
Annex III of the EU AI Act: the practical list of high-risk systems you are probably already operating

Annex III of Regulation (EU) 2024/1689 defines eight categories of AI systems considered high risk. This is the practical list with real examples to audit your organisation before August 2026.

  • Topics:
  • EU AI Act
  • Annex III
  • High risk
  • Compliance

Annex III of Regulation (EU) 2024/1689 on artificial intelligence (the AI Act) is probably the most relevant document of the year for any Spanish board of directors. Not because of its length, barely three pages, but because it enumerates, in a closed list, the eight categories of AI systems the European legislator considers high risk. Falling inside one of them moves a system from a regime with few or no obligations to the strictest regime of the Regulation. What that means depends on the role the organisation plays. For the provider (the party that develops the system or markets it under its own name) it means a risk management system, technical documentation, conformity assessment, CE marking, registration in the EU database and post-market monitoring. For the deployer (the organisation using the system under its own authority) it means using the system according to the provider's instructions, assigning competent human oversight, keeping the automatically generated logs, informing affected workers, carrying out a fundamental rights impact assessment where Article 27 requires one, and reporting serious incidents.

What I will argue in this article is simple: most Spanish organisations are already operating one or more systems that fall under Annex III, and they haven't identified them. This is not alarmism: it is what I see recurrently in conversations with management and boards.

The eight Annex III categories, translated into practice

The table below is my applied reading of the Annex. The "What the Regulation covers" column paraphrases the wording of each point of Annex III, including the exclusions that are easy to miss. The "Realistic examples" column collects systems that medium and large Spanish companies are actually operating today, and that are often managed without ever having been classified.

| Annex III category | What the Regulation covers | Realistic examples in a Spanish company |
|---|---|---|
| 1. Biometrics | Remote biometric identification (identifying a person against a reference database without their active involvement; it does not cover 1:1 verification whose sole purpose is to confirm a claimed identity); biometric categorisation by sensitive or protected attributes; emotion recognition | Facial recognition that identifies people against a database at building entrances (a badge-replacement system that only confirms who someone claims to be is excluded); emotion analysis of customers on call-centre recordings (applying it to the agents themselves is a prohibited practice under Article 5(1)(f), except for medical or safety reasons) |
| 2. Critical infrastructure | Safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity | AI safety components in power grid operation; predictive urban traffic management; control loops in water treatment plants |
| 3. Education and vocational training | Determining access or admission; evaluating learning outcomes; assessing the appropriate level of education a person will receive; monitoring and detecting prohibited behaviour during tests | Automated exam evaluation platforms; online proctoring; university admission systems |
| 4. Employment, workers management and access to self-employment | Recruitment and selection (targeted job advertising, filtering or ranking applications, evaluating candidates); decisions on terms of work, promotion or termination; task allocation based on behaviour or personal traits; monitoring and evaluating performance | Applicant tracking systems with automated CV scoring; dynamic shift assignment; remote productivity evaluation; predictive attrition ("flight risk") analysis |
| 5. Access to essential private and public services and benefits | Eligibility for public assistance benefits; creditworthiness and credit scoring (except for financial fraud detection); risk assessment and pricing in life and health insurance; evaluation, dispatch and triage of emergency calls | Credit scoring models; automated life and health insurance underwriting; emergency call prioritisation; eligibility checks for public subsidies |
| 6. Law enforcement | Assessing the risk of a person becoming a victim of crime or of offending or re-offending; polygraphs and similar tools; assessing the reliability of evidence; profiling in the course of investigations | Predictive policing systems; automated forensic analysis of communications |
| 7. Migration, asylum and border control | Polygraphs and similar tools; assessing security, irregular migration or health risks; examining asylum, visa and residence permit applications and the reliability of the evidence in them; identifying persons in the border control context | Document verification systems used at border control; applicant credibility analysis |
| 8. Administration of justice and democratic processes | Assisting judicial authorities (or alternative dispute resolution bodies) in researching and interpreting facts and law; influencing the outcome of an election or referendum or voting behaviour (excluding tools that only organise or optimise a campaign administratively) | Judicial transcription systems with analysis; algorithmic segmentation of voters |

Category 4 (employment) is, in my experience, the most underestimated. Any company of significant size in Spain today uses an Applicant Tracking System that prioritises CVs with some algorithmic component, and filtering or ranking applications is precisely what point 4(a) of the Annex describes. The question is not whether there is AI in HR, but who has classified it.

