Is your AI System High Risk

How to Check Is Your AI System High-Risk Under the EU AI Act (2026)

Is Your AI System High-Risk Under the EU AI Act (2026)?

Rohan is a product manager at a Bangalore-based startup. His team has spent eight months building an AI tool that reads job applications and scores candidates before a recruiter ever sees them.

Launch day is two weeks away. Then a European investor sends one question: “Has your system been classified under the EU AI Act? Is it high-risk?”

The room goes quiet. The engineer says it’s just an algorithm. The lawyer says she needs two weeks. The co-founder asks: “Can’t we just say it’s low-risk and move on?”

The answer to that last question is no. Guessing wrong — in either direction — is exactly how startups end up redesigning live products, losing contracts, or facing regulatory scrutiny they never prepared for.

The good news? You don’t need two weeks. You need a clear four-step check — and this article walks you through it.

1. Quick Answer

Is Your AI system high-risk under the EU AI Act if it either:

  • Is built into a safety-critical product — like a medical device or industrial machine — that needs an independent safety check before sale, or
  • Is used for a sensitive purpose listed in Annex III — such as hiring, education, credit scoring, or healthcare decisions

Even an Annex III system can avoid the high-risk label in narrow situations, but only if the provider documents that conclusion in writing before the product launches (Regulation (EU) 2024/1689, Art. 6). Classification depends entirely on what the system is used for — not on how advanced the technology is.

At a Glance

  • High-risk classification depends on the AI system’s intended use—not the model, algorithm, or parameter count.
  • There are two routes to high-risk status: Annex I (safety-critical products) and Annex III (specified high-risk use cases).
  • Article 6(3) provides a limited exemption for some Annex III systems that meet specific legal conditions.
  • The exemption does not apply if the AI system profiles individuals.
  • If relying on the Article 6(3) exemption, the provider must document the assessment before the system is placed on the market or put into service.
  • General-purpose AI models such as ChatGPT are not automatically high-risk, but using them in a high-risk application may trigger obligations under the EU AI Act.

2. Does This Apply to You?

ReaderShould you keep reading?
Startup founderYes — determine your AI system’s classification before launch to understand whether high-risk obligations apply.
Developer or engineerYes — classification determines the technical and compliance measures your system may require, including documentation, logging, human oversight, and testing where applicable.
Compliance officerYes — AI classification is the starting point for determining obligations under the EU AI Act.
LawyerYes — Article 6(3) provides a narrow exemption that requires careful legal analysis and documentation.
ResearcherYes — this article illustrates how the EU AI Act applies a risk-based regulatory framework in practice.
University or research labYes — especially if an AI system is intended to move from research into deployment or commercial use.
StudentYes — this is one of the clearest examples of risk-based legal classification under the EU AI Act.
Enterprise leaderYes — an incorrect classification can expose your organisation to significant compliance costs, enforcement action, and, where applicable, administrative fines under the EU AI Act.

If your startup already has an AI tool in use, also read: My Startup Uses ChatGPT. Do I Really Need an AI Policy? — the companion piece that covers what to put in your governance documentation once classification is done.

3. Why This Matters

It determines your compliance obligations.
If your AI system is classified as high-risk, you must meet additional EU AI Act requirements such as risk management, technical documentation, human oversight, logging, and post-market monitoring. Building these controls early is much easier than adding them after launch.

Getting it wrong can be costly.
Classifying a high-risk system as low-risk may lead to enforcement action. Classifying a low-risk system as high-risk can waste time, money, and resources on unnecessary compliance.

Be ready to explain your decision.
If you rely on the Article 6(3) exemption, the EU AI Act requires you to document why your Annex III AI system is not high-risk before placing it on the market or putting it into service.

The financial stakes are real.
Serious breaches of the EU AI Act can result in administrative fines of up to €35 million or 7% of worldwide annual turnover (whichever is higher), along with measures such as restricting, recalling, or withdrawing non-compliant AI systems from the EU market.

Enterprise buyers are already asking.
Many organisations now ask AI vendors to explain how their systems have been classified and what compliance measures are in place. Having a clear, documented assessment can help build trust and win contracts.

