EuroComply

High-Risk AI System

The EU AI Act's concept of a high-risk AI system is the regulation's central regulatory category — it is where the vast majority of substantive obligations sit, and where most compliance effort for commercial AI applications must be focused. High-risk AI systems are defined in Article 6 and Annex III, and the classification has two tracks. The first track covers AI systems that are themselves safety components of products subject to existing EU product safety legislation — such as the Machinery Regulation, the Medical Devices Regulation, or the Radio Equipment Directive — where those products require a third-party conformity assessment. The second track, which is far broader in commercial significance, covers AI systems in eight use-case categories listed in Annex III: biometric identification and categorisation of natural persons; management and operation of critical infrastructure; education and vocational training; employment, workers management, and access to self-employment; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum, and border control management; and administration of justice and democratic processes. With certain exceptions for narrow or low-risk applications, an AI system that falls into these Annex III categories is presumed high-risk.
Before deploying such a system, providers must implement a risk management system under Article 9; use high-quality training, validation, and testing datasets under Article 10; produce and maintain Annex IV technical documentation under Article 11; build in automatic event logging under Article 12; ensure transparency to deployers under Article 13; design for effective human oversight under Article 14; achieve appropriate levels of accuracy, robustness, and cybersecurity under Article 15; and complete a conformity assessment and register the system in the EU database before placing it on the market.
For an EU SME deploying AI, the critical threshold question is whether the system materially influences an outcome that significantly affects a person's access to employment, services, education, or similar consequential domains. Getting this classification wrong — deploying a system that should be classified as high-risk without the required documentation and assessment — can result in fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

Related terms

EU AI Act

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework for artificial intelligence. Published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024 and applies in phases over a 36-month transition period. The regulation applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of whether the provider is established inside or outside the Union. It also applies to deployers — organisations that use AI systems in a professional context — when those systems are classified as high-risk. The Act classifies AI systems into four risk tiers. Unacceptable-risk practices (Article 5) are prohibited outright and have applied since 2 February 2025. Limited-risk systems — such as chatbots — carry transparency obligations requiring users to be informed they are interacting with AI. Minimal-risk systems face no mandatory requirements. High-risk systems, defined in Article 6 and Annex III, are the Act's main regulatory target: they must meet requirements covering risk management, training data governance, technical documentation (Annex IV), logging, transparency, human oversight, accuracy, and robustness before being placed on the market. For EU SMEs, the most pressing deadline is 2 August 2026, when obligations for high-risk AI systems under Annex III fully apply. If your business uses AI in hiring decisions, creditworthiness assessment, access to essential services, or safety-critical operations, you are almost certainly in scope. The Act also introduces requirements for General Purpose AI models (Chapter V) — large foundational models such as those underlying popular AI tools. Penalties are steep: up to €35 million or 7% of global annual turnover for deploying prohibited AI, up to €15 million or 3% for violations of other obligations, and up to €7.5 million or 1.5% for supplying incorrect information to regulators. 

Annex IV Technical Documentation

Annex IV of the EU AI Act specifies the technical documentation that providers of high-risk AI systems must draw up and maintain under Article 11. This documentation is the evidentiary record that demonstrates a high-risk AI system was designed, built, and validated in compliance with the Act's requirements. It must be kept up to date throughout the system's lifecycle and made available to national market surveillance authorities and notified bodies on request. The Annex IV documentation requirement is substantial. It must include: a general description of the AI system, including its intended purpose, the version placed on the market, and how it interacts with hardware and software; a detailed description of the design specifications, including general logic, key design choices, the assumptions made, and the limitations of the system; a description of the system architecture and processes involved in developing and monitoring the system; a description of the training and testing methodologies used, including the datasets used and the validation approach; a description of the technical measures for human oversight under Article 14; a copy of the EU declaration of conformity; detailed information on the monitoring, functioning, and control of the AI system; and the results of all tests carried out to demonstrate conformity with Article 15 requirements on accuracy, robustness, and cybersecurity. For a provider deploying an AI system under its own name, this documentation must exist before the system is placed on the EU market or put into service. For deployers using a third-party high-risk system, the documentation obligation sits with the original provider, but deployers must be able to obtain it and understand it sufficiently to fulfil their own obligations around human oversight and monitoring. 
For an EU SME developing AI products in the high-risk categories, Annex IV documentation is best treated as a continuous engineering artefact rather than a compliance document produced after the fact. Regulators evaluating a system will look for evidence that the documentation reflects actual design decisions, not post-rationalisation. Failure to produce adequate technical documentation — or producing documentation that is found to be misleading — can attract fines of up to €15 million or 3% of global annual turnover.

