Transparency rules in2 Aug 2026
Library / Guide

When an Annex III use is actually high-risk (Article 6)

Article 6 is the gatekeeper. It decides when a system actually counts as high-risk, and it includes a narrow exception for uses that do not really put people at risk.

Two routes to high-risk

A system is high-risk in one of two ways. The first is when it is a safety component of a product already regulated under EU product-safety law, the Annex I route, which mainly affects manufacturers. The second is when its use falls in an Annex III area.

For most businesses, the Annex III route is the one that matters. If your use sits in one of those areas, Article 6 is what decides whether it actually counts as high-risk.

The narrow exception

An Annex III use may not be high-risk if it does not pose a significant risk to health, safety, or fundamental rights, for example where it only performs a narrow procedural task or improves the result of work a person already did.

The bar is high, and it is the provider who assesses and documents the exception, not you as the deployer.

Profiling is always high-risk

There is a hard limit on the exception: if a system profiles individuals, it stays high-risk regardless of how narrow the task looks. That closes the obvious loophole of dressing profiling up as a minor step.

Profiling here means the automated evaluation of personal aspects, like predicting someone's performance, reliability, or behaviour. If that is in the mix, do not expect the exception to apply.

What this means for a deployer

You generally take the provider's classification as your starting point. If a provider claims the exception, they should be able to show their reasoning, and they still have to register the system in the EU database.

When a borderline use is genuinely yours to judge, treat it as high-risk and confirm with counsel rather than leaning on the exception. It is narrow by design, and the cost of getting it wrong sits with you.

Placeholder

This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.

Put it into practice

Classify your AI systems against the Act and generate the documents this guide describes.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.