Practical Insight: Treat AI classification as part of product development—not just a legal task. Review it whenever your AI system’s purpose or use changes.

4. Understanding the Problem

The biggest mistake? Assuming every AI system is automatically high-risk.
It isn’t. The EU AI Act classifies AI based on its intended purpose—what the system is designed to do—not how advanced the technology is. Two AI systems built on the same model can fall into different risk categories depending on how they are used.

Three common misconceptions

Misconception 1: “A human reviews everything, so we’re safe.”
Not necessarily. Human oversight is a requirement for many high-risk AI systems, but it doesn’t decide whether a system is high-risk. Classification depends on the system’s intended purpose, not whether a person reviews the final output.

Misconception 2: “We only use it internally, so the EU AI Act doesn’t apply.”
Internal use does not automatically exempt an AI system from the Act. If an internal tool is used for purposes such as hiring, employee evaluation, or access to essential services, it may still fall within Annex III and require a high-risk assessment.

Misconception 3: “It’s a vendor’s AI, so compliance is their responsibility.”
Not always. If your organisation deploys an AI system—even one supplied by another company—you may have obligations under the EU AI Act. Buying AI software does not automatically transfer all compliance responsibilities to the vendor.

2026 update: The proposed Digital Omnibus package may postpone some compliance deadlines, but it does not remove the need to determine whether your AI system is high-risk. Knowing your classification early helps you prepare for future obligations.

Avoid This Founder Mistake:
“We’re only using ChatGPT internally, so the EU AI Act doesn’t apply to us.”

That’s not always true. If ChatGPT is used in a high-risk context—such as screening job applicants or supporting decisions covered by Annex III—your organisation may have obligations under the EU AI Act. The risk depends on how the AI is used, not simply on which AI tool you use.

Practical Insight: Don’t ask, “What can this AI model do?” Ask, “What is this AI system designed and intended to do?” That is the starting point for classification under the EU AI Act.

5. The Four EU AI Act Risk Tiers — At a Glance

Before you work through the four-step classification check, it’s helpful to understand the four risk levels under the EU AI Act. Every AI system falls into one of these categories, and each comes with a different level of legal responsibility.

Risk TierWhat It MeansExamplesKey Obligations
Prohibited RiskAI practices that are banned because they pose an unacceptable risk.Certain forms of social scoring, manipulative AI practices, and prohibited real-time remote biometric identification in public spaces (subject to limited legal exceptions).Cannot be placed on the market or used unless a specific legal exception applies.
High-RiskAI systems that are allowed but subject to strict regulatory requirements.Hiring and recruitment AI, creditworthiness assessment, medical device AI, education assessment systems.Risk management, technical documentation, human oversight, logging, conformity assessment, and post-market monitoring.
Limited RiskAI systems that must meet transparency obligations.Chatbots, AI-generated content, deepfakes.Users must be informed when they are interacting with AI or viewing AI-generated or manipulated content, where required by the Act.
Minimal RiskAI systems with little or no regulatory burden under the AI Act.Spam filters, video game AI, basic recommendation systems.No specific AI Act obligations, although other laws may still apply.
EU AI Act Risk Tiers

Practical Insight: Most everyday AI tools are not high-risk. The purpose of the four-step check is to determine the correct classification based on the AI system’s intended purpose—not to assume it belongs in a particular category.

6. The 4-Step Classification Check

Work through these in order. Stop when you have a clear answer. Write down your reasoning at every step — that written record is itself a legal requirement.

Step 1: Is it an AI system under the EU AI Act definition?
                        ↓
             No → Document and stop. Not in scope.
                        ↓
             Yes → Move to Step 2

Step 2: Is it embedded in an Annex I safety-critical product?
                        ↓
             Yes → HIGH-RISK (Annex I route)
                        ↓
             No → Move to Step 3

Step 3: Does it match one of the 8 Annex III categories?
                        ↓
             No → Limited or Minimal Risk — document and confirm
                        ↓
             Yes → Move to Step 4

Step 4: Does the Article 6(3) narrow escape genuinely apply?
         (And: does the system profile individuals?)
                        ↓
        Profiles individuals → HIGH-RISK. Escape closed.
                        ↓
        Escape applies and no profiling → NOT high-risk.
        Document in writing before launch.
🎨 Infographic Suggestion: This decision tree as a clean vertical flowchart — four numbered nodes, clear Yes/No branches, colour-coded endpoints (red = High-Risk, amber = Escape applies — document, grey = Out of scope). This is the highest-priority visual for this article. Most readers arrive wanting to run exactly this check for a specific product.

