Annex III high-risk AI explained

Annex III of Regulation (EU) 2024/1689 lists the eight categories of standalone high-risk AI systems. Falling into one of these categories triggers the full Article 8-49 obligation stack: data governance, technical documentation, human oversight, transparency, registration, and post-market monitoring.

Annex III is where most of the operational pain in the EU AI Act lives for deployers. The eight categories cover biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. Article 6(2) makes any AI in scope automatically high-risk unless the Article 6(3) exception applies. The new deadline after the 7 May 2026 Digital Omnibus is 2 December 2027 for full obligations; Article 4 literacy + Article 5 prohibitions are live today since 2 February 2025.

1. 1
   16 min

   Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act

   Find out if your AI tools are high-risk under the EU AI Act. Annex III categories explained with real examples: ChatGPT, Copilot, Salesforce, and more.

   Read article
2. 2
   14 minFeatured

   EU AI Act for HR Teams: What Recruitment, Performance Review, and Worker Management AI Needs

   Recruitment AI, CV screening, performance scoring, promotion and termination AI, gig allocation, and worker monitoring all sit in Annex III(4) high-risk territory under the EU AI Act. This guide covers what HR teams need to do under Article 26, when an Article 27 FRIA is required, and how to scope a 90-day HR AI compliance ramp.

   Read article
3. 3
   14 minFeatured

   EU AI Act for Credit Scoring AI: Annex III(5)(b), Article 27 FRIA, and Consumer Credit Law

   Credit-scoring AI is one of the few use cases that REQUIRES an Article 27 FRIA under the EU AI Act. This guide covers Annex III(5)(b) classification, the FRIA process, GDPR Article 22 automated-decision rights, the Consumer Credit Directive interaction, and the 2 December 2027 deadline.

   Read article
4. 4
   15 minFeatured

   EU AI Act for Healthcare AI: Medical Devices, Diagnostics, and Clinical Decision Support

   Healthcare AI sits at the intersection of two regimes: the EU AI Act + sectoral product law (MDR / IVDR). This guide covers Annex I embedded high-risk classification, the dual conformity assessment route, Article 73 incident reporting on top of MDR vigilance, and the 2 August 2028 deadline post-Omnibus.

   Read article
5. 5
   14 minFeatured

   EU AI Act Article 27 FRIA: How to Run a Fundamental Rights Impact Assessment

   Article 27 requires certain deployers of high-risk AI systems to run a fundamental rights impact assessment (FRIA) before deployment. Who's actually in scope is narrower than most read it. This guide covers the 6 things a FRIA must cover, how it differs from a GDPR DPIA, the notification step, and how to scope your first FRIA without over-engineering it.

   Read article
6. 6
   14 min

   EU AI Act Compliance Checklist: 10 Steps Before the High-Risk Deadline

   A practical 10-step compliance checklist for the EU AI Act. From AI inventory to ongoing monitoring: everything your business needs before enforcement begins.

   Read article