Annex III

Annex III of the EU AI Act — the list of high-risk AI use-case categories. AI systems falling into any Annex III category (biometric identification, critical infrastructure management, education, employment, access to essential services, law enforcement, migration / asylum / border control, administration of justice, democratic processes) inherit the full Article 8-17 obligations under the Act. Enforcement of Annex III obligations begins 2 August 2026.

Annex III is the test most enterprise procurement decisions miss. Vendors mark their products 'general-purpose' to keep the regulatory load on the deployer; the deployer's use case may make the deployment Annex III high-risk regardless of the vendor's marketing. The operational test from Article 6(2): does the deployment make, materially support, or substantially influence a decision in any Annex III category, with affected natural persons in EU jurisdiction? If yes, the deployment is high-risk and requires the topology (single-region EEA-resident, full audit substrate, conformity assessment) most 2025-era pilots did not budget for.

Articles that analyse this term

• The EU AI Act and agentic AI: what August 2026 actually requires
• Data residency for agentic AI: what CIOs must ship before EU AI Act enforcement on 2 August 2026
• The enterprise agentic AI governance playbook for 2026

Primary sources

• European Union. EU AI Act — Annex III
• European Commission. Regulatory framework for AI