In this guide
- What is high-risk AI?How systems are classified and the obligations that apply.
Key facts
| Definition | AI that can significantly affect people's safety or fundamental rights |
|---|---|
| Two routes | Annex III use-cases (e.g. recruitment, credit) and AI in Annex I regulated products |
| Obligations | Risk management, data governance, documentation, human oversight, accuracy and logging |
| Provider duties | Conformity assessment and CE-style marking before market placement |
| Deployer duties | Use as intended, ensure human oversight, monitor and, for some uses, run a FRIA |
| Deadlines | Provisionally 2 December 2027 (Annex III) and 2 August 2028 (Annex I), pending the Official Journal |
What makes an AI system high-risk?
There are two routes. A system is high-risk if it is listed as an Annex III use-case — areas such as recruitment, creditworthiness, education, essential services, law enforcement and critical infrastructure — or if it is a safety component of, or itself, a product already regulated under Annex I (such as medical devices or machinery). A narrow exception applies where an Annex III system does not pose a significant risk. See what is high-risk AI?
Obligations for providers of high-risk AI
Providers carry the heaviest load: a continuous risk-management system, data governance, detailed technical documentation, record-keeping and logging, transparency to deployers, human-oversight design, and appropriate accuracy, robustness and cybersecurity. Before placing the system on the market they must complete a conformity assessment and register it.
Obligations for deployers of high-risk AI
Deployers must use the system in line with its instructions, ensure competent human oversight, monitor its operation, keep logs, and inform people where required. Certain deployers — including public bodies and some others — must also carry out a Fundamental Rights Impact Assessment before use.
The deadlines and the Digital Omnibus
Most high-risk obligations were due in 2026 and 2027. Under the Digital Omnibus — a provisional political agreement reached in May 2026 — Annex III obligations are deferred to 2 December 2027 and Annex I product-embedded obligations to 2 August 2028. These take legal effect only once adopted and published in the EU Official Journal, so treat them as likely but not final. The full schedule is on the EU AI Act timeline.
How to prepare for high-risk obligations
Find your high-risk systems first: build an AI inventory and classify each system. For anything high-risk, stand up the risk-management, documentation and oversight controls now — the deferred dates buy time, not a reprieve. You can check your exposure to see where you stand.
Frequently asked questions
What is high-risk AI under the EU AI Act?
AI that can significantly affect people's safety or fundamental rights — for example systems used in recruitment, credit, education or critical infrastructure.
How is an AI system classified as high-risk?
Either it is an Annex III use-case, or it is a safety component of (or is) a product regulated under Annex I, unless a narrow no-significant-risk exception applies.
What obligations apply to high-risk AI?
Risk management, data governance, documentation, logging, transparency, human oversight and accuracy — plus conformity assessment for providers.
When do high-risk AI rules apply?
Provisionally 2 December 2027 for Annex III systems and 2 August 2028 for Annex I product-embedded AI, pending publication of the Digital Omnibus in the Official Journal.
What's the first step for high-risk AI?
Build an AI inventory and classify each system — you cannot meet high-risk obligations for systems you have not identified.
Related guides
Sources
Last updated 19 June 2026.