What is Annex III of the EU AI Act?
Annex III is the authoritative list in Regulation (EU) 2024/1689 that defines 8 areas where AI systems are presumed high-risk under Article 6(2). If your AI system is intended for use in one of these areas, it automatically falls into the high-risk tier and must comply with the full suite of Chapter III, Section 2 obligations—including conformity assessment (Article 43), risk management (Article 9), data governance (Article 10), technical documentation (Articles 11 & Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight (Article 14), and accuracy/robustness/cybersecurity controls (Article 15).
Unlike generic "AI best practices," Annex III is a legal trigger. Being on this list means your system faces strict requirements and potential fines of up to EUR 15 million or 3% of global annual turnover for non-compliance with high-risk obligations (Article 99(4)). Under the May 7, 2026 political agreement on the AI Omnibus, rules for systems in certain high-risk areas are scheduled for December 2, 2027; product-integrated high-risk rules are scheduled for August 2, 2028. These revised dates remain subject to completion of the legal adoption process. (Sources: Regulation (EU) 2024/1689, EUR-Lex; European Commission timeline)
The 8 Annex III High-Risk Categories: Complete Overview
Below is a compact comparison table of all 8 categories. Each section that follows provides detailed examples, common misconceptions, and guidance on what is and is not caught.
| Category | Area | Typical SaaS Trigger | Common Misconception |
|---|---|---|---|
| §1 | Biometrics | Remote biometric ID, emotion recognition, categorization | Thinking Face ID login exempts you (it doesn't if remote or categorizing) |
| §2 | Critical Infrastructure | Safety components for utilities, traffic, digital infrastructure | Assuming SaaS never touches infrastructure (wrong if you manage utilities/traffic) |
| §3 | Education & Vocational Training | Admission decisions, exam grading, student assessment, supervision | Thinking only K-12 is covered (vocational training and corporate L&D also count) |
| §4 | Employment & Workers Management | Recruitment ranking, promotion decisions, performance monitoring, termination | Believing only fully automated hiring is caught (any ranking/filtering counts) |
| §5 | Essential Services & Benefits | Credit scoring, insurance pricing, benefit eligibility, emergency dispatch | Thinking fraud detection is high-risk (it's explicitly exempt for credit scoring) |
| §6 | Law Enforcement | Risk assessment, polygraph/lie detection, evidence evaluation, crime detection | Assuming this never applies to SaaS (wrong if you sell to police/prosecutors) |
| §7 | Migration, Asylum, Border Control | Visa/permit eligibility, risk assessment, lie detection | Believing only government systems are covered (SaaS sold to agencies counts) |
| §8 | Administration of Justice & Democratic Processes | Legal research influencing decisions, case outcome prediction, election management | Thinking generic legal research tools are exempt (they're high-risk if they influence outcomes) |
Category-by-Category Deep Dive
1. Biometrics (Annex III §1)
What's covered: AI systems for remote biometric identification (e.g., facial recognition from CCTV), biometric categorization (inferring race, gender, political views from biometric data), and emotion recognition from biometric data.
B2B SaaS examples — IS caught:
- A recruiting platform that analyzes video interview recordings to score candidate "confidence" or "enthusiasm" based on facial expressions → high-risk emotion recognition.
- An access control SaaS that remotely identifies employees walking into an office from networked cameras → high-risk remote biometric identification.
- A compliance tool sold to law enforcement that categorizes detained individuals by ethnicity using facial scans → high-risk biometric categorization.
B2B SaaS examples — NOT caught (or lower-risk):
- A local device unlock using fingerprint or Face ID where the biometric template never leaves the device and no remote server processes it → not remote, likely minimal risk.
- A tool that transcribes video interviews without analyzing facial expressions or body language → not biometric processing.
- A photo tagging feature that clusters faces without inferring sensitive attributes → depends; if it categorizes protected characteristics, it may be caught.
Key misconception: Many founders believe biometric authentication (like Face ID login) is always high-risk. It's not—unless it's remote (server-side identification across a network) or it categorizes sensitive characteristics. Local, device-bound biometrics generally fall outside Annex III §1.
2. Critical Infrastructure (Annex III §2)
What's covered: AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating, or electricity.
