Is My AI System High-Risk Under the EU AI Act?
Whether your AI system is high-risk under the EU AI Act comes down to two tests in Article 6, plus a narrow set of exceptions, and most SMBs can self-check in minutes.
How high-risk is decided (Article 6)
Under the EU AI Act (Regulation (EU) 2024/1689), an AI system is high-risk if it meets either of two tests in Article 6. First test: the system is a safety component of a product covered by EU harmonisation law listed in Annex I (for example machinery, medical devices, lifts, toys), or it is itself such a product, and that product must undergo third-party conformity assessment. Second test: the system is used in one of the specific use cases listed in Annex III (Article 6(2)).
There is one important carve-out. Article 6(3) says an Annex III system is NOT high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights, including where it only performs a narrow procedural task, improves the result of a prior human activity, detects decision patterns without replacing human judgement, or does preparatory work. That exception does not apply if the system performs profiling of individuals: profiling always keeps it high-risk. If you rely on the carve-out, you must document your reasoning and register the system, so treat it as a decision to evidence, not a loophole.
Self-check: the Annex III categories an SMB is likely to hit
Go through these Annex III use cases. If your AI system is used for any of them, assume it is high-risk until you have documented otherwise.
- Recruitment and HR (Annex III, point 4): screening or filtering job applications, ranking or evaluating candidates, and AI used in promotion, termination, task allocation, or monitoring and evaluating performance of workers.
- Credit and insurance (Annex III, point 5): evaluating creditworthiness or producing a credit score (excluding detecting financial fraud), and risk assessment and pricing for life and health insurance.
- Education and vocational training (Annex III, point 3): deciding admission or assignment, evaluating learning outcomes, assessing the appropriate level of education, or monitoring and detecting prohibited behaviour during tests.
- Biometrics (Annex III, point 1): remote biometric identification, biometric categorisation by sensitive attributes, and emotion recognition (where not otherwise prohibited).
- Essential private and public services (Annex III, point 5): determining eligibility for public assistance benefits and services, and dispatching or prioritising emergency services.
- Critical infrastructure (Annex III, point 2): safety components in the management and operation of digital infrastructure, road traffic, or the supply of water, gas, heating and electricity.
- Law enforcement, migration and administration of justice (Annex III, points 6 to 8): typically relevant only if you sell into or operate in those sectors.
Are you the provider or the deployer?
Your obligations differ depending on your role, so classify that at the same time. A provider develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority in a professional context. Most SMBs are deployers of high-risk systems built by someone else; if you embed or ship an AI feature in your own product, you are likely a provider.
This matters because providers carry the heavier load (the Article 9 to 15 requirements, technical documentation, conformity assessment and CE marking), while deployers have a defined but lighter set of duties under Article 26, such as using the system per instructions, ensuring human oversight, monitoring operation, and keeping logs. Note that under Article 25 a deployer can become a provider, for example by putting its own name on a high-risk system or making a substantial modification.
What to do if your system is high-risk
Confirming high-risk is the start, not the verdict. Work the result into a documented compliance plan rather than a single yes or no.
- Write down the classification and the legal basis: cite Article 6 and the exact Annex III point, and record whether the Article 6(3) carve-out applies and why.
- Pin your role and the date the obligations bite: most high-risk obligations apply from 2 August 2026, and high-risk AI embedded in regulated products from 2 August 2027.
- If you are a provider, build the evidence pack: a risk-management system (Article 9), data governance (Article 10), technical documentation per Annex IV (Article 11), logging (Article 12), transparency and human oversight (Articles 13 and 14), accuracy, robustness and cybersecurity (Article 15), then conformity assessment and the EU declaration of conformity (Article 47).
- If you are a deployer, meet Article 26: follow the provider's instructions, assign competent human oversight, monitor the system, and keep the logs it generates.
- Cover the duties already in force regardless of tier: prohibited practices and AI-literacy obligations have applied since 2 February 2025.
Get it right the first time
Misclassification cuts both ways: calling a high-risk system minimal leaves you exposed (penalties reach up to EUR 15M or 3% of global annual turnover for breaches of the high-risk rules, and up to EUR 35M or 7% for prohibited practices), while over-classifying buries a small team in documentation it never needed. The fix is a defensible, repeatable method that cites the law for every answer.
ComplyAgent runs a guided classification wizard that asks about each system, applies the Article 6 and Annex III tests, flags the Article 6(3) carve-out, and records the citation behind every decision so you have an audit trail. Because you classify once and comply across three frameworks, the same answer also feeds your NIST AI RMF and ISO/IEC 42001 work.
Note: a proposed EU Digital Omnibus would adjust some timelines, but it is PROPOSED and NOT yet adopted. Plan against the dates that are currently in force.
Last reviewed June 2026 by the ComplyAgent team.