EU AI Act Annex III: The Eight Categories That Define High-Risk AI
Annex III of the EU AI Act lists the eight categories of AI systems classified as high-risk. Inclusion in Annex III triggers the full obligations of Articles 8 to 27 from August 2, 2026. Most enterprise teams are inside the scope without realizing it.

Annex III of the EU AI Act lists the eight categories of AI systems classified as high-risk under Article 6(2). Inclusion in Annex III triggers the full operational regime: Article 12 record-keeping, Article 13 transparency, Article 14 human oversight, Article 15 accuracy and cybersecurity, Article 26 deployer obligations, and the Article 99 penalty exposure of €15 million or 3% of global annual turnover. The regime takes effect on August 2, 2026. Many enterprise teams I talk to are inside the scope of Annex III through use cases they did not classify as high-risk on first reading.
I want to walk through what the eight Annex III categories actually cover, where the common mis-classifications sit, and what the scope test means for compliance work.
Mandate
Annex III enumerates the categories of AI systems that are high-risk by virtue of the use case. The categories are listed by application domain. A system that falls within a listed category is high-risk regardless of the underlying model architecture or the technical sophistication of the system.
The Commission has authority to amend Annex III to add new high-risk categories and to remove categories where the risk profile has changed. The list is therefore not static. The current list is the operational starting point for compliance scoping.
Category 1: Biometric systems
Biometric identification systems used for remote identification of natural persons fall under Annex III, along with biometric categorization systems based on sensitive attributes and emotion recognition systems. Real-time remote biometric identification in publicly accessible spaces for law enforcement is separately prohibited under Article 5. Annex III covers the post-incident and non-law-enforcement uses that remain permitted but high-risk.
Category 2: Critical infrastructure
AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, water supply, gas, heating, and electricity fall under Annex III. The scope test turns on whether the system is a safety component of the infrastructure. A monitoring tool that produces advisory output may not qualify. A system that makes operational control decisions does.
Category 3: Education and vocational training
AI systems used to determine access to educational and vocational training institutions, to evaluate learning outcomes, to assess the level of education a person will achieve, and to monitor and detect prohibited behavior during tests fall under Annex III. The scope reaches admissions tools, automated grading systems, and proctoring software.
Category 4: Employment, workers management, and access to self-employment
AI systems used for recruitment, selection, hiring decisions, work-related decisions affecting career progression, work allocation, and performance evaluation fall under Annex III. The scope covers resume screening tools, automated hiring decision support, and any AI system that participates in promotions, terminations, or task assignments.
Category 5: Access to essential private and public services
AI systems used for eligibility evaluation of access to public benefits and services, credit scoring of natural persons (other than fraud detection), risk assessment and pricing of life and health insurance, and emergency call dispatching fall under Annex III. The credit scoring inclusion is the broadest. Most consumer lending AI in the EU is high-risk under Annex III.
Category 6: Law enforcement
AI systems used by law enforcement authorities for risk assessment of natural persons, polygraph-equivalent systems, evaluation of the reliability of evidence, profiling of natural persons in the course of detection or investigation, and crime analytics fall under Annex III. The category is constrained to law enforcement use and overlaps with Article 5 prohibitions for some use cases.
Category 7: Migration, asylum, and border control management
AI systems used by competent authorities for risk assessment of natural persons entering or seeking to enter the territory, to examine applications for asylum, visa, or residence, and for verification of authenticity of travel documents fall under Annex III. The category covers both decision-making and decision-support tools.
Category 8: Administration of justice and democratic processes
AI systems used by a judicial authority or arbitral body to research and interpret facts and law and to apply law to a concrete set of facts fall under Annex III. AI systems intended to be used to influence the outcome of elections or referenda or the voting behavior of natural persons also fall under the category.
Compliance gap
Most enterprise teams I look at have built compliance scoping for some Annex III categories and missed others.
The credit scoring inclusion is the largest
Category 5 includes credit scoring of natural persons. The scope reaches B2C lending, BNPL, credit card underwriting, and any consumer financial decision that depends on an automated risk score. The vendor SaaS tools that produce these scores under the hood are inside Annex III. The deployer is the financial institution that uses them.
