High-risk AI under the AI Act
When is an AI system high-risk, and which obligations apply? All files on high-risk AI — classification (Annex III, art. 6), obligations, documentation and enforcement — together, each traceable to its primary source.
The Digital Omnibus file: what shifts, what stands, and what remains to be done
The 7 May 2026 political agreement on the Digital Omnibus shifts the heaviest AI Act dates. On 16 June 2026 the European Parliament adopted the text (423-57-174); only the Council's adoption and Official Journal publication remain. What shifts, what stands, and what is still to be done.
Right to explanation of an AI decision: what Article 86 of the AI Act gives you
If you are affected by a decision based (in part) on a high-risk AI system, Article 86 of the AI Act gives you the right to a clear explanation of the AI system's role and the main elements of the decision — from the deployer, on top of your GDPR rights.
Provider or deployer in HR AI: who is what?
In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.
AI in onboarding and internal mobility: where is the line?
Talent marketplaces, skills matching and career paths with AI seem neutral, but they reach the high-risk line as soon as they steer promotion or progression decisions (Annex III, point 4). Then the AI Act, GDPR, transparency and equal opportunity apply internally too.
Buying HR AI: the vendor due-diligence checklist for ATS software
Procuring HR AI or ATS software means inheriting AI Act obligations. This checklist gives the questions to ask the vendor before you sign — high-risk or not, CE marking, technical documentation, bias tests, logging — plus the contractual safeguards and the oversight that follows.
DPIA for HR AI: when is it mandatory and how do you combine it with the FRIA?
A DPIA (Art. 35 GDPR) is mandatory for large-scale, systematic monitoring and for high-risk AI in HR. This article explains what it must contain and how to combine the DPIA with the FRIA (fundamental rights assessment, Art. 27 AI Act) into one process. With a practical step plan.
Making HR AI compliant: a six-phase roadmap
A practical roadmap to make HR AI compliant: inventory every system, classify by risk, run a DPIA and FRIA, inform workers and involve the works council, set up human oversight, logging and bias monitoring, and lock down supplier arrangements.
AI matching in temporary agency work and secondment: who is responsible for what?
Matching AI in agency work and secondment is high-risk (recruitment). The tool vendor is usually the provider and the agency the deployer; the hirer can become co-responsible. The GDPR demands a clear allocation of roles.
AI analysis of video interviews: is it allowed?
Video AI that scores face, voice or "personality" is high-risk under the AI Act. Inferring emotions in the workplace is also prohibited. Its validity is questionable and the GDPR bar is high.
AI fraud detection by government: the lessons after SyRI
After the SyRI ruling (District Court of The Hague, 2020) and the Dutch childcare-benefits scandal, government fraud detection with AI is high-risk under Annex III. The lessons: no opaque risk scores, no proxy discrimination, but proportionality, explainability and a rights assessment.
Real-world testing and regulatory sandboxes (Articles 57-60)
The AI Act offers two controlled testing routes: regulatory sandboxes under supervision (Articles 57-59) and testing in real-world conditions outside the sandbox (Article 60). Both carry strict safeguards, such as informed consent and the right to have data erased.
The EU declaration of conformity under the AI Act (Article 47)
The EU declaration of conformity is the written statement by which the provider itself confirms that a high-risk AI system meets the AI Act. Article 47 sets out its content, language and retention; the provider bears full responsibility for it.
The authorised representative for non-EU providers (Article 22)
A provider established outside the EU must appoint a written authorised representative in the Union before placing a high-risk AI system on the market. Article 22 makes that person the European point of contact for authorities, with its own duties and power to end the mandate.
Distributor duties under the AI Act (Article 24)
A distributor makes a high-risk AI system available without being its provider or importer. Article 24 asks for a lighter but real check: confirm CE marking, declaration of conformity and documentation are present, and do not pass it on where there is doubt.
Importer duties under the AI Act (Article 23)
Anyone placing a high-risk AI system from outside the EU on the market is an importer and must verify before import that the provider has handled conformity. Article 23 makes the importer a gatekeeper, with its own recording, retention and stop duties.
CE marking and notified bodies for high-risk AI
High-risk AI receives a CE marking after a successful conformity assessment. Sometimes the provider assesses itself; sometimes an independent notified body must be involved. This guide explains when each route applies and what the CE marking means.
Instructions for use and transparency to the deployer: Article 13
Article 13 requires high-risk AI to be transparent enough and to come with instructions that let the deployer understand and use the system correctly. Those instructions must cover purpose, performance, limits and oversight measures. This guide explains what belongs in them.
Accuracy, robustness and cybersecurity: Article 15 of the AI Act
Article 15 requires high-risk AI to achieve an appropriate level of accuracy, robustness and cybersecurity across its lifetime. The system must withstand errors, faults and attacks such as data poisoning and adversarial input. This guide explains what that means.