Step 1 — Is it an AI system under the EU AI Act at all?

Before classifying anything, confirm the product meets the EU AI Act’s legal definition. Not every automated tool qualifies. Simple rule-based software that follows a fixed, human-written script without any inference or learning may fall outside scope (ai-act-service-desk.ec.europa, scope and definition guidance).

What to do: Write down what the system does. Does it infer, predict, classify, recommend, or support decisions beyond a fixed script? If not, document that and stop.

Common mistake: jumping straight to Annex III without confirming scope first.

Best practice: write a one-paragraph scope note before any risk classification begins.

Step 2 — Is it embedded in a regulated safety-critical product? (Annex I)

Article 6(1) covers AI systems built into products already regulated by EU safety laws — medical devices, industrial machinery, toys, aviation components, motor vehicles — where the product itself requires a third-party safety inspection before sale (Regulation (EU) 2024/1689, Art. 6(1)).

What to do: Ask — is my AI embedded in a product that has its own EU safety regulation? Does that product need independent certification before reaching customers? Yes to both — the AI is automatically high-risk.

Common mistake: thinking only standalone software can be high-risk.

Best practice: have legal, product, and regulatory teams check the entire product chain, not just the AI module.

Step 3 — Does it match one of the eight Annex III categories?

This is the step that affects the most AI products. Annex III lists eight areas where AI is presumed high-risk by default:

  1. Biometrics — facial recognition, emotion detection, identity verification
  2. Critical infrastructure — energy grids, water systems, transport networks
  3. Education and training — admissions decisions, exam scoring, assessments
  4. Employment and HR — hiring, candidate ranking, performance evaluation
  5. Essential services — credit scoring, insurance, access to healthcare
  6. Law enforcement — crime prediction, evidence analysis, risk profiling
  7. Migration and border control — visa processing, border screening
  8. Administration of justice — legal research tools influencing court outcomes

If your system’s core purpose matches any of these areas, it is presumptively high-risk. Look at the use case, not the underlying model.

Common mistake: assuming only facial recognition or large enterprise systems are in scope. The list is much broader.

Best practice: document which specific Annex III category applies and why.

For a wider picture of how the EU AI Act works — including scope, timelines, and GDPR overlap — see the full EU AI Act guide for Indian companies and startups.

EU AI Act- Annex III High- Risk AI Use Cases

Step 4 — Does the Article 6(3) Exception Apply?

An AI system listed in Annex III is not always high-risk. Under Article 6(3), it may fall outside the high-risk category—but only if it meets one of four narrow conditions and does not profile individuals.

The exception may apply if the AI system:

  • Performs a limited procedural task, such as sorting documents into predefined folders.
  • Only supports or improves a task already completed by a human, without replacing that human assessment.
  • Detects patterns or anomalies in data without influencing a person’s earlier decision.
  • Carries out preparatory work for an Annex III activity without making or recommending a decision.

One important rule: if your AI system scores, ranks, labels, or categorises people, it is considered to profile individuals. In that case, the Article 6(3) exception does not apply.

This is why the common argument—“the human makes the final decision”—usually doesn’t work. For example, an AI tool that ranks job applicants is still profiling individuals, even if a recruiter makes the final hiring decision.

If you believe the exception applies: clearly document which Article 6(3) condition your system meets, explain why it does not profile individuals, and keep this assessment with your compliance records.

Practical Insight: A human making the final decision does not automatically make an AI system low-risk. If the AI scores or ranks people before that decision is made, the Article 6(3) exception is generally unavailable.

7. Can ChatGPT or a Standard AI Tool Be High-Risk?

This is one of the most common questions founders ask — and the answer is more nuanced than most people expect.

ChatGPT itself is not classified as high-risk by OpenAI under the EU AI Act. It is a general-purpose AI (GPAI) model covered by its own set of rules under Articles 51–55 of the Act, separate from the high-risk classification system.

