EU AI Act · Annex III

High-risk AI under Annex III: are you affected?

Whether the strict EU AI Act obligations apply to you from 2 August 2026 hinges on one question: does your AI system fall into a high-risk category? This guide explains the four risk classes, the eight Annex III areas and the important Art. 6(3) exception.

The four risk classes

EU AI Act: risk tiers Unacceptable / Prohibited; High risk; Limited risk / Transparency duty; Minimal risk EU AI Act: risk tiers Unacceptable / Prohibited e.g. social scoring High risk e.g. hiring, credit scoring, biometrics Limited risk / Transparency duty e.g. chatbots, labelling AI content Minimal risk e.g. spam filters, AI in video games High-risk deadline: 02 Aug 2026

Prohibited

Practices under Art. 5 (e.g. social scoring, manipulative AI) — banned since February 2025.

High-risk

Annex III or a safety component of regulated products — the full obligations from 2 Aug 2026.

Limited risk

Transparency duties under Art. 50 (e.g. labelling chatbots and AI-generated content).

Minimal risk

Most AI (e.g. spam filters) — no specific obligations under the AI Act.

The eight high-risk areas of Annex III

The exception: Art. 6(3)

A system in an Annex III area is not automatically high-risk. Under Art. 6(3) the classification falls away if the system poses no significant risk to health, safety or fundamental rights — for example because it performs only a narrow procedural task or merely improves a human result. This exception must be documented and never applies where the system performs profiling.

What about general-purpose AI (GPAI)?

Foundation models (e.g. large language models) follow their own regime (Art. 51 ff.) with transparency and, where systemic risk exists, additional obligations since August 2025. Anyone embedding a GPAI model into an Annex III system remains responsible for the high-risk obligations.

Frequently asked questions

Is every chatbot high-risk?
No. A pure customer-service chatbot is usually “limited risk” with a transparency duty (Art. 50) — it must disclose that you are talking to an AI. It only becomes high-risk if it decides on Annex III matters such as creditworthiness or applicant selection.
Does KI-powered HR software count as high-risk?
Usually yes: AI for applicant screening, performance evaluation or promotion and termination decisions falls under Annex III (employment). Also check the GDPR — such systems often engage Art. 22 (automated decisions).
Does this apply to purchased AI too?
Yes. As a deployer you have your own duties under Art. 26 — use as intended, human oversight, log retention — even if a third party built the system.

Factual orientation, not legal advice. Citations: Regulation (EU) 2024/1689.