Key facts

  • Annex III lists specific high-risk use cases across eight broad areas.
  • Covers employment, credit/insurance, education, law enforcement, migration and justice, among others.
  • Falling into an Annex III category triggers the Act's most extensive compliance obligations.
  • The list can be updated by the European Commission as new risks emerge.
  • Even AI adjacent to these areas should be checked carefully against the Annex III wording.

The broad areas covered

Annex III spans biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential public and private services, law enforcement, migration and border control, and the administration of justice and democratic processes.

Why the specifics matter

Within each area, Annex III defines specific use cases — not every AI system used in, say, employment is automatically high-risk. An AI tool used for internal scheduling is different from one used to screen job candidates, and only the latter is likely to be caught.

What triggers high-risk obligations

If an AI system's specific use case matches an Annex III entry, it is classed as high-risk (subject to certain narrow exceptions), triggering conformity assessment, technical documentation, human oversight and other extensive obligations.

Keeping the list current

The European Commission has the ability to update Annex III as new risks emerge, so organisations operating AI in these sensitive areas should periodically check whether their use case classification has changed.

Frequently asked questions

What is Annex III of the EU AI Act?

A list of specific AI use cases classed as high-risk, covering employment, credit scoring, education, law enforcement and more.

Does every AI system used in employment count as high-risk?

No — only specific use cases within that area, such as candidate screening, are likely to be caught.

What happens if my AI system matches an Annex III use case?

It is classed as high-risk, triggering the Act's most extensive compliance obligations.

Can the Annex III list change?

Yes — the European Commission can update it as new risks emerge.

What should I do if my AI use is close to an Annex III category?

Check the specific wording carefully, and seek advice if the classification is unclear.

Related pages

Sources

Last updated 19 June 2026.