3.3 — High-Risk AI Systems (Articles 6–49)
High-risk AI systems are the most heavily regulated category under the EU AI Act. They are subject to comprehensive requirements including risk management, data governance, technical documentation, human oversight, accuracy, robustness, and cybersecurity standards. There are two distinct pathways for classifying an AI system as high-risk.
Category 1: AI systems that are safety components of products already covered by EU harmonization legislation (e.g., medical devices under MDR, machinery under the Machinery Regulation, toys, aviation systems) AND require a third-party conformity assessment under that legislation.
Category 2: AI systems listed in Annex III of the Act, covering specific high-risk use cases across eight areas. These standalone AI systems are considered high-risk regardless of whether they are embedded in a larger product.
| # | Area | Examples |
|---|---|---|
| 1 | Biometric Identification and Categorization | Remote biometric identification (non-real-time), biometric categorization by sensitive attributes |
| 2 | Critical Infrastructure Management | AI managing road traffic safety, water/gas/heating/electricity supply |
| 3 | Education and Vocational Training | AI determining access to education, evaluating learning outcomes, monitoring exam integrity |
| 4 | Employment and Worker Management | AI for recruitment, screening, interview evaluation, promotion decisions, task allocation, performance monitoring, termination |
| 5 | Access to Essential Services | AI assessing creditworthiness, evaluating insurance risk/pricing, evaluating eligibility for public benefits |
| 6 | Law Enforcement | AI for risk assessment of natural persons, polygraph/emotion detection, evidence analysis, crime prediction (at area level) |
| 7 | Migration, Asylum, and Border Control | AI for risk assessment of migrants, document authentication, application evaluation |
| 8 | Administration of Justice and Democracy | AI assisting judicial authorities in researching/interpreting facts and law, used in elections/referendums |
Provider vs Deployer Obligations
Exam questions frequently test the distinction between provider and deployer obligations. Key differentiators:

- Providers build the system and are responsible for design-time obligations (technical documentation, conformity assessment, CE marking).
- Deployers use the system and are responsible for use-time obligations (human oversight assignment, fundamental rights impact assessment, log retention, informing affected individuals).
- If a deployer modifies a high-risk AI system substantially, they become the provider.