EU AI Act High-Risk AI Systems List: The Complete Reference for Compliance Teams
The EU AI Act creates a tiered risk framework, and high-risk is where the real compliance burden lives. This page breaks down every category in Annex III, maps the obligations that apply, and gives your team a clear starting point for assessing your AI portfolio.
If your organization develops, deploys, or procures AI systems that touch any of the eight high-risk domains, you face mandatory conformity assessments, risk management documentation, human oversight requirements, and ongoing monitoring obligations. Most teams underestimate the scope. This guide ensures you don't.
8 Annex III high-risk categories (source: EU AI Act, Annex III (2024/1689))
12+ mandatory obligations per system (source: Articles 9–17, EU AI Act)
<30% of organizations have completed an AI inventory (source: IAPP AI Governance Survey, 2024)
From AI System Inventory to Ongoing Monitoring, Without the Spreadsheet Chaos
The EU AI Act's high-risk obligations span risk management, documentation, human oversight, and post-market monitoring. Here's how Priverion turns that regulatory burden into a structured, manageable workflow across every entity in your group.
AI Register for EU AI Act Compliance
Catalogue every AI system across all subsidiaries in a single, structured register. Map each system to Annex III categories, assign risk levels, and maintain the living inventory that Article 49 requires, without chasing business units for spreadsheet updates.
AXA achieved 100% ROPA recertification rate with automated workflows across their entire group.
AXA customer result, first 6 months on Priverion
AI-Assisted Impact Assessments
Generate draft Fundamental Rights Impact Assessments and DPIAs with AI-assisted analysis that pre-populates risk factors, maps relevant regulatory articles, and suggests mitigation measures. Every output is reviewed by your team before it becomes a compliance record. AI assists, humans decide.
Medtec saved 200+ hours preparing for ISO 27001 using Priverion's documentation workflows.
Medtec customer result, ISO 27001 preparation phase
Vendor AI Risk Management
The EU AI Act holds deployers accountable for the AI systems they procure, not just the ones they build. Priverion's vendor risk assessment workflows let you evaluate third-party AI providers against Annex III requirements, track conformity documentation, and maintain audit-ready evidence for every supplier relationship.
Zurzach Care achieved 100% vendor risk assessment coverage across their provider network.
Zurzach Care customer result, vendor assessment program
Group-Wide Compliance Dashboards
See the compliance posture of every subsidiary from one dashboard. Track which entities have completed their AI inventories, which high-risk assessments are pending, and where gaps exist, so you can report to the board with confidence instead of stitching together data from 47 spreadsheets.
Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months.
Aircraft manufacturer customer result, first 6 months on Priverion
Incident Management and Serious Event Reporting
Article 62 requires providers of high-risk AI systems to report serious incidents to market surveillance authorities. Priverion's incident management workflow captures events, documents root causes, triggers notification timelines, and generates the evidence package regulators expect, before the deadline pressure hits.
Swiss Data Sovereignty: By Design, Not by Checkbox
Every AI-assisted analysis, every compliance record, and every piece of documentation your team creates lives within Swiss infrastructure. No customer data is used for AI model training. In a regulatory environment where data residency and cross-border transfer compliance are under constant scrutiny, this isn't a feature, it's a foundation.
All data processing within Swiss infrastructure. European data residency guaranteed.
Priverion infrastructure commitment, verified Swiss hosting
Enterprise-grade compliance without enterprise complexity
Mid-market organizations need powerful privacy management, not a platform built for Fortune 100 budgets and 18-month implementations. Here's why compliance teams are making the switch.
The OneTrust experience
Per-user, per-module pricing
Costs escalate unpredictably as you add users, subsidiaries, or modules. CFOs dread renewal conversations when the invoice doubles year over year.
US-hosted infrastructure
In a post-Schrems II landscape, US-hosted compliance data creates the very cross-border transfer risks you're trying to manage. Additional SCCs required just to use your privacy tool.
Built for Fortune 100 complexity
Feature-rich to the point of overwhelm. Mid-market teams report using less than 30% of available functionality while paying for 100% of it.
Months-long implementation
Enterprise implementations routinely stretch 6–12 months. By the time you're live, regulatory requirements may have already shifted.
200+ shallow integrations
A marketplace of connectors that look impressive on paper but create maintenance overhead. Most teams need deep integration with a handful of core systems (HR, procurement, IT assets), not a catalogue.
The Priverion experience
Predictable, all-in-one pricing
Based on number of companies and organizational size, not per-user or per-module. Every capability included from day one. No expansion traps, no surprise invoices.
Guaranteed Swiss data sovereignty
Swiss-built and Swiss-hosted. All data processing within Swiss infrastructure. European data residency isn't a marketing checkbox; it's our architecture. Your compliance tool should never be a compliance risk.
Purpose-built for multi-entity management
Every feature designed around the reality of managing privacy across subsidiaries and jurisdictions. Aircraft manufacturer cut compliance admin time by 60% in their first six months, because the platform fits how group-level DPOs actually work.
Aircraft manufacturer case study, first 6 months post-implementation
Operational in weeks, not months
Clean UX designed for privacy professionals, not IT departments. Time-to-value measured in weeks. Your team is productive before the first quarterly review, not after the second.
Deep integrations where it matters
Focused integrations with HR, procurement, and IT asset management systems, the workflows that actually drive privacy compliance. Deep connectivity with fewer maintenance headaches.
