Artifact GuideEU

EU AI Act High-Risk AI Use Cases by Industry

Classify industry AI systems under the EU AI Act by separating Article 6 product-safety routes from Annex III use cases.

Use this page to spot likely high-risk systems, document carveouts, assign provider and deployer work, and avoid treating every AI feature as the same risk class.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The EU AI Act has two main high-risk routes. Article 6(1) covers AI used as a safety component of, or itself constituting, a product covered by Annex I Union harmonisation legislation when that product route requires third-party conformity assessment. Article 6(2) separately makes the Annex III use cases high-risk, subject to the Article 6(3) non-high-risk carveout and the rule that Annex III systems performing profiling of natural persons remain high-risk.

Section 1

Start with the two Article 6 routes

Do not classify by industry label alone. A hospital, bank, manufacturer, school, recruiter, utility, or public authority can have low-risk, limited-risk, prohibited, and high-risk AI in the same portfolio.

First test Article 6(1): is the AI system a safety component of a covered product, or the product itself, under Annex I product legislation, and is third-party conformity assessment required under that sector law? Then test Article 6(2): is the intended purpose one of the Annex III use cases?

  • Article 6(1) route: product-safety sectors such as machinery, toys, radio equipment, medical devices, in vitro diagnostic medical devices, lifts, pressure equipment, personal protective equipment, vehicles, rail, aviation, marine equipment, and related Annex I legislation.
  • Article 6(2) route: Annex III areas covering biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and border control, justice, and democratic processes.
  • Article 6(3) carveout: some Annex III systems are not high-risk if they do not pose a significant risk of harm, including where they only perform a narrow procedural task, improve a completed human activity, detect decision-pattern deviations without replacing or influencing human assessment, or perform a preparatory task.
  • Profiling limit: an Annex III system that performs profiling of natural persons is always treated as high-risk under Article 6(3).
  • Evidence to keep: intended purpose, user context, affected natural persons, product-safety route if any, Annex III category if any, carveout reasoning if used, and the role responsible for provider or deployer duties.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary legal text for Article 6 classification, Annex I product-law routes, Annex III use cases, and Article 6(3) carveouts.
European Commission - Navigating the AI Act
Commission FAQ explaining that high-risk classification is based on intended purpose, product safety legislation, and Annex III use cases.
Section 2

Industry examples that often trigger Annex III

Annex III is best read as a use-case list, not a complete industry list. The same industry can appear under multiple Annex III headings depending on what the AI system is intended to do.

Use the examples below as classification prompts. They do not make every AI system in that industry high-risk; the intended purpose and actual deployment context still control the answer.

  • Biometrics and security: remote biometric identification, sensitive biometric categorisation, and emotion recognition can fall under Annex III when permitted by relevant Union or national law; biometric verification used only to confirm a claimed identity is excluded from the remote biometric identification entry.
  • Energy, transport, water, gas, heating, and digital infrastructure: AI used as a safety component in managing critical digital infrastructure, road traffic, or supply of water, gas, heating, or electricity is an Annex III critical-infrastructure use case.
  • Education and vocational training: admissions ranking, assignment to institutions, learning-outcome evaluation, education-level assessment, and exam-proctoring systems for prohibited behaviour are Annex III use cases.
  • HR, staffing, and platform work: targeted job ads, CV screening, candidate evaluation, promotion or termination decisions, task allocation based on behaviour or personal traits, and worker performance monitoring map to the employment Annex III category.
  • Banking, insurance, healthcare access, and public services: creditworthiness or credit scoring, life and health insurance risk assessment and pricing, public-benefit eligibility decisions including healthcare services, and emergency-call triage or dispatch prioritisation are Annex III use cases.
  • Public sector, justice, and civic processes: law-enforcement risk tools, evidence reliability tools, migration and asylum risk or application-assistance tools, judicial legal-research tools used for concrete cases, and AI intended to influence elections or voting behaviour can fall under Annex III.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Annex III source for the listed high-risk areas and sector examples.
European Commission - AI Act regulatory framework
Commission overview summarising high-risk areas such as critical infrastructure, education, employment, essential services, biometrics, law enforcement, migration, asylum, and border control.
Section 3

Product-safety sectors: when Annex I matters

Annex I matters where the AI system is tied to product safety. The classification question is not simply whether a manufacturer uses AI; it is whether the AI is the product, or a safety component of a covered product, and whether that sector route requires third-party conformity assessment.

This route is especially relevant for AI in regulated physical products or safety-critical software embedded in them. It can sit alongside sector obligations under medical-device, machinery, vehicle, aviation, rail, radio-equipment, toy, lift, pressure-equipment, personal-protective-equipment, and other Annex I regimes.

  • Medical and in vitro diagnostic devices: AI diagnostic, triage, imaging, or monitoring systems may need an Article 6(1) check where they are the device or a safety component of a device subject to the relevant sector conformity route.
  • Industrial equipment and machinery: AI controlling protective stops, robot motion, safety interlocks, or equipment behaviour should be checked against the machinery and related Annex I routes before relying only on Annex III.
  • Mobility and transport: driver-assistance, vehicle-safety, rail, aviation, unmanned-aircraft, and marine-equipment AI can require product-safety analysis under the sector legislation listed in Annex I.
  • Consumer and workplace products: toys, lifts, pressure equipment, gas appliances, personal protective equipment, radio equipment, and equipment for explosive atmospheres need an Article 6(1) screen where AI affects safety performance.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary source for Article 6(1) and the Annex I list of Union harmonisation legislation.
European Commission - Navigating the AI Act
Commission FAQ gives examples of product-safety high-risk systems, including robots, drones, and medical devices.
Section 4

Exclusions and carveouts to record before assigning obligations

A useful high-risk register should show why a system is high-risk and why nearby systems are not. This avoids over-scoping low-risk tools and under-scoping systems that make or influence decisions about people.