The three most frequent traps on Spanish boards

I have seen the same three confusions repeat across different sectors. Worth naming them.

Trap 1: "The supplier did not tell us"

Many high-risk systems enter organisations through third parties: an HR software vendor, a bank offering integrated credit scoring, a customer service SaaS with embedded emotion analysis. The organisation acquires the capability without the vendor ever formally saying "this is high risk under Annex III".

Article 26 of the Regulation is clear: deployer obligations fall on whoever uses the system under its own authority (Article 3(4)), and they cannot be transferred to the provider. If your organisation operates the system, it must use it according to the provider's instructions, assign competent human oversight, keep the logs, inform affected workers and report serious incidents. The vendor's silence does not absolve: it is the deployer who has to verify the classification. And if the organisation puts its own name on the system, substantially modifies it or repurposes it into a high-risk use, Article 25 makes it a provider as well, with the full set of provider obligations.

Trap 2: "It's just a pilot"

Research, testing and development before a system is placed on the market or put into service are outside the Regulation (Article 2(8)), so a genuinely bounded proof of concept is not in the sanctioning scope. But the same article states that testing in real-world conditions is not covered by that exclusion, and the line is easily crossed: the moment the system processes real data on real people and produces decisions that affect them, the high-risk regime applies regardless of what the project is called. I have seen systems labelled "pilot" for eighteen months, serving in production.

Practical recommendation: define in writing the criteria that move a system from pilot to production (real personal data, real decisions, real affected persons, no synthetic or consented test population), and review every system still labelled "pilot" against them quarterly.

Trap 3: "It's not AI, it's advanced statistics"

The distinction between a traditional statistical model and an AI system is not one the Regulation draws; its definition is deliberately broad. Article 3(1) defines an AI system as a machine-based system that "infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions". A credit scoring model based on logistic regression trained on historical data, whose score drives lending decisions, meets that definition and sits in point 5(b) of the Annex. The internal label, "machine learning" or "statistics", is irrelevant for regulatory classification; what matters is that the system infers outputs from inputs and what those outputs are used for.

Audit check-list: five questions to start tomorrow

If you want to translate this article into a concrete board action, I propose five questions that management must be able to answer in a meeting:

  1. How many systems operating today process personal data and produce a decision, recommendation or score about natural persons? (If the answer is not a number, an inventory is needed.)
  2. Of those systems, how many fall under any of the eight Annex III categories? (Classify with uniform criteria, and document any reliance on the Article 6(3) exemption for systems that only perform a narrow procedural or preparatory task; a system that profiles natural persons never qualifies for that exemption.)
  3. For each identified high-risk system, who is the internal owner responsible for the deployer obligations, and to whom do they report? (Documented accountability.)
  4. Are there operating logs, documented human oversight, and a procedure for serious incident notification? (Articles 12 and 26(6) on logs, Article 14 on human oversight, Article 73 on serious incidents.)
  5. What sanction exposure does the organisation face in the base case and in an adverse scenario if August 2026 comes without these elements? (Up to EUR 15 million or 3 % of worldwide annual turnover, whichever is higher, for breaches of the high-risk obligations under Article 99(4).)

If the five answers exist, written and signed by an identifiable responsible party, the board is fulfilling its duty of care in this matter. If any of the five is missing, there is outstanding duty.

What I recommend to a board starting from zero

The most expensive mistake I see is buying the tool first (an automated AI inventory system, a governance platform) before doing the intellectual exercise. The first two weeks of an AI Act compliance programme need no technology: they need two people with complementary backgrounds (one legal profile, one technical profile) walking the organisation with the Annex III list in hand, interviewing each functional area.

The output of that exercise fits in a spreadsheet. That spreadsheet, afterwards, tells you what tools, what investment and what board reporting you need. Doing it backwards — buying the solution before having the map — is the most effective way to burn budget without reducing risk.

The clock is ticking. On 2 August 2026 the Annex III obligations become fully applicable and the sanctioning regime applies to them in full. Barely two months remain. Having the Annex III inventory complete and an internal owner assigned before mid-July is still realistic for most medium-sized organisations if they start now. Past that date, the room for manoeuvre is practically nil and the exposure to sanctions is real.