- Overclaiming high-risk status: Providers assume their system is high-risk because it uses sensitive data or makes important decisions. The EU AI Act is use-case-specific, not risk-based in the general sense. If your system is not in Annex III, it is not high-risk.
- Underclaiming high-risk status: Providers assume their system is not high-risk because it "only assists" humans. If the system influences hiring, credit access, or law enforcement decisions, it is high-risk even if a human makes the final call.
- Ignoring edge cases: A system used for internal HR analytics is not high-risk. The same system used to rank candidates for promotion is high-risk (Annex III.4).
Vigilia's risk classification engine checks your system's intended purpose, use case, and deployment context to determine whether Annex III applies.
How to Determine If Your System Is High-Risk
Follow this decision tree:
1. Does your system fall into any Annex III category?
   - No → Your system is not high-risk. Check Article 52 for transparency obligations.
   - Yes → Continue to step 2.
2. Is your system used for the specific purpose listed in Annex III?
   - Example: Your system uses facial recognition, but only to unlock a phone (authentication, not identification). → Not high-risk.
   - Example: Your system uses facial recognition to identify individuals in a crowd. → High-risk (Annex III.1).
3. Is your system a safety component of a regulated product, or is it itself a regulated product?
   - Example: Your AI controls a medical device. → High-risk (EU Medical Device Regulation + Annex III).
   - Example: Your AI optimizes ad targeting. → Not high-risk (not a safety component, not in Annex III).
If you answered "yes" to all three questions, your system is high-risk and must comply with Articles 9–15, technical documentation, conformity assessment, and post-market monitoring.
Vigilia's Risk Classification Engine
Vigilia's $499 compliance audit includes a risk classification analysis. It checks:
- Whether your system falls into any Annex III category
- Whether your intended purpose triggers high-risk obligations
- Whether you are overclaiming or underclaiming high-risk status
- What compliance obligations apply (Articles 9–15, Article 52, Articles 53–54)
The report provides a clear high-risk / not high-risk determination with legal justification, so you know exactly what obligations apply.
Generate your risk classification report now: www.aivigilia.com
Timeline: When Annex III Becomes Enforceable
| Date | Milestone |
| --- | --- |
| August 2, 2026 | Annex III high-risk obligations enforceable |
| February 2, 2027 | Full EU AI Act enforcement (all provisions) |
You have 83 days until high-risk obligations become legally binding. Penalties apply immediately after that date.
Final Checklist: Is Your System High-Risk?
Use this checklist to assess your system:
- [ ] My system falls into at least one Annex III category (biometrics, infrastructure, education, employment, essential services, law enforcement, migration, justice)
- [ ] My system is used for the specific purpose listed in that category (not a tangential use case)
- [ ] My system influences access, evaluation, or safety in that domain (not just assistance or analytics)
- [ ] I have documented the risk classification with legal justification
- [ ] If high-risk, I have begun implementing Articles 9–15 obligations (risk management, data governance, transparency, human oversight, accuracy, cybersecurity)
If you checked the first three boxes, your system is high-risk and you must comply with all obligations. If you checked fewer than three, your system is likely not high-risk, but you should verify with a compliance audit.
Vigilia can generate a full risk classification and gap analysis in 20 minutes.
Try the free EU AI Act checker or generate your full compliance report: www.aivigilia.com
This article is for informational purposes only and does not constitute legal advice. Consult a qualified EU AI Act attorney for guidance specific to your situation.
Originally published at Vigilia.