Is Your AI System High-Risk Under the EU AI Act? A Plain-English Classification Guide
The most important thing to know before you start: the vast majority of AI systems are not high-risk. Most fall into the minimal-risk or limited-risk (transparency) tiers, which carry light or no mandatory obligations. High-risk is a specific legal designation with two narrow entry points, and there is even an escape hatch for some systems that technically land inside one of them.
This guide walks you through the classification logic step by step, so you can reach a defensible answer - not just a guess.
The Two Routes Into High-Risk
Article 6 of the EU AI Act sets out classification rules for high-risk AI systems, stating that high-risk AI systems fall within two categories: safety components of products or products themselves regulated by existing EU product safety laws (listed in Annex I), or systems used in specified areas listed in Annex III.
Think of them as two separate gates. Your system only needs to pass through one to be high-risk.
Route 1 - Annex I: Safety Components of Regulated Products
If the system is intended to be used as a safety component of a product, or the AI system itself is a product, covered by the EU harmonisation legislation listed in Annex I, and the product is required to undergo a third-party conformity assessment, the system will be classified as high-risk pursuant to Article 6(1).
Two conditions must both be true:
The product is covered by Annex I harmonisation legislation. These laws cover a wide range of areas, including machinery, toy safety, recreational watercraft, lifts, equipment for potentially explosive atmospheres, radio equipment, pressure equipment, medical devices, civil aviation security, two- or three-wheel vehicles, agricultural and forestry vehicles, marine equipment, rail systems, motor vehicles, and aircraft. Annex I contains more than 30 directives and regulations.
The AI system performs a safety function within that product. Article 3(14) defines a "safety component" as a component of a product which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property. All other AI system functions that are not intended to prevent and mitigate safety risks do not fall within the notion of "safety function" - this includes functions related to performance optimisation, service efficiency, automation, comfort, convenience, or quality control operations of non-safety-related aspects.
Practical example: An AI module in a medical device that recommends a drug dosage is a safety component. An AI module in the same device that schedules maintenance reminders is not.
Timing note: The high-risk obligations for Annex I (safety-component) systems apply from 2 August 2027 under the current implementation timeline — later than the August 2026 deadline for standalone Annex III systems. But classification analysis should start now, since conformity assessment preparation takes time.
Route 2 - Annex III: The Eight High-Risk Use-Case Areas
Annex III lists use cases that qualify an AI system as "high-risk" according to the AI Act, and such systems are subject to additional obligations under the Act. The AI Act contains, in its Annex III, a list of AI systems that must be considered high-risk - this list currently contains AI systems in eight different categories.
The question to ask is: what is this system intended to do, and in which domain? Intended purpose - not actual deployment - is what the Act looks at.
| Area | What counts as high-risk |
|---|---|
| 1. Biometrics | Remote biometric identification; biometric categorisation by sensitive attributes; emotion recognition systems |
| 2. Critical infrastructure | AI as a safety component in management or operation of road traffic, water, gas, heating, electricity, or critical digital infrastructure |
| 3. Education & vocational training | Determining access or admission; evaluating learning outcomes; assessing students; monitoring prohibited behaviour during exams |
| 4. Employment & worker management | Recruitment and CV screening; automated job matching and ranking; monitoring performance; task allocation; promotion/termination decisions |
| 5. Access to essential private/public services | Credit scoring; life and health insurance pricing; eligibility for public benefits; emergency services dispatch; creditworthiness assessment |
| 6. Law enforcement | Individual risk assessment for criminal offending; polygraph-style tools; evidence reliability evaluation; crime analytics for profiling |
| 7. Migration, asylum & border control | Risk assessment of persons crossing borders; examination of asylum applications; detection of undeclared movement |
| 8. Administration of justice & democratic processes | Assisting courts in researching and interpreting facts and law; influencing election outcomes or voter behaviour |
The Article 6(3) Filter: A Genuine (But Narrow) Escape Hatch
Landing in one of the eight Annex III areas does not automatically make your system high-risk. By derogation from paragraph 2, an AI system referred to in Annex III shall not be considered to be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making.
The Commission's draft guidelines provide detail on four exhaustive but alternative scenarios in which the filter may apply: (i) where the system performs a narrow procedural task; (ii) where it improves the result of a previously completed human activity; (iii) where it is used to detect patterns or deviations in past decision-making; or (iv) where it carries out a preparatory function in support of a human-led assessment.
What "narrow procedural" actually means
An AI system can be filtered out of high-risk if it performs a "narrow procedural task" - tasks that categorise, reformat, structure, or deduplicate data without making a value judgement about content. A CV parser that extracts structured fields from a PDF is a candidate. An AI that ranks candidates by suitability is not.
The hard stop: profiling
Any system performing profiling is always high-risk regardless of exemptions. If an Annex III system performs profiling within the meaning of Article 4(4) GDPR, it is always high-risk - this is a hard rule. A system that uses automated processing of personal data to evaluate, analyse, or predict certain personal aspects of a natural person falls within profiling. Even if it looks narrow and procedural in architecture, it remains high-risk once it crosses that threshold.
Watch out for component-splitting
Individual components cannot rely on the Article 6(3) filter in isolation unless they are genuinely separable and do not contribute to a high-risk purpose. Even if a component performs only a narrow procedural or preparatory task, it may still be classified as high-risk where, as part of a complex or agentic AI system, it contributes to outputs that materially influence an Annex III use case.
You still have to document it
Providers who believe their AI system isn't high-risk must document their assessment before selling or using it. You must prepare a written assessment before marketing the system, justify why it does not pose a significant risk, keep that documentation available for national regulators upon request, and register in the EU database indicating that you are using the exception.
Putting It All Together: Your Classification Checklist
Before anything else, confirm your system does not fall under Article 5's eight banned practices (social scoring, real-time remote biometric ID in public, manipulative subliminal techniques, etc.). These have been enforceable since 2 February 2025.
Is your AI a safety component (or the product itself) covered by EU harmonisation legislation in Annex I — machinery, medical devices, toys, vehicles, lifts, aircraft, etc.? And does that product require third-party conformity assessment? If both answers are yes → high-risk.
Does your system's intended purpose fall within one of the eight listed use-case areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice/democracy)? If yes → provisionally high-risk, proceed to step 4.
Does the system only perform a narrow procedural or preparatory task, and does it not materially influence the outcome of a decision? If yes — and it does not profile people — it may not be high-risk. Document your reasoning in writing before you go to market.
Are you the provider (you developed or branded the system) or the deployer (you use it under your own authority)? Providers carry the heavier compliance burden. Putting your name on a third-party high-risk system, or substantially modifying it, makes you its provider.
If you land in high-risk, the obligations include risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), transparency to deployers (Art. 13), human oversight (Art. 14), and accuracy/robustness/cybersecurity (Art. 15).
Free tools on AI Act Navigator:
- Risk-Tier Classifier — answer a short questionnaire and get a provisional tier assessment with a plain-English rationale you can share with stakeholders.
- High-Risk Obligations Guide — once you know you're high-risk, this page maps every Article 9–15 obligation to practical compliance steps for both providers and deployers.
The classification question is genuinely the hardest part of EU AI Act compliance - not because the law is vague, but because the answer depends entirely on what your system is intended to do, not what it happens to do in practice. Get the intended-purpose analysis right, document it carefully, and the rest of the compliance journey becomes much more tractable.