EU AI Act High-Risk AI Systems: Full List and What It Means for UK Businesses

Complete list of AI systems classified as high-risk under the EU AI Act. Understand which AI uses require compliance steps and which fall into the minimal-risk category.

The EU AI Act classifies AI systems into four risk categories. High-risk AI systems — defined in Annex III — include AI used in critical infrastructure, educational assessment, employment decisions, access to essential services like credit scoring and insurance, law enforcement, migration processing, and administration of justice. For UK SMEs, the majority of AI use cases (chatbots, productivity tools, content generation) fall into the minimal-risk category with no specific compliance burden. Only an estimated 15% of typical SME AI use cases may qualify as high-risk.
  • 55%: minimal risk (no burden)
  • 30%: limited risk (transparency)
  • 15%: potentially high-risk
  • €35M: maximum penalty

The four risk tiers

Prohibited (unacceptable risk): AI practices banned outright — social scoring, real-time biometric identification in public spaces, manipulation of vulnerable groups. Most UK SMEs will never encounter these.

High-risk: AI in sensitive domains (detailed below). Requires conformity assessments, documentation, human oversight, and registration.

Limited risk: AI that interacts with people or generates content. Requires transparency disclosures — users must know they're interacting with AI.

Minimal risk: Internal tools with no direct impact on individuals' rights. No specific obligations. This is where most UK SME AI usage falls.

Complete high-risk category list (Annex III)

The EU AI Act defines high-risk AI systems across eight domains:

  1. Biometric identification: remote biometric identification systems used in public spaces (with exceptions for law enforcement)
  2. Critical infrastructure: AI as safety components of critical infrastructure (energy, water, transport, digital infrastructure)
  3. Education and vocational training: AI that determines access to education, assesses students, or monitors exam behaviour
  4. Employment: AI for recruitment (CV screening, interview assessment), performance monitoring, task allocation, and termination decisions
  5. Essential services: AI used for credit scoring, insurance risk assessment, and determining access to public benefits
  6. Law enforcement: AI for risk assessment, polygraph-equivalent systems, evidence evaluation, and profiling
  7. Migration and border control: AI for visa application assessment, border surveillance, and asylum processing
  8. Justice and democracy: AI assisting judicial authorities in researching facts or applying the law

What's NOT high-risk

The following common UK SME AI use cases are explicitly NOT high-risk:

  • Chatbots and customer service AI (limited risk — transparency required)
  • Content generation tools (ChatGPT, Claude, Jasper) for marketing or internal use
  • Code assistance tools (GitHub Copilot, Cursor)
  • Meeting transcription and summarisation (Otter.ai, Fireflies)
  • Data analysis and business intelligence
  • Email drafting and writing assistance

The grey area: general-purpose AI

Tools like ChatGPT, Claude, and Gemini are classified as general-purpose AI (GPAI), not high-risk. However, if a business uses GPAI for a high-risk purpose — such as screening job applicants or assessing insurance claims — that specific deployment could be classified as high-risk. The classification follows the use case, not the technology.

How to classify your own AI use cases

Ask four questions for each AI tool:

  1. Does it make or influence decisions about individuals (hiring, credit, insurance)?
  2. Does it operate in a regulated domain (healthcare, education, law enforcement)?
  3. Could it significantly affect someone's rights or opportunities?
  4. Does it interact directly with EU individuals?

If the answer to any of these is yes, check the use case against the Annex III categories. If the answer to all four is no, your use case is likely minimal or limited risk.

What counts as a high-risk AI system under the EU AI Act?

High-risk AI systems are those used in areas listed in Annex III: critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. The classification depends on the use case, not the technology.

Is ChatGPT a high-risk AI system?

No — ChatGPT is general-purpose AI. But using it for employment decisions could make that specific use case high-risk.

What do I need to do if I use a high-risk AI system?

Maintain technical documentation, implement risk management, ensure human oversight, conduct conformity assessment, and register with EU authorities.

Do most UK SMEs use high-risk AI?

No. About 85% of typical UK SME AI use falls into minimal or limited risk categories.