However — using ChatGPT inside a high-risk use case creates high-risk obligations for your company.

If your startup builds a hiring tool that uses ChatGPT to rank candidates, your system — the tool you built using ChatGPT — falls into Annex III’s employment category. You are the provider of that system. Your company carries the high-risk obligations, not OpenAI.

The AI powering a tool does not determine its risk tier. The use case does.

This is why an AI Policy for your startup matters even when you’re using mainstream AI tools. The policy governs how your team deploys those tools — and prevents them from accidentally creating high-risk obligations through unapproved use cases.

Did You Know? There is no minimum company size or revenue threshold for EU AI Act obligations. A 5-person startup with one Annex III feature faces exactly the same legal requirements as a multinational using the same type of system.

8. Can a Startup Accidentally Become High-Risk?

Yes — and it happens more often than founders realise. Here are the three most common accidental routes:

Route 1: Feature creep. A startup launches a simple job-matching tool. Over six months, the team adds a “candidate suitability score” to help recruiters prioritise applications. The original tool was minimal risk. The new scoring feature is Annex III — employment. The classification changed. The compliance obligations followed. Nobody noticed.

Route 2: Expanding to the EU market. An India-based startup builds an AI performance review tool for the domestic market. An EU client signs up. The product is now being used in the EU, bringing it into scope. For a full explanation of when EU rules apply to Indian companies, see the EU AI Act applicability guide for Indian businesses.

Route 3: Using a vendor’s AI in a sensitive context. A startup buys an HR platform with embedded AI candidate scoring. The team uses it for hiring. The startup is now the deployer of a high-risk AI system — with its own obligations — even though it didn’t build the AI.

The lesson: classification is not a one-time exercise done at launch. It is a recurring check that should happen every time a product feature changes, a new market is entered, or a new use case is deployed.

9. Official Legal Analysis

The legal foundation for high-risk AI classification is Regulation (EU) 2024/1689 (the EU AI Act). Adopted on 13 June 2024 and published in the Official Journal on 12 July 2024, it sets out the rules for determining whether an AI system is high-risk and what obligations follow.

Article 6(1) — The Annex I route.
An AI system is high-risk if it is a product, or a safety component of a product, covered by Annex I legislation and subject to third-party conformity assessment before it can be placed on the market.

Article 6(2) — The Annex III route.
An AI system intended for one of the Annex III use cases is generally considered high-risk, unless the Article 6(3) exception applies.

Article 6(3) — The exception.
An Annex III AI system may not be high-risk if it meets one of the four narrow conditions and does not profile individuals. Providers relying on this exception must carefully assess whether it genuinely applies.

Article 6(4) — Documentation.
If a provider relies on the Article 6(3) exception, the assessment must be documented before the system is placed on the market or put into service and made available to competent authorities upon request.

Article 6(5) — Commission guidance.
The European Commission is required to publish practical guidelines with examples to help providers classify AI systems consistently.

Articles 9–15 — Requirements for high-risk AI systems.
Once an AI system is classified as high-risk, providers must meet requirements relating to:

  • Risk management (Art. 9)
  • Data governance (Art. 10)
  • Technical documentation (Art. 11)
  • Record-keeping and logging (Art. 12)
  • Transparency (Art. 13)
  • Human oversight (Art. 14)
  • Accuracy, robustness, and cybersecurity (Art. 15)

To understand how the EU AI Act works alongside frameworks such as the NIST AI Risk Management Framework (AI RMF) and India’s Digital Personal Data Protection (DPDP) Act, 2023, explore the related guides in the AspirixWriters AI Governance Hub.

Practical Insight: Classification is only the first step. Once you know your AI system’s risk category, you can identify the compliance requirements that apply under the EU AI Act.

10. Real-World Examples

AI Resume Screening: A Common Annex III Scenario

Imagine a startup that builds an AI tool to read, score, and rank job applications before a recruiter reviews them. Many teams assume the system is low-risk because a human makes the final hiring decision. Under the EU AI Act, that isn’t enough. The AI is still profiling individuals by scoring and ranking candidates, so the Article 6(3) exception does not apply. The system is generally classified as high-risk under Annex III’s employment category.

