Annex III is the list every compliance lead reads line by line. It is also the list most operational teams have not been walked through. This checklist translates the dense Annex III text for the three teams that run the risky AI day-to-day — HR, security, and operations. Built to amplify your in-house expertise, not to replace qualified review.
Why Annex III is the list that matters
Annex III of Regulation (EU) 2024/1689 sets out the standalone use cases the AI Act treats as high-risk. It triggers the heavy substantive obligations: risk management, data governance, documentation, transparency, human oversight, accuracy and robustness, post-market monitoring, and conformity assessment.
Annex III sits alongside Annex I — AI embedded as a safety component in products already regulated by EU harmonised product legislation (medical devices, machinery, lifts, toys). The two behave differently under the Digital Omnibus deferral (Annex III standalone provisionally moved to 2 December 2027, Annex I embedded to 2 August 2028) but the classification work does not change. The European Commission AI Act policy page is the canonical timeline reference.
The practitioner takeaway: the deferral changes the when, not the what. The inventory still needs doing, and the three teams below are the ones who know which systems are in scope.
HR: where AI usually triggers Annex III
Annex III explicitly covers AI used in employment, workers management, and access to self-employment. In practice, three HR uses are almost always in scope:
- Recruitment and selection — AI used to source candidates, screen applications, evaluate test responses, parse CVs, or rank shortlists.
- Decisions affecting work relationships — AI used in promotion, termination, work allocation, or task assignment.
- Performance and behaviour monitoring — AI used to evaluate productivity, conduct, or performance during the employment relationship.
A common HR-stack trap: an applicant-tracking system, video-interview tool or productivity analytics platform quietly includes AI ranking or scoring that the team never explicitly procured. The Article 5 prohibition on emotion recognition in the workplace is the immediate exposure: any tool inferring emotional state from face, voice, or text in a workplace context is already prohibited, regardless of its Annex III status.
What to do this fortnight: list every HR system, tag the ones with AI ranking or scoring, and flag any emotion-recognition feature.
Security: biometrics, surveillance, access
Annex III pulls in several security-adjacent use cases:
- Remote biometric identification — beyond the Article 5 prohibition on real-time identification in public spaces by law enforcement, Annex III still captures non-prohibited biometric identification.
- Biometric categorisation and emotion recognition (where not already prohibited under Article 5).
- Critical infrastructure — AI as a safety component in critical digital infrastructure, road traffic, water, gas, heating, and electricity supply.
- Law-enforcement-adjacent profiling — AI used to assess risk of offending, evaluate evidence reliability, or profile natural persons during investigation.
Two Article 5 prohibitions sit close to security work and need separate confirmation: biometric categorisation to infer sensitive characteristics, and untargeted scraping of facial images to build facial-recognition databases. Both are already prohibited.
What to do this fortnight: inventory every system that ingests biometric data, sits on critical infrastructure, or performs profiling. Confirm Article 15 cybersecurity expectations are captured.
Operations: essential services, infrastructure, education, justice
Annex III also captures operational AI touching access to services and rights:
- Essential private and public services — AI in credit scoring, life and health insurance pricing or eligibility, emergency-service dispatch, and public-benefits eligibility.
- Education and vocational training — AI determining access, assigning institutions, evaluating learning outcomes, or monitoring prohibited behaviour during tests.
- Justice and democratic processes — AI assisting a judicial authority in researching, interpreting, or applying law, and AI intended to influence elections or voting behaviour (with narrow exceptions).
- Migration, asylum and border control — AI in risk assessment of natural persons, document verification, and application processing.
The trap here is product reach: a SaaS feature shipped globally may be in scope as soon as one customer deploys it for an Annex III purpose in the EU. The Article 2 extraterritoriality test runs alongside the Annex III classification.
What to do this fortnight: walk product and operations through the Annex III sub-list and tag any feature touching credit, insurance, public benefits, education access, judicial work, or migration.
How to inventory your Annex III exposure in a week
A one-week sprint is enough for a defensible first-pass inventory:
- Day 1–2 — pull the system list from procurement, IT, and the data team. Include AI features inside non-AI products.
- Day 3 — workshop with HR, security, and operations to tag each system against the three categories above.
- Day 4 — flag Article 5 prohibitions as separate entries — not Annex III, but prohibited and to be closed now.
- Day 5 — review with Legal, capture gaps, book qualified review.
The AI Risk Register is built to hold this inventory mapped to Annex III categories and the Article 9–15 obligations.
Where to read the source material
- Regulation (EU) 2024/1689 — full text on EUR-Lex — Annex III sits at the back of the Regulation.
- European Commission AI Act policy page — the canonical timeline of which obligations apply when.
- Commission Guidelines on Prohibited AI Practices (4 Feb 2025) — for the Article 5 prohibitions that sit alongside Annex III.