An honest note: We don't cover ESG, ethics hotlines, or cookie consent. We're not built for single-entity companies. Our strength is group-wide privacy program management, and we do it exceptionally well.
Book a 30-min walkthrough
The Eight High-Risk AI Categories Your Team Needs to Assess
Annex III of the EU AI Act defines eight domains where AI systems are classified as high-risk. Each carries mandatory obligations under Articles 9–17. Here's what compliance teams need to know about each category.
1. Biometric Identification and Categorisation
Remote biometric identification systems used in publicly accessible spaces. Includes real-time and post-identification systems, emotion recognition in workplaces and education, and biometric categorisation based on sensitive attributes.
Key obligation: Fundamental Rights Impact Assessment required before deployment (Article 27).
2. Critical Infrastructure Management
AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, and supply of water, gas, heating, and electricity.
Key obligation: Continuous post-market monitoring and serious incident reporting (Articles 61–62).
3. Education and Vocational Training
Systems that determine access to or assignment within educational institutions, evaluate learning outcomes, monitor prohibited behaviour during tests, or assess appropriate education levels for individuals.
Key obligation: Transparency to affected persons and human oversight mechanisms (Articles 13–14).
4. Employment and Worker Management
AI used in recruitment, CV screening, interview evaluation, promotion decisions, task allocation, performance monitoring, and termination of employment relationships.
Key obligation: Data governance requirements and bias testing documentation (Articles 10–11).
5. Essential Services Access
Systems evaluating eligibility for public assistance benefits, credit scoring, risk assessment for life and health insurance, and emergency service dispatch prioritisation.
Key obligation: Risk management system covering entire AI lifecycle (Article 9).
6. Law Enforcement
AI used for individual risk assessments, polygraphs, evidence reliability evaluation, crime prediction based on profiling, criminal offence analysis, and facial recognition database searches.
Key obligation: Logging and traceability for every decision output (Article 12).
7. Migration, Asylum, and Border Control
Systems used for polygraph assessments, application risk evaluation, document authenticity verification, and asylum/visa/residence permit application processing.
Key obligation: Human oversight with authority to override automated decisions (Article 14).
8. Administration of Justice and Democratic Processes
AI assisting judicial authorities in researching, interpreting facts and law, applying law to facts, and systems used to influence the outcome of elections or voting behaviour.
Key obligation: Quality management system and technical documentation (Articles 11, 17).
What Compliance Teams Ask About High-Risk AI Systems
What makes an AI system "high-risk" under the EU AI Act?
An AI system is classified as high-risk if it falls into one of the eight categories listed in Annex III of the EU AI Act (Regulation 2024/1689), or if it is used as a safety component of a product already covered by EU harmonised legislation listed in Annex I. High-risk classification triggers mandatory obligations including risk management, data governance, technical documentation, human oversight, accuracy requirements, and post-market monitoring under Articles 9–17.
When do the high-risk AI obligations take effect?
The EU AI Act entered into force on 1 August 2024. Prohibited AI practices apply from 2 February 2025. Most high-risk AI obligations, including conformity assessments and the requirements in Articles 9–17, apply from 2 August 2026. However, high-risk AI systems already on the market before that date will need to comply when significantly modified. Organizations should begin their AI inventory and gap assessment now to avoid a compliance scramble.
Do deployers (not just providers) have obligations for high-risk AI?
Yes. The EU AI Act places explicit obligations on deployers, the organizations using high-risk AI systems, not just those developing them. Deployers must ensure human oversight, monitor AI system operation, keep logs, conduct Fundamental Rights Impact Assessments for certain use cases (Article 27), and report serious incidents. If your organization procures AI from third-party vendors, you are a deployer and carry regulatory responsibility.
How does Priverion help with EU AI Act compliance specifically?
Priverion's AI Register allows you to catalogue every AI system across all subsidiaries, map each to Annex III categories, and assign risk classifications in one structured platform. AI-assisted impact assessments pre-populate risk factors and suggest mitigation measures, with every output reviewed by your team before it becomes a compliance record. Vendor risk workflows ensure you're assessing third-party AI providers against the same standards. And because everything runs on Swiss infrastructure with no customer data used for model training, you avoid creating new compliance risks with your compliance tool.
Can Priverion handle EU AI Act compliance alongside GDPR?
Yes, that's the core design principle. Privacy program management and AI governance share significant overlap: data mapping, impact assessments, vendor management, incident response, and cross-border transfer documentation. Priverion manages both in a single platform, so your team isn't duplicating effort across separate tools. ROPA management, DPIAs, and the AI Register all live in one place with shared workflows.
What if we're not sure which of our AI systems are high-risk?
That's exactly where most organizations start. Fewer than 30% of organizations have completed an AI inventory (IAPP AI Governance Survey, 2024). Priverion's AI Register helps you begin with a structured inventory, cataloguing AI systems across your group, mapping them to Annex III categories, and identifying which require conformity assessments. The platform guides classification decisions rather than assuming your team already has the answers.
Stop managing privacy in spreadsheets
Your group-wide privacy program deserves 30 minutes of clarity
See how organizations like Aircraft manufacturer cut compliance admin time by 60% in their first six months, with automated ROPA recertification, AI-assisted DPIAs, and cross-entity visibility, all hosted on Swiss infrastructure.
No sales pitch, a live walkthrough tailored to your group structure and compliance needs.