B2B SaaS examples — IS caught:
- A traffic management SaaS that controls traffic light timing to optimize flow → high-risk safety component for road traffic.
- An energy grid optimization platform that adjusts power distribution to prevent blackouts → high-risk safety component for electricity supply.
- A cybersecurity platform that automatically isolates critical network segments in a hospital or utility → high-risk safety component for critical digital infrastructure.
B2B SaaS examples — NOT caught:
- A generic cybersecurity tool for corporate networks that does not manage critical infrastructure → not in scope of §2.
- An energy usage analytics dashboard that only visualizes data without controlling infrastructure → minimal risk.
- A logistics SaaS that optimizes delivery routes (not traffic lights or road infrastructure) → not a safety component for road traffic.
Key misconception: Most SaaS companies assume they never touch critical infrastructure. However, if you sell to utilities, municipalities, or transport authorities and your system directly manages safety-critical operations (not just analytics), you may be in scope.
3. Education and Vocational Training (Annex III §3)
What's covered: AI systems intended for admission or assignment to educational/vocational training institutions, evaluation of learning outcomes (including exam grading and plagiarism detection when influencing grades), assessment of appropriate level of education, monitoring and detecting prohibited behavior during tests, and assessing students.
B2B SaaS examples — IS caught:
- An admissions platform that ranks applicants for university placement → high-risk admission decision system.
- An automated essay grading tool used in K-12 or corporate training that determines pass/fail outcomes → high-risk evaluation of learning outcomes.
- A proctoring SaaS that uses AI to flag "suspicious behavior" during online exams and influences grading or disciplinary decisions → high-risk monitoring and behavior detection.
B2B SaaS examples — NOT caught:
- A plagiarism checker that only highlights potential issues but leaves the grading decision entirely to the instructor → potentially qualifies for Article 6(3) derogation as a narrow procedural task.
- A learning management system (LMS) that delivers course content and tracks completion without evaluating outcomes → minimal risk.
- A corporate training platform that recommends courses based on job role but does not influence performance reviews or promotions → not in scope of §3.
Key misconception: Many believe only K-12 and universities are covered. Vocational training explicitly includes corporate learning & development programs. If your SaaS is used to evaluate employees in training or assign certifications, it may be high-risk.
4. Employment, Workers Management, and Access to Self-Employment (Annex III §4)
What's covered: AI systems for recruitment/selection (targeting, analyzing, filtering, ranking candidates), making promotion/termination decisions, task allocation, and monitoring/evaluating performance and behavior of workers.
B2B SaaS examples — IS caught:
- An applicant tracking system (ATS) that scores and ranks resumes to shortlist candidates → high-risk recruitment system under §4(a).
- A performance management platform that uses AI to recommend employees for promotion or termination → high-risk promotion/termination decision system under §4(b).
- A warehouse productivity tool that monitors worker movements and flags "underperformers" for disciplinary action → high-risk monitoring/evaluation under §4(c).
- A freelance marketplace that uses AI to allocate gig assignments based on ratings and predicted performance → high-risk task allocation under §4(b).
B2B SaaS examples — NOT caught:
- A tool that only transcribes job interviews without analyzing content or ranking candidates → not evaluating or filtering candidates.
- A scheduling app that assigns shifts based on employee availability (not performance evaluation) → likely qualifies for Article 6(3) derogation as narrow procedural task.
- An internal Slack bot that suggests meeting times → minimal risk.
Key misconception: Some believe only fully automated hiring (zero human involvement) is high-risk. Wrong. Any AI-driven ranking, filtering, or scoring of candidates—even if a human makes the final call—is caught by §4. The regulation explicitly covers systems that "are intended to be used for" these purposes, not just those that make final decisions autonomously.
5. Access to and Enjoyment of Essential Private Services and Public Services and Benefits (Annex III §5)
What's covered: AI systems used to evaluate eligibility for essential public assistance benefits/services (including healthcare), to grant/reduce/revoke such benefits, to evaluate creditworthiness or establish credit scores (except fraud detection), to dispatch or prioritize emergency first responders, to evaluate/classify emergency calls, and to assess risk/pricing for life/health insurance.