The recruitment inclusion catches HR tooling
Category 4 includes resume screening, hiring decision support, and any AI system that participates in employment decisions. The scope reaches third-party recruiting platforms, internal HR tooling that uses LLMs for candidate evaluation, and performance management systems that use AI to inform reviews. Many HR teams have rolled out AI features in the past eighteen months without classifying the system as high-risk.
Cross-category overlap is common
A single system can fall under multiple Annex III categories. An AI tool used in a hospital may be high-risk under Category 5 (access to essential services) and under the medical device regulation that interacts with the AI Act. A workforce-analytics tool may be high-risk under Category 4 (workers management) and under GDPR's automated decision-making provisions. The compliance posture must address each applicable category independently.
How to scope a system against Annex III
The scope test runs in three steps. First, identify the use case the system is deployed for, not the underlying technology. A general-purpose LLM used for resume screening is high-risk under Category 4. The same LLM used to summarize internal documents is not high-risk.
Second, check whether the use case is enumerated in any of the eight Annex III categories or in Article 5. Annex III triggers the high-risk regime. Article 5 prohibits the use outright.
Third, check whether the Article 6(3) carve-out applies. The carve-out removes a system from the high-risk regime if the system is intended to perform a narrow procedural task, to improve the result of a previously completed human activity, to detect decision-making patterns without replacing or influencing the human assessment, or to perform a preparatory task. The carve-out is narrow and intentionally so. It does not remove systems that materially influence a decision.
DeepInspect
The Annex III scope is the entry point. The infrastructure to satisfy the regime applies uniformly across the eight categories. DeepInspect sits as a stateless proxy between the application and the LLM, applying identity-bound policy and producing per-decision audit records. The same proxy works for a credit scoring deployment, an HR system, a healthcare decision-support tool, and a public benefits eligibility system.
For Annex III scoping, the operational answer is to apply the high-risk infrastructure to every system that touches the listed categories, not to debate scope at the margin. The cost of over-applying is operational. The cost of under-applying is exposure to the Article 99 penalty.
If you have AI deployments that touch credit, employment, education, healthcare, public services, law enforcement, migration, or judicial work, your Annex III readiness is a scope-and-evidence question, not a model question.
Frequently asked questions
- Is a chatbot used for customer support high-risk under Annex III?
A generic customer support chatbot is not high-risk under Annex III by default. The Annex III categories are listed by use case, and customer support is not enumerated. The chatbot becomes high-risk if it is used for eligibility evaluation of access to services, credit decisions, or any of the other listed categories. A chatbot that helps a user navigate insurance options without making eligibility or pricing decisions sits outside Annex III. A chatbot that recommends specific insurance products based on the user's profile may fall under Category 5.
- Does Annex III apply to internal-only AI tools?
The Annex III categories are not limited to externally facing systems. Internal HR tools used for hiring or performance management fall under Category 4. Internal training and credentialing systems may fall under Category 3. Internal credit decision support tools fall under Category 5. The scope test is the use case, not whether the system is exposed externally. Internal-only deployment does not exempt the system.
- How does the Article 6(3) carve-out work?
The Article 6(3) carve-out removes a system from the high-risk regime if it performs only a narrow procedural task, improves a previously completed human activity, detects decision-making patterns without replacing the human assessment, or performs a preparatory task. The provider must document the carve-out classification and notify the national authority on request. The deployer must verify the classification holds in their deployment context. A system used outside the documented carve-out conditions reverts to high-risk treatment.
- Can the Commission add categories to Annex III?
Yes. Article 7 grants the Commission authority to amend Annex III through delegated acts. The Commission must assess whether the new category poses a risk of harm to health, safety, or fundamental rights equivalent to the existing categories. The amendment process includes consultation with the AI Office and the AI Board. New categories that have been signaled in policy discussion include AI in generative content moderation, AI in scientific publication review, and AI in autonomous transport beyond the road traffic safety component already listed.
- What happens to a system that is high-risk under one Member State's interpretation but not another's?
The EU AI Act applies uniformly across Member States. National competent authorities are obliged to apply the same classification rules. In practice, interpretive divergence can occur at the margin. The AI Office and the AI Board are charged with producing guidance to harmonize interpretation. Deployers operating across multiple Member States should default to the most conservative classification when interpretive divergence exists, because the highest-risk classification governs the overall compliance