What is a “high-risk AI system” under the EU AI Act?

A high-risk AI system is the EU AI Act’s central regulatory category — AI systems whose use poses significant risks to health, safety or fundamental rights of natural persons. High-risk systems face the most demanding compliance obligations under the AI Act: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and cybersecurity.

Two routes into “high-risk”

  1. Annex I — Safety components: AI as a safety component in products already regulated by EU harmonisation legislation (medical devices, machinery, toys, vehicles, aviation).
  2. Annex III — Listed uses: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to public services, law enforcement, migration/asylum, administration of justice and democratic processes.

Core obligations for high-risk providers

  • Article 9 — Risk management system: documented, iterative, lifecycle-long.
  • Article 10 — Data and data governance: training data relevant, representative, free from bias as far as possible.
  • Article 11 — Technical documentation: demonstrating compliance.
  • Article 12 — Record-keeping: automatic logs throughout system lifecycle.
  • Article 13 — Transparency to deployers: instructions for use.
  • Article 14 — Human oversight: designed in.
  • Article 15 — Accuracy, robustness, cybersecurity.

Deployer obligations (Article 26)

  • Use the system per provider’s instructions.
  • Assign human oversight roles to competent persons.
  • Monitor operation; suspend if it presents risks.
  • Keep logs for at least 6 months.
  • Inform workers and their representatives before deployment in a workplace context.

Practical impact for Turkish companies

For Turkish software companies selling into the EU, the most common high-risk categories are employment (CV screening, performance management), education (student assessment), access (credit scoring) and critical infrastructure (BDDK-regulated financial services).

Do: classify your AI use case against Annex III early; budget for compliance from product design, not after.
Don’t: assume “we are not high-risk” without documented analysis — getting classification wrong is the most expensive AI Act mistake.