B2B SaaS examples — IS caught:
- A credit scoring SaaS that determines loan eligibility for consumers → high-risk under §5(b).
- An insurance underwriting platform that uses AI to set health insurance premiums → high-risk under §5(c).
- An emergency dispatch system that triages 911 calls and prioritizes ambulance deployment → high-risk under §5(d).
- A government benefit eligibility tool that determines who receives housing assistance → high-risk under §5(a).
B2B SaaS examples — NOT caught (or explicitly exempt):
- A fraud detection tool used by banks to flag suspicious transactions → explicitly exempt under §5(b) ("with the exception of AI systems used for the purpose of detecting financial fraud").
- A generic customer support chatbot for a SaaS product (not essential services) → limited-risk, not Annex III.
- A scheduling tool for non-emergency medical appointments → likely Article 6(3) derogation if it only handles scheduling logistics.
Key misconception: Many assume all financial AI is high-risk. Not true. Fraud detection is explicitly carved out of §5(b). However, credit scoring, loan decisioning, and insurance pricing are high-risk.
Ready to classify your AI system?
Use our free EU AI Act Deployer Assessment to determine if your system is high-risk under Annex III in under 2 minutes. Get a detailed classification report and next-step compliance guidance.
Start Free Assessment6. Law Enforcement (Annex III §6)
What's covered: AI systems for assessing risk of natural persons becoming crime victims or offenders, polygraphs and similar lie-detection tools, evaluating reliability of evidence, assessing risk of recidivism, profiling during crime detection/investigation/prosecution, and crime analytics predicting occurrence/reoccurrence.
B2B SaaS examples — IS caught:
- A predictive policing platform sold to police departments that identifies high-crime areas or individuals → high-risk under §6(e) and §6(f).
- A case management tool for prosecutors that uses AI to assess evidence reliability or recommend charges → high-risk under §6(c).
- A recidivism risk assessment tool used in parole decisions → high-risk under §6(b).
B2B SaaS examples — NOT caught:
- A generic document management system for police departments (no AI-driven decision-making) → minimal risk.
- A public records database with keyword search (no profiling or risk assessment) → not in scope.
Key misconception: "We're a SaaS company, not law enforcement." If you sell to police, prosecutors, or courts, and your AI performs any of the §6 functions, you are a provider of a high-risk system.
7. Migration, Asylum, and Border Control Management (Annex III §7)
What's covered: AI systems for assessing eligibility for asylum/visas/residence permits, examining applications, assessing risk/security/irregular immigration threats, lie detection for border control, and examining/assessing complaints regarding fundamental rights violations by border authorities.
B2B SaaS examples — IS caught:
- A visa processing platform sold to immigration agencies that scores applicants for approval likelihood → high-risk under §7(a).
- A border control tool that uses AI to detect "deceptive behavior" during interviews → high-risk lie detection under §7(c).
- A refugee case management system that assesses risk or eligibility → high-risk under §7(a) and §7(b).
B2B SaaS examples — NOT caught:
- A translation tool used by immigration officers (no decision-making) → likely Article 6(3) derogation or minimal risk.
- A scheduling system for visa interview appointments → narrow procedural task, likely not high-risk.
8. Administration of Justice and Democratic Processes (Annex III §8)
What's covered:AI systems to assist judicial authorities in researching and interpreting facts/law and applying law to concrete facts, or AI systems intended to influence the outcome of an election/referendum or voting behavior (excluding tools that don't influence outcomes, like vote counting or basic accessibility features).
B2B SaaS examples — IS caught:
- A legal research platform that uses AI to predict case outcomes and recommend strategies to judges or lawyers → high-risk under §8(a) if it influences judicial decision-making.
- An e-petition platform that uses AI to prioritize or filter which petitions officials see → high-risk under §8(b) if it influences democratic processes.
- An election management system that uses AI to detect voter fraud patterns and flag ballots → high-risk under §8(b).
B2B SaaS examples — NOT caught:
- A generic legal research database with keyword search (no predictive analysis or outcome recommendations) → likely not high-risk.
- A basic vote-counting tool that only tallies results without anomaly detection or interpretation → explicitly not in scope per §8(b).
