EU AI Act High-Risk Classification

The EU AI Act (Regulation EU 2024/1689) uses a risk-based regulatory framework that places high-risk AI systems at the center of its compliance structure, subjecting them to the most stringent requirements and oversight mechanisms. ¹⁾ The classification decision determines an organization's entire compliance journey, from development requirements to market access procedures.

The EU AI Act establishes four tiers of risk:

• Prohibited AI (Article 5): Practices banned outright, in force since 2 February 2025
• High-Risk AI (Annex II and Annex III): Subject to extensive compliance obligations
• Limited-Risk AI: Transparency obligations (e.g., chatbot disclosure)
• Minimal-Risk AI: No mandatory requirements, voluntary codes of conduct

This graduated structure applies the proportionality principle, matching regulatory intensity to the severity of potential harm. ²⁾

An AI system qualifies as high-risk through either of two distinct paths:

1. Annex II (Product Safety): The system is a safety component in products covered by existing EU harmonization legislation such as medical devices, machinery, vehicles, toys, or aviation systems. ³⁾
2. Annex III (Specific Use Cases): The system falls within one of eight designated sectors with specific high-risk use cases.

Article 6(3) provides a filter mechanism allowing some systems to avoid high-risk classification if they do not pose a significant risk of harm. ⁴⁾

1. Biometrics: Remote biometric identification and categorization of persons
2. Critical Infrastructure: AI managing safety of road traffic, water, gas, heating, and electricity supply
3. Education and Vocational Training: Systems determining access to education or evaluating learning outcomes
4. Employment and Workers Management: AI for recruitment, hiring decisions, task allocation, and performance monitoring
5. Access to Essential Services: Credit scoring, insurance pricing, emergency services dispatch
6. Law Enforcement: Individual risk assessments, polygraphs, evidence evaluation
7. Migration, Asylum, and Border Control: Risk assessments for irregular migration, visa application processing
8. Administration of Justice: AI assisting judicial decisions, alternative dispute resolution

⁵⁾

High-risk AI systems must satisfy six categories of mandatory requirements:

• Risk Management System (Article 9): Continuous identification and mitigation of foreseeable risks including misuse and discrimination throughout the system lifecycle
• Data Governance (Article 10): Training, validation, and testing datasets must be relevant, representative, and free from errors; bias examination and mitigation is mandatory
• Technical Documentation (Article 11): Comprehensive documentation demonstrating conformity with all requirements
• Transparency (Article 13): Clear instructions for deployers including system capabilities, limitations, and intended purpose
• Human Oversight (Article 14): Systems must be designed to allow effective oversight by natural persons, including the ability to override or halt the system
• Accuracy, Robustness, and Cybersecurity (Article 15): Appropriate levels of accuracy, resilience to errors, and protection against adversarial attacks

^{6) 7)}

Providers must conduct conformity assessments before placing high-risk AI systems on the market. Most Annex III systems allow self-assessment, while certain biometric systems require third-party assessment by notified bodies. Providers must draw up an EU Declaration of Conformity (Article 47) and register high-risk systems in the EU database. ⁸⁾

• 1 August 2024: Regulation entered into force
• 2 February 2025: Prohibited AI practices enforced
• 2 August 2025: General-purpose AI model obligations apply
• 2 August 2026: High-risk AI system requirements (Annex III) become fully enforceable

⁹⁾

• Prohibited AI violations: up to 35 million euros or 7 percent of global annual turnover
• High-risk non-compliance: up to 15 million euros or 3 percent of global annual turnover
• Incorrect information to authorities: up to 7.5 million euros or 1 percent of global annual turnover

¹⁰⁾

• AI Accountability Mandates
• Texas Responsible AI Governance Act (TRAIGA)
• Human-in-the-Loop (HITL) Governance