PowerQuantEUSend your AI questionnaire

Annex III to the EU AI Act (Regulation (EU) 2024/1689) identifies the use areas in which AI systems are classified as high-risk. Understanding these categories is the starting point for every provider's risk assessment. The Regulation applies directly; no separate national implementing act is required for the AI Act itself.

The eight categories

Annex III covers the following areas:

  • Biometrics – certain systems for biometric identification, categorisation and emotion recognition.
  • Critical infrastructure – AI as a safety component in the management and operation of critical infrastructure.
  • Education and vocational training – for example access, admission and assessment.
  • Employment and workers – recruitment, selection and decisions affecting working conditions.
  • Essential services – access to essential private and public services and benefits.
  • Law enforcement – certain uses of AI within law enforcement activities.
  • Migration, asylum and border control – certain systems within these procedures.
  • Administration of justice and democratic processes – support for judicial authorities and certain systems relating to elections.

The fact that a system is used within one of these overarching areas does not automatically make it high-risk; the specific use cases and any exemptions in Annex III must be assessed on a case-by-case basis.

The provider perspective

The Regulation distinguishes between the provider and the deployer. Most organisations that put a purchased high-risk system into use are deployers. The obligations for deployers follow from Article 26 and include, among other things:

  • using the system in accordance with the provider's instructions for use
  • ensuring human oversight by competent personnel (cf. Article 14)
  • monitoring operation and reporting serious incidents
  • ensuring that input data are relevant for the intended purpose

In certain cases the deployer must carry out a fundamental rights impact assessment (FRIA) under Article 27. Note that Article 25 can reclassify a deployer as a provider, for example on a substantial modification or applying its own name – which triggers the more extensive provider obligations.

When the obligations apply

  • 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) apply from this date.
  • 2 August 2026: The Annex III obligations for deployers apply from this date under the original timeline. On the same date, Article 50 (transparency) and Annex III become applicable.
  • 2 December 2027: A deferral of the Annex III obligations has been proposed via the Digital Omnibus (approved by the European Parliament on 16 June 2026; the Council is awaiting publication in the Official Journal). This is a Digital Omnibus proposal and is not yet in force.

Because the deferral is not yet in force, planning should proceed from the current date of 2 August 2026, while developments around the Digital Omnibus are monitored.

Penalties

Fines are governed by Article 99. Prohibited practices under Article 5 can give rise to up to EUR 35 million or 7 % of global annual turnover. Infringements of, among other things, the high-risk obligations and Article 50 can give rise to up to EUR 15 million or 3 %. Incorrect or misleading information can give rise to up to EUR 7.5 million or 1 %.

Before procurement

  • Determine whether the system's use case falls within one of the eight Annex III categories.
  • Assess the specific use cases and exemptions, not just the overarching area.
  • Establish your role: deployer or provider – and monitor Article 25.
  • Prepare Article 26 compliance: instructions for use, human oversight, monitoring and incident reporting.
  • Assess whether a FRIA under Article 27 is required.
  • Plan towards 2 August 2026 and monitor the Digital Omnibus proposal on 2 December 2027.

PowerQuant is delivered as documentation support: Module 1 (AI inventory + Article 4 register) and Module 2 (Provider documentation package).

This page is general information about the AI Act and does not constitute legal advice.