The Article 6(3) Derogation: A Critical But Narrow Escape Hatch
Article 6(3) provides a filter: An AI system in an Annex III area is not considered high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights — including by not materially influencing the outcome of decision making.
That threshold applies where any one of these four conditions is fulfilled (they are alternatives, not cumulative requirements):
- The AI system is intended to perform a narrow procedural task (e.g., converting unstructured data into structured data, classifying incoming documents into categories, detecting duplicates among applications).
- The AI system is intended to improve the result of a previously completed human activity (e.g., polishing the language of a human-written assessment).
- The AI system is intended to detect decision-making patterns or deviations from prior patterns, without replacing or influencing the previously completed human assessment absent proper human review.
- The AI system is intended to perform a preparatory task to an assessment relevant to an Annex III use case (e.g., file handling or indexing before a human evaluation).
The overriding exception: regardless of the conditions above, an Annex III system that performs profiling of natural persons is always high-risk. If your system evaluates personal aspects of a person (work performance, economic situation, reliability, behavior), the derogation is off the table.
Critically: Even if you believe your system qualifies for the derogation, you have a documentation and registration duty. Under Article 6(4), you must document your assessment before placing the system on the market, register the system under Article 49(2), and provide the documentation to national competent authorities on request. (Source: Article 6(3)–(4), Regulation (EU) 2024/1689)
Examples where Article 6(3) may apply:
- A scheduling tool that only assigns interview time slots based on calendar availability (no candidate evaluation).
- An automated email responder that confirms receipt of job applications without analyzing content.
- A plagiarism checker that highlights potential issues but leaves all grading decisions to instructors.
Examples where Article 6(3) does NOT apply:
- A resume screening tool that ranks candidates—materially influences outcome.
- A proctoring system that flags suspicious behavior—materially influences grading/disciplinary decisions.
- A credit scoring model that only performs "narrow" risk calculation—still materially influences loan approval.
How to Determine If Your AI System is High-Risk: Decision Flow
Follow this ordered process to classify your AI system under the EU AI Act:
- Step 1: Check if your system is Prohibited. Does it perform social scoring, cognitive manipulation, exploit vulnerabilities, or conduct untargeted biometric scraping? If yes → banned, cannot be placed on the market. (Article 5)
- Step 2: Is it a product-safety AI system? Is your AI a safety component of a product covered by EU harmonization legislation (medical devices, machinery, toys, aviation, etc.)? If yes → high-risk under Article 6(1); under the May 2026 political agreement, the rules are scheduled for August 2, 2028.
- Step 3: Is it in an Annex III area? Check if your system's intended use falls under any of the 8 Annex III categories. If yes → presumed high-risk under Article 6(2); under the May 2026 political agreement, rules for systems in certain high-risk areas are scheduled for December 2, 2027. (Source: European Commission high-risk guidance)
- Step 4: Can you claim the Article 6(3) derogation? First check the exception: does your system perform profiling of natural persons? If yes → always high-risk, no derogation possible. If no profiling, does it avoid materially influencing outcomes because it performs a narrow procedural task, improves a completed human activity, detects decision patterns without replacing human assessment, or performs a preparatory task? If yes → document your assessment before market placement and register under Article 49(2); the documentation records the basis for treating the system as not high-risk. If no → you are high-risk.
- Step 5: Does Article 50 transparency apply? If your system interacts with natural persons (chatbots, generative AI, synthetic media), you must disclose AI use unless it's obvious from context. Article 50 applies from August 2, 2026. (Source: European Commission Article 50 FAQ)
- Step 6: If none of the above apply → your system is minimal or no risk. No formal obligations, though voluntary codes of conduct are encouraged.
Shortcut: Use our free EU AI Act Deployer Assessment tool to walk through this decision tree in 2 minutes and get a detailed classification report.
What High-Risk Classification Means: Key Obligations
If your AI system is high-risk under Annex III, you must comply with the following obligations (summarized from Chapter III, Section 2):
- Risk Management System (Article 9): Establish, implement, document, and maintain a continuous risk management process.
- Data Governance (Article 10): Ensure training, validation, and testing datasets are relevant, representative, free of errors, and complete. Document data provenance and quality controls.
