§1 Biometrics
Cross-sector- Remote biometric identification (not Article 5 prohibited)
- Biometric categorisation (sensitive attributes excluded)
- Emotion recognition in non-prohibited contexts
The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems into four risk tiers: prohibited, high-risk, limited risk, and minimal risk. The high-risk category — defined in Article 6 plus the lists in Annex I and Annex III — is where most enterprise AI obligations sit.
Annex III contains eight categories of high-risk use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice/democracy. If your AI lands in any of them, you face the full conformity-assessment, technical documentation, human-oversight, post-market-monitoring stack — and penalties up to €15 million or 3% of global turnover.
High-risk obligations apply from 2 August 2026. Article 6(3) provides a narrow derogation if the AI performs only a "narrow procedural task," improves a previously completed human activity, detects deviations from a decision pattern without replacing it, or performs a preparatory task.
The EU AI Act is the first comprehensive horizontal regulation of AI globally. It applies to providers placing AI systems on the EU market and to deployers using AI systems in the EU — including non-EU companies whose output is used in the EU (Article 2).
Like the GDPR, the AI Act is extraterritorial. Like the GDPR, breaching it carries percentage-of-turnover penalties. Unlike the GDPR, it has explicit categories of prohibited use cases and a much larger volume of pre-market requirements for high-risk systems.
Most enterprise AI lands in either high-risk (because of HR, credit, or biometric use cases) or limited risk (because of chatbot deployments).
Article 6 classifies an AI system as high-risk if it satisfies either:
Many systems satisfy both tests; the Annex III route is the one most product teams need to understand.
Article 6(3) carves out a narrow exemption. An AI system listed in Annex III is not high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of natural persons, including by not materially influencing the outcome of decision-making. The Article 6(3) conditions are:
The derogation does not apply if the AI system performs profiling of natural persons. Where a provider concludes that an Annex III system is not high-risk, the provider must document the assessment (Article 6(4)) and register the system in the EU database (Article 49).
The high-risk obligations are extensive. Providers must:
Deployers — the natural or legal persons using an AI system under their authority — have lighter but real obligations:
Usually no. A generic chatbot is limited-risk under Article 50 — you must disclose that users are interacting with AI. But a chatbot evaluating job applicants, credit applications, or asylum claims would be high-risk under Annex III §4, §5, or §7.
General-purpose AI models have their own rule set under Articles 51–55 (technical documentation, copyright policy, training-data summary, and stricter rules for GPAI with systemic risk). GPAI obligations applied from 2 August 2025.
Partially. Article 2(12) excludes free and open-source AI from many requirements — unless the system is high-risk, prohibited, or subject to the Article 50 transparency duties. Practical effect: open-source models can be used freely, but deployers in high-risk contexts still take on the high-risk obligations.
They run in parallel. AI processing personal data must satisfy both GDPR (lawful basis, DPIA, automated decision-making under Article 22) and the AI Act (conformity assessment, FRIA, post-market monitoring). High-risk AI providers typically need both a DPIA and an AI Act technical documentation file.
Not really. Article 2(1) catches providers placing AI systems on the EU market, providers in third countries whose output is used in the EU, and deployers in the EU. Most material AI vendors are in scope.
RegulatoryBridge runs the conformity assessment, FRIA, technical documentation, and post-market monitoring for high-risk AI systems — so your product team focuses on the model, not the paperwork.