We value your privacy

We use necessary cookies to run the site and, with your consent, analytics and marketing cookies to improve it. You can change your choice anytime. Privacy Policy

  • Security
  • Pricing
Book a scoping call
  1. Help Center
  2. Compliance & frameworks
  3. EU AI Act Article 6 — High-risk classification
Browse categories
Getting started
Shield Control
Shield Web
Policies & presets
Compliance & frameworks
  • DIFC Regulation 10 — AI & autonomous systems
  • EU AI Act — Provider vs deployer (roles & when the line shifts)
  • EU AI Act Article 26 — Deployer obligations
  • EU AI Act Article 4 — AI literacy
  • EU AI Act Article 5 — Prohibited practices
  • EU AI Act Article 50 — Transparency obligations
  • EU AI Act Article 6 — High-risk classification
  • GDPR Article 32 — Security of processing
  • GDPR Article 5 — Principles of processing
  • GDPR Article 6 — Lawfulness of processing
  • Illinois HB 3773 — AI in employment
  • ISO/IEC 42001 — AI management system
  • Korea AI Basic Act — trustworthy AI obligations
  • NIST AI Risk Management Framework (AI RMF)
  • NYC Local Law 144 — Automated employment decision tools
Admin & security
Troubleshooting
FAQ
Getting started
Shield Control
Shield Web
Policies & presets
Compliance & frameworks
  • DIFC Regulation 10 — AI & autonomous systems
  • EU AI Act — Provider vs deployer (roles & when the line shifts)
  • EU AI Act Article 26 — Deployer obligations
  • EU AI Act Article 4 — AI literacy
  • EU AI Act Article 5 — Prohibited practices
  • EU AI Act Article 50 — Transparency obligations
  • EU AI Act Article 6 — High-risk classification
  • GDPR Article 32 — Security of processing
  • GDPR Article 5 — Principles of processing
  • GDPR Article 6 — Lawfulness of processing
  • Illinois HB 3773 — AI in employment
  • ISO/IEC 42001 — AI management system
  • Korea AI Basic Act — trustworthy AI obligations
  • NIST AI Risk Management Framework (AI RMF)
  • NYC Local Law 144 — Automated employment decision tools
Admin & security
Troubleshooting
FAQ

EU AI Act Article 6 — High-risk classification

Updated July 13, 2026·2 min readAll plans

Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.

Article 6 is where the EU AI Act high-risk classification happens — the gate that decides whether the heavier obligations (Articles 26 and beyond) apply to a given system at all. Under the 2026 Digital Omnibus, the high-risk rules for Annex III systems apply from December 2027, so the work between now and then is knowing which of your AI uses will land inside the gate.

When an Annex III use case becomes high-risk

Article 6(2) points to Annex III: an AI system is high-risk when it is used in one of the listed areas. The ones most operators touch:

  • Employment & worker management — CV screening, candidate ranking, task allocation, performance or promotion decisions.
  • Access to essential services — creditworthiness and credit scoring, insurance risk and pricing, eligibility for public benefits.
  • Education & vocational training — admissions, scoring, proctoring, and assessment of learning outcomes.
  • Critical infrastructure — safety components in the management and operation of utilities, traffic, and supply.
  • Law enforcement, migration & border control, and the administration of justice.

Article 6(1) adds a second route: AI acting as a safety component of a regulated product (under the Union harmonisation legislation in Annex I) that requires third-party conformity assessment is high-risk too.

The Article 6(3) filter — not every Annex III use is high-risk

An Annex III system is not automatically high-risk. Article 6(3) carves out systems that do not pose a significant risk of harm to health, safety, or fundamental rights — typically because the system only:

  • performs a narrow procedural task;
  • improves the result of a previously completed human activity;
  • detects decision-making patterns without replacing or influencing the human assessment; or
  • performs a preparatory task for an Annex III assessment.

The important exception: a system that carries out profiling of natural persons is always high-risk — the 6(3) filter never applies to it.

Classification is per use case, not per app

The same tool can be high-risk in one workflow and out of scope in another. A general chat assistant is minimal-risk when it drafts internal notes and high-risk the moment it ranks job applicants. So the unit of classification is the use case × context, not the vendor or the app — which means you cannot answer "are we high-risk?" from a software inventory alone; you need to see how each tool is actually used.

Shield's lever: Discovery surfaces which AI tools are in use across the browser, and the audit log shows what actually flows into them — the raw material for a use-case-level classification rather than a guess per app.

What to inventory now (before December 2027)

The organisations that meet Article 6 calmly are the ones that, well ahead of the date, can list: every AI tool in use, the workflows each one sits in, and which of those workflows fall in an Annex III area. Applying the EU AI Act & GDPR Starter bundle from the preset library starts that inventory today, so the classification work is a review — not a discovery scramble — when the obligations land.

Was this article helpful?

Related articles

EU AI Act Article 50 — Transparency obligations

Article 50 sets the EU AI Act transparency obligations: AI chatbots must disclose they are AI, and AI-generated content and deepfakes must be marked. Applicable from 2 August 2026, with a narrow Article 50(2) marking transition to 2 December 2026 for pre-existing systems.

Read article

EU AI Act Article 4 — AI literacy

Article 4 requires a sufficient level of AI literacy in your workforce — already in force. What that means in practice, and how Shield turns it into an operational program.

Read article

EU AI Act Article 5 — Prohibited practices

Article 5 bans AI practices deemed unacceptable — already in force. What is prohibited, why shadow AI is your exposure, and how Shield keeps prohibited-class tools out.

Read article

EU AI Act Article 26 — Deployer obligations

Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.

Read article

Still stuck?

Send us the details — we answer within one business day.

Contact support

On this page

  • When an Annex III use case becomes high-risk
  • The Article 6(3) filter — not every Annex III use is high-risk
  • Classification is per use case, not per app
  • What to inventory now (before December 2027)

Subscribe to our newsletter

Product and governance updates — see our privacy policy.

AI security and control for every model your team uses.

Built in Dubai. Designed for teams operating across regions, models, and regulatory environments.

  • Product

    • Shield Web
    • Shield Control
    • Shield Desktop
    • Shield Mobile
    • Pricing
    • Download
  • Solutions

    • For CISOs
    • For Operations
    • For AI Teams
  • Use Cases

    • AI Governance
    • AI Agent Security
    • LLM Access Control
    • Secure AI Deployment
    • Enterprise Operations
    • Financial Services
  • Resources

    • Help Center
    • Blog
    • Guides
    • Glossary
    • Changelog
    • AI Risk Calculator
    • Compare
    • FAQ
  • Company

    • About
    • Careers
    • Security & Trust
    • Contact
  • Legal

    • Legal
    • Privacy
    • Terms
    • Partner Terms
    • GDPR / DPA

© 2026 Qadar AI. All rights reserved. EU data residency available for Enterprise customers.