EU AI Act

High-risk obligations checklist

A working checklist of the obligations the EU AI Act places on high-risk AI systems — provider duties under Articles 9–15 and deployer duties under Article 26.

What counts as high-risk

The EU Artificial Intelligence Act — Regulation (EU) 2024/1689 — sets a risk-based framework for AI systems placed on the EU market or used in the EU. A significant share of obligations attach to AI systems classified as high-risk.

Annex III of the Regulation lists the high-risk areas. These cover, among others:

  • Biometrics
  • Critical infrastructure
  • Education and vocational training
  • Employment, workers' management and access to self-employment
  • Access to essential private and public services
  • Law enforcement
  • Migration, asylum and border control
  • Administration of justice and democratic processes

An AI system intended to be used as a safety component of a product, or which is itself a product, covered by certain EU harmonisation legislation may also fall within scope. Confirming whether each system is high-risk is the first step before any checklist applies.

Provider obligations (Articles 9–15)

The Regulation places a core set of requirements on providers of high-risk AI systems. Work through each as a control you can evidence:

  • Risk management system (Art. 9) — a continuous, iterative process to identify, evaluate and mitigate risks across the system life cycle.
  • Data and data governance (Art. 10) — training, validation and testing data sets that meet quality criteria appropriate to the intended purpose.
  • Technical documentation (Art. 11) — documentation demonstrating that the system meets the Regulation's requirements, kept up to date.
  • Record-keeping (Art. 12) — automatic logging of events over the system's lifetime to support traceability.
  • Transparency and provision of information to deployers (Art. 13) — instructions for use that let deployers understand and operate the system appropriately.
  • Human oversight (Art. 14) — measures enabling effective oversight by natural persons during use.
  • Accuracy, robustness and cybersecurity (Art. 15) — appropriate levels of accuracy, robustness and cybersecurity, consistent throughout the life cycle.

Deployer obligations (Article 26)

Deployers of high-risk AI systems carry their own duties under Article 26. In broad terms, the Regulation requires deployers to:

  • Use the system in accordance with the provider's instructions for use.
  • Assign human oversight to people with the necessary competence and authority.
  • Ensure that input data is relevant and sufficiently representative for the intended purpose, where the deployer controls that data.
  • Monitor operation and inform the provider or relevant authorities where risks or serious incidents arise.
  • Keep the logs that the system generates, where these are under the deployer's control.

A practical readiness checklist

To translate the obligations into a programme of work, a high-risk AI system typically needs:

  • A confirmed classification decision, recorded with its reasoning.
  • A documented risk management process that is reviewed over time.
  • Evidence of data governance for the data sets the system relies on.
  • Maintained technical documentation and event logs.
  • Clear instructions for use and a defined human-oversight arrangement.
  • Tested measures for accuracy, robustness and cybersecurity.

Penalties for getting it wrong

The Regulation sets administrative fines that scale with the type of infringement. For prohibited practices, fines can reach up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For other infringements of the Regulation's obligations, fines can reach up to €15 million or 3% of total worldwide annual turnover.

How TrustedAIGov helps

The TrustedAIGov Governance Platform is designed to support work aligned to these obligations — recording classification decisions, holding the documentation and evidence each Article expects, and giving owners a place to track human-oversight and risk-management activity. It supports your team's readiness work; it does not replace your own legal assessment.
