---
title: "Are industry AI use cases high-risk under EU AI Act Annex III?"
canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases"
source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases"
author: "Sorena AI"
description: "FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep."
published_at: "2026-05-09"
updated_at: "2026-05-17"
keywords:
  - "EU AI Act Annex III"
  - "Article 6 high-risk AI"
  - "industry AI use cases"
  - "Article 6(3)"
  - "EU database AI systems"
  - "EU AI Act"
  - "Annex III"
  - "Article 6"
  - "high-risk AI"
  - "EU database"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Are industry AI use cases high-risk under EU AI Act Annex III?

FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.

*FAQ* *EU AI Act*

## Are industry AI use cases high-risk under Annex III?

Not every industry AI use case is high-risk under the EU AI Act. Annex III is triggered by the system's intended purpose in listed sensitive areas, and Article 6(3) can support a documented non-high-risk conclusion for narrow or preparatory systems that do not materially influence decisions.

Use this FAQ to separate ordinary industrial analytics, safety-component cases, Annex III use cases, Article 6(3) exceptions, and EU database registration consequences.

EU AI Act Annex III does not make all AI used by industry high-risk. The classification turns on Article 6: product safety-component cases under Article 6(1), listed Annex III intended purposes under Article 6(2), and the limited Article 6(3) non-high-risk exception for systems that do not pose a significant risk of harm, including because they do not materially influence decision-making.

## What is the direct answer for industry AI use cases?

An industry AI use case is high-risk under Annex III only when the AI system is intended to be used for one of the listed Annex III areas or when it separately meets the product safety-component rule in Article 6(1). The Commission FAQ explains that high-risk classification is based on intended purpose: the function performed by the system and the specific purpose and modalities for which it is used.

For industrial teams, that means a predictive-maintenance dashboard, production-quality analytics tool, or internal knowledge assistant is not high-risk merely because it is used in a factory, utility, insurer, bank, or public-sector supplier. The question is whether the intended purpose matches a listed high-risk use case, such as safety components in specified critical infrastructure, recruitment, worker management, creditworthiness, life or health insurance risk assessment and pricing, emergency triage or dispatch, biometric use, education, law enforcement, migration, justice, or democratic processes.

- Start with the provider's intended purpose, instructions for use, technical documentation, sales materials, and actual deployment context.
- Check Article 6(1) first if the AI is a product or safety component covered by Annex I legislation and the product requires third-party conformity assessment.
- Check Article 6(2) and Annex III next if the system is used for a listed area involving people, rights, access, employment, public services, infrastructure safety, or public authority decisions.
- Do not classify a system as high-risk just because the customer is in an industrial sector or the model uses operational, employee, financial, or safety-related data.
- Treat profiling of natural persons differently: Article 6(3) says an Annex III system is always high-risk where it performs profiling of natural persons.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports the Article 6 classification sequence, Annex III high-risk areas, Article 6(3) exception, provider documentation duty, and Annex VIII registration fields.
- [European Commission FAQ - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Supports the intended-purpose classification approach and Commission examples of Annex III high-risk areas.

## Which Annex III boundaries matter most for industry?

The practical boundary is not the customer's industry label; it is the legal use case. Annex III covers eight areas: biometrics; critical infrastructure; education and vocational training; employment, workers' management and access to self-employment; access to essential private and public services and benefits; law enforcement; migration, asylum and border control management; and administration of justice and democratic processes.

Industrial uses most often need closer review where the AI affects natural persons or safety-critical infrastructure. Examples include recruitment screening for plant workers, task allocation or performance monitoring based on worker behaviour, credit scoring of natural persons, life or health insurance pricing, emergency-call triage, biometric identification, emotion recognition, or an AI safety component in road traffic, critical digital infrastructure, or water, gas, heating or electricity supply. By contrast, equipment-failure forecasting, inventory planning, energy-use optimisation, document search, or translation may fall outside Annex III if they do not serve a listed intended purpose.

- Critical infrastructure: check whether the AI is a safety component in management or operation of critical digital infrastructure, road traffic, or water, gas, heating or electricity supply.
- Employment and worker management: check recruitment, candidate evaluation, task allocation based on personal traits or behaviour, and worker performance or behaviour monitoring.
- Essential services: check eligibility for public benefits, creditworthiness of natural persons, life and health insurance risk assessment and pricing, and emergency response triage or dispatch.
- Biometrics: distinguish permitted remote biometric identification, sensitive biometric categorisation, and emotion recognition from simple verification whose sole purpose is confirming a claimed identity.
- Public-authority areas: law enforcement, migration, asylum, border control, justice, and democratic-process use cases need specific legal-purpose review and may have restricted registration visibility.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Provides the full Annex III list and the Article 3 definition of intended purpose used to classify borderline industry systems.
- [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Supports the public Commission explanation that high-risk systems include safety components in critical infrastructure and other listed sensitive uses.

