AI Act high-risk sectors

The AI Act's high-risk landscape. Made legible.

Annex III of the EU AI Act lists eight categories of high-risk AI use. If your firm uses AI in any of them, you're in scope. cosantio specialises in the sectors most exposed under Annex III §4 (employment) and §5 (essential services, including insurance and financial services). The Scorecard works for all eight categories.

8 Annex III categories2 in deep focus2 Dec 2027 standalone high-risk deadline

The Annex III taxonomy

Eight categories of high-risk AI.

Article 6(2) of the EU AI Act classifies the systems in Annex III as high-risk. The eight categories below are the full taxonomy. The two highlighted rows are where cosantio's key focus sectors sit: employment under §4, and insurance and financial services under §5.

§1

Biometrics

Remote biometric identification, biometric categorisation, emotion recognition

DPC
Privacy regulator

Future scope

§2

Critical infrastructure

AI in road traffic, water, gas, heating, electricity supply

CRU
Energy / utilities

Future scope

§3

Education & vocational training

Admissions AI, exam scoring, behaviour monitoring, course allocation

DoE
Education

Future scope

§4

Employment & worker managementEmployment & HR

CV screening, hiring scoring, performance monitoring, task allocation

WRC · DPC

Key focus

§5

Access to essential servