes applicants' personal data to evaluate characteristics, it is profiling — which removes the exemption entirely.

What is the difference between a fraud-detection tool and a credit-scoring system under Article 6(2)? Annex III area 5 explicitly lists creditworthiness assessment and credit scoring. Fraud detection is not listed. A fraud-detection tool that flags transactions for human review does not fall within Annex III under Article 6(2) — the question for it is whether it fits any other Annex III area or raises Article 50 transparency issues. A credit-scoring model that generates scores used in lending decisions is caught by Annex III area 5 and, because it profiles natural persons, cannot claim the Article 6(3) exemption.

If we claim the Article 6(3) exemption, do we still need to register? Yes. Article 49 requires registration in the EU database before the system is placed on the market or put into service — and this obligation applies to providers invoking the Article 6(3) exemption, not just to providers of confirmed high-risk systems. Failing to register is a separate compliance failure, regardless of how well-reasoned the exemption documentation is.

Can the Commission add new areas to Annex III? Yes. Article 7 authorises the Commission to amend Annex III by delegated act where AI systems in a given area pose a level of risk comparable to those already listed. Any provider in an adjacent domain — environmental risk scoring, health-related behavioural analytics, personalised insurance pricing not already covered — should monitor Commission delegated legislation and AI Office guidance.

What is the deadline for Annex III high-risk compliance after the Digital Omnibus? Stand-alone high-risk AI systems listed in Annex III must comply by 2 December 2027. High-risk AI embedded as safety components in Annex I products must comply by 2 August 2028. The original deadline of 2 August 2026 for high-risk systems was deferred under the Digital Omnibus (political agreement reached 7 May 2026; formal adoption expected before 2 August 2026).

What penalties apply for failing to classify correctly? Non-compliance with high-risk obligations — including misclassification — can result in fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher (Article 99). For SMBs and start-ups, Article 99(6) caps the fine at the lower of the two figures. Providing false information to a notified body or national authority carries a separate ceiling of €7.5 million or 1%.

---

Related guides

• risk classification levels guide
• EU AI Act compliance fundamentals
• AI governance software solutions
• AI system inventory management tools
• SMB compliance requirements under Article 6
• EU AI Act compliance software comparison