Back to Insights

    6 May 2026

    What Counts as High-Risk AI Under the EU AI Act?

    Not all AI is treated equally. Here's how the EU AI Act classifies high-risk systems — and what it means for your business.

    SH

    Sam Hawkins

    Syntra Automate

    Not all AI carries the same regulatory weight. A chatbot that helps customers find your opening hours is treated very differently from an AI system that decides who gets a loan, who gets shortlisted for a job, or whether a student passes an exam.

    The EU AI Act — Regulation (EU) 2024/1689 — draws clear lines between these categories. And for UK businesses that fall within scope, understanding where your AI systems sit on the risk scale is the single most important compliance question you need to answer before 2 August 2026.

    The four risk tiers

    The EU AI Act organises AI systems into four tiers:

    Unacceptable risk — Banned outright. This includes social scoring by governments, AI systems that exploit vulnerable groups, and most real-time biometric identification in public spaces. These prohibitions have applied since February 2025.

    High risk — Permitted, but subject to extensive obligations. This is where most of the compliance effort concentrates, and it is the category most relevant to UK businesses.

    Limited risk — Subject to transparency obligations only. If you deploy a chatbot, for example, users must be told they are interacting with AI. Providers of AI-generated content must ensure it is machine-detectable.

    Minimal risk — No specific obligations beyond existing law. Spam filters, AI in video games, and similar low-stakes applications fall here.

    The critical tier for most businesses is high risk. That is where the obligations — and the enforcement — are concentrated.

    What makes an AI system high-risk?

    High-risk classification comes through two routes under the EU AI Act.

    Route 1: Safety components. AI systems that serve as safety components in products already covered by existing EU harmonised legislation — such as medical devices, machinery, toys, or vehicles — are classified as high risk under Article 6(1).

    Route 2: Annex III categories. AI systems used in specific high-stakes areas listed in Annex III of the Act are classified as high risk under Article 6(2). This is the route that catches most UK businesses.

    Annex III: the categories explained

    Annex III lists eight areas where AI systems are deemed high risk. Here is what each means in practical terms that UK business leaders will recognise.

    1. Biometrics

    AI systems used for remote biometric identification, categorisation based on biometric data, or emotion recognition in workplaces and educational settings. If your business uses facial recognition for access control or monitors employee emotions via AI, this applies.

    2. Critical infrastructure

    AI used as safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, or electricity. Energy companies, utilities, and transport operators should pay close attention.

    3. Education and vocational training

    AI that determines access to education or vocational training, evaluates learning outcomes, or assesses the appropriate level of education for an individual. Universities, training providers, and e-learning platforms with EU-facing services are in scope.

    4. Employment, workers management, and access to self-employment

    This is one of the broadest and most relevant categories for UK businesses. It covers AI used for:

    • Placing job advertisements and screening or filtering applications
    • Evaluating candidates during recruitment
    • Making decisions on promotion, termination, or task allocation
    • Monitoring and evaluating worker performance and behaviour

    If you use any AI-powered recruitment tool — CV screening software, automated interview scoring, or algorithmic shortlisting — this is high risk. Full stop.

    5. Access to and enjoyment of essential private services and public services

    AI used to evaluate creditworthiness or establish credit scores. AI used in risk assessment and pricing for life and health insurance. AI used to evaluate and classify emergency calls. AI used to assess eligibility for public assistance benefits.

    For UK financial services firms with EU customers, credit scoring tools and insurance pricing algorithms are squarely in this category.

    6. Law enforcement

    AI used for risk assessments of natural persons (such as polygraph tools), as well as AI used in profiling, crime analytics, or assessing the reliability of evidence. This is primarily relevant to law enforcement agencies and their technology suppliers.

    7. Migration, asylum, and border control management

    AI used in processing asylum applications, border control, or risk assessments related to irregular migration. Relevant mainly to government bodies and their contractors.

    8. Administration of justice and democratic processes

    AI used to research and interpret facts and law, or to apply the law to facts. Legal technology providers should assess their products carefully against this category.

    What UK businesses should actually worry about

    For the majority of UK commercial organisations, the categories that will matter most are employment (category 4) and essential services (category 5).

    Take a concrete example. Your HR team uses a recruitment platform that includes AI-powered CV screening. The platform scores candidates and surfaces the top matches. Some of those candidates are based in EU member states — or you have an office in Dublin, Amsterdam, or Berlin.

    That AI system is high risk under Annex III, category 4. From 2 August 2026, you must comply with the full suite of high-risk obligations — or face fines of up to EUR 35 million or 7% of worldwide annual turnover.

    Another example. Your business offers consumer lending and uses an automated credit scoring model. If any of your customers are EU-based, that model is high risk under category 5.

    These are not unusual or exotic scenarios. They describe tools that thousands of UK businesses already use every day.

    What obligations come with high-risk classification?

    Being classified as high risk triggers a substantial set of requirements under the EU AI Act. The core obligations include:

    Risk management system. You must establish, implement, document, and maintain a risk management system that operates throughout the AI system's lifecycle. This is not a one-time assessment — it must be continuous.

    Data governance. Training, validation, and testing data must meet quality criteria. You need processes to examine data for biases and to ensure data sets are relevant, representative, and as error-free as possible.

    Technical documentation. Detailed documentation must be drawn up before the system is placed on the market or put into service, and kept up to date.

    Record-keeping and logging. High-risk AI systems must be designed to automatically log events during operation, enabling traceability.

    Transparency and information to deployers. Users must receive clear instructions for use, including the system's capabilities, limitations, intended purpose, and known risks.

    Human oversight. The system must be designed to allow effective oversight by natural persons during the period it is in use. This means real, meaningful human involvement in decisions — not a rubber stamp.

    Accuracy, robustness, and cybersecurity. The system must achieve appropriate levels of accuracy and be resilient to errors and attempts to manipulate it.

    Conformity assessment. Depending on the category, systems may need to undergo conformity assessment procedures before deployment.

    EU database registration. High-risk AI systems must be registered in the EU database before being placed on the market or put into service.

    The 2 August 2026 deadline

    The obligations for high-risk AI systems listed in Annex III apply from 2 August 2026. That is the compliance cliff edge.

    If you are deploying high-risk AI systems with EU-facing output on or after that date, you need to have your risk management system in place, your documentation complete, your human oversight processes established, and your conformity assessment done.

    Working backwards from August 2026, that means the time to start is now — not in six months, not next quarter. Governance frameworks, risk assessments, and documentation take time to build properly.

    How to determine your exposure

    Start with three questions:

    1. What AI systems does your organisation use? Include everything — procurement tools, HR platforms, customer service automation, analytics, marketing tools. Do not forget tools adopted informally by teams.
    2. Do any of those systems produce outputs that affect people in the EU? If you have EU customers, EU employees, or EU-facing operations, the answer is likely yes.
    3. Do any of those systems fall into an Annex III category? Map each system against the eight categories above. Pay particular attention to employment and essential services.

    If the answer to all three is yes, you have high-risk AI systems that need to be compliant by August 2026.

    The bottom line

    High-risk classification under the EU AI Act is not a theoretical exercise. It applies to real AI tools that real UK businesses use every day — recruitment software, credit scoring models, performance monitoring systems, and more.

    The obligations are substantial but manageable if you start early. The penalties for getting it wrong are not: up to EUR 35 million or 7% of total worldwide annual turnover.

    Know what you have. Know where it sits on the risk scale. And start building compliance now.

    Not sure where you stand? Request a free AI audit at syntraautomate.com/resources

    Want to know where your business stands?

    Request a free AI audit. Personally reviewed, delivered to your inbox within 5 business days.

    Get a free AI audit