Table of contents

Get notified when this article is updated

The Two-Gate Classification System

The EU AI Act classifies AI systems as high-risk through two distinct pathways defined in Article 6.

Gate 1 — Article 6(1): AI systems that are themselves a safety component of a product covered by Union harmonisation legislation listed in Annex I (machinery, medical devices, vehicles, aviation, etc.), or are themselves such a product, and must undergo third-party conformity assessment.

Gate 2 — Article 6(2): AI systems listed in Annex III, across 8 specific domains. This is where most enterprise AI systems fall.

The 8 Annex III Domains

If your AI system falls into any of these domains, it is presumed high-risk:

Biometrics

Remote biometric identification, emotion recognition, biometric categorisation based on sensitive attributes.

Critical Infrastructure

AI used in management of critical infrastructure: water, gas, electricity, road traffic, digital infrastructure.

Education

AI that determines access to educational institutions, evaluates learning outcomes, assesses students.

Employment & HR

AI for recruitment, CV screening, promotion decisions, task allocation, performance monitoring, termination.

Essential Services

AI that evaluates creditworthiness, sets insurance premiums, or determines access to public benefits.

Law Enforcement

AI used by police for profiling, crime prediction, evidence evaluation, or lie detection.

Migration & Asylum

AI that assesses migration risk, verifies travel documents, or determines asylum eligibility.

Administration of Justice

AI that assists courts in researching facts and law, or influences legal proceedings.

The Article 6(3) Exception

Even if your system falls under Annex III, it may be exempt from high-risk classification if it does not pose a significant risk of harm to health, safety, or fundamental rights, and meets one of these four conditions:

It performs a narrow procedural task
It is intended to improve the result of a previously completed human activity
It detects decision-making patterns without replacing human assessment
It performs a preparatory task to an assessment relevant to the use cases listed in Annex III

Obligations for High-Risk Providers

If classified high-risk, Articles 9 through 15 impose mandatory obligations:

•Art. 9 — Risk management system (continuous, documented, iterative)

•Art. 10 — Data governance (training data requirements, bias mitigation)

•Art. 11 — Technical documentation (before market placement)

•Art. 12 — Record-keeping and logging (automatic, tamper-proof)

•Art. 13 — Transparency to deployers (instructions for use)

•Art. 14 — Human oversight (meaningful control mechanisms)

•Art. 15 — Accuracy, robustness, and cybersecurity standards

Penalties for Non-Compliance

For high-risk AI systems, penalties can reach 15 million euros or 3% of global annual turnover (Art. 99(4)), whichever is higher. For prohibited practices (Article 5), penalties rise to 35 million euros or 7%.

Post-Digital Omnibus (trilogue agreement of 7 May 2026): Annex III high-risk obligations (EP enumeration: biometrics, critical infrastructure, education, employment, law enforcement, border management; non-exhaustive) apply from 2 December 2027. Article 50 transparency obligations not affected by the omnibus delay (per EP IPR42011 + Reg. 2024/1689 baseline): 2 August 2026. The conformity assessment process for high-risk systems can take several months.

Not sure if your AI system is high-risk? The free Sprinkling Act diagnostic classifies your system in minutes, article by article.

Free diagnostic — instant See full report

Sources

[1]
EUR-Lex (July 12, 2024) — Regulation (EU) 2024/1689 — Artificial Intelligence Act (full text) eur-lex.europa.eu/eli
[2]
EU AI Act — Article 6 — Classification Rules for High-Risk AI Systems artificialintelligenceact.eu/article
[3]
EU AI Act — Annex III — High-Risk AI Systems Referred to in Article 6(2) artificialintelligenceact.eu/annex
[4]
EU AI Act — Article 9 — Risk Management System artificialintelligenceact.eu/article
[5]
EU AI Act — Article 99 — Penalties artificialintelligenceact.eu/article
[6]
EU AI Act — Articles 10–15 — Requirements for High-Risk AI Systems artificialintelligenceact.eu/article
[7]
EU AI Act — Implementation Timeline artificialintelligenceact.eu/implementation-timeline

ALREADY ENFORCEABLE

Art. 5 prohibitions and GPAI rules apply today. Article 50 transparency binds 2 August 2026. Annex III high-risk binds 2 December 2027 (post-Omnibus). The question is not when: it’s whether you’ve documented your position.

Free Diagnostic — 9 questions See pricing →

The Two-Gate Classification System

The EU AI Act classifies AI systems as high-risk through two distinct pathways defined in Article 6.

Gate 2 — Article 6(2): AI systems listed in Annex III, across 8 specific domains. This is where most enterprise AI systems fall.

The 8 Annex III Domains

If your AI system falls into any of these domains, it is presumed high-risk:

Biometrics

Remote biometric identification, emotion recognition, biometric categorisation based on sensitive attributes.

Critical Infrastructure

AI used in management of critical infrastructure: water, gas, electricity, road traffic, digital infrastructure.

Education

AI that determines access to educational institutions, evaluates learning outcomes, assesses students.

Employment & HR

AI for recruitment, CV screening, promotion decisions, task allocation, performance monitoring, termination.

Essential Services

AI that evaluates creditworthiness, sets insurance premiums, or determines access to public benefits.

Law Enforcement

AI used by police for profiling, crime prediction, evidence evaluation, or lie detection.

Migration & Asylum

AI that assesses migration risk, verifies travel documents, or determines asylum eligibility.

Administration of Justice

AI that assists courts in researching facts and law, or influences legal proceedings.

The Article 6(3) Exception

It performs a narrow procedural task

It is intended to improve the result of a previously completed human activity

It detects decision-making patterns without replacing human assessment

It performs a preparatory task to an assessment relevant to the use cases listed in Annex III

Obligations for High-Risk Providers

If classified high-risk, Articles 9 through 15 impose mandatory obligations:

•Art. 9 — Risk management system (continuous, documented, iterative)

•Art. 10 — Data governance (training data requirements, bias mitigation)

•Art. 11 — Technical documentation (before market placement)

•Art. 12 — Record-keeping and logging (automatic, tamper-proof)

•Art. 13 — Transparency to deployers (instructions for use)

•Art. 14 — Human oversight (meaningful control mechanisms)

•Art. 15 — Accuracy, robustness, and cybersecurity standards

Penalties for Non-Compliance

Sources

[1]

EUR-Lex (July 12, 2024) — Regulation (EU) 2024/1689 — Artificial Intelligence Act (full text) eur-lex.europa.eu/eli

[2]

EU AI Act — Article 6 — Classification Rules for High-Risk AI Systems artificialintelligenceact.eu/article

[3]

EU AI Act — Annex III — High-Risk AI Systems Referred to in Article 6(2) artificialintelligenceact.eu/annex

[4]

EU AI Act — Article 9 — Risk Management System artificialintelligenceact.eu/article

[5]

EU AI Act — Article 99 — Penalties artificialintelligenceact.eu/article

[6]

EU AI Act — Articles 10–15 — Requirements for High-Risk AI Systems artificialintelligenceact.eu/article

[7]

EU AI Act — Implementation Timeline artificialintelligenceact.eu/implementation-timeline

What Makes an AI System High-Risk Under the EU AI Act?

The Two-Gate Classification System

The 8 Annex III Domains

The Article 6(3) Exception

Obligations for High-Risk Providers

Penalties for Non-Compliance

Sources

What Makes an AI System High-Risk Under the EU AI Act?

The Two-Gate Classification System

The 8 Annex III Domains

The Article 6(3) Exception

Obligations for High-Risk Providers

Penalties for Non-Compliance

Sources