Key facts
- Definition: AI that can significantly affect people's safety or fundamental rights.
- Two routes to high-risk: Annex III use-cases, and AI in Annex I regulated products.
- Provider obligations: risk management, data governance, documentation, human oversight, accuracy, logging and conformity assessment.
- Deployer obligations: use as intended, ensure human oversight, monitor and (for some uses) run a Fundamental Rights Impact Assessment (FRIA).
- Deadlines are provisionally deferred to 2 December 2027 (Annex III) and 2 August 2028 (Annex I) under the Digital Omnibus.
What makes an AI system high-risk?
There are two routes. A system is high-risk if it is listed as an Annex III use-case — areas such as recruitment, creditworthiness, education, essential services, law enforcement and critical infrastructure — or if it is a safety component of, or itself, a product already regulated under Annex I (such as medical devices or machinery). A narrow exception applies where an Annex III system does not pose a significant risk.
What obligations apply to providers?
Providers carry the heaviest load: a continuous risk-management system, data governance, detailed technical documentation, record-keeping and logging, transparency to deployers, human-oversight design, and appropriate accuracy, robustness and cybersecurity — plus a conformity assessment before the system is placed on the market.
What obligations apply to deployers?
Deployers must use the system in line with its instructions, ensure competent human oversight, monitor its operation, keep logs, and inform people where required. Certain deployers — including public bodies and some others — must also carry out a Fundamental Rights Impact Assessment before use.
When do high-risk rules apply?
Most high-risk obligations were due in 2026 and 2027. Under the Digital Omnibus — a provisional political agreement reached in May 2026 — Annex III obligations are deferred to 2 December 2027 and Annex I product-embedded obligations to 2 August 2028. These take legal effect only once published in the EU Official Journal, so treat them as likely but not final. See the EU AI Act timeline.
How do you prepare?
Find your high-risk systems first: build an AI inventory and classify each system. For anything high-risk, stand up the risk-management, documentation and oversight controls now — the deferred dates buy time, not a reprieve. See our high-risk AI guide.
Frequently asked questions
What is high-risk AI under the EU AI Act?
AI that can significantly affect people's safety or fundamental rights — for example systems used in recruitment, credit, education or critical infrastructure.
How is an AI system classified as high-risk?
Either it is an Annex III use-case, or it is a safety component of (or is) a product regulated under Annex I, unless a narrow no-significant-risk exception applies.
What obligations apply to high-risk AI?
Risk management, data governance, documentation, logging, transparency, human oversight and accuracy — plus conformity assessment for providers.
When do high-risk AI rules apply?
Provisionally 2 December 2027 for Annex III systems and 2 August 2028 for Annex I product-embedded AI, pending publication of the Digital Omnibus.
What is a FRIA?
A Fundamental Rights Impact Assessment — required of certain deployers of high-risk AI before they put the system into use.
What's the first step for high-risk AI?
Build an AI inventory and classify each system — you cannot meet high-risk obligations for systems you have not identified.
Last updated 19 June 2026.