Using AI Through a Third-Party Platform

Now consider a fintech company that purchases an HR platform with built-in AI for employee performance scoring. It’s easy to assume the software vendor is responsible for compliance. In practice, organisations deploying AI systems may also have obligations under the EU AI Act. Using a third-party AI tool does not automatically remove those responsibilities.

Quick Scenario Guide

AI SystemClassification RouteLikely Outcome
AI tool that scores and ranks job applicantsAnnex III – EmploymentHigh-risk – profiling means the Article 6(3) exception is unlikely to apply.
Internal AI system for employee performance reviewsAnnex III – EmploymentLikely high-risk if it falls within the Annex III use case.
AI diagnostic feature in a medical deviceAnnex I – Regulated productHigh-risk – subject to the Annex I route and applicable conformity assessment requirements.
AI tool that simply sorts documents into predefined foldersAnnex III (if applicable)The Article 6(3) exception may apply, provided the legal conditions are met and the assessment is documented.
General-purpose research chatbot with no Annex III use caseOutside Annex I/IIILikely limited or minimal risk, depending on its intended purpose and deployment context.

11. Common Mistakes — Including the “Avoid This” Box

  • Assuming “AI” automatically means high-risk — classification depends on use case, not technology.
  • Classifying based on what the model could do instead of what the system is designed to do.
  • Skipping Step 1 — checking Annex III before confirming the product is even in scope.
  • Applying Article 6(3) too broadly — especially for systems that rank, score, or label individuals.
  • Assuming human review prevents high-risk classification — it is a requirement once classified, not a route around it.
  • Treating internal use as an exemption — it is not.
  • Making the classification decision verbally and never writing it down.
  • Not revisiting classification when a product feature or target market changes.

Avoid This Founder Mistake: “Our AI just gives a score — the human decides what to do with it.”

This is the single most common misapplication of the Article 6(3) escape. The test is not whether a human makes the final call. The test is whether the AI system profiles individuals — scores, ranks, or categorises them. If it does, the escape is closed. If your system outputs a “candidate fit score” or a “credit risk rating,” it is profiling. Classification as high-risk follows automatically under Annex III.

12. Myth vs Fact

MythFact
“Every AI system is high-risk.”High-risk depends on use case and route — most everyday tools are minimal risk (EU AI Act, Art. 6).
“If a human makes the final decision, the AI isn’t high-risk.”Human oversight is required inside high-risk systems — it does not prevent classification.
“Internal tools are exempt.”No internal-use exemption exists — internal hiring or performance AI faces the same Annex III analysis.
“Annex III always means high-risk.”Article 6(3) provides a narrow escape — but never applies to systems that profile individuals (Art. 6(3)).
“A team discussion is enough documentation.”Written documentation before market entry is a legal requirement, available to regulators on request (ai-act-service-desk.ec.europa, Art. 6(4)).
“The Digital Omnibus delayed classification.”It deferred compliance deadlines — not the obligation to classify. Classification must happen now.
“ChatGPT is not high-risk, so my ChatGPT-based tool isn’t either.”The tool you build with ChatGPT determines the risk tier — not the underlying model.

13. Practical Compliance Checklist

Before every product launch or major feature update:

  • [ ] Confirm the product meets the EU AI Act’s definition of an AI system.
  • [ ] Write a specific, narrow intended-purpose statement — not a general marketing description.
  • [ ] Check the Annex I regulated-product route — is this embedded in a safety-critical product?
  • [ ] Compare the use case against all eight Annex III categories.
  • [ ] Test whether Article 6(3) genuinely applies — and rule it out if any profiling is involved.
  • [ ] Write the classification conclusion with full reasoning — not a one-line note.
  • [ ] Store the written record with your product compliance files.
  • [ ] Re-check the classification whenever the product’s use case or target market changes.

