Sector-specific EU AI Act compliance guides for healthcare, HR, public sector, transport, insurance, retail, SMEs, and education.

How Sector Shapes EU AI Act Exposure

The EU AI Act is horizontal legislation — it applies to AI systems placed on the market or put into service across every sector of the economy in the European Union. However, the practical compliance burden is not uniform. Sector determines which Annex III high-risk categories are relevant, which pre-existing regulatory frameworks create overlapping obligations, and which national or EU-level supervisory authorities will have jurisdiction over AI deployments.

The Act establishes a tiered risk architecture: prohibited practices under Art. 5, high-risk AI under Art. 6 and Annex III, General Purpose AI (GPAI) obligations under Art. 51 to Art. 55, and transparency obligations under Art. 50. All sectors are subject to the Art. 5 prohibitions and the Art. 50 transparency layer. The Annex III high-risk obligations fall selectively, depending on what AI the organisation deploys and for what purpose.

Understanding sector exposure begins with mapping operational AI use cases against Annex III categories. Organisations must also assess whether deployed AI constitutes a GPAI model under Art. 3(63), and whether any supplier relationships create obligations as a GPAI deployer or provider.

Understanding Annex III by Sector

Annex III of the EU AI Act defines 8 categories of standalone high-risk AI. Each category maps to specific industries and AI use cases.

Category 1 — Biometrics (Cross-Sector)

Art. 6 read with Annex III point 1 covers AI systems for biometric identification and biometric categorisation of natural persons. Real-time remote biometric identification in publicly accessible spaces by law enforcement is prohibited under Art. 5(1)(h), not merely high-risk. Post-hoc biometric identification and biometric categorisation systems used in employment, border control, law enforcement (within permitted limits), and access control remain in the high-risk category. Any organisation deploying facial recognition, fingerprint matching, voice recognition, or similar systems for consequential decisions is within scope.

Category 2 — Critical Infrastructure (Transport, Energy, Water)

Annex III point 2 covers AI used as safety components in the management and operation of critical digital infrastructure, road traffic, water supply, gas, heating, and electricity. Transport operators, energy grid managers, water utilities, and digital infrastructure providers must assess whether their AI systems qualify. Annex I of the AI Act also intersects here: AI safety components embedded within Annex I regulated products (machinery, vehicles, civil aviation equipment, rail systems) are high-risk under Art. 6(1), not Annex III.

Category 3 — Education and Vocational Training

Annex III point 3 covers AI that determines access to educational establishments, allocates students to educational pathways, assesses examination or test performance, evaluates learning achievement that substantially affects future opportunities, and monitors student behaviour during assessments. EdTech platforms, universities, vocational training providers, and examination bodies must assess their AI-driven tools against these criteria.

Category 4 — Employment and HR

Annex III point 4 covers AI used in recruitment and selection (CV screening, candidate ranking, automated interview analysis), decisions on promotion, termination, task allocation for platform workers, monitoring of employee behaviour, and performance evaluation. This category is among the broadest in scope — virtually every organisation using AI-assisted HR processes must assess compliance. The obligation applies to AI used by employers, staffing agencies, and gig-economy platforms.

Category 5 — Essential Private and Public Services (Finance, Insurance, Healthcare-Adjacent, Benefits)

Annex III point 5 is the broadest category, encompassing AI used in creditworthiness assessment and credit scoring for natural persons, insurance risk assessment and pricing, evaluation of eligibility for public benefits and social services, and emergency dispatch decisions. This category directly affects banks, insurers, public administrations, and social service providers. Health-related AI that scores individuals for insurance eligibility also falls here, creating overlap between financial services and healthcare obligations.

Categories 6, 7, and 8 — Law Enforcement, Migration, Justice

Annex III points 6, 7, and 8 target public sector authorities and their technology suppliers. Law enforcement AI (risk scoring, recidivism prediction, crime prediction, evidence evaluation), migration and border control AI (asylum risk assessment, document verification, application processing), and justice and democratic process AI (judicial research tools, election-related AI) are all high-risk. These categories primarily affect police authorities, border agencies, immigration tribunals, courts, and their contracted AI providers.

Sector Guides

Each of the following dedicated guides maps the EU AI Act obligations to the specific regulatory context, typical AI use cases, and enforcement architecture of the sector.

Healthcare and Life Sciences

Healthcare AI operates at the intersection of the EU AI Act and the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). AI systems that qualify as medical devices are regulated primarily under MDR/IVDR but remain subject to the AI Act's fundamental rights and transparency obligations. Annex III point 5 captures AI used for health risk scoring in insurance and public benefit eligibility. Clinical decision support, diagnostic AI, patient triage tools, and drug discovery AI each carry specific obligations depending on their regulatory classification.

