High-Risk AI Systems Under the EU AI Act: Obligations and Compliance
What counts as high-risk AI under the EU AI Act, the obligations for providers and deployers, human oversight, and a practical path to compliance.

Most of the EU AI Act's compliance weight falls on a single category: high-risk AI systems. These are the systems that can meaningfully affect people's health, safety or fundamental rights — and the regulation treats them accordingly. If your organisation builds or deploys AI in sensitive areas, this is the part of Regulation (EU) 2024/1689 you cannot afford to misread.
This article is part two of our AI Act series. If you need the big picture first, start with The EU AI Act Explained. Here we focus on what counts as high-risk, what providers and deployers must do, and how to approach compliance without grinding innovation to a halt.
What qualifies as a high-risk AI system?
The Act identifies high-risk uses in two broad ways. First, AI that acts as a safety component of a product already covered by EU harmonisation legislation — and that requires third-party conformity assessment — is high-risk. Second, a defined list of use cases (Annex III) is high-risk because of its potential impact on fundamental rights. That list includes:
- Critical infrastructure — AI safety components in transport, water, gas, heating, electricity and digital infrastructure.
- Education and vocational training — systems that determine access to education, score exams, or monitor behaviour during tests.
- Employment — CV-sorting and recruitment tools, and systems that influence promotions, terminations, task allocation or performance monitoring.
- Essential private and public services — credit scoring, insurance risk assessment, eligibility for benefits, and prioritising emergency responses.
- Biometrics — remote identification, biometric categorisation by sensitive attributes, and emotion recognition (outside the prohibited contexts).
- Law enforcement — assessing crime risk, evaluating evidence reliability, or profiling individuals.
- Migration, asylum and border control — risk assessments and automated examination of visa applications.
- Administration of justice and democratic processes — supporting judicial decisions or systems that could influence elections.
If a system fits one of these descriptions, the high-risk obligations apply.

The core obligations for providers
Before a high-risk system can be placed on the market, its provider must build in a set of guarantees. The Act requires:
- Risk management — an adequate system to assess and mitigate risks across the lifecycle.
- Data quality — high-quality training, validation and testing datasets to minimise the risk of discriminatory outcomes.
- Logging — automatic recording of events to ensure the traceability of results.
- Technical documentation — detailed information so authorities can assess compliance.
- Transparency for deployers — clear instructions so the people running the system understand it.
- Human oversight — meaningful measures that let people intervene or override.
- Robustness, accuracy and cybersecurity — a high level of technical resilience.
These are not box-ticking exercises. Together they form a conformity case that must hold up to scrutiny from market surveillance authorities.

Human oversight: more than a kill switch
Human oversight is one of the most frequently misunderstood requirements. It does not simply mean a person can switch the system off. It means designing the system so that a human can genuinely understand its output, recognise when something is going wrong, and decide not to act on a recommendation. For a recruitment tool, that might mean a recruiter who can see why a candidate was ranked a certain way and has the authority — and the training — to disregard it.
What deployers must do
The Act does not only regulate providers. Deployers — the organisations that put a high-risk system to use — carry obligations too. They must ensure human oversight in practice, monitor operation, and use the system in line with the provider's instructions. Entities providing public services must also carry out a fundamental rights impact assessment before deploying certain high-risk systems. And high-risk systems, along with the entities using them, must be registered in an EU database.
After deployment: the compliance lifecycle
Compliance does not end at launch. Once a system is live:
- Providers operate a post-market monitoring system to catch problems that emerge in the real world.
- Deployers keep humans in the loop and watch performance.
- Market surveillance authorities supervise the market and can demand corrective action.
- Both providers and deployers must report serious incidents and malfunctions.
This continuous loop is what turns a one-time conformity assessment into ongoing trust.

Relief for smaller players
Regulators know that these obligations are demanding. The Act therefore builds in proportionality for SMEs and start-ups, including simplified compliance paths and reduced fees, and administrative fines that are proportional to company size. It also promotes AI regulatory sandboxes — controlled environments where innovative high-risk systems can be developed, tested and validated, sometimes under real-world conditions, with guidance from authorities. Member States are required to establish these sandboxes, giving smaller innovators a safer route to market.
A practical path to readiness
For organisations facing high-risk obligations, a structured approach helps:
- Classify accurately. Confirm whether your system really is high-risk: Annex III names broad areas, but only the specific use cases listed under each area trigger the high-risk obligations, so operating in one of those areas is not by itself decisive.
- Stand up governance. Many companies are appointing an internal AI officer or oversight board to coordinate compliance.
- Document as you build. Risk management, data governance and logging are far cheaper to design in than to retrofit.
- Plan for oversight and incidents. Define who intervenes, how, and how serious incidents get reported.
High-risk does not mean off-limits. It means accountable. The organisations that treat these obligations as a design discipline — not a paperwork burden — will ship AI that customers and regulators can trust.
Continue with part three, General-Purpose AI and Governance, or talk to our team about your compliance roadmap.