Chapter III
High-Risk AI Systems
The bulk of the Act. Defines what makes an AI system high-risk, the requirements it must meet (risk management, data governance, transparency, human oversight, accuracy, robustness, cybersecurity), the obligations of providers and deployers across the value chain, and the conformity assessment and CE marking framework.
Section 1
Classification of AI Systems as High-Risk
Art 6
Classification Rules for High-Risk AI Systems
Defines the two routes to high-risk: (1) Article 6(1) — AI systems that are themselves a safety component of, or are products covered by, the EU harmonisation legislation listed in Annex I and require third-party conformity assessment; (2) Article 6(2) — AI systems used in the eight Annex III domains. Article 6(3) introduces a narrow derogation where a system performs only a 'narrow procedural task' or improves the result of a previously completed human activity.
High risk - Effective 2027-08-02
Art 7
Amendments to Annex III
Empowers the Commission to add, remove, or modify use cases in Annex III via delegated acts when AI systems pose comparable or greater risk than existing entries.
High risk - Effective 2026-08-02
Section 2
Requirements for High-Risk AI Systems
Art 8
Compliance with the Requirements
Sets the structural requirement that every high-risk AI system shall comply with Articles 9–15 throughout its lifecycle, taking into account the intended purpose and the generally acknowledged state of the art.
High risk - Effective 2026-08-02
Art 9
Risk Management System
A continuous, iterative risk-management process across the entire lifecycle: identify and analyse known and foreseeable risks, estimate and evaluate risks, evaluate post-market data, and adopt risk-control measures. Special attention to risks affecting persons under 18 and other vulnerable groups.
High risk - Effective 2026-08-02
Art 10
Data and Data Governance
High-risk AI systems trained on data must use training, validation, and testing datasets that meet quality criteria — relevance, representativeness, accuracy, completeness — and incorporate appropriate data-governance and management practices, including bias detection and mitigation. Permits processing of special-category personal data strictly to detect and correct bias, with safeguards.
High risk - Effective 2026-08-02
Art 11
Technical Documentation
Providers must draw up technical documentation before placing a high-risk AI system on the market and keep it up to date. Annex IV lists the minimum content, including a general description, design specifications, training/validation/testing data, monitoring procedures, the risk-management documentation and the EU declaration of conformity.
High risk - Effective 2026-08-02
Art 12
Record-Keeping
High-risk AI systems must enable the automatic recording of events ('logs') over the system lifecycle to a degree appropriate to the intended purpose. Logs must support traceability, post-market monitoring, and the detection of risks or substantial modifications.
High risk - Effective 2026-08-02
Art 13
Transparency and Provision of Information to Deployers
Providers must design high-risk AI systems so that their operation is sufficiently transparent for deployers to interpret the output and use it appropriately. Each system must come with concise, clear instructions for use covering identity of the provider, characteristics, capabilities and limitations, intended purpose, human oversight measures, and expected lifetime.
High risk - Effective 2026-08-02
Art 14
Human Oversight
High-risk AI systems must be designed so that they can be effectively overseen by natural persons during use. Oversight measures must enable assigned humans to understand capabilities and limitations, remain aware of automation bias, correctly interpret output, decide not to act, and intervene or stop the system.
High risk - Effective 2026-08-02
Art 15
Accuracy, Robustness and Cybersecurity
High-risk AI systems must achieve, throughout their lifecycle, an appropriate level of accuracy, robustness and cybersecurity. Providers must declare the relevant performance metrics in instructions for use; resilience must include defences against adversarial examples, data poisoning, model evasion, and confidentiality attacks.
High risk - Effective 2026-08-02
Section 3
Obligations of Providers and Deployers of High-Risk AI Systems and Other Parties
Art 16
Obligations of Providers of High-Risk AI Systems
The master checklist for providers: ensure compliance with Articles 9–15, indicate name and contact details on the system, operate a quality management system, keep documentation and logs, undergo conformity assessment, draw up the EU declaration of conformity, affix CE marking, register in the EU database, and take corrective action when required.
High risk - Effective 2026-08-02
Art 17
Quality Management System
Providers must put in place a documented QMS proportionate to the size of the organisation, covering compliance strategy, design and verification techniques, data management procedures, risk-management system, post-market monitoring, incident reporting, communication with authorities, record-keeping, resource management, and accountability framework.
High risk - Effective 2026-08-02
Art 18
Documentation Keeping
Providers must keep technical documentation, QMS documentation, decisions of notified bodies, the EU declaration of conformity, and other relevant material at the disposal of national competent authorities for 10 years after the AI system is placed on the market or put into service.