Classification effort by company stage:

StageRecommended Action
Pre-launch startupOne-page Article 6 review for every AI feature before shipping
Growth-stage SaaSStanding AI inventory with a classification field per system
EnterpriseRecurring classification review built into every release cycle

14. Comparison Table

FrameworkWhat It DoesHow It Helps Here
EU AI Act (Regulation (EU) 2024/1689)Legally classifies AI systems and assigns obligations by risk tierThe binding legal test — Article 6 and Annex III are the actual classification rules
NIST AI RMFVoluntary risk management framework — Govern, Map, Measure, Manage (nist.gov, AI RMF 1.0)Practical governance scaffold to build once classification is settled
ISO/IEC 42001:2023AI management system standardGovernance structure and audit trail for classification decisions
OECD AI PrinciplesBroad principles for trustworthy AI (oecd.org, AI Principles)Policy framing — not a classification tool
India DPDP Act, 2023Indian data protection lawParallel obligation — applies alongside EU AI Act if Indian personal data is processed

15. Frequently Asked Questions

1. How do I know if my AI system is high-risk?

Run the four-step check: confirm it is an AI system, check the Annex I product route, check all eight Annex III categories, and test whether the Article 6(3) escape genuinely applies (ai-act-service-desk.ec.europa, Art. 6 guidance).

2. Do I need a lawyer to classify my AI system?

Not always — but legal review is wise when the use case is borderline, cross-border, or customer-facing in a sensitive domain. The Article 6(3) analysis especially benefits from qualified legal input.

3. What if my system is only used internally?

There is no internal-use exemption. If your internal system touches an Annex III category — such as hiring or performance management — it is subject to the same classification rules as externally sold products.

4. Does “a human makes the final decision” remove high-risk status?

No. Human oversight is a compliance requirement you must build into a high-risk system — not a route to avoid classification. Classification depends on the system’s intended purpose and whether it profiles individuals.

5. Does Annex III always mean high-risk?

No — the Article 6(3) escape exists. But it never applies to systems that profile individuals, and it requires written documentation before launch (Art. 6(3)).

6. Do I need to document my classification even if I conclude the system is not high-risk?

Yes — especially then. The documentation duty under Article 6(4) applies specifically to providers who use the Article 6(3) escape to conclude their Annex III system falls below the high-risk threshold.

7. Can ChatGPT make my product high-risk?

ChatGPT itself is a GPAI model, not classified as high-risk. But if you use it to build a system in an Annex III use case — such as hiring or credit decisions — your system can be high-risk regardless of what powers it.

8. Does the EU AI Act apply to Indian startups?

Yes, if the system is placed on the EU market, put into service in the EU, or used by people in the EU. For a full explanation, see the guide on whether the EU AI Act applies to Indian companies.

9. What happens if I get the classification wrong?

Under-classify — face enforcement, fines, and potential product withdrawal from the EU market. Over-classify — carry unnecessary compliance cost. Neither is acceptable, which is why documented reasoning matters.

10. The Digital Omnibus moved the deadline. Do I still need to classify now?

Yes. The Omnibus deferred compliance deadlines — not the classification obligation. You need to know your category now so you can plan what must be built and by when.

16. Key Takeaways

  • The EU AI Act classifies AI by intended use — not by the sophistication of the technology.
  • There are two routes into high-risk: Annex I (safety-critical products) and Annex III (eight sensitive use cases).
  • The Article 6(3) escape is narrow and automatically unavailable to any system that profiles individuals.
  • Human oversight does not prevent high-risk classification — it is a legal requirement once classified.
  • Every classification decision — including “not high-risk” — must be documented in writing before launch.
  • ChatGPT is not high-risk — but using it inside a high-risk use case creates obligations for your business, not OpenAI.
  • Startups can become high-risk accidentally through feature creep, EU market expansion, or vendor AI use.

17. What Should You Do Next?

Startup founder. Run a one-page Article 6 check for every AI feature before you ship. Assign one person to own it. If your team uses AI tools daily, also read the guide on why your startup needs an AI policy — governance and classification go together.

Developer or engineering lead. The classification outcome tells you what to build — logging systems, oversight features, documentation pipelines. Get the answer before the sprint starts. Check whether the tools your team uses day-to-day are being used in any Annex III context.

Lawyer (in-house or firm). Build a classification memo template covering all four steps, the Article 6(3) conditions, and the documentation duty under Article 6(4). Apply it consistently — not only when clients specifically request it.

Researcher. Compare your use case against all eight Annex III categories. Document whether the system materially influences a human decision. Cross-reference with NIST AI RMF for practical risk controls once classification is settled.

