Annex III of the EU AI Act defines 8 categories of standalone high-risk AI systems. Providers and deployers must comply by 2 December 2027 (extended from August 2026 by the 2026 omnibus). This covers recruitment AI, credit scoring, biometric categorisation, critical infrastructure AI, and more.
What Annex III covers — 8 categories of high-risk AI
Annex III of the EU AI Act defines standalone high-risk AI systems across 8 areas. The deadline for compliance is 2 December 2027 (extended by the 2026 Digital Omnibus from the original 2 August 2026).
"Standalone" means the AI system is not a safety component of an Annex I regulated product — it is itself placed on the market or put into service as the primary product or service.
The 8 Annex III categories
1. Biometric identification and categorisation Real-time and post-hoc remote biometric identification systems, AI-based systems for categorising individuals by biometric data into groups based on sensitive characteristics (ethnicity, political views, religion, etc.).
Note: Real-time biometric identification of natural persons in publicly accessible spaces by law enforcement is prohibited under Art. 5, not just high-risk.
2. Critical infrastructure AI systems used as safety components in the management and operation of critical infrastructure — road traffic, water supply, gas, heating, electricity grid.
3. Education and vocational training AI that determines access to educational establishments, allocates students, assesses examination performance, monitors students during exams, or evaluates learning achievement that affects opportunities.
4. Employment, workers management, self-employment AI used for recruitment and selection (CV screening, personality tests, job application filtering), decisions on promotion, termination, performance evaluation, task allocation in gig work, and monitoring employee behaviour.
5. Essential private and public services AI used for creditworthiness assessment, credit scoring, insurance risk assessment and pricing, health risk scoring for insurance, evaluation of eligibility for public benefits and services, emergency dispatch decisions.
6. Law enforcement AI for risk assessment of individuals (recidivism risk, crime likelihood), lie detection, evidence reliability evaluation, profiling in criminal investigations, crime prediction for geographic areas.
7. Migration, asylum, border control AI for risk assessment of asylum seekers, verification of travel documents, examination of applications for asylum, visa, or residence permits, detecting irregular migration patterns.
8. Administration of justice and democratic processes AI for researching and interpreting facts and law in judicial proceedings, AI influencing elections, AI used in voting systems.
Provider obligations by 2 December 2027
| Obligation | Article | Description |
|---|---|---|
| Risk management | Art. 9 | Continuous process across the AI lifecycle |
| Data governance | Art. 10 | Training/validation/test data quality requirements |
| Technical documentation | Art. 11 | Comprehensive documentation before market placement |
| Transparency | Art. 13 | Instructions for deployers; automatic logging capability |
| Human oversight | Art. 14 | Design measures enabling human monitoring and intervention |
| Accuracy & robustness | Art. 15 | Appropriate performance levels; resilience to errors |
| Quality management | Art. 17 | QMS covering design through post-market monitoring |
| Conformity assessment | Art. 43 | Self-assessment (most systems) or third-party (biometrics, critical infrastructure) |
| Registration | Art. 71 | EU AI database registration before market placement |
| CE marking | Art. 48 | Required before placing on the EU market |
Deployer obligations by 2 December 2027
Organisations that use (deploy) Annex III AI systems — even if they did not build them — must:
- Use the system in accordance with the provider's instructions
- Implement human oversight measures
- Monitor system performance and report serious incidents
- For public bodies: complete a Fundamental Rights Impact Assessment (FRIA)
- Inform workers or their representatives when AI affects employment decisions
- Not use the system for purposes other than those assessed as high-risk
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Annex III of the EU AI Act lists 8 areas of standalone high-risk AI systems. These are AI systems that, when used as intended, pose significant risks to health, safety, or fundamental rights. Providers of Annex III systems must complete conformity assessments and comply with a full set of obligations by 2 December 2027.
Yes. AI systems used for recruitment decisions — including CV screening, candidate ranking, interview video analysis, and employment contract decisions — fall under Annex III point 4 (employment, workers management and access to self-employment). However, the Art. 6(3) exception applies: the system must pose a significant risk of harm to be high-risk.
Most Annex III systems use internal conformity assessment (self-assessment by the provider against harmonised standards). Biometric categorisation and AI for critical infrastructure requiring third-party assessment. The assessment must be documented, and the system registered in the EU AI database before being placed on the market.
Yes, under Art. 6(3). An AI system in an Annex III area is not high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights. Providers must document this assessment. Narrowly scoped decision-support tools used under human oversight, with low impact on individuals, may qualify for exclusion.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.