The AI Act also contains scope exclusions that should be separated from Article 6(3). An Article 2 exclusion means the Regulation does not apply to that activity or actor in the described circumstances; an Article 6(3) carveout is a classification result for an Annex III system that would otherwise be high-risk.

  • Article 2 scope exclusions include areas outside Union law, military, defence or national security purposes, certain scientific research and development uses, pre-market research, testing and development activity, purely personal non-professional deployer use, and free and open-source AI systems unless they are placed on the market or put into service as high-risk systems or systems under Article 5 or Article 50.
  • Article 6(3) carveouts must be documented before placing the Annex III system on the market or putting it into service, and providers using the carveout are subject to Article 49(2) registration.
  • Examples that may need carveout analysis include a HR tool that only formats a completed human interview note, a school dashboard that only prepares administrative lists, or a credit model monitor that detects deviations without influencing a previously completed human assessment.
  • Do not use a carveout for systems that profile natural persons in an Annex III use case, or for systems that materially influence decision-making outcomes affecting health, safety, or fundamental rights.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary legal text for Article 2 scope exclusions and Article 6(3) high-risk carveouts.
AI Act Service Desk - Article 6
Official Service Desk article page for the Article 6 classification rule and the non-high-risk assessment record.
Section 5

Provider and deployer boundaries for industry teams

High-risk classification is only the start. The work changes depending on whether the organisation is the provider placing the system on the market or putting it into service, a deployer using it under its authority, or another operator in the value chain.

Industry teams should avoid pushing all work to either legal or the vendor. The provider usually owns conformity, technical documentation, quality management, logs under its control, registration, CE marking where required, and corrective actions. The deployer owns use according to instructions, human oversight, monitoring, input data under its control, workplace and affected-person notices where applicable, and some registration or impact-assessment duties.

Are all AI tools in banking, HR, healthcare, or education automatically high-risk under the EU AI Act?

No. The AI Act classifies by intended purpose and route, not by industry name alone. A creditworthiness tool, recruitment-screening system, medical-device AI, or admissions-ranking system may be high-risk, while a general drafting assistant or internal analytics tool in the same organisation may fall outside Article 6 high-risk classification unless another AI Act rule applies.

When can an Annex III EU AI Act system be treated as not high-risk?

Article 6(3) allows a non-high-risk result for some Annex III systems that do not pose a significant risk of harm, such as systems limited to narrow procedural, preparatory, improvement, or decision-pattern detection tasks. The provider must document that assessment before market placement or putting into service, register under Article 49(2), and cannot use this route for Annex III systems that perform profiling of natural persons.

  • Provider evidence: intended purpose, Article 6 route, Annex I or Annex III mapping, requirements testing, technical documentation, quality management system, conformity assessment route, declaration of conformity, registration, post-market monitoring, and corrective-action process.
  • Deployer evidence: instructions for use, local use case, human oversight assignment, input-data checks where the deployer controls inputs, monitoring records, incident escalation, worker notices for workplace use, affected-person notices for Annex III decision support, and FRIA where Article 27 applies.
  • Procurement evidence: contract clauses and supplier records should show the provider/deployer split, access to instructions for use, logs or monitoring data where available, escalation contacts, change-notification triggers, and whether the system is registered when required.
  • Change triggers: reassess classification after substantial modification, new intended purpose, new sector deployment, new affected-person category, new product-safety use, or a switch from internal support to decision assistance about natural persons.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary legal text for Articles 16, 26, and 27 provider, deployer, and fundamental-rights-impact-assessment duties.
European Commission - Navigating the AI Act
Commission FAQ summarising provider and deployer obligations for high-risk AI systems in practical terms.
Recommended next step

Turn industry use cases into a sourced Article 6 register

Sorena can help turn product, vendor, and deployment facts into a cited high-risk classification register with Article 6 routes, Annex III categories, carveout records, and provider/deployer evidence requests.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about Article 6, Annex I product-safety routes, Annex III use cases, and provider or deployer duties.

Explore next step
Talk to Sorena
Talk through implementation

Review your AI system inventory, high-risk classification evidence, and supplier/deployer responsibility split with Sorena.

Explore next step
Primary sources

References and citations

AI Act Service Desk - Article 6
ai-act-service-desk.ec.europa.eu
Referenced sections
  • Official Service Desk article page for the Article 6 classification rule and the non-high-risk assessment record.
"Classification rules for high-risk AI systems"
European Commission - AI Act regulatory framework
digital-strategy.ec.europa.eu
Referenced sections
  • Commission overview summarising high-risk areas such as critical infrastructure, education, employment, essential services, biometrics, law enforcement, migration, asylum, and border control.
"AI use cases that can pose serious risks"
European Commission - Navigating the AI Act
digital-strategy.ec.europa.eu
Referenced sections
  • Commission FAQ summarising provider and deployer obligations for high-risk AI systems in practical terms.
"What are obligations of deployers of high-risk AI systems?"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Primary legal text for Articles 16, 26, and 27 provider, deployer, and fundamental-rights-impact-assessment duties.
"Obligations of providers and deployers of high-risk AI systems"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.