Record-keeping and logging: what does Article 12 of the AI Act require?
Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime. Logging enables risk monitoring, traceability and after-the-fact investigation. This guide explains what the logs must contain at minimum and how long to keep them.
Designing human oversight: what does Article 14 of the AI Act require?
Article 14 requires providers of high-risk AI to build in effective human oversight. People must be able to understand the output, ignore it, override it or stop the system — and resist automation bias. This guide explains how to design that.
Explainability and transparency of government algorithms: FRIA and the register
Transparency of government algorithms runs along two axes: collective openness via the algorithm register and the FRIA, and individual explanation to the citizen via administrative law and the GDPR. The AI Act requires intelligibility and logging. Explanation is a legal duty, not a favour.
Registering high-risk systems in the EU database (Article 49)
Article 49 of the AI Act requires providers and certain deployers to register high-risk systems in a public EU database before deployment. The registration makes visible which systems are on the market and is a condition for lawful use.
Post-market monitoring (Article 72) after deployment
Article 72 of the AI Act requires providers of high-risk AI to keep actively monitoring systems after deployment. A post-market monitoring system collects and analyses performance data throughout the lifetime and feeds risk management. Compliance does not end at market launch.
AI in the judiciary and justice: high-risk under Annex III
AI that assists judicial authorities in researching facts or applying the law is high-risk under Annex III of the AI Act. Purely administrative support falls outside it. The judge remains the decision-maker; AI may advise, not adjudicate.
Data quality and governance (Article 10): training, validation and test data
Article 10 of the AI Act sets requirements for the data used to train, validate and test high-risk AI. Datasets must be relevant, representative, as error-free as possible and complete, with attention to bias. Data governance makes these choices traceable.
Algorithmic decision-making in government: AI Act, admin law and GDPR Art. 22
An automated government decision sits under three regimes at once: the AI Act (high-risk), administrative law (reasoning and due care) and GDPR Art. 22 (no solely automated decision with legal effect). They stack; they do not replace one another.
Setting up and maintaining the risk management system (Article 9)
Article 9 of the AI Act requires providers of high-risk AI to run a continuous risk management system: identify, estimate, mitigate and keep monitoring risks throughout the system's lifetime. It is an iterative process, not a one-off analysis, and sits at the heart of the compliance regime.
AI in insurance: underwriting and pricing
AI for risk assessment and pricing in life and health insurance is high-risk under Annex III of the AI Act. Other lines are not automatically covered, but the GDPR, solidarity rules and the prohibition of discrimination apply broadly.
Procuring AI in government: AI Act compliance as a tender requirement
A public body that procures an AI system becomes a deployer under the AI Act, and sometimes a provider itself. Make compliance, documentation and the rights impact assessment hard tender requirements, not loose ends in the contract.
Technical documentation (Annex IV): what high-risk systems must include
Providers of high-risk AI must draw up technical documentation following Annex IV of the AI Act. This file describes the system, design, data, performance and risk management, and forms the basis for conformity assessment. It must stay current throughout the system's lifetime.
AI in credit scoring: high risk under the AI Act
AI that assesses consumer creditworthiness is high-risk under Annex III of the AI Act. On top of that come GDPR Article 22 (automated decisions) and the prohibition of discrimination. Three regimes at once, with bias control at the core.
AI in scheduling, planning and payroll: task allocation is high-risk
AI that assigns shifts, plans capacity or calculates pay falls under Annex III once it allocates tasks based on behaviour or traits. Beyond the AI Act, working-time rules, schedule predictability and the GDPR apply — plus the risk that dynamic scheduling disadvantages certain groups.
AI in learning and development (L&D): when learning is high-risk
AI that recommends learning looks harmless, but once it determines who gets access to training or career paths it engages Annex III (access to vocational training). The risk is unequal development opportunities; the GDPR and bias testing come with it.
Algorithmic management: AI that allocates and steers work, beyond platform work
Algorithmic management — AI that allocates tasks, steers performance and nudges behaviour — is not limited to delivery platforms. In ordinary organisations it falls under Annex III (task allocation, evaluation) and the GDPR, with human oversight and transparency at its core.
AI assessments and games in selection: high-risk, validity and accessibility
Gamified and psychometric AI assessments evaluate candidates and are therefore high-risk (Annex III). Three questions are decisive: does it really measure what matters, is it free of bias, and does it not exclude people with a disability? Emotion analysis via image or voice is moreover prohibited.
Recruitment chatbots: transparency duty and high-risk once they select
A recruitment chatbot must always disclose that it is AI (Art. 50). Once it pre-selects, scores or rejects candidates, it is also a high-risk system (Annex III), with human oversight and the GDPR on top. A "handy assistant" thus quickly becomes a decision tool.
