Back to Blog
Explainer

High-Risk AI Systems: The Complete List Under EU AI Act

May 10, 20267 min read

High-Risk AI Systems: The Complete List Under EU AI Act

The EU AI Act classifies AI systems into four risk levels. High-risk systems face the strictest requirements — technical documentation, audit logging, human oversight, conformity assessment, and more.

Annex III of the EU AI Act defines exactly which AI systems are legally classified as high-risk. Here is the complete list with practical examples.

Annex III: The 8 High-Risk Categories

1. Biometric Identification and Categorisation

AI systems used to:

  • Identify natural persons using biometric data (face, fingerprint, voice, gait)
  • Categorise people by sensitive attributes (race, gender, political opinion, religion) based on biometric data
  • Real-world examples: Facial recognition login, biometric employee attendance, emotion detection in video interviews

    Exception: Real-time remote biometric identification in public spaces is prohibited entirely (Annex I), not just high-risk.

    ---

    2. Critical Infrastructure Management

    AI systems used as safety components in:

  • Road traffic management
  • Water, gas, heating, or electricity supply
  • Digital infrastructure
  • Real-world examples: Predictive maintenance in power grids, autonomous traffic signal control, anomaly detection in water treatment

    ---

    3. Education and Vocational Training

    AI systems that:

  • Determine access to educational institutions
  • Assess students in learning contexts
  • Monitor students during exams
  • Real-world examples: AI-powered university admission scoring, exam monitoring software (proctoring), adaptive learning systems that grade students

    ---

    4. Employment, Worker Management, and Access to Self-Employment

    AI systems used for:

  • Recruitment and candidate selection
  • CV screening and ranking
  • Monitoring and evaluating employees
  • Allocating tasks in the gig economy
  • Real-world examples: Applicant tracking systems with AI scoring, AI-powered interview analysis, Uber/Deliveroo driver assignment algorithms

    This is the category most relevant to HR Tech companies in Germany.

    ---

    5. Access to Essential Private and Public Services

    AI systems that determine or significantly influence access to:

  • Public assistance and benefits
  • Credit scores and insurance risk
  • Emergency services
  • Healthcare services
  • Real-world examples: AI credit scoring used by banks, automated welfare eligibility assessment, AI-powered insurance underwriting

    ---

    6. Law Enforcement

    AI systems used by police and law enforcement for:

  • Assessing the risk of criminal offending
  • Evaluating evidence reliability
  • Predicting crime locations
  • Emotion detection during investigations
  • Real-world examples: Predictive policing tools, lie detection systems, facial recognition for criminal suspect identification

    ---

    7. Migration, Asylum, and Border Control

    AI systems used in:

  • Visa application risk assessment
  • Asylum claim evaluation
  • Passenger risk assessment
  • Real-world examples: Automated border control gates, AI visa processing, traveller behaviour analysis

    ---

    8. Administration of Justice and Democratic Processes

    AI systems that assist courts in:

  • Researching and interpreting facts or law
  • Influencing elections or voting behaviour
  • Real-world examples: AI-powered legal research assistants used by judges, political microtargeting systems

    ---

    Am I Affected?

    You are likely affected if you sell software used in HR, healthcare, banking, education, or critical infrastructure — especially if AI is involved in any decision that affects people.

    The test is not what you call your product. The EU AI Act looks at what your system does, not what your marketing says. An "AI assistant" that ranks job candidates is treated as a high-risk employment AI.

    What High-Risk Classification Means in Practice

    If your system is high-risk, before August 2, 2026 you must have:

  • Annex IV technical documentation
  • Risk management system
  • Audit logging
  • Human oversight mechanism
  • Transparency notice for users
  • Conformity assessment (self-assessment or third-party)
  • EU Declaration of Conformity
  • Check your system's risk level for free →