High-Risk AI System — EU AI Act Classification and Obligations
Definition
What is a high-risk AI system under the EU AI Act?
Under the EU AI Act, a high-risk AI system is an AI system classified as posing significant risks to health, safety, or fundamental rights. The classification is determined by the system’s intended use, not its technical architecture. High-risk systems are defined in two ways: AI systems that are safety components of products regulated under existing EU legislation (listed in Annex I), and standalone AI systems used in the areas listed in Annex III.
Annex III covers eight areas: biometric identification and categorisation of natural persons; management and operation of critical infrastructure; education and vocational training; employment, workers management, and access to self-employment; access to and enjoyment of essential private services and essential public services and benefits; law enforcement; migration, asylum and border control management; and administration of justice and democratic processes.
High-risk AI systems face the most stringent obligations under the regulation: a documented risk management system, data governance and data quality controls, technical documentation aligned with Annex IV, automatic logging capabilities, transparency and provision of information to deployers, human oversight measures, accuracy, robustness, and cybersecurity. They must undergo a conformity assessment before market placement.
Why it matters operationally
Why does the high-risk classification matter?
The high-risk classification is the critical threshold that determines whether an AI system faces mandatory conformity assessment or only minimal compliance obligations. Getting the classification right matters: under-classifying a high-risk system exposes the organization to enforcement action; over-classifying creates unnecessary compliance burden.
For providers of high-risk systems, the obligations are substantial and pre-deployment: conformity assessment, technical documentation, risk management system, and registration in the EU database of high-risk AI systems must all be completed before the system is placed on the market. Post-deployment, ongoing obligations include post-market monitoring, incident reporting, and maintaining the technical file.
For deployers (organizations that use high-risk AI systems developed by third parties) obligations include ensuring systems are used in accordance with instructions, designating human oversight responsibilities, and monitoring system performance. The AI Act creates shared accountability between providers and deployers, which means a customer cannot escape obligations simply because it did not build the model.
Regulatory framework
Which frameworks apply to high-risk AI systems?
| Framework | Application to high-risk systems |
|---|---|
| EU AI Act — Annex III | Defines high-risk AI system categories. Chapter III obligations apply in full. |
| ISO/IEC 42001 | The management system for meeting EU AI Act requirements. ISO 42001 certification provides structured evidence for high-risk conformity assessments. |
| ISO 23894 | Provides the detailed AI risk management methodology that high-risk systems must implement. |
| NIST AI RMF | Risk governance framework aligned with EU AI Act requirements for high-risk systems, especially in US-operating environments. |
| GDPR | High-risk systems processing biometric or personal data create overlapping GDPR + EU AI Act obligations. |
How Zertia evaluates it
How does Zertia audit high-risk AI systems?
Zertia conducts independent technical audits of high-risk AI systems against EU AI Act conformity requirements. The High-Risk AI Systems Audit evaluates technical documentation, risk management processes, data governance, human oversight mechanisms, logging capabilities, and operational controls. The output is a structured audit report that can be presented to regulators, notified bodies, enterprise clients, and investors as evidence that the system has been independently reviewed.
For organizations that need to first understand their exposure before committing to a full audit, the EU AI Act Compliance Assessment provides a diagnostic: risk classification, gap identification, and a remediation roadmap.
Definitions that hold up under audit.
Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.
