EU AI Act Annex III: Classifying High-Risk AI
By AgentWorks Team · AI agents for European teams
The team behind AgentWorks — building EU-compliant AI agents and multi-LLM workflows for European teams.
Reviewed June 6, 2026
TL;DR
This article walks through the eight EU AI Act Annex III categories that trigger high-risk classification, with particular focus on employment and essential-services use cases that business AI teams often underestimate. It includes the Article 6(3) exception and a practical checklist for classifying AI agents before deployment.
EU AI Act Annex III: Classifying High-Risk AI Systems
Most teams building AI agents assume the EU AI Act's toughest rules apply to someone else, usually a defense contractor or a biometric surveillance vendor. Then they look closely at Annex III and find their HR screening bot or credit-scoring assistant sitting squarely inside a high-risk category they had not considered.
Annex III is the list that decides which AI systems trigger the AI Act's heaviest obligations: conformity assessments, mandatory logging, human oversight design, and registration in an EU database, among others. Getting the classification right at the design stage is far cheaper than retrofitting compliance onto a system already in production.
The eight Annex III categories
Under Article 6(2), an AI system intended for one of these purposes is classified as high-risk, unless a narrow exception applies:
- Biometrics — remote biometric identification, biometric categorization based on sensitive attributes, and emotion recognition systems
- Critical infrastructure — safety components in the management of critical digital infrastructure, road traffic, or water, gas, heating, and electricity supply
- Education and vocational training — systems that determine access to institutions, or assess and evaluate students
- Employment and worker management — recruitment, hiring, promotion, termination, task allocation, or performance monitoring
- Essential private and public services — creditworthiness evaluation, insurance risk assessment and pricing for life and health insurance, and eligibility for public assistance benefits
- Law enforcement — risk assessment, evidence evaluation, and profiling in criminal contexts
- Migration, asylum, and border control — risk assessment, examination of applications, and detection of specific individuals
- Administration of justice and democratic processes — systems assisting judicial authorities in researching or interpreting facts and law
The category that catches most business software builders off guard
Employment and worker management is the one companies underestimate most often, because it does not sound like the dramatic "high-risk AI" the headlines describe. But an agent that screens résumés, ranks candidates, drafts performance review language, or flags employees for termination review falls inside this category almost by definition, regardless of how conversational or "assistive" the tool feels to the person using it.
The same applies to essential services. A support agent that only answers billing questions is low risk. The moment that same agent's output feeds into a decision about credit terms, insurance pricing, or loan eligibility, even as one input among several, the system it's embedded in likely needs high-risk classification. The trigger is the purpose the output serves, not how autonomous the AI feels.
The exception clause most guidance skips
Article 6(3) carves out a narrow exception: a system in an Annex III category is not high-risk if it does not materially influence the outcome of the decision, performs a narrow procedural task, improves the result of a previously completed human activity, or detects patterns without replacing human assessment. This exception does not apply, however, if the system profiles natural persons — profiling automatically pulls the system back into high-risk status regardless of how narrow its stated task is.
This exception matters because it means not every AI touching an Annex III domain is automatically high-risk. A tool that pre-sorts résumés by keyword match for a human recruiter to review, without scoring or ranking candidates, may fall under this carve-out. A tool that assigns each candidate a fit score does not, because scoring is squarely the kind of evaluative output the exception excludes. The line is thin enough that most legal teams treat borderline cases as high-risk by default rather than betting on the exception holding up under review.
What high-risk classification actually requires
Once a system is classified as high-risk, the obligations are substantial, not just paperwork:
- A risk management system covering the full lifecycle
- Data governance ensuring training, validation, and testing data meets quality criteria
- Technical documentation demonstrating compliance before market placement
- Automatic logging throughout operation (Article 12)
- Transparency and instructions for use enabling deployers to operate the system correctly
- Human oversight measures built into the system design, not bolted on afterward
- Accuracy, robustness, and cybersecurity requirements appropriate to the system's purpose
Providers bear most of this burden, but deployers (the companies actually running the system) inherit real obligations too, including ensuring human oversight is exercised in practice and monitoring the system's operation.
A practical classification checklist
Before building or buying an AI agent for any employment, credit, insurance, education, or public-service use case:
- Identify what decision or output the AI feeds into, not just what task it performs
- Check whether that decision area appears in the eight Annex III categories
- If it does, test the Article 6(3) exception carefully: does the system score, rank, or profile individuals, or does it only assist a human who retains full judgment
- If borderline, document the reasoning either way, because the classification decision itself needs to be defensible
- If high-risk, build logging, human oversight, and documentation into the system from day one rather than retrofitting them before a deadline
Building on infrastructure that assumes this from the start
Retrofitting Article 12 logging, human oversight gates, and documentation onto a system already in production is a multi-month project most teams underestimate. Choosing a platform where audit trails, approval gates, and role-based access are default behavior rather than features you bolt on later removes that risk before it exists. See how AgentWorks approaches AI Act readiness for agents touching employment, credit, and other Annex III domains.
Classification is not a one-time exercise either. Adding a new capability to an existing agent, such as letting an HR assistant also rank candidates instead of just summarizing applications, can move a system from low-risk to high-risk overnight. Re-check the classification every time the agent's scope changes, not just when it launches.
About the author
AgentWorks Team · AI agents for European teams
AgentWorks is an AI agent platform purpose-built for European teams that need EU AI Act-ready governance, multi-LLM choice across OpenAI, Anthropic, Google and Mistral, and transparent per-token € pricing.
Read more about AgentWorksRelated articles
Read article: PII Masking for LLMs: Keep Personal Data Out of Prompts ComplianceJuly 6, 20266 min readPII Masking for LLMs: Keep Personal Data Out of Prompts
Learn how gateway-level PII masking strips personal data from prompts before it reaches any model, and why it belongs in your AI stack by default.
Read more →Read article: No-Training, Zero-Retention AI & Your Data ComplianceJuly 6, 20266 min readNo-Training, Zero-Retention AI & Your Data
What no-training and zero-retention model contracts really mean, how they differ from consumer AI tools, and why they matter for your business data.
Read more →Read article: EU vs US AI Tools: Data Sovereignty for Business ComplianceJuly 6, 20266 min readEU vs US AI Tools: Data Sovereignty for Business
Why EU data residency and EU model endpoints matter when your data can't leave the bloc, and how to evaluate AI tools against that constraint.
Read more →