EU AI Act High-Risk Requirements: What Businesses Must Do by Dec 2027
High-risk AI systems under the EU AI Act must meet eight core obligations—including a risk management system, technical documentation, data governance controls, human oversight mechanisms, and a conformity assessment—before they can legally operate in the EU market. Companies that deploy or place these systems must be compliant by 2 August 2026 (for newly deployed systems) and ensure all existing high-risk systems satisfy general-purpose AI rules by 2 August 2027. The overarching deadline for full Article 10–17 compliance by high-risk operators is December 2, 2027.
Not every AI system qualifies as high-risk. Getting that classification wrong in either direction—over-complying wastes resources; under-complying creates regulatory exposure—is one of the most expensive mistakes companies make.
What Counts as a High-Risk AI System?
The EU AI Act defines high-risk systems in Annex III, which lists eight domains. If your AI system operates in any of these areas, assume you are in scope until a legal review says otherwise.
Notably, AI systems that are a safety component of a product already regulated under EU harmonisation law (medical devices, machinery, lifts) are high-risk by default, even if the AI itself isn't directly listed.
General-purpose AI models (GPT-class models, Claude, Gemini) are not automatically high-risk. They become high-risk only when integrated into an application that falls under Annex III—so a plain chat assistant on a retail site is not high-risk, but the same model powering loan approval is.
The Eight Core Obligations for High-Risk AI
1. Risk Management System (Article 9)
You must establish a continuous risk management process for the full AI lifecycle—from design through decommissioning. This is not a one-time document. The system must:
- Identify and analyze known and foreseeable risks
- Estimate and evaluate risks that emerge under normal and reasonably foreseeable misuse
- Adopt risk mitigation measures and test their effectiveness
- Document residual risks and communicate them to deployers
2. Data and Data Governance (Article 10)
Training, validation, and test datasets must meet specific quality criteria:
- Relevant, representative, and as free from errors as possible
- Account for known biases that could cause discriminatory outcomes
- Subject to documented data governance practices
3. Technical Documentation (Article 11 + Annex IV)
Before market placement, providers must prepare detailed technical documentation covering:
- System purpose and intended use
- Architecture and algorithms used
- Training methodology and datasets
- Performance metrics across different demographic groups
- Human oversight measures
- Known limitations and failure modes
4. Record-Keeping and Logging (Article 12)
High-risk AI systems must be capable of automatic logging of events during operation. These logs must:
- Enable traceability of the system's outputs
- Cover the full period of use by the deployer
For systems that make individual decisions affecting people—credit, hiring, benefits—logs must enable reconstruction of each decision for audit.
5. Transparency and Instructions for Use (Article 13)
Deployers must receive instructions that let them understand what the system can and cannot do. These must include:
- Identity and contact details of the provider
- System capabilities, intended purpose, and accuracy levels
- Known limitations and circumstances under which it may underperform
- Data input specifications
- Human oversight procedures
Draft your instructions for use alongside the technical documentation, not after. Regulators look for consistency between the two documents. Gaps between them are a common audit finding.
6. Human Oversight (Article 14)
This is the most operationally demanding requirement. High-risk systems must be designed so that natural persons can effectively oversee them during use. At minimum, oversight must allow a human to:
- Understand the system's capabilities and limitations
- Monitor its operation for anomalies
- Override, interrupt, or shut down the system
- Avoid over-reliance on system outputs (mitigation of "automation bias")
7. Accuracy, Robustness, and Cybersecurity (Article 15)
High-risk systems must achieve appropriate levels of accuracy for their intended purpose, be resilient to errors, and resist adversarial manipulation. Providers must:
- Define and document accuracy metrics before deployment
- Test robustness against edge cases and distribution shift
- Implement cybersecurity measures proportionate to the risk
8. Conformity Assessment (Article 43)
Before placing a high-risk AI system on the EU market, providers must complete a conformity assessment:
| System Type | Assessment Path |
|---|---|
| Biometric identification (Annex III, item 1) | Third-party (notified body) assessment required |
| AI safety components in regulated products | Assessment follows sector-specific product rules |
| All other Annex III high-risk systems | Self-assessment against Annex VI checklist |
| GPAI models with systemic risk | Separate obligations under Articles 51–55 |
Who Bears Which Obligations?
The Act distinguishes between providers (companies that develop or place AI systems on the market) and deployers (companies that use AI systems in their operations).
Providers must:
- Complete conformity assessment and affix CE marking
- Register in the EU database before market placement
- Appoint an EU representative if headquartered outside the EU
- Report serious incidents to national supervisory authorities within defined timeframes
Deployers must:
- Conduct a fundamental rights impact assessment before deploying Annex III systems in sensitive domains (new obligation effective 2026)
- Follow the provider's instructions for use
- Assign human oversight to qualified staff
- Inform employees when AI is used to monitor them
- Retain logs for six months
If you deploy a third-party AI system but modify it, reconfigure it substantially, or use it outside its intended purpose, you are reclassified as a provider and take on all provider obligations. This catches many SaaS buyers off guard.
Key Deadlines at a Glance
Here's the compliance timeline every team needs on a wall:
Practical Steps to Reach Compliance
Key Takeaways
- Eight obligations apply: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness, and conformity assessment
- Most high-risk systems can self-assess; only biometric identification systems require a third-party notified body
- Deployers who modify or misuse AI take on provider-level obligations
Frequently Asked Questions
What is the penalty for non-compliance with EU AI Act high-risk requirements?
Fines for violations of high-risk obligations (Articles 8–15) reach up to €15 million or 3% of global annual turnover, whichever is higher. For prohibited practices under Article 5, penalties go up to €35 million or 7% of global turnover. Regulators can also order suspension of market access.
Does the EU AI Act apply to US or UK companies?
Yes. The Act applies to any provider or deployer whose AI systems affect people in the EU, regardless of where the company is headquartered. US and non-EU companies must appoint an EU authorized representative before placing high-risk systems on the EU market.
Is a large language model (LLM) automatically high-risk under the EU AI Act?
No. A standalone LLM is classified as a general-purpose AI (GPAI) model under Articles 51–55, which carries different (lighter) obligations unless it poses systemic risk. It becomes high-risk only when embedded in an application that falls under Annex III—for example, an LLM powering an HR screening tool.
What is a conformity assessment and how long does it take?
A conformity assessment is the structured verification that your high-risk system meets Articles 9–15. For most Annex III systems, it is a self-assessment against the Annex VI checklist. It typically takes 8–16 weeks for a well-documented system. Notified body assessments for biometric systems add 4–12 weeks depending on queue times.
What is the EU AI Act database and when must I register?
The EU database is a public registry of high-risk AI systems maintained by the EU AI Office. Providers must register each high-risk system before placing it on the market. Deployers using public-authority AI must also register. Registration requires technical documentation summaries but does not make full documentation public.
We use a SaaS AI tool from a US vendor. Are we responsible for EU AI Act compliance?
As a deployer, you share obligations with the provider. You must follow instructions for use, conduct a fundamental rights impact assessment for sensitive domains, maintain logs, and ensure qualified human oversight. If the vendor cannot demonstrate their system meets Articles 9–15, you face risk. Before deploying any high-risk SaaS AI in the EU, require a conformity declaration from the vendor.