Conformity Assessment

Conformity assessment is the process by which a high-risk AI system is evaluated against the requirements of the EU AI Act before it is placed on the market or put into service in the EU. It is a mandatory gate through which all high-risk AI systems must pass, and it results in the provider drawing up an EU declaration of conformity and affixing a CE mark to the system (or its documentation, where the physical product does not accommodate marking). The EU AI Act provides two routes to conformity assessment. The first, available for most high-risk AI systems listed in Annex III, is internal conformity assessment — sometimes called self-assessment. The provider carries out its own assessment, working through a checklist of the Act's requirements, generating Annex IV technical documentation, and drawing up the declaration of conformity. This self-assessment route mirrors the approach used for many CE-marked products and places the entire burden of demonstrating compliance on the provider. The second route applies to AI systems listed in Annex III paragraph 1(a) — remote biometric identification systems intended to be used in publicly accessible spaces — and paragraph 6 when used by law enforcement. These systems require third-party assessment by a notified body: an independent, accredited conformity assessment organisation designated by an EU member state and notified to the European Commission. The notified body examines the technical documentation, audits processes, and issues an EU-type examination certificate if the system meets the requirements. For an EU SME, understanding which route applies to your specific AI system is the critical first step. Even for self-assessed systems, the documentation burden is substantial and the declaration of conformity is a legal statement for which the provider takes direct responsibility.
Market surveillance authorities can challenge conformity assessments, require additional evidence, and in cases of non-conformity order withdrawal from the market and suspension of services. Placing a non-conforming high-risk AI system on the market can attract fines of up to €15 million or 3% of global annual turnover.

GPAI — General Purpose AI

General Purpose AI models — universally abbreviated as GPAI — are defined in EU AI Act Article 3(63) as AI models trained on large amounts of data using self-supervision at scale that display significant generality and are capable of competently performing a wide range of distinct tasks. In practical terms, this covers the large language models and foundation models that underlie popular AI tools and APIs: systems capable of generating text, code, images, and other outputs across multiple domains. The GPAI provisions occupy Chapter V of the Act, comprising Articles 51 through 56, and have applied since 2 August 2025. All GPAI model providers must comply with a baseline set of obligations regardless of model scale. Under Article 53, they must draw up and keep up to date technical documentation containing information specified in Annex XI; establish and publish a policy to comply with EU copyright law, including identifying and honouring reservations of rights for training data; and make publicly available a summary of the training data used, sufficient to provide meaningful transparency. For GPAI models deemed to pose systemic risk — those trained using compute exceeding a threshold of 10 to the power of 25 floating point operations — additional obligations apply under Article 55. These include performing model evaluations including adversarial testing before release and after significant updates, assessing and mitigating systemic risks, reporting incidents and malfunctions to the European AI Office, and implementing cybersecurity measures proportionate to the risk. The European AI Office is the primary enforcement body for GPAI models, with powers to request documentation, carry out evaluations, and impose fines. For an EU SME using a GPAI model via an API or embedding it in a product, you are typically a deployer rather than a provider — most of the Chapter V obligations sit with the model provider.
However, if your product integrates a GPAI model into a high-risk use case, the high-risk provisions of Title III apply to your system. Fines for GPAI providers in breach of their obligations can reach €15 million or 3% of global annual turnover.