## When can Article 6(3) support a non-high-risk conclusion?

Article 6(3) is an exception to the Annex III rule, not a shortcut around it. It can apply where an Annex III-referred system does not pose a significant risk of harm to health, safety, or fundamental rights, including because it does not materially influence the outcome of decision-making.

The supported conditions are narrow: a narrow procedural task; improving the result of a previously completed human activity; detecting decision-making patterns or deviations without replacing or influencing the prior human assessment without proper human review; or performing a preparatory task for an Annex III assessment. The exception is not available where the Annex III system performs profiling of natural persons, because Article 6(3) says such systems are always high-risk.

- Evidence for a narrow procedural task should show the system only structures, routes, deduplicates, translates, indexes, searches, or formats information without deciding the person-facing outcome.
- Evidence for improving a completed human activity should show the human decision or assessment was already complete before the AI improved wording, presentation, consistency checks, or other non-substantive output.
- Evidence for pattern or deviation detection should show the AI flags anomalies for proper human review and does not supersede or influence the underlying completed assessment.
- Evidence for a preparatory task should show the AI output has very low impact on the later Annex III assessment and is not treated as the deciding recommendation.
- If the system profiles natural persons, record that Article 6(3) cannot be used to classify the Annex III system as non-high-risk.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports the four Article 6(3) conditions, the profiling carve-out, the provider documentation duty, and the Article 49(2) registration link.
- [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Supports that providers concluding a system is not high-risk under Article 6(3) must register themselves and that system in the EU database.

## What provider evidence and EU database records should exist?

For an Annex III high-risk conclusion, provider evidence should connect the intended purpose to the relevant Annex III point, then show the high-risk system records needed for conformity, traceability, and registration. The Commission FAQ identifies provider obligations before EU market placement or putting into service, including conformity assessment, quality management, and EU database registration.

For an Article 6(3) non-high-risk conclusion, the evidence should be different: it should explain the condition relied on, the grounds for the non-high-risk conclusion, and why the system does not materially influence a decision or otherwise pose significant risk. Annex VIII Section B specifically includes the Article 6(3) condition or conditions and a short summary of the grounds for treating the system as not high-risk.

- High-risk provider registration evidence: provider contact details, AI system trade name, intended purpose, supported functions, inputs and operating logic, status, Member States, EU declaration of conformity, instructions for use, and certificate details where applicable.
- Article 6(3) provider evidence: provider contact details, AI system trade name, intended purpose, the Article 6(3) condition relied on, short grounds for the non-high-risk conclusion, system status, and Member States where made available or used.
- Public-authority deployer evidence: when Article 49(3) applies, record the deployer details, the person submitting information, the system selected, and the registered use before putting the system into service or using it.
- Visibility boundary: most Article 49 registrations feed the EU database, but Article 49 provides secure non-public registration for specified law enforcement, migration, asylum, and border-control systems, and national-level registration for Annex III point 2 critical infrastructure systems.
- Change trigger: reassess the classification when intended purpose, user population, human-review design, instructions for use, deployment setting, or supplier claims change.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Supports Annex VIII registration fields for high-risk systems, Article 6(3) non-high-risk systems, and public-authority deployer registration.
- [European Commission FAQ - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Supports provider and deployer obligation summaries for high-risk systems, including conformity assessment, quality management, monitoring, human oversight, and EU database registration.
- [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Supports registration timing, public-authority deployer registration, secure non-public sections, and national-level registration for Annex III point 2 critical infrastructure systems.

## Primary sources

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for Article 6 classification, Annex III areas, Article 6(3), provider documentation, Article 49, Article 71, and Annex VIII registration fields.
  - Quote: "Classification rules for high-risk AI systems"
- [European Commission FAQ - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ source for intended-purpose classification, examples of Annex III high-risk areas, provider obligations, deployer obligations, and EU database context.
  - Quote: "Annex III of the AI Act comprises 8 areas"
- [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Official Service Desk source for Article 49 registration requirements for high-risk Annex III systems, Article 6(3) non-high-risk conclusions, public-authority deployers, restricted sections, and national-level critical-infrastructure registration.
  - Quote: "Before placing on the market or putting into service"
- [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission policy source for the risk-based framework and high-risk examples, including safety components in critical infrastructure.
  - Quote: "AI safety components in critical infrastructures"

## Topic Guides

- [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
- [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
- [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
- [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
- [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
- [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
- [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
- [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
- [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
- [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
- [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
- [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
- [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
- [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
- [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
- [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
- [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
- [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
- [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
- [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
- [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
- [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
- [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
- [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
- [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
- [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
- [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
- [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
- [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
- [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
- [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
- [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
- [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.

*Recommended next step*

*Placement: before sources*

## Turn Article 6 and Annex III boundaries into a repeatable review

Sorena can help convert intended-purpose facts, Article 6(3) exception evidence, provider records, and EU database registration fields into a grounded EU AI Act review workflow.

- [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about Annex III, Article 6 classification, provider evidence, and EU database registration using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your industry AI use-case inventory, Article 6(3) exception evidence, and Annex III registration implications with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases