Zum Hauptinhalt springen
← Back to blog

Annex III: High-Risk AI Categories Explained

Share on LinkedIn

2 min read

Table of Contents

Annex III is the operational backbone for identifying high-risk AI contexts under the EU AI Act. Many teams misread it as a technical complexity list; in reality, it is an impact-context list. A relatively simple model can be high-risk if it influences employment, access to essential services, education outcomes, safety-related operations, or other rights-sensitive domains.

Why Annex III classification is critical

Classification affects compliance depth. If a use case is treated as high-risk candidate, teams need stronger governance: risk management, data quality controls, technical documentation, logging, oversight, and lifecycle monitoring. If classification is skipped, control design is usually under-scoped.

Practical SME interpretation by domain

Employment and worker management

Screening, ranking, and evaluation tools can materially affect opportunity and income. This is often the first high-risk exposure for SMEs.

Essential service access

Credit, insurance, and eligibility logic can affect inclusion and economic mobility. Decision transparency and review pathways are crucial.

Education and training

Assessment and progression-related AI can influence educational outcomes and long-term opportunity.

Safety and infrastructure-adjacent contexts

Systems that influence operational safety, critical process control, or high-consequence environments require heightened reliability and governance.

Sensitive public functions

Certain migration, law-enforcement, and justice-adjacent contexts carry elevated rights and due-process implications.

Annex III mapping workflow

  1. Document exact use context per AI workflow.
  2. Map workflow to candidate Annex III category.
  3. Record rationale with legal/compliance review notes.
  4. Assign control depth based on confirmed classification.
  5. Reassess after substantial modification or workflow expansion.

Classification quality controls

  • No category assignment without written rationale.
  • No high-impact deployment without oversight design.
  • No unresolved "unknown" category entries in production.
  • Quarterly review of Annex III mapping register.

Common misclassification errors

  1. Classifying by model type instead of use impact.
  2. Assuming vendor responsibility replaces deployer duties.
  3. Not reclassifying when business process changes.
  4. Ignoring rights impact in "advisory" outputs that shape decisions.

Final takeaway

Annex III should be embedded in product and procurement gates. Early mapping prevents both over-compliance on low-impact workflows and under-compliance on high-impact ones. For SMEs, this precision is the fastest path to efficient compliance.

Related resources

Compliance templates Fine calculator Glossary Risk quiz

Related articles

High-Risk AI Systems: Are You Affected?

Many companies are closer to Annex III obligations than they think. Here is how to assess your exposure.

Read article →

Conformity Assessment for High-Risk AI: Step by Step

How teams can prepare for high-risk AI conformity assessment with practical documentation and control workflows.

Read article →

Machen Sie unsere kostenlose Risikobewertung

Finden Sie in 2 Minuten heraus, wo Ihr Unternehmen unter der EU-KI-Verordnung steht.

Quiz starten