← Back to blog

High-Risk AI Categories Under the EU AI Act — Explained for Builders

2026-07-03·6 min read·Risk, AI Act Basics

What makes an AI system "high-risk"?

The EU AI Act defines high-risk AI systems in Annex III. There are 8 categories, and if your product falls into any of them, you face stricter obligations.

The 8 high-risk categories

1. Biometric identification

AI systems that identify or verify natural persons through biometric data (facial recognition, fingerprint, voice). Includes real-time and post-facto identification.

Likelihood for SaaS founders: Low, unless you build biometric products.

2. Critical infrastructure

AI used in the management and operation of critical infrastructure (energy, transport, water). Risk if failure could endanger life or health.

Likelihood for SaaS founders: Low.

3. Education and vocational training

AI used to determine access to education, evaluate learning outcomes, or assess students. Includes admission systems, grading automation, and learning path personalization.

Likelihood for SaaS founders: Medium-high if building EdTech AI.

4. Employment, workers management, access to self-employment

CV screening, candidate ranking, performance monitoring, worker assignment algorithms. This is the most common high-risk category for B2B SaaS.

Likelihood for SaaS founders: High for HR/recruiting platforms.

5. Access to essential services

Credit scoring, insurance pricing, access to healthcare services, energy supply, communication services. AI that determines who gets access to basic services.

Likelihood for SaaS founders: Medium for FinTech and InsurTech.

6. Law enforcement

AI used by law enforcement for risk assessment, evidence analysis, profiling, or crime prediction.

Likelihood for SaaS founders: Low.

7. Migration, asylum, and border control

AI used for visa processing, asylum assessment, border surveillance.

Likelihood for SaaS founders: Very low.

8. Administration of justice

AI used to assist judicial decision-making or apply the law.

Likelihood for SaaS founders: Low.

The grey zone: what if you touch multiple categories?

Many AI SaaS products operate at the edge of these categories. For example:

Our recommendation: If you're unsure, run a readiness scan. The cost of over-classifying is extra paperwork. The cost of under-classifying is fines.

What changes if you're high-risk?

  1. Risk management system — continuous process to identify and mitigate risks
  2. Technical documentation — detailed model cards, training data, accuracy metrics
  3. Human oversight — ability for humans to review and override AI decisions
  4. Conformity assessment — self-declaration or third-party audit depending on context
  5. Registration in EU database — your system must be registered before deployment

The reality check

Most AI SaaS products are not high-risk. But many founders don't know that — and they waste money on unnecessary legal fees, or worse, ignore compliance entirely.

Get a clear picture first. Then decide what to do.


Not sure where your product stands?

Run a free AI Act readiness scan. Get your risk score in 2 minutes.

→ Get your free risk score