Is your AI system high-risk under the EU AI Act? How to find out

The EU AI Act's Annex III lists 8 categories of high-risk AI. Most AI teams don't know whether their system is in scope. Here's how to determine your risk tier — and what it means for what you need to build.

Drel, 8 min read

The EU AI Act entered into force on 1 August 2024. The obligations for high-risk AI systems listed in Annex III apply from 2 August 2026 (high-risk systems that are safety components of products covered by Annex I get until 2 August 2027). That gives most organisations less than two months to know whether their systems are in scope, and most haven't checked yet.

The question is deceptively simple: is your AI system high-risk under the EU AI Act? The answer determines whether you need a documented risk management system, technical documentation, conformity assessment and registration in the EU database, or whether only the Article 50 transparency obligations apply, or none at all.

The regulation is structured around risk tiers

The EU AI Act doesn't impose the same obligations on every AI system. It's structured around a tiered risk model:

  • Prohibited — AI practices that are banned outright (Article 5): social scoring, manipulative or deceptive subliminal techniques, and real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow, authorised exceptions).
  • High-risk — AI systems listed in Annex III, plus AI systems that are safety components of products covered by the harmonisation legislation in Annex I (Article 6). Substantive obligations: risk management, technical documentation, logging, human oversight, registration. Applies to providers and deployers, with different duties for each.
  • Limited risk — Transparency obligations under Article 50. Systems that interact with people must disclose they are AI; deepfakes and other synthetic content must be marked and disclosed as generated. No conformity assessment required.
  • Minimal risk — No mandatory obligations. The majority of AI systems fall here. Voluntary adherence to best practices is recommended.
  • General Purpose AI (GPAI) — General-purpose models made available to others. Separate obligations under Chapter V (Articles 51–56), with extra duties for models posing systemic risk.

The 8 Annex III high-risk categories

Annex III lists the specific use cases that make an AI system high-risk. If your system falls into one of these categories, the high-risk obligations apply regardless of how sophisticated or unsophisticated the underlying technology is. The one carve-out is Article 6(3): an Annex III system that does not pose a significant risk to health, safety or fundamental rights (for example, one that only performs a narrow procedural task, or only improves the result of a previously completed human activity) is not high-risk. But the provider must document that assessment before placing the system on the market, and the carve-out never applies to a system that profiles natural persons.

  1. Biometrics — remote biometric identification, biometric categorisation by sensitive attributes, emotion recognition
  2. Critical infrastructure — safety components in energy, water, transport
  3. Education and vocational training — admissions, assessment, monitoring
  4. Employment and worker management — recruitment, performance, termination
  5. Essential private services and public benefits — credit, insurance, benefits eligibility
  6. Law enforcement — risk assessment, profiling, crime analytics
  7. Migration, asylum, and border control — risk assessment, document review
  8. Administration of justice and democratic processes — judicial assistance, electoral influence

The most commercially relevant categories for enterprise AI are category 4 (employment) and category 5 (essential services). If you're building AI that assists in HR decisions, or that determines access to financial products or benefits, you're likely in scope.

What the high-risk obligations actually require

If your system is high-risk, the core obligations are:

  • Article 9 — Risk management system. A documented, ongoing risk management process: identify foreseeable risks, evaluate and mitigate them, test before deployment, monitor after. Each step requires a record.
  • Article 11 — Technical documentation. A technical file covering system description, design specifications, training data, testing results, and risk management records. The provider must keep it for 10 years after the system is placed on the market (Article 18).
  • Article 12 — Record-keeping. The system must automatically log events over its lifetime so that its operation can be traced and audited.
  • Article 13 — Transparency. The system must come with instructions for use that explain its capabilities and limitations to deployers.
  • Article 14 — Human oversight. Appropriate human oversight measures must be built in: the ability to understand the system's outputs, detect when it behaves unexpectedly, and intervene, override or stop it.
  • Article 15 — Accuracy, robustness and cybersecurity. The system must be resilient against errors and against attempts to alter its use or performance, including AI-specific attacks such as data poisoning, adversarial inputs and model manipulation.
  • Article 49 — Registration. Providers must register high-risk Annex III systems in the EU database (established under Article 71) before placing them on the market; deployers that are public authorities, or act on their behalf, must register their use too.

Deployer vs provider obligations

A common point of confusion: whether you are a provider (you built the AI system and make it available to others) or a deployer (you use someone else's AI system in your own context) determines which obligations apply to you.

Providers carry the heavier burden: they must ensure the system meets the technical requirements, prepare the technical documentation, perform conformity assessment, and register the system. Deployers have narrower obligations (Article 26): use the system per the provider's instructions, assign human oversight to people with the competence and authority to exercise it, monitor its operation and report serious incidents, and keep the logs the system generates for at least six months. Some deployers (public bodies, and deployers in certain Annex III use cases such as credit scoring) must also complete a fundamental rights impact assessment under Article 27.

If you're using a third-party AI system (a vendor LLM, an HR screening tool, a credit scoring API) in a high-risk context, your deployer obligations still apply. You can't delegate them to the provider. And watch Article 25: if you put your name or trademark on a high-risk system, substantially modify it, or change its intended purpose so that it becomes high-risk (fine-tuning a vendor model into an HR screening tool, for instance), you become the provider and inherit the provider obligations.

How to determine your tier in under 2 minutes

We built a free, no-login tool that walks through the Annex III classification logic for your specific system type. It takes about 2 minutes, the logic is deterministic (no AI guess — it implements the regulation's decision tree), and the result includes a plain-language explanation of why your system is or isn't in scope.

Try the free EU AI Act risk tier classifier

Select your system type, answer 6–8 focused questions, and get a classification with the relevant Annex III category and key obligations.


What to do if your system is high-risk

If the classification tells you your system is high-risk, the next step is to build the Article 9 risk management record. This is not a one-time form — it's a documented process that covers the system's full lifecycle from design through post-deployment monitoring.

The record needs to cover: the risks you identified, the controls you put in place, the evidence that those controls are implemented, and the triggers that would require you to re-assess the system. The EU AI Act's Article 9 is explicit that the risk management system must be "ongoing" — not a one-off compliance exercise.

Drel produces this record per AI system. You describe the system; Drel produces the threat model, control plan, evidence gaps, and clearance decision that constitutes the Article 9 risk management documentation. See the EU AI Act system inventory guide for the full documentation requirements.


A note on scope: Drel reviews assessed systems against documented architecture, configuration and intent. It does not ingest live telemetry from production environments. Dispositions reflect the assessed system at the time of review and the re-assessment triggers that govern when the disposition must be revisited.