HR and Recruitment

Annex III point 4 places virtually all AI-assisted HR processes in the high-risk category. CV screening tools, psychometric assessment platforms, automated interview video analysis, performance management systems, and workforce scheduling AI must comply with provider and deployer obligations. This guide addresses the obligations of employers as deployers under Art. 26, data governance requirements under Art. 10, and the interaction with GDPR profiling restrictions.

Public Sector and Justice

Public authorities are simultaneously deployers of high-risk AI and the entities that national competent authorities will scrutinise most closely. Annex III points 5 through 8 collectively cover a large portion of public sector AI: benefit eligibility determination, emergency services AI, law enforcement tools, border management systems, and judicial AI. This guide addresses the specific obligations of public deployers, transparency mandates for automated decisions affecting citizens, and the intersection with the GDPR and the Law Enforcement Directive.

Transport and Critical Infrastructure

Transport operators must navigate both Annex III point 2 (safety components in critical infrastructure) and Annex I product safety regulation. AI in autonomous vehicle systems, railway traffic management, air traffic management, port operations, and logistics routing may trigger high-risk classification under multiple pathways. This guide addresses the interaction with EASA regulations, the Rail Safety Directive, and the role of notified bodies in conformity assessment.

SMEs

Small and medium-sized enterprises face the same EU AI Act obligations as large organisations when they are providers of high-risk AI or deployers using high-risk AI. However, the Act provides proportionality mechanisms. This guide explains simplified technical documentation options, access to regulatory sandboxes under Art. 57 to Art. 63, and how to structure a minimal but legally sufficient compliance programme. It also addresses SME exposure as deployers of third-party AI tools.

Insurance

Insurance AI is subject to Annex III point 5(b) (risk assessment and pricing for life and health insurance of natural persons) and intersects with Solvency II requirements for model governance and the use of internal models. Motor, health, property, and life insurance pricing AI, underwriting decision tools, and automated claims settlement systems all require assessment. This guide addresses the roles of EIOPA and national insurance supervisors alongside the AI Act's NCA framework.

Retail and Call Centres

Retail and customer service operations are primarily affected by the Art. 50 transparency obligations — AI-generated content disclosure, chatbot identification, and deepfake labelling — and by employment-related AI under Annex III point 4. Emotion recognition systems used in customer-facing contexts are explicitly regulated. This guide addresses online retail AI, recommendation engines, automated customer service, and workforce management in contact centres.

Education and EdTech

Annex III point 3 places educational AI in the high-risk category where it determines or substantially influences access to educational pathways or evaluates achievement. This guide addresses the obligations of EdTech providers, universities, vocational training bodies, and public examination authorities. It covers adaptive learning platforms, proctoring software, automated essay grading, and student risk prediction tools.

Financial Sector (Banking)

The banking sector guide addresses Annex III point 5(b) credit scoring and creditworthiness assessment, fraud detection AI, algorithmic trading systems, AML/KYC tools, and robo-advisory platforms. It examines the layering of EU AI Act obligations on top of DORA, MiFID II, CRR/CRD, and EBA guidelines. The intersection between the AI Act's model governance requirements and existing model risk management frameworks under EBA guidelines is a primary focus.

Cross-Cutting Obligations

Several EU AI Act obligations apply regardless of sector. Every organisation operating in the EU must understand these baseline requirements.

Prohibited Practices — Art. 5

Art. 5 establishes absolute prohibitions effective from 2 February 2025. These apply to every sector without exception: subliminal manipulation techniques that cause harm, exploitation of vulnerabilities of natural persons, social scoring by public authorities, real-time remote biometric identification by law enforcement in public spaces (subject to narrow exceptions), emotion recognition in workplaces and educational institutions (outside specified uses), biometric categorisation using sensitive characteristics, and predictive policing based solely on profiling. No sector-specific exemption overrides these prohibitions.

Transparency Obligations — Art. 50

Art. 50 requires providers and deployers of AI systems that interact with natural persons to disclose the AI nature of the interaction. This applies to chatbots, virtual assistants, automated call centre systems, and any AI system designed to appear human. AI-generated content — synthetic media, deepfakes, text — must be labelled in a machine-readable format. These obligations apply to retail, financial services, healthcare patient-facing tools, public sector citizen services, and every other sector deploying conversational or generative AI.

GPAI Model Obligations — Art. 51 to Art. 55

Organisations that deploy GPAI models — large language models, foundation models, multimodal AI — must assess whether they are deployers of a third-party GPAI model or providers of a GPAI-integrated system. GPAI providers bear obligations under Art. 53 (transparency to downstream providers, copyright policy, summary of training data). GPAI models with systemic risk bear additional obligations under Art. 55. Every sector using commercial foundation model APIs or self-hosted foundation models must assess these obligations.

