"Is my AI system high-risk?" — the question I get asked more than any other, usually followed by either quiet dread or premature relief based on vibes rather than the actual regulation.

Two paths to high-risk

Path 1 — Annex I (Safety component in a regulated product)

Your AI is a safety component in a product covered by existing EU safety legislation (medical devices, vehicles, machinery, aviation). Deadline: 2 August 2028. Most companies aren't here.

Path 2 — Annex III (Standalone high-risk use cases)

Your AI falls within one of eight specific domains. Deadline: 2 December 2027. This is the one that affects most companies.

The eight Annex III domains

1. Biometric identification and categorisation

Facial recognition, fingerprint matching, voice identification, emotion recognition. You're here if your system identifies, categorises, or assesses people using biometric data.

2. Critical infrastructure

AI managing power grids, water treatment, gas distribution, traffic systems, or critical digital networks where failure endangers public safety.

3. Education and vocational training

AI that determines admissions, grades students, assesses educational levels, or monitors exam behaviour. A flashcard app isn't high-risk. An AI that decides who gets into university is.

4. Employment and workers management

CV screening, candidate ranking, interview evaluation, promotion decisions, performance monitoring, task allocation. This catches the most companies by surprise — any AI-powered HR tool making evaluative decisions about people is almost certainly here.

5. Essential private and public services

Credit scoring, insurance risk assessment and pricing, public benefits eligibility, emergency dispatch prioritisation.

6. Law enforcement

Risk assessment of individuals, polygraph-like tools, evidence evaluation, profiling for investigations.

7. Migration, asylum, and border control

Security risk assessment at borders, asylum and visa processing, irregular migration detection.

8. Administration of justice and democratic processes

AI assisting judges in applying the law, or AI designed to influence elections.

The exception most people miss

Article 6(3) says an AI system in an Annex III domain is not high-risk if it performs a narrow procedural task, improves a previously completed human activity, detects patterns without replacing human assessment, or performs preparatory work for a human decision. But you can't just decide this applies — you need documented reasoning a regulator can examine.

The three-question test

1. Does your AI make or materially influence decisions about individual people?

2. Do those decisions affect access to employment, education, financial services, benefits, or justice?

3. Could a wrong decision cause significant harm to someone's rights, safety, or livelihood?

Yes to all three — you're almost certainly high-risk. No to all three — you're probably not. In the middle — you need a proper assessment, not a gut feeling. The deadline is December 2027. Start your classification now.