EU AI Act
Last updated: Dec 15, 2025
Annex III high-risk list (with examples)
A practical “does this look like Annex III?” checklist with examples and evidence pointers.
Orientation only. Not legal advice.
Who this matters for
Compliance, engineering, and product teams trying to classify a use case fast.
What you’ll leave with
A checklist, typical examples, and the evidence you need to defend your classification.
Fast checklist
- Is the system used to make or support decisions in employment/hiring/worker management?
- Does it affect access to education, essential private/public services, or creditworthiness?
- Is it used in critical infrastructure, healthcare operations, or safety-related contexts?
- Does it involve biometric identification/categorization in high-stakes settings?
- If unsure: treat as “potential high-risk” and start evidence capture immediately.
Typical examples (non-exhaustive)
- Hiring: screening, ranking, interview scoring, performance prediction
- Credit/insurance: creditworthiness scoring, fraud/eligibility decision support
- Healthcare: triage support, eligibility/prioritization, operational decision support
- Biometrics: identity verification and categorization in sensitive contexts
Evidence you keep
- Intended purpose and boundaries (“what it is not used for”)
- Classification rationale + approvals (who decided, when)
- Risk register + mitigation verification
- Annex IV-aligned technical documentation draft
- Operational logs showing oversight, interventions, and releases
Next step: artifacts
Compliance work gets funded when the output is forwardable. Use the starter templates to convert obligations into controls and evidence.
