EU AI Act High-Risk Classification: Is Your AI System Annex III? (2026 Decision Tree)

By Marc Dubois · May 2026 · 12 min read

TL;DR: Most B2B AI startups are not high-risk under the EU AI Act — but every CTO is asked the question by enterprise procurement. This article gives you the 2026 decision tree, the eight Annex III categories with concrete SaaS examples, the GPAI carve-out, and what changes if you turn out to be high-risk. If you reach the end and still are not sure, the €199 managed classification audit gives you a signed memo in 5 business days.

Why classification is the first question, not a detail

If you build or sell an AI system in the EU, the very first question every enterprise vendor assessment, every legal review and every Article 26 deployer report needs answered is the same: "Is your system high-risk under Annex III of the EU AI Act?"

The answer changes everything downstream:

A wrong "low-risk" call that procurement later overrules costs you the deal. A wrong "high-risk" call burns six months of engineering on documentation you did not need. Both happen weekly in 2026.

The 2026 decision tree (start here)

Walk this top-down. The first branch that resolves wins.

START
│
├─ Q1. Is the AI system prohibited under Article 5?
│      (social scoring by public authorities, untargeted facial scraping,
│      emotion recognition in workplace/education, predictive policing
│      based solely on profiling, real-time remote biometric ID in
│      public spaces with limited LE exceptions, exploitation of
│      vulnerabilities, manipulative subliminal techniques)
│   ├─ YES → PROHIBITED. You cannot place it on the EU market. Stop here.
│   └─ NO → continue
│
├─ Q2. Is the system a safety component of a product
│      already covered by EU harmonisation law in Annex I?
│      (medical devices, machinery, toys, in-vitro diagnostics,
│      radio equipment, aviation, automotive, marine, rail, lifts, etc.)
│   ├─ YES → HIGH-RISK (Annex I path). Conformity assessment under the
│   │        sectoral law applies. Applicable from Aug 2028 after the
│   │        May 2026 Omnibus delay.
│   └─ NO → continue
│
├─ Q3. Does the system fall into one of the eight Annex III
│      use-case categories? (see table below)
│   ├─ NO → NOT high-risk. Skip to Q5.
│   └─ YES → continue to Q4
│
├─ Q4. Does the Article 6(3) filter apply?
│      The system performs a narrow procedural task, or improves a
│      prior human activity, or detects deviation patterns without
│      replacing/influencing the human assessment, or only prepares
│      an assessment for a relevant use case — AND it does not
│      profile natural persons.
│   ├─ YES → NOT high-risk (filter exemption), but you MUST document the
│   │        assessment and register the system in the EU database
│   │        (Article 49(2)).
│   └─ NO → HIGH-RISK (Annex III path). Annex III applies from
│            December 2027 after the Omnibus delay.
│
└─ Q5. Is the system a GPAI model (foundation model)?
    ├─ YES, with systemic risk (≥10²⁵ FLOPs training compute)
    │        → GPAI with systemic risk. Article 55 + Annex XI/XII
    │          obligations. Aug 2026.
    ├─ YES, without systemic risk → GPAI obligations only (Article 53,
    │        transparency + copyright policy). Aug 2026.
    └─ NO → Minimal-risk AI system. Article 50 transparency rules may
             still apply if you generate synthetic content or operate
             a chatbot.

2026 Omnibus reminder: The May 2026 Omnibus pushed Annex III applicability to December 2027 and Annex I to August 2028. GPAI (August 2026) and prohibited practices (February 2026) kept their original dates. Classification is still required now for procurement, even if penalties only land later. See the 2026 deadlines guide for the full timeline.

The eight Annex III categories — with 2026 SaaS examples

Annex III is exhaustive: if your use case is not in it (and you are not a safety component under Annex I), you are not high-risk.

Annex III area | What counts | Concrete SaaS examples

1. Biometrics
   What counts: Remote biometric identification, biometric categorisation by sensitive attributes, emotion recognition (outside Art. 5 prohibitions).
   SaaS examples: Face verification SDKs for KYC at distance, voice-based emotion analytics sold to call centres.

2. Critical infrastructure
   What counts: Safety components for digital infrastructure, road traffic, water, gas, heating, electricity supply.
   SaaS examples: AI-based grid load balancing, predictive maintenance that auto-actuates pipelines, traffic-light optimisation feeding directly to signals.

3. Education & vocational training
   What counts: Determining access, admission, assignment, evaluating outcomes, monitoring prohibited behaviour during tests.
   SaaS examples: AI proctoring tools, automated essay scoring used in admissions, adaptive learning systems whose output drives placement.

4. Employment & worker management
   What counts: Recruitment screening, task allocation, performance/behaviour monitoring, promotion/termination decisions.
   SaaS examples: CV-ranking ATS, AI interview scoring, gig-worker dispatch algorithms, productivity-monitoring software that flags individuals.

5. Essential private & public services
   What counts: Eligibility for public benefits, credit scoring (excl. fraud detection), life/health insurance risk pricing, emergency triage dispatching.
   SaaS examples: Fintech credit decision engines, embedded BNPL underwriting, healthtech triage chatbots that route ambulances.

6. Law enforcement
   What counts: Risk-of-offending assessment of natural persons, polygraph-like tools, evidence reliability evaluation, profiling for criminal investigations.
   SaaS examples: Almost always sold to public sector — niche for B2B AI startups.

7. Migration, asylum, border control
   What counts: Risk assessment of irregular migration, asylum/visa application examination, identity verification at borders.
   SaaS examples: Public sector. Out of scope for most commercial SaaS.

8. Justice & democratic processes
   What counts: Assisting judicial authorities, influencing election outcomes or voter behaviour.
   SaaS examples: Legal research tools that produce judgment recommendations, microtargeting platforms for political campaigns.

The Article 6(3) filter — your single biggest get-out-of-jail card

This is where most enterprise vendor reviews go off the rails. Article 6(3) says that even if your use case is listed in Annex III, the system is not high-risk if at least one of these is true (for the full sub-paragraph-by-sub-paragraph breakdown with eleven worked SaaS examples, see the Article 6(3) exemption deep dive):

  (a) the system performs a narrow procedural task;
  (b) it improves the result of a prior human activity;
  (c) it detects decision-making patterns or deviations from them, without replacing or influencing the human assessment;
  (d) it only performs a preparatory task for an assessment relevant to an Annex III use case.

Caveat: profiling of natural persons always kicks you back into high-risk, regardless of the filter. If your product builds a per-person score or profile and that score influences an Annex III decision, you are high-risk — period.

You must document the filter assessment and keep it for ten years (Article 6(4)). You must register the system in the EU database before placing it on the market (Article 49(2)). The filter is not a free pass; it is a written argument with evidence.

Common false positives we see in 2026 vendor reviews

These are the four most frequent mistakes that get CTOs incorrectly stamped "high-risk" by their enterprise customer's legal team:

1. "Our chatbot answers HR questions, so we're in Annex III #4."

Not by itself. Annex III #4 is about decisions affecting workers: hiring, promotion, termination, task allocation, monitoring. A chatbot that surfaces policy text or routes tickets is a tool. The moment the same chatbot ranks candidates or flags employees for review, you are in Annex III #4.

2. "We help banks underwrite, so we're in Annex III #5."

Fraud detection is explicitly excluded from Annex III #5. Anti-money-laundering scoring, transaction monitoring and identity-fraud detection are not high-risk. Creditworthiness and credit scoring for natural persons (B2C consumer credit) are. B2B credit, where the borrower is a legal entity, is outside #5 entirely.

3. "Our AI looks at CVs, so we're high-risk."

If you summarise a CV for a human recruiter to read in full, Article 6(3)(a) or (d) usually applies — narrow procedural task or preparatory task. If you rank candidates and that rank drives interview decisions, you are high-risk under Annex III #4.

4. "We use a Llama-class model, so we're a GPAI provider."

No. A GPAI provider trains and places the model on the market (OpenAI, Anthropic, Mistral, Meta when distributed standalone). A company that uses a model in its product is a downstream provider or deployer, not a GPAI provider. The Article 53 obligations sit upstream with the model provider, not with you.
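The decision tree above (Q1 through Q5, including the profiling override in Q4 and the Annex III range check) and the four false positives in this section can be encoded as one classification function and run over a product inventory. The code below is an added illustration, not the article's or auditai's tooling; the field names, the tier labels and the scenarios are constructed for the example, and the thresholds and dates are those quoted on this page.

```python
from __future__ import annotations
from dataclasses import dataclass
SYSTEMIC_RISK_FLOPS = 1e25  # systemic-risk threshold quoted in the decision tree

@dataclass
class AISystem:
    name: str
    prohibited: bool = False                # Q1: an Article 5 practice
    annex_i_safety_component: bool = False  # Q2: safety component under Annex I harmonisation law
    annex_iii_category: int | None = None   # Q3: 1..8 if the use case is listed in Annex III
    filter_grounds: tuple[str, ...] = ()    # Q4: Art. 6(3) sub-paragraphs that apply, e.g. ("a", "d")
    profiles_natural_persons: bool = False  # Q4: profiling overrides the filter
    gpai_provider: bool = False             # Q5: you train and place the model on the market
    training_flops: float = 0.0             # Q5: training compute, for the systemic-risk tier

def classify(s: AISystem) -> tuple[str, str]:
    """Walk Q1..Q5 top-down; the first branch that resolves wins. Returns (tier, basis)."""
    if s.prohibited:
        return "PROHIBITED", "Article 5, applies Feb 2026"
    if s.annex_i_safety_component:
        return "HIGH-RISK", "Annex I path, applies Aug 2028"
    if s.annex_iii_category is not None:
        if not 1 <= s.annex_iii_category <= 8:
            raise ValueError("Annex III is exhaustive: categories are 1..8")
        # Q4: the filter only helps if a sub-paragraph applies AND there is no profiling
        if s.filter_grounds and not s.profiles_natural_persons:
            grounds = "/".join(s.filter_grounds)
            return "NOT HIGH-RISK", f"Art. 6(3)({grounds}); document per Art. 6(4), register per Art. 49(2)"
        return "HIGH-RISK", f"Annex III #{s.annex_iii_category}, applies Dec 2027"
    if s.gpai_provider:
        if s.training_flops >= SYSTEMIC_RISK_FLOPS:
            return "GPAI WITH SYSTEMIC RISK", "Art. 55 + Annex XI/XII, applies Aug 2026"
        return "GPAI", "Art. 53, applies Aug 2026"
    return "MINIMAL-RISK", "Art. 50 transparency may still apply"

# Constructed scenarios (not real products): each false positive paired with the variant that does tip over.
SCENARIOS = {
    "hr_policy_chatbot": AISystem("Chatbot that surfaces HR policy text"),
    "employee_flagger": AISystem("Chatbot that flags employees for review", annex_iii_category=4, profiles_natural_persons=True),
    "aml_monitoring": AISystem("AML transaction monitoring"),  # fraud detection is excluded from #5
    "consumer_credit": AISystem("B2C credit decision engine", annex_iii_category=5, profiles_natural_persons=True),
    "cv_summariser": AISystem("CV summariser read in full by a recruiter", annex_iii_category=4, filter_grounds=("a", "d")),
    "cv_ranker": AISystem("CV ranker driving interview decisions", annex_iii_category=4, filter_grounds=("d",), profiles_natural_persons=True),
    "llama_downstream": AISystem("Product built on a Llama-class model"),  # downstream user, not a GPAI provider
    "foundation_model": AISystem("Foundation model placed on the market", gpai_provider=True, training_flops=3e25),
}

def classify_all() -> dict[str, str]:
    """Tier for every scenario, in the order a vendor review would walk them."""
    return {key: classify(s)[0] for key, s in SCENARIOS.items()}
```

The output of classify_all() is the Q1-Q5 walk-through that the memo in "How to make this defensible" asks for, one tier per system, with the basis string from classify() giving the sub-paragraph or applicability date to cite.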

What happens if you turn out to be high-risk

If you exit the decision tree with "high-risk," you take on a recognisable list of obligations before the December 2027 Annex III applicability date. The headline items:

For Annex III(5)(b) credit scoring and Annex III(5)(c) life and health insurance pricing deployers, an additional duty layers on top: the Article 27 Fundamental Rights Impact Assessment (FRIA). The same applies to any deployer that is a public body or a private entity providing public services. The Article 27 FRIA template guide walks the six items and the notification flow.

Realistically, a 30-engineer AI startup that is correctly classified high-risk can reach a presentable Annex IV file in 4–8 weeks if it already has reasonable engineering hygiene. Without inference-level logging, that timeline doubles, because you cannot retroactively produce Article 12 records you never captured.

How to make this defensible

The output you need is not a verdict; it is a memo your customer's legal team can drop into their own file:

  1. One paragraph stating the system, its intended purpose, and its deployers.
  2. A walk-through of Q1 through Q5 above with the answer for each.
  3. For Annex III matches, the Article 6(3) analysis with which sub-paragraph applies and why.
  4. An explicit statement about profiling (yes/no, with reasoning).
  5. A retention statement: "This assessment will be kept for ten years and reviewed on substantial change."
  6. Signature, role, date.

That document is what unblocks an enterprise deal. Without it, procurement defaults to "treat as high-risk" and asks you for an Annex IV file you may not need.

Need a signed classification memo in 5 business days?

The €199 managed classification audit reviews your product against the 2026 decision tree, drafts the Article 6(3) analysis if relevant, and returns a signed memo your customer's legal team can accept directly. No retainer, no upsell.


Frequently asked questions

Are LLM-based copilots automatically high-risk?

No. Copilots that assist a human author are usually outside Annex III, or covered by Article 6(3)(b) (improving a prior human activity). They typically only need Article 50 transparency — disclose the AI generation to the user.

If our model has fewer than 10²⁵ FLOPs, are we exempt from GPAI rules?

Only from the systemic-risk tier. Article 53 GPAI obligations still apply to all GPAI providers regardless of compute: maintain technical documentation (Annex XI), publish a sufficiently detailed summary of training data, and have a copyright policy. The Aug 2026 deadline is firm.

Our customer is asking for Annex IV documentation even though we're not high-risk. What do we send?

Send the classification memo plus a short statement: "Annex IV applies only to high-risk systems. This system is not high-risk for the reasons set out in the attached memo. We voluntarily provide the following adjacent evidence: [logs, data governance, security review]." Procurement usually accepts that bundle. Our vendor questionnaire guide walks through how to phrase it without sounding evasive.

Does open-source change anything?

For GPAI: yes — Article 53 obligations are reduced for open-source GPAI models released under a free and open licence (excluding systemic-risk models, which keep the full Article 55 obligations). For Annex III high-risk: open-source code does not change the classification of the system you place on the market.

We are based outside the EU. Does this still apply?

Yes if the output of the system is used in the EU (Article 2(1)(c)). A US-headquartered AI startup whose product is used by a Berlin customer is subject to the Act for that use. Practically, this is enforced through the deployer chain — your EU customer will ask you for the same documentation, regardless of where you are.

Disclaimer: this article is informational and does not constitute legal advice. The classification memo produced by the auditai managed audit is reviewed against the consolidated text of Regulation (EU) 2024/1689 as amended by the May 2026 Omnibus. For binding legal interpretation in your jurisdiction, consult qualified counsel.