Practical guide · Regulation 2024/1689

EU AI Act: complete guide for European companies

Everything you need to know about the EU's first AI regulation: timeline, risk categories, obligations and fines.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689 of the European Parliament and Council) is the world's first comprehensive legal framework dedicated specifically to artificial intelligence systems. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024.

The regulation takes a risk-based approach: the higher the risk a system poses to health, safety or fundamental rights, the stricter the obligations placed on its provider and deployer.

The EU AI Act applies to providers placing AI systems on the EU market (regardless of where they are established), to deployers located in the EU, and to providers and deployers in third countries when the system's outputs are used in the EU.

Timeline

The regulation has a phased application schedule that organisations must track carefully:

  • 1 Aug 2024, entry into force: Regulation 2024/1689 enters into force. The transitional period begins.
  • 2 Feb 2025, prohibitions apply: Unacceptable-risk AI systems are prohibited (Art. 5): subliminal manipulation, exploitation of vulnerabilities, social scoring, real-time biometric identification in public spaces (with narrow exceptions), emotion recognition in workplaces and education.
  • 2 Aug 2025, general-purpose AI models (GPAI): Obligations for general-purpose AI models apply, including transparency, technical documentation and copyright compliance obligations for models such as GPT-4, Gemini and Claude.
  • 2 Aug 2026, high-risk systems (Annex III): Full obligations for all high-risk systems listed in Annex III: risk management, data governance, technical documentation, activity logging, transparency, human oversight and accuracy.
  • 2 Aug 2027, high-risk systems (Annex I): Obligations for AI systems regulated under existing EU sector-specific legislation (Annex I): machinery, medical devices, motor vehicles and other CE-marked products.

The four risk categories

The EU AI Act classifies AI systems into four risk levels. This classification determines which obligations apply to each system:

  • Unacceptable risk (prohibited, Art. 5): Systems that manipulate human behaviour subliminally, exploit vulnerabilities of specific groups, perform social scoring with detrimental consequences, or identify individuals via biometrics in real time in public spaces (with narrowly defined exceptions for law enforcement).
  • High risk (Annex III, Arts. 8–15): Systems with significant impact on fundamental rights, safety or access to essential services. They require risk management throughout the system's lifecycle, technical documentation, EU database registration and human oversight. Examples: credit scoring, HR screening, biometric identification.
  • Limited risk (transparency, Art. 50): Systems that interact with people directly (chatbots, voice assistants) or generate synthetic content (deepfakes, AI-generated text, images). The primary obligation is to notify users that they are interacting with AI or that content has been AI-generated.
  • Minimal risk: The vast majority of current AI systems: spam filters, content recommenders, AI in video games, productivity tools with embedded AI that do not influence significant decisions. No mandatory obligations apply, though voluntary codes of conduct are encouraged.

High-risk systems: the 8 Annex III domains

If a system operates in any of these 8 domains, it is high-risk. Verification of each domain must be documented in the inventory — even when the conclusion is that the system does not fall within a domain:

  • 1. Biometric identification and categorisation: remote biometric identification systems, categorisation of persons based on sensitive characteristics inferred from biometric data.
  • 2. Critical infrastructure: AI used as a safety component in power grids, water and gas supply, transport infrastructure (rail, aviation, traffic), and critical digital infrastructure.
  • 3. Education and vocational training: systems determining access to educational institutions, assessing learning outcomes, detecting prohibited behaviour in exams.
  • 4. Employment and worker management: CV screening and candidate filtering, performance evaluation, task assignment, worker productivity monitoring.
  • 5. Essential private and public services: credit scoring, insurance eligibility assessment, eligibility for public benefits (unemployment, housing, healthcare), emergency services prioritisation.
  • 6. Law enforcement: recidivism risk assessment, evidence analysis, digital polygraphs, crime prediction, criminal network identification.
  • 7. Migration, asylum and border control: irregular migration risk assessment, document verification, asylum and visa application assessment.
  • 8. Administration of justice and democratic processes: judicial assistance in law research and interpretation, alternative dispute resolution, and influence on electoral processes.

Obligations for high-risk systems

Providers and deployers of high-risk systems must meet a set of obligations before putting a system into service, and maintain them throughout its operational life:

  • Risk management system (Art. 9): a continuous process of identifying, analysing and mitigating risks throughout the system's lifecycle.
  • Data governance (Art. 10): training, validation and test data must meet quality, representativeness and bias-avoidance criteria.
  • Technical documentation (Art. 11 + Annex IV): comprehensive documentation before deployment, to be retained for 10 years.
  • Activity logging (Art. 12): automatic logging sufficient to verify the system's operation in case of an incident.
  • Transparency (Art. 13): understandable instructions for deployers, including limitations and operating conditions.
  • Human oversight (Art. 14): technical and organisational measures enabling natural persons to supervise, understand, intervene in and stop the system.
  • Accuracy, robustness and cybersecurity (Art. 15): appropriate levels of accuracy throughout the system's lifecycle.
  • EU database registration (Art. 49): mandatory registration in the EU high-risk AI systems database before launch.

Fines and penalties

  • Up to 7% of global annual turnover (or €35M, whichever is higher) for placing or using prohibited AI systems (Art. 5).
  • Up to 3% of global annual turnover (or €15M, whichever is higher) for non-compliance with any other obligation.
  • Up to 1% of global annual turnover (or €7.5M, whichever is higher) for providing incorrect, incomplete or misleading information to authorities.

How Kaitalog helps you comply with the EU AI Act

  • Structured inventory: register all your AI systems with the metadata required by Annex IV.
  • Automatic classification: Kaitalog's classification engine checks each system against all 8 Annex III domains and proposes the risk level with citable normative justification.
  • Obligations management: for each high-risk system, Kaitalog deploys the Arts. 9–15 obligations and enables assignment of owners, statuses and evidence.
  • Deadline tracking: the Committee dashboard shows key regulatory deadlines and your organisation's readiness against each.
  • Evidence export: generate documentation packages ready to present to the supervisory authority or in a certification audit.

Frequently asked questions

When does the EU AI Act come into force?

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Prohibitions on unacceptable-risk systems apply from 2 February 2025. Obligations for general-purpose AI models (GPAI) apply from 2 August 2025. Full obligations for Annex III high-risk systems apply from 2 August 2026.

Does my company need to comply even if we don't develop AI?

Yes. If your organisation uses high-risk AI systems as a deployer, you have specific obligations: verify that the system has technical documentation and CE marking where applicable, implement human oversight measures, maintain usage logs, and report serious incidents. Compliance obligations are not limited to AI developers.

What is the difference between a provider and a deployer under the EU AI Act?

The provider is the entity that develops the AI system and places it on the market. The deployer is the entity that uses the system in its own context. Many companies are both (when using their own AI) or only deployers (when using third-party AI tools). Each role has distinct obligations under the regulation.

What does Annex IV technical documentation need to include?

Annex IV specifies 8 elements: general description of the system, description of capabilities and limitations, training data and data governance, development methodology, monitoring and logging capabilities, human oversight measures, performance metrics, and cybersecurity measures. Kaitalog structures the inventory of each system to capture exactly these elements.

How does Kaitalog help prepare Annex IV technical documentation?

Kaitalog structures each system's inventory entry to capture the 8 elements required by Annex IV. The evidence export generates a package directly aligned with Annex IV, ready to present to the supervisory authority or in a conformity assessment procedure.

Ready to classify your AI systems?

Kaitalog automates Annex III verification and generates the required technical documentation.
