How to classify a high-risk AI system under the EU AI Act
TL;DR — The [EU AI Act][1] classifies AI systems as high-risk if they fall into specific categories listed in Annex III, including systems used in critical infrastructure, biometric identification, education, employment, law enforcement, and migration. You must assess your system against these criteria; if it matches, you face mandatory compliance obligations like risk assessment, documentation, human oversight, and quality management before deployment.
What are high-risk AI systems under the EU AI Act?
[High-risk AI systems][1] are applications that pose significant risks to fundamental rights, safety, or public interests. The EU AI Act establishes a tiered regulatory framework, and high-risk systems require the strictest compliance measures. These include systems used in critical infrastructure control, biometric identification and categorization, educational performance evaluation, employment decisions, law enforcement, migration and asylum processing, and other sensitive areas defined in [Annex III of the regulation][1].
How do I determine if my AI system is high-risk?
You must evaluate your system against the specific use cases listed in [Annex III of the EU AI Act][1]. The classification depends on:
- The system's intended purpose — What is it designed to do?
- The context of deployment — Where and how will it be used?
- The potential impact — Could it affect fundamental rights or safety?
If your system matches any high-risk category, it is automatically classified as high-risk. There is no discretionary judgment here; the categories are exhaustive and legally binding.
What compliance obligations apply to high-risk systems?
If your AI system is classified as high-risk, you must:
- Conduct and document a [risk assessment][1]
- Implement a quality management system
- Maintain technical documentation and records
- Establish human oversight mechanisms
- Ensure transparency and provide information to users
- Monitor performance and address non-compliance
- Report serious incidents to relevant authorities
These obligations apply before the system is placed on the market or put into service.
What is the timeline for compliance?
The EU AI Act takes effect in stages. [Prohibited AI practices are banned immediately][1]; high-risk system obligations began in phases, with full enforcement expected by 2026. Check your national transposition timeline and the [official EU AI Act text][1] for specific deadlines in your jurisdiction.
Who is responsible for classifying a system as high-risk?
Providers of AI systems bear the primary responsibility for classifying their systems correctly. You must conduct an honest assessment against [Annex III criteria][1]. If you are unsure, consult with legal and technical experts, and consider guidance from your national competent authorities. Distributors, importers, and users also have obligations to flag risks they identify.
Frequently asked questions
Q: Can I avoid high-risk classification by limiting my system's use?
A: No. Classification depends on what the system does and could do, not how you choose to deploy it initially. If it meets the criteria, it is high-risk regardless of self-imposed restrictions.
Q: What happens if I misclassify my system?
A: Misclassification can result in substantial fines, suspension of your system, and enforcement action. Competent authorities may conduct audits. It is critical to classify correctly and document your reasoning.
Q: Are all AI systems in the EU AI Act regulated?
A: No. The Act uses a risk-based approach. Only prohibited systems and high-risk systems face mandatory compliance. Limited-risk systems have transparency obligations; low-risk systems are largely unregulated.
Q: Can I use a conformity assessment body to help?
A: Yes. [Third-party conformity assessment bodies][1] can audit and certify high-risk systems, though this is not mandatory in all cases. Check the specific requirements for your system type.
Q: Where can I find the full list of high-risk categories?
A: See [Annex III of Regulation (EU) 2024/1689][1] for the complete, legally binding list of high-risk AI system categories.
Sources
[1] Regulation (EU) 2024/1689 (EU AI Act) — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.