High-Risk AI Systems: Prepare for EU AI Act Annex III Compliance

High-risk AI systems are defined by Annex III of the EU AI Act (Regulation 2024/1689) as AI systems deployed in eight critical areas: biometrics, critical infrastructure management, education and vocational training, employment and worker management, access to essential private services (including credit scoring), law enforcement, migration and asylum management, and administration of justice and democratic processes. Providers of these systems must conduct a conformity assessment, maintain detailed technical documentation, implement a risk management system under Article 9, ensure human oversight, and register the system in the EU AI database before deployment. From August 2026, non-compliant high-risk AI systems cannot be lawfully placed on or used in the EU market, with fines reaching EUR 15 million or 3% of global turnover.

Our AI Act compliance team combines legal expertise in the Regulation with technical experience in machine learning systems, algorithmic risk assessment, and regulated product certification processes.

The Annex III Reality Check

Annex III of the AI Act is the list most companies need to know and fewest have read carefully. Eight categories of AI systems — from credit scoring to recruitment screening, critical infrastructure management, and biometric identification — are subject to an obligations regime substantially more demanding than the rest of the Regulation. The question is not theoretical: if your organisation uses AI to make or influence decisions about individuals in any of these contexts, the August 2026 obligations apply directly to you.

Classification Is Not Obvious

Classification as high-risk depends not only on the technology, but on the specific use made of it. A facial recognition system used internally for access control at a facility may not be high-risk; the same system used to identify individuals in public spaces likely is. A machine learning model that helps managers prepare performance evaluations may sit in a grey area; the same model generating scores that directly determine promotions or dismissals probably falls within Annex III. Classification confirmation is the first service we provide because it is the foundation for everything that follows.

The Technical Documentation Requirement

The technical documentation required by Annex IV is extensive and specific. It is not a generic descriptive document but a set of technical evidence covering how the system functions, on what data it was trained, how its performance was evaluated, what biases were detected and how they were mitigated, and how human oversight is guaranteed in operational use. Preparing this documentation requires collaboration between the legal team and the technical team that developed or integrated the system — a process we coordinate end to end.

Integrating AI Act and GDPR Obligations

For high-risk AI systems that process personal data — which includes virtually all recruitment screening, financial scoring, and biometric identification systems — AI Act compliance must be coordinated with GDPR and data protection obligations. The AI Act’s fundamental rights impact assessment and the GDPR’s data protection impact assessment (DPIA) are not redundant but do overlap: an integrated process avoids duplication and ensures the two compliance frameworks are mutually consistent.

Post-Market Monitoring as Ongoing Obligation

Post-market monitoring is perhaps the most underestimated AI Act obligation for high-risk systems. Compliance at the moment of deployment is not sufficient: the Regulation requires a continuous system for collecting and analysing data on actual system operation. This means defining performance and fairness indicators, establishing alert thresholds that trigger reviews, and maintaining records that demonstrate the system continues to operate in accordance with the original conformity assessment. We design these monitoring systems to be operationally viable without generating disproportionate burden on technical teams — and to provide the audit trail that both the AI Act and AI governance best practice require.