- Technical Documentation (Articles 11 & Annex IV): Compile comprehensive documentation describing the system's design, development, and operation. Must be kept for 10 years after the system is placed on the market.
- Record-Keeping / Logging (Article 12): Automatically log events during operation to enable traceability, ex-post verification, and accountability.
- Transparency to Deployers (Article 13): Provide clear instructions for use, including the system's capabilities, limitations, level of accuracy, and known risks.
- Human Oversight (Article 14): Design the system to enable effective human oversight. Ensure deployers can intervene, override, or stop the system.
- Accuracy, Robustness, Cybersecurity (Article 15): Achieve appropriate levels of accuracy, robustness against errors/faults/attacks, and cybersecurity throughout the system's lifecycle.
- Conformity Assessment (Article 43): Undergo conformity assessment (internal control or third-party, depending on system type) before placing the system on the market.
For a complete step-by-step compliance roadmap, see our EU AI Act Compliance Checklist for B2B SaaS.
Common Questions and Misconceptions
Is my chatbot high-risk under the EU AI Act?
Most customer service chatbots are NOT high-risk under Annex III. They fall under limited-risk and must comply with Article 50 transparency requirements (disclose that the user is interacting with an AI system).
However, a chatbot becomes high-risk if it makes decisions in an Annex III area. Examples:
- A chatbot that evaluates and ranks job candidates → high-risk under §4 (employment).
- A chatbot that determines loan eligibility → high-risk under §5 (credit scoring).
- A chatbot that triages emergency calls and dispatches responders → high-risk under §5 (emergency dispatch).
Does Annex III apply to internal AI tools?
Yes. Annex III applies to AI systems "put into service" for professional use within the EU, regardless of whether they are customer-facing or internal.
For example:
- An internal AI tool that screens job candidates for your own hiring → high-risk under §4, even if no customer ever sees it.
- An internal performance monitoring system that flags employees for termination → high-risk under §4.
When do Annex III obligations apply?
Under the May 7, 2026 political agreement on the AI Omnibus, rules for systems in certain high-risk areas are scheduled to apply from December 2, 2027. Product-integrated high-risk rules are scheduled for August 2, 2028. These are agreed revisions to the implementation timeline, not dates in the original Regulation text, and remaining legal adoption steps are not yet complete. (Source: European Commission high-risk guidance)
The original Regulation's Article 111(2) contains transitional treatment for certain systems already placed on the market, while the political agreement changes the high-risk implementation schedule. Check the final amending text and system-specific transition rules before relying on grandfathering; routine model updates or feature changes can affect the analysis. (Source: Article 111, Regulation (EU) 2024/1689)
What if I'm only using third-party APIs like OpenAI?
You are likely a Deployer, not a Provider. Deployers have lighter obligations than Providers, but you still must:
- Ensure the AI system you deploy is compliant (check for CE marking and conformity documentation from the Provider).
- Assign human oversight to trained, competent people (Article 26(2)).
- Monitor the system's operation and report serious incidents (Article 26(5)).
- Conduct a fundamental rights impact assessment if required (Article 27).
- Comply with transparency obligations (Article 50) if the system interacts with natural persons.
For a detailed deployer compliance guide, use our free Deployer Assessment tool.
Next Steps: Prepare for Article 50 and the High-Risk Rules
Article 50 applies from August 2, 2026, while the revised high-risk dates under the May 2026 political agreement are scheduled later. Here's what you should do now:
- Classify every AI system in your product and organization. Use our free deployer assessment to determine which systems are high-risk under Annex III.
- Document your Article 6(3) analysis (if applicable). If you believe any system qualifies for the derogation, write down your justification now. Regulators may ask to see it.
- For high-risk systems, start conformity assessment immediately. Compile technical documentation, implement logging and human oversight, and prepare for internal or third-party conformity assessment.
- For limited-risk systems, implement Article 50 transparency. Add clear disclosures to chatbots, generative AI outputs, and synthetic media.
- Build a compliance package. Organize your risk classifications, policies, vendor assessments, and evidence in one place. Govarna automates this for you—get started free.
Get EU AI Act ready in weeks, not months
Govarna provides deterministic risk classification, technical documentation templates, and compliance evidence tracking in exportable preparation packages. Start implementing the controls that apply to your systems today.