Annex III in practice: five high-risk sectors where 2 August bites first

The AI Act distinguishes between high-risk systems that are components of products already regulated under Union sectoral law (Annex I), and high-risk systems used in specific listed contexts (Annex III). Medical devices, machinery, toys, lifts and the rest of the Annex I list are absorbed into existing CE-marking regimes and continue to be governed by their sectoral notifying bodies. Annex III is where new compliance obligations and new oversight architecture had to be built from a standing start. Article 6 is the gateway; Annex III is the list.

The eight categories are: biometrics; critical infrastructure; education and vocational training; employment, workers' management, and access to self-employment; access to essential public and private services; law enforcement; migration, asylum and border control; and administration of justice and democratic processes. The deep-dive below treats the five with the greatest near-term economic mass: employment, biometrics, critical infrastructure, education, and access to services.

1. Employment, workers' management, and access to self-employment

This is the category European compliance teams have spent the most time preparing for, because nearly every large employer in the bloc operates AI systems within scope. CV screening, candidate ranking, performance management, allocation of tasks among workers, monitoring of behaviour, and decisions on termination all fall inside Annex III. Article 26 creates a deployer obligation on top of the provider obligation: every employer using an in-scope system must conduct a fundamental rights impact assessment and inform affected workers.

The German Bundesarbeitsgericht has been clear since its September 2025 ruling on automated performance scoring that employer-side compliance under the AI Act runs in parallel with co-determination obligations under the Works Constitution Act, not in lieu of them. French CNIL guidance published in February 2026 reaches the same conclusion, with stricter language on the employee notification timing. Dutch and Swedish guidance is still pending; both supervisory authorities have signalled an autumn 2026 timeline.

The compliance gap most likely to bite is not the impact assessment itself, which most large employers have already drafted, but the technical documentation requirement under Article 11. Buyers of HR-tech AI products are discovering that providers headquartered in the United States are not yet able to produce Article-11-compliant documentation in the level of detail European regulators expect, and renegotiating support clauses is a 2026 budget line item that was not in 2025 plans.

2. Biometrics

Annex III covers remote biometric identification, biometric categorisation, and emotion recognition. These three categories were the most heavily lobbied during the AI Act's trilogue and arrive at 2 August with materially different treatment. Real-time remote biometric identification in publicly accessible spaces by law enforcement is largely prohibited (Article 5), with narrow exceptions; post-remote biometric identification is high-risk under Annex III; biometric categorisation that infers protected characteristics is prohibited.

The operational implication for European retailers, transport operators and stadium operators is that off-the-shelf face-recognition CCTV products marketed for footfall analytics need to be re-evaluated against Article 5's prohibition before 2 August. Several large stadium operators in Italy and Spain have paused planned deployments pending guidance from their national supervisory authorities.

3. Critical infrastructure

Critical infrastructure here means the management and operation of digital infrastructure, road traffic, and supply of water, gas, heating and electricity. The AI Act's framing places AI systems used as safety components within these systems on the high-risk list. The interaction with the NIS2 Directive (already in force) and with the Critical Entities Resilience Directive is what makes this category operationally complex: a regulated essential service operator now has overlapping and not always identical obligations under three different EU regimes, plus national-level cybersecurity duties under the NIS2 transpositions.

The European Network of Transmission System Operators for Electricity (ENTSO-E) published a guidance note in January 2026 on AI-Act-NIS2 alignment for grid balancing systems. The note flags that AI systems used in real-time power flow forecasting fall within Annex III where they support grid security decisions, and that the conformity assessment regime should not be confused with cybersecurity certification under the NIS2 framework.

4. Education and vocational training

Annex III covers AI systems used to determine access or admission, evaluate learning outcomes, assess the appropriate level of education, and monitor or detect prohibited behaviour during examinations. The category is narrower than press coverage often implies, but it includes admissions algorithms used by universities, automated grading of summative assessments, and proctoring tools.

The Dutch Onderwijsinspectie issued an interim notice in March 2026 confirming that automated proctoring tools used by Dutch universities during the 2026-2027 academic year must hold provider Article-11 documentation by 2 August. Several proctoring vendors operating in the Dutch market have indicated they will withdraw rather than complete that documentation. The withdrawal will leave universities with manual invigilation as the fallback for the autumn examination cycle.

5. Access to essential public and private services

This is the catch-all category that includes credit scoring, insurance underwriting and pricing for life and health insurance, and the assessment of eligibility for public benefits. The scope is wide and the political sensitivity high. Member State supervisory authority appointments for this Annex III category vary significantly: in Germany the BaFin has been formally tasked with credit and insurance applications, in France the ACPR holds the equivalent, in the Netherlands the AFM is the lead.

The early divergence is in interpretation of Article 27's deployer obligation around fundamental rights impact assessments. The BaFin's draft guidance, published for consultation in March 2026, treats the FRIA as a binding annex to the existing prudential model risk management framework. The ACPR is taking a lighter touch and integrating it as a section within its existing model validation pack. That difference will matter for cross-border bancassurance groups operating in both jurisdictions.

The Member State enforcement map

Each Member State must designate national competent authorities for market surveillance and notification under Article 70. The current state of designations, as of mid-April 2026, is uneven: 21 Member States have appointed both market surveillance authorities and notifying authorities; 6 have appointed only one of the two. The Commission's Article 70 register is updated quarterly. The most operationally significant gap is Italy, which has not yet appointed a unified market surveillance authority, leaving sector-specific regulators to handle Annex III claims through August.

Where the August clock actually starts

For most providers and deployers, 2 August 2026 is not a single bright line. The AI Act's transitional provisions (Article 111) carve out high-risk systems already on the market or put into service before 2 August 2026, which only become subject to the full requirements where they undergo significant changes. Practically, the bright line is the next material model update or significant redeployment after 2 August. That phasing softens the immediate operational shock but lengthens the period over which compliance work must be sustained.

THE AI IN EUROPE VIEW

The five Annex III sectors above are not the most newsworthy, but they are the most economically consequential. The early divergence between national regulators on FRIA scope, on biometric guidance and on documentation thresholds will create predictable cross-border friction in the second half of 2026. European groups should expect the first formal Article 70 enforcement actions to land in the late autumn against deployers, not providers. The providers most exposed are not the major US labs, who can weather Article 11 documentation costs, but mid-tier European HR-tech and proctoring vendors whose business models do not absorb a sustained compliance overhead. Expect consolidation in those segments before the end of the year.