Student. Focus on the logic of the four-step test. It is one of the clearest examples in current law of how risk-based regulation converts a broad policy principle into a sequential, documented legal workflow.

Enterprise leader. Build classification into product release planning as a standing agenda item — not a retrospective review triggered by a customer complaint. If your products reach EU users and also process Indian personal data, the DPDP Act obligations run in parallel and need their own review.

19. Conclusion

The question is not whether your AI product is impressive or well-intentioned. It is whether its intended use places it into a legally sensitive category — and whether you can prove you checked.

For many startups, the honest answer after the four-step check will be: no, this is not high-risk. That is a good outcome — and you now have the documentation to show it.

For others, the answer will be yes. That is not a crisis — it is a compliance roadmap. Build the required controls before the product reaches EU users, rather than retrofitting them under investor or regulator pressure later.

The expensive mistake is making no assessment at all. Start with the four steps. Write down your reasoning. Update it whenever the product changes.

Need Help with EU AI Act Compliance?

AspirixWriters provides practical support for AI risk classification, EU AI Act compliance documentation, AI governance policies, legal research, and regulatory content. Whether you’re a startup, business, or legal team, we help you build AI with confidence and compliance.

Related Reading — Build Your AI Governance Stack

  • Does the EU AI Act Apply to Indian Companies? — Start here if you’re not sure whether EU rules apply to your business at all
  • My Startup Uses ChatGPT. Do I Really Need an AI Policy? — The governance companion to this article
  • EU AI Act: Complete Startup Guide — Timelines, obligations, and the Digital Omnibus update
  • NIST AI RMF Explained for Startups — Build your internal risk controls once classification is done
  • India’s DPDP Act, 2023: What It Covers — The parallel Indian data protection obligation that runs alongside EU rules

Written by

Dr. Rekha Khandelwal Legal Researcher | AI Governance Writer | Author | Assistant Professor (Law) Founder – AspirixWriters

About the Author

Dr. Rekha Khandelwal is a legal researcher, educator, author, and AI governance writer specialising in AI regulation, digital law, cyber law, legal research, and emerging technology governance. Through AspirixWriters, she publishes practical, research-backed guides that simplify complex legal and regulatory frameworks for businesses, professionals, researchers, and students.

Author’s Note

This article is for educational and informational purposes only and does not constitute legal advice. The European Commission’s detailed Article 6 classification guidelines were still in draft form as of the time of writing — verify the finalised text before making any live compliance decision. The Digital Omnibus on AI had been approved by the European Parliament but was awaiting formal Council adoption at the time of writing; verify the current legal position before relying on any deadline mentioned here. Consult a qualified legal professional for advice specific to your jurisdiction and product.

Review Information

Last Reviewed: June 2026 Next Review: Within 6 months, or immediately upon finalisation of the Commission’s Article 6 classification guidelines or formal adoption of the Digital Omnibus — whichever comes first.

Official References

  1. Regulation (EU) 2024/1689 — EU AI Act, Articles 6, 9–15, Annex I, Annex III. Official Journal of the European Union, 12.7.2024. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. AI Act Service Desk — “Article 6: Classification rules for high-risk AI systems.” https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6
  3. AI Act Service Desk — “General principles for classification of high-risk AI systems.” https://ai-act-service-desk.ec.europa.eu/en/general-principles-classification-high-risk-ai-systems
  4. AI Act Service Desk — “Annex III: High-Risk AI Systems referred to in Article 6(2).” https://ai-act-service-desk.ec.europa.eu/en/ai-act/annex-3
  5. artificialintelligenceact.eu — “Annex III.” https://artificialintelligenceact.eu/annex/3/
  6. NIST — “AI Risk Management Framework 1.0.” https://www.nist.gov/itl/ai-risk-management-framework
  7. OECD — “AI Principles.” https://www.oecd.org/en/topics/policy-issues/artificial-intelligence.html
  8. Ministry of Electronics and Information Technology — Digital Personal Data Protection Act, 2023. https://www.meity.gov.in/data-protection-framework
  9. European Commission — Digital Omnibus on AI (Council-Parliament agreement, May 2026). https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/

Scroll to Top