EU AI Act Article 6 — High-risk classification
Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.
Article 6 is where the EU AI Act high-risk classification happens — the gate that decides whether the heavier obligations (Articles 26 and beyond) apply to a given system at all. Under the 2026 Digital Omnibus, the high-risk rules for Annex III systems apply from December 2027, so the work between now and then is knowing which of your AI uses will land inside the gate.
When an Annex III use case becomes high-risk
Article 6(2) points to Annex III: an AI system is high-risk when it is used in one of the listed areas. The ones most operators touch:
- Employment & worker management — CV screening, candidate ranking, task allocation, performance or promotion decisions.
- Access to essential services — creditworthiness and credit scoring, insurance risk and pricing, eligibility for public benefits.
- Education & vocational training — admissions, scoring, proctoring, and assessment of learning outcomes.
- Critical infrastructure — safety components in the management and operation of utilities, traffic, and supply.
- Law enforcement, migration & border control, and the administration of justice.
Article 6(1) adds a second route: AI acting as a safety component of a regulated product (under the Union harmonisation legislation in Annex I) that requires third-party conformity assessment is high-risk too.
The Article 6(3) filter — not every Annex III use is high-risk
An Annex III system is not automatically high-risk. Article 6(3) carves out systems that do not pose a significant risk of harm to health, safety, or fundamental rights — typically because the system only:
- performs a narrow procedural task;
- improves the result of a previously completed human activity;
- detects decision-making patterns without replacing or influencing the human assessment; or
- performs a preparatory task for an Annex III assessment.
The important exception: a system that carries out profiling of natural persons is always high-risk — the 6(3) filter never applies to it.
Classification is per use case, not per app
The same tool can be high-risk in one workflow and out of scope in another. A general chat assistant is minimal-risk when it drafts internal notes and high-risk the moment it ranks job applicants. So the unit of classification is the use case × context, not the vendor or the app — which means you cannot answer "are we high-risk?" from a software inventory alone; you need to see how each tool is actually used.
Shield's lever: Discovery surfaces which AI tools are in use across the browser, and the audit log shows what actually flows into them — the raw material for a use-case-level classification rather than a guess per app.
What to inventory now (before December 2027)
The organisations that meet Article 6 calmly are the ones that, well ahead of the date, can list: every AI tool in use, the workflows each one sits in, and which of those workflows fall in an Annex III area. Applying the EU AI Act & GDPR Starter bundle from the preset library starts that inventory today, so the classification work is a review — not a discovery scramble — when the obligations land.
Was this article helpful?
Related articles
EU AI Act Article 50 — Transparency obligations
Article 50 sets the EU AI Act transparency obligations: AI chatbots must disclose they are AI, and AI-generated content and deepfakes must be marked. Applicable from 2 August 2026, with a narrow Article 50(2) marking transition to 2 December 2026 for pre-existing systems.
Read articleEU AI Act Article 4 — AI literacy
Article 4 requires a sufficient level of AI literacy in your workforce — already in force. What that means in practice, and how Shield turns it into an operational program.
Read articleEU AI Act Article 5 — Prohibited practices
Article 5 bans AI practices deemed unacceptable — already in force. What is prohibited, why shadow AI is your exposure, and how Shield keeps prohibited-class tools out.
Read articleEU AI Act Article 26 — Deployer obligations
Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.
Read articleStill stuck?
Send us the details — we answer within one business day.