High risk - Effective 2026-08-02
Art 19
Automatically Generated Logs
Providers shall keep the logs automatically generated by their high-risk AI systems (where logs are under their control by virtue of contract or law) for a period appropriate to the intended purpose — at least six months unless other Union or national law requires longer.
High risk - Effective 2026-08-02
Art 20
Corrective Actions and Duty of Information
When providers consider or have reason to believe that a high-risk AI system already on the market is not in conformity, they must immediately take corrective actions (withdraw, disable, recall) and inform the distributors, deployers, importers, the authorised representative and the competent national authorities.
High risk - Effective 2026-08-02
Art 21
Cooperation with Competent Authorities
Providers must, upon a reasoned request from a national competent authority, provide all information and documentation necessary to demonstrate compliance, in a language that can be easily understood by the authority.
High risk - Effective 2026-08-02
Art 22
Authorised Representatives of Providers of High-Risk AI Systems
Providers established outside the Union must, by written mandate, appoint an authorised representative established in the Union before making the system available on the EU market. The representative verifies and keeps documentation, registers the system, and acts as a contact point for authorities.
High risk - Effective 2026-08-02
Art 23
Obligations of Importers
Importers may only place a high-risk AI system on the EU market when it conforms to the Act. They must verify CE marking, EU declaration of conformity, technical documentation, and that the provider has appointed an authorised representative where required. Importers must indicate their identity on the system.
High risk - Effective 2026-08-02
Art 24
Obligations of Distributors
Before making a high-risk AI system available, distributors verify CE marking, the EU declaration of conformity, instructions for use, and that the provider/importer have complied with their obligations. They must ensure storage and transport conditions do not jeopardise conformity.
High risk - Effective 2026-08-02
Art 25
Responsibilities Along the AI Value Chain
Distributors, importers, deployers or other third parties become 'providers' of a high-risk AI system — and inherit all provider obligations — when they put their name on a system, substantially modify it, or change its intended purpose so that it becomes high-risk. Original providers must cooperate with downstream actors and provide necessary information and assistance.
High risk - Effective 2026-08-02
Art 26
Obligations of Deployers of High-Risk AI Systems
Deployers must use high-risk AI systems in line with the provider's instructions, assign human oversight to competent persons, ensure input data is relevant and representative, monitor operation and stop using the system if a risk is detected, keep logs at least six months, inform affected workers/representatives, register their use in the EU database where required, and cooperate with authorities.
High risk - Effective 2026-08-02
Art 27
Fundamental Rights Impact Assessment for High-Risk AI Systems
Public bodies and private entities providing public services, plus deployers of credit-scoring or insurance-pricing high-risk systems, must — before first use — perform a Fundamental Rights Impact Assessment describing the deployer, processes, persons or groups affected, specific risks, oversight measures, and remediation. The assessment is notified to the market surveillance authority.
High risk - Effective 2026-08-02
Section 4
Notifying Authorities and Notified Bodies
Art 28
Notifying Authorities
Each Member State must designate at least one notifying authority responsible for assessing, designating, and monitoring conformity assessment bodies (notified bodies).
High risk - Effective 2025-08-02
Art 29
Application of a Conformity Assessment Body for Notification
Conformity assessment bodies wishing to be notified must apply to the notifying authority, attaching descriptions of activities, harmonised standards used, and evidence of compliance with Article 31 requirements (independence, competence, insurance).
High risk - Effective 2025-08-02
Art 30
Notification Procedure
Notifying authorities notify the Commission and other Member States of the bodies they have authorised, using the NANDO electronic notification tool. Bodies receive an identification number and may operate as notified bodies once Commission/Member State objections, if any, are resolved.
High risk - Effective 2025-08-02
Art 31
Requirements Relating to Notified Bodies
Sets the substantive requirements for notified bodies: legal personality, independence from the entities they assess, no conflicts of interest, appropriate cybersecurity and confidentiality measures, sufficient personnel with the necessary technical and legal expertise, and adequate insurance.
High risk - Effective 2025-08-02
Art 32
Presumption of Conformity with Requirements Relating to Notified Bodies
Where a conformity assessment body demonstrates conformity with relevant harmonised standards, it is presumed to comply with the corresponding Article 31 requirements.
High risk - Effective 2025-08-02
Art 33
Subsidiaries of Notified Bodies and Subcontracting
Where a notified body subcontracts specific tasks or uses a subsidiary, it remains responsible for compliance with Article 31 and must inform the notifying authority. Subcontracting requires the agreement of the provider being assessed.