SMEs and Proportionate Obligations

SMEs represent the majority of EU businesses and a growing proportion of AI system providers and deployers. The EU AI Act does not create a blanket SME exemption, but Art. 9(5), Art. 11, and Art. 16 require that provider obligations be proportionate to organisational size and capacity.

The regulatory sandbox framework (Art. 57 to Art. 63) is specifically designed to provide SMEs and startups with supervised development environments, reduced regulatory uncertainty, and direct access to national competent authority guidance. Participation does not guarantee compliance clearance, but it provides a structured path to market entry for innovative AI products.

For SMEs acting as deployers of high-risk AI provided by a third party, Art. 26 obligations — use-case assessment, human oversight implementation, fundamental rights impact assessment — apply. The scale of documentation and monitoring required is proportionate, but the legal obligations are not waived.

The dedicated SME guide provides a compliance roadmap tailored to smaller organisations, covering prioritisation, minimum viable documentation, supplier due diligence, and sandbox access procedures.

Enforcement

The EU AI Act creates a layered enforcement architecture with significant sector-specific dimensions.

National Competent Authorities

Each EU Member State designates one or more national competent authorities (NCAs) under Art. 70. NCAs are responsible for authorising regulatory sandboxes, conducting market surveillance, receiving post-market monitoring data from providers, investigating suspected violations, and imposing administrative fines under Art. 99 to Art. 101. Maximum fines reach €35 million or 7% of global annual turnover for violations of Art. 5 prohibited practices.

Sector Regulators as Market Surveillance Authorities

Art. 74(8) and Art. 74(9) provide for sector regulators to act as market surveillance authorities for AI in their domains. The European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), European Securities and Markets Authority (ESMA), European Medicines Agency (EMA), and European Union Aviation Safety Agency (EASA) each have roles in supervising AI within their regulatory perimeters. This creates dual-track enforcement exposure: a bank's credit scoring AI may be examined both by a national financial regulator applying Annex III obligations and by an NCA conducting AI Act market surveillance.

The European AI Office

The European AI Office, established under Art. 64 to Art. 70, holds direct enforcement authority over GPAI model providers. For organisations deploying GPAI models with systemic risk, the AI Office is the primary regulatory counterpart — not the national NCA. Sector regulators have no direct jurisdiction over GPAI models as such, though downstream AI systems integrating GPAI remain subject to national and sector supervision.

Enforcement Timeline

The prohibition on practices under Art. 5 has applied since 2 February 2025. GPAI obligations under Art. 51 to Art. 55 became effective 2 August 2025. Full obligations for Annex III high-risk AI systems — covering all eight categories and all provider and deployer duties — apply from 2 December 2027 (extended from the original 2 August 2026 deadline by the 2025 Digital Omnibus amendment). Organisations in all sectors should treat the period to December 2027 as an active compliance window, not a grace period.

Official AI Act Compliance Deadline Calendar

Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis
Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5
GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56
High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2)
High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1)
AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2)
Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57


Frequently Asked Questions

Yes. The EU AI Act applies uniformly across the EU, but its practical impact varies substantially by sector. The Act's Annex III maps high-risk AI categories directly onto industries — employment AI targets HR and staffing, creditworthiness AI targets finance and insurance, biometric systems target law enforcement and border control. Operators in heavily regulated sectors (healthcare, finance, transport) also face the AI Act layered on top of existing sector-specific legislation, which may trigger additional obligations or require co-ordination between supervisory authorities.

Healthcare, financial services, and the public sector carry the heaviest cumulative obligations. Healthcare AI intersects with the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR); financial sector AI intersects with DORA, MiFID II, and Solvency II; public sector AI touches Annex III categories 5 through 8 (essential services, law enforcement, migration, and justice). Each of these sectors must comply with both the EU AI Act framework and pre-existing sectoral regulation, with some obligations applying simultaneously.

SMEs are not exempt, but the Act provides proportionate measures. Art. 9(5) requires risk management systems to be proportionate to the size and nature of the provider. Art. 11 and Art. 16 allow for simplified technical documentation for SMEs. Art. 57 to Art. 63 establish regulatory sandboxes that SMEs may access under national competent authority supervision. Deployer obligations under Art. 26 also apply to SMEs using high-risk AI, though with lighter procedural requirements than providers.

Art. 70 to Art. 77 of the EU AI Act establish a multi-layered enforcement architecture. Each Member State designates a national competent authority (NCA) responsible for AI Act enforcement. Where AI systems operate in regulated sectors — financial services, healthcare, aviation, rail — sector-specific regulators (EBA, EIOPA, ESMA, EMA, EASA) co-ordinate with NCAs. The European AI Office provides central oversight for GPAI models. This parallel structure means a financial institution's AI system may be audited by both an NCA and a financial sector regulator applying different but overlapping frameworks.
