====== EU AI Act High-Risk Classification ======

The EU AI Act (Regulation EU 2024/1689) uses a risk-based regulatory framework that places high-risk AI systems at the center of its compliance structure, subjecting them to the most stringent requirements and oversight mechanisms. ((Source: [[https://euairisk.com/resources/eu-ai-act-high-risk-classification-guide|EU AI Risk — High-Risk Classification Guide]])) The classification decision determines an organization's entire compliance journey, from development requirements to market access procedures.

===== The Risk-Based Architecture =====

The EU AI Act establishes four tiers of risk:

  * **Prohibited AI** (Article 5): Practices banned outright, in force since 2 February 2025
  * **High-Risk AI** (Annex II and Annex III): Subject to extensive compliance obligations
  * **Limited-Risk AI**: Transparency obligations (e.g., chatbot disclosure)
  * **Minimal-Risk AI**: No mandatory requirements, voluntary codes of conduct

This graduated structure applies the proportionality principle, matching regulatory intensity to the severity of potential harm. ((Source: [[https://wcr.legal/eu-ai-act-classification-ai-systems/|WCR Legal — EU AI Act Classification]]))

===== Two-Path Classification System =====

An AI system qualifies as high-risk through either of two distinct paths:

  - **Annex II (Product Safety)**: The system is a safety component in products covered by existing EU harmonization legislation such as medical devices, machinery, vehicles, toys, or aviation systems. ((Source: [[https://euairisk.com/resources/eu-ai-act-high-risk-classification-guide|EU AI Risk — High-Risk Classification Guide]]))
  - **Annex III (Specific Use Cases)**: The system falls within one of eight designated sectors with specific high-risk use cases.

Article 6(3) provides a filter mechanism allowing some systems to avoid high-risk classification if they do not pose a significant risk of harm. ((Source: [[https://wcr.legal/eu-ai-act-classification-ai-systems/|WCR Legal — EU AI Act Classification]]))

===== The Eight Annex III Sectors =====

  - **Biometrics**: Remote biometric identification and categorization of persons
  - **Critical Infrastructure**: AI managing safety of road traffic, water, gas, heating, and electricity supply
  - **Education and Vocational Training**: Systems determining access to education or evaluating learning outcomes
  - **Employment and Workers Management**: AI for recruitment, hiring decisions, task allocation, and performance monitoring
  - **Access to Essential Services**: Credit scoring, insurance pricing, emergency services dispatch
  - **Law Enforcement**: Individual risk assessments, polygraphs, evidence evaluation
  - **Migration, Asylum, and Border Control**: Risk assessments for irregular migration, visa application processing
  - **Administration of Justice**: AI assisting judicial decisions, alternative dispute resolution

((Source: [[https://wcr.legal/eu-ai-act-classification-ai-systems/|WCR Legal — EU AI Act Classification]]))

===== Compliance Requirements for High-Risk AI =====

High-risk AI systems must satisfy six categories of mandatory requirements:

  * **Risk Management System** (Article 9): Continuous identification and mitigation of foreseeable risks including misuse and discrimination throughout the system lifecycle
  * **Data Governance** (Article 10): Training, validation, and testing datasets must be relevant, representative, and free from errors; bias examination and mitigation is mandatory
  * **Technical Documentation** (Article 11): Comprehensive documentation demonstrating conformity with all requirements
  * **Transparency** (Article 13): Clear instructions for deployers including system capabilities, limitations, and intended purpose
  * **Human Oversight** (Article 14): Systems must be designed to allow effective oversight by natural persons, including the ability to override or halt the system
  * **Accuracy, Robustness, and Cybersecurity** (Article 15): Appropriate levels of accuracy, resilience to errors, and protection against adversarial attacks

((Source: [[https://euairisk.com/resources/eu-ai-act-high-risk-requirements|EU AI Risk — High-Risk Requirements Guide]])) ((Source: [[https://www.orbiqhq.com/eu-regulations/eu-ai-act-compliance|Orbiq — EU AI Act Compliance Guide]]))

===== Conformity Assessment =====

Providers must conduct conformity assessments before placing high-risk AI systems on the market. Most Annex III systems allow self-assessment, while certain biometric systems require third-party assessment by notified bodies. Providers must draw up an EU Declaration of Conformity (Article 47) and register high-risk systems in the EU database. ((Source: [[https://www.orbiqhq.com/eu-regulations/eu-ai-act-compliance|Orbiq — EU AI Act Compliance Guide]]))

===== Timeline =====

  * **1 August 2024**: Regulation entered into force
  * **2 February 2025**: Prohibited AI practices enforced
  * **2 August 2025**: General-purpose AI model obligations apply
  * **2 August 2026**: High-risk AI system requirements (Annex III) become fully enforceable

((Source: [[https://legalnodes.com/article/eu-ai-act-2026-updates-compliance-requirements-and-business-risks|Legal Nodes — EU AI Act 2026 Updates]]))

===== Penalties =====

  * Prohibited AI violations: up to 35 million euros or 7 percent of global annual turnover
  * High-risk non-compliance: up to 15 million euros or 3 percent of global annual turnover
  * Incorrect information to authorities: up to 7.5 million euros or 1 percent of global annual turnover

((Source: [[https://www.orbiqhq.com/eu-regulations/eu-ai-act-compliance|Orbiq — EU AI Act Compliance Guide]]))

===== See Also =====

  * [[ai_accountability_mandates|AI Accountability Mandates]]
  * [[texas_traiga|Texas Responsible AI Governance Act (TRAIGA)]]
  * [[hitl_governance|Human-in-the-Loop (HITL) Governance]]

===== References =====