High risk - Effective 2025-08-02
Art 34
Operational Obligations of Notified Bodies
Notified bodies must verify the conformity of high-risk AI systems against Articles 8–15, applying procedures proportionate to the size of the provider and the complexity of the system. They must avoid unnecessary burdens, particularly for SMEs.
High risk - Effective 2025-08-02
Art 35
Identification Numbers and Lists of Notified Bodies
The Commission assigns an identification number to each notified body and publishes a list of all notified bodies (with their numbers and the activities for which they have been notified).
High risk - Effective 2025-08-02
Art 36
Changes to Notifications
When a notified body materially changes its activities, the notifying authority and Commission must be informed. Notifications can be suspended, withdrawn, or restricted, in which case the Commission updates the public list and arrangements are made for ongoing assessments.
High risk - Effective 2025-08-02
Art 37
Challenge to the Competence of Notified Bodies
The Commission may investigate cases where it has reason to doubt a notified body's competence and compel the relevant Member State to act, including by suspension or withdrawal of notification.
High risk - Effective 2025-08-02
Art 38
Coordination of Notified Bodies
The Commission ensures that notified bodies coordinate via a sectoral group to harmonise procedures and avoid divergence in assessment outcomes.
High risk - Effective 2025-08-02
Art 39
Conformity Assessment Bodies of Third Countries
Third-country conformity assessment bodies may operate under the Act only when an EU-third-country agreement is in place and they meet equivalent requirements.
High risk - Effective 2025-08-02
Section 5
Standards, Conformity Assessment, Certificates, Registration
Art 40
Harmonised Standards and Standardisation Deliverables
Where a high-risk AI system complies with harmonised standards (or parts thereof) referenced in the Official Journal, it is presumed to conform with the corresponding requirements of Section 2 (Articles 9–15).
High risk - Effective 2026-08-02
Art 41
Common Specifications
If harmonised standards are insufficient or unduly delayed, the Commission may adopt common specifications via implementing acts. Compliance with common specifications also yields presumption of conformity.
High risk - Effective 2026-08-02
Art 42
Presumption of Conformity with Certain Requirements
Specific presumption rules: high-risk AI systems trained on data reflecting the specific geographical, behavioural or functional setting in which they will be used are presumed compliant with the relevant data-quality requirements of Article 10. AI systems certified under EU cybersecurity certification schemes are presumed compliant with Article 15 cybersecurity requirements.
High risk - Effective 2026-08-02
Art 43
Conformity Assessment
Sets the routes to conformity assessment for high-risk AI systems. For most Annex III systems where harmonised standards apply: internal control (Annex VI). For biometric systems and where standards are not (fully) applied: notified-body assessment (Annex VII). For Annex I product-safety systems: the conformity assessment procedures of the underlying sectoral law, augmented by AI Act requirements.
High risk - Effective 2026-08-02
Art 44
Certificates
Notified bodies issue certificates valid for up to four (Annex VII) or five (Annex VI) years; the certificates must be drawn up in a language easily understood by the relevant authorities. They may be reduced, suspended or withdrawn if the system no longer complies.
High risk - Effective 2026-08-02
Art 45
Information Obligations of Notified Bodies
Notified bodies must inform notifying authorities of any certificate issued, refused, suspended, withdrawn or restricted, and provide periodic activity reports.
High risk - Effective 2026-08-02
Art 46
Derogation from Conformity Assessment Procedure
On exceptional grounds (public security, life or health, environmental protection, key industrial or infrastructure assets), market surveillance authorities may authorise the placing on the market or putting into service of a specific high-risk AI system without the standard conformity assessment.
High risk - Effective 2026-08-02
Art 47
EU Declaration of Conformity
The provider must draw up a written EU declaration of conformity for each high-risk AI system, retain it for 10 years, and provide it on request. Annex V lists the mandatory contents.
High risk - Effective 2026-08-02
Art 48
CE Marking
The CE marking must be affixed visibly, legibly and indelibly to the high-risk AI system or its packaging or accompanying documentation. For digital-only systems, a digital CE mark suffices. The marking is followed by the identification number of the notified body where applicable.
High risk - Effective 2026-08-02
Art 49
Registration
Before placing on the market or putting into service a high-risk AI system listed in Annex III (other than law-enforcement, migration and critical-infrastructure systems), the provider — and certain deployers (public authorities, EU bodies, persons acting on their behalf) — must register the system in the EU public database.
High risk - Effective 2026-08-02