Targeted job advertising with AI: high-risk and a discrimination risk
AI that shows job ads to specific groups falls explicitly under Annex III of the AI Act as high-risk. The biggest risk is discrimination: an algorithm that shows a vacancy mostly to young men invisibly excludes others. The GDPR and the DSA set additional limits.
Informing workers about AI: the transparency duty of Article 26
Before you deploy a high-risk AI system in the workplace, Article 26 of the AI Act requires you to inform the affected workers and their representatives. This duty sits alongside GDPR transparency and the works council's consent right — and is a separate, auditable step.
AI in evaluation, promotion and dismissal: high-risk beyond hiring
Annex III of the AI Act goes beyond recruitment: AI that helps decide on working conditions, promotion, termination, task allocation and performance evaluation is high-risk too. That catches performance tools and workforce systems many employers already use.
AI CV screening: why it is high-risk and what that requires
AI that filters, parses or ranks CVs is the most widely used HR AI — and falls under Annex III of the AI Act as high-risk. That applies to bought-in tools too. This explainer covers the duties, the bias risks and the employer's role.
The algorithm register: must governments publish their AI?
Dutch public bodies publish the algorithms they use in the national Algorithm Register, as a transparency instrument. In addition, the AI Act requires registration of high-risk AI in an EU database (Art. 49/71) — also for public authorities as deployers. Two registers, one aim: accountability.
AI proctoring and exam surveillance: is AI monitoring allowed?
AI proctoring (online exam surveillance) detects prohibited behaviour during tests and therefore falls under Annex III: high-risk. If the system infers emotions, it is even banned (Art. 5). The GDPR also requires a legal basis, proportionality and usually a DPIA — especially for minors.
AI as a medical device: the dual conformity (MDR + AI Act)
If your AI is a medical device, it must meet both the MDR (clinical evaluation, CE) and the AI Act (high-risk requirements). The regulations are meant to run together through a single conformity assessment and one notified body — not two separate tracks.
AI in government: what applies to the public sector?
AI that determines access to public services or benefits, or is used in law enforcement, migration or justice, is high-risk under the AI Act. As deployers, public bodies must often carry out a fundamental rights assessment (FRIA) and be transparent to citizens.
AI in education: what does the AI Act mean for schools and trainers?
AI that determines access to education, evaluates learning outcomes or monitors exam behaviour falls under Annex III and is high-risk. Emotion recognition in education is banned. The GDPR (often minors' data) and the AI-literacy duty also apply.
AI in healthcare: the AI Act and the Medical Device Regulation (MDR)
Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.
Can an algorithm reject a candidate? Automated decisions in recruitment
Rejecting a candidate fully automatically is in principle not allowed: GDPR Art. 22 prohibits decisions based solely on automated processing that significantly affect someone, unless safeguards apply. The AI Act adds human oversight and transparency for high-risk recruitment.
Monitoring employees with AI: what is allowed and what isn't?
AI monitoring of employees quickly clashes with the rules: emotion recognition at work is banned (Art. 5), performance monitoring can be high-risk (Annex III), and the GDPR requires a legal basis, transparency and proportionality. Continuous, intrusive monitoring is legally risky.
AI and discrimination in recruitment: how to prevent bias?
AI recruitment tools can discriminate unintentionally. For high-risk systems the AI Act requires representative, bias-examined data (Art. 10) and human oversight; equal-treatment law and the GDPR also apply. Mitigating bias is an obligation, not a good intention.
AI in recruitment and HR: what every employer needs to know
AI in recruitment, selection and workforce management falls under Annex III of the AI Act and counts as high-risk — for every employer, regardless of sector or size. Emotion recognition in the workplace is banned, AI literacy already applies, and the GDPR runs in parallel for automated decisions.
Which AI systems are high-risk? The Commission's draft Article 6 guidelines
On 19 May 2026 the Commission published draft guidelines on which AI systems are high-risk under Article 6: the two routes (Annex I and Annex III), the Article 6(3) filter and practical examples. Non-binding; the targeted consultation was extended to 23 July 2026, final text expected later in 2026.
The missing harmonised standards: why CEN-CENELEC's delay reshaped the AI Act timeline
High-risk AI Act compliance rests on harmonised European standards granting a presumption of conformity. CEN-CENELEC's JTC 21 missed its 2025 deadline; October 2025 emergency measures target Q4 2026 delivery — a stated reason the Digital Omnibus pushed Annex III to December 2027.
The state of AI regulation — 2026 overview
One overview of where AI regulation stands in 2026: the phased AI Act, the shifts from the Digital Omnibus, the five regimes, and the international line from the Council of Europe to California and Korea — with links to the detail per topic.
High-risk AI mapped: classification and obligations in one overview
The high-risk regime is the centre of gravity of the AI Act. This overview explains the two classification routes (Annex I and Annex III), the obligations of providers and deployers, the filter provision of Article 6, and what the expected delay to December 2027 does and does not mean.