
Is Your AI System High-Risk Under the EU AI Act?
The Short Answer: High-Risk Is About What Your AI Decides
The EU AI Act saves its heaviest obligations for one tier: high-risk. Land there, and you owe risk management, data governance, technical documentation, human oversight, and the list keeps going. Stay out of it, and the load is far lighter. This is the classification that decides your workload.
Two questions settle it. First, does your AI operate in one of the areas the Act lists in Annex III? Second, even if it does, does it qualify for the narrow exemption in Article 6(3) that pulls some systems back out? Most teams know the first question and have never heard of the second.
You can answer both in about 90 seconds. Run the free risk check and you will see your tier, with the reasoning behind it. No signup needed to see your result.
Step One: Is Your AI in an Annex III Area?
Annex III lists the uses the Act treats as high-risk. The ones that turn up most in small and mid-sized businesses:
- Employment and HR: recruitment, CV screening, candidate ranking, promotion and termination calls, task allocation, performance monitoring.
- Access to essential services: credit scoring and creditworthiness, risk pricing for health and life insurance, eligibility for public benefits.
- Education: admissions, scoring exams or assignments, proctoring during tests.
- Biometrics: remote identification, biometric categorisation, and emotion recognition, where the law permits them at all.
The full list also covers critical infrastructure, law enforcement, migration and border control, and the administration of justice. For most companies, those first four are where the risk sits.
If your AI is nowhere near any of these, it is almost certainly limited or minimal risk, and your job is short. If it sits inside one, keep reading, because you are not automatically high-risk.
Step Two: The Exemption Almost Nobody Mentions (Article 6(3))
Here is the part the scare-pieces skip. Being in an Annex III area does not make you high-risk on its own. Article 6(3) says an Annex III system is not high-risk when it barely shapes the outcome of a decision. To qualify, it has to meet at least one of these:
- it performs a narrow procedural task,
- it improves the result of a task a human already finished,
- it detects patterns or deviations from earlier decisions without replacing the human's own assessment,
- it performs a preparatory task for an assessment.
There is one hard limit. If your system profiles people, it is always high-risk, exemption or not.
And there is a string attached. If you decide your Annex III system is not high-risk, Article 6(4) says you have to document that assessment before the system goes to market, and register it. The exemption is real, but it is not a shrug. You have to show your work.
High-Risk or Not: A Few Real Cases
| Annex III system | High-risk? | Why |
|---|---|---|
| A tool that scores and ranks job candidates | Yes | Employment use that shapes the decision |
| A spam filter on the job-application inbox | No | Narrow procedural task, Article 6(3)(a) |
| A tool that flags unusual expense claims for a human to review | Likely no | Detects deviations, the human still decides, Article 6(3)(c) |
| Any of these once it profiles the person | Yes | Profiling is always high-risk |
The line is finer than most teams expect, which is exactly why guessing is the expensive move. The risk check walks the same logic and hands you a documented answer.
What High-Risk Actually Demands
If your system is high-risk, the obligations are real. As the provider, you would:
- run a risk management system (Article 9) and govern your training data (Article 10),
- produce technical documentation (Article 11) and keep automatic logs (Article 12),
- build in human oversight (Article 14) and meet accuracy and security targets (Article 15),
- pass a conformity assessment and register the system before it goes live.
Deployers of high-risk systems carry their own duties under Article 26. Get it wrong and the penalties bite. Most breaches of these obligations reach €15 million or 3% of global turnover. For SMEs, the Act charges the lower of the two. See our full fines and penalties breakdown.
This is the work the August 2026 deadline is about. It is also why knowing your tier early pays off: the gap between "high-risk" and "not" is the gap between months of work and an afternoon.
Your Next 90 Seconds
- Classify. The risk check returns your tier and the Annex III or Article 6(3) reasoning behind it.
- Close the gaps. If you are high-risk, AI Comply HQ maps the obligations and drafts the documentation. A consultant charges €10,000 or more for the same scoping. Our plans start at $97 a month, and the check is free.
- Stay ready. One dashboard tracks every system, every deadline.
Frequently Asked Questions
What makes an AI system high-risk? It sits in an Annex III area and does not qualify for the Article 6(3) exemption. Systems that profile people are always high-risk.
Is being listed in Annex III enough on its own? No. Article 6(3) can pull a system back out if it only plays a narrow or supporting role. But you have to document that judgment under Article 6(4).
We think our system is exempt. Is there anything to do? Yes. Document the Article 6(3) assessment before you go to market, and register the system. The exemption still comes with a paper trail.
What does a high-risk system actually require? Risk management, data governance, technical documentation, human oversight, accuracy and security measures, a conformity assessment, and registration.
For more, see whether small companies have to comply, how to tell if you are a provider or a deployer, what an AI chatbot owes, and our breakdown of prohibited practices.
Update: Where the Digital Omnibus Stands (June 12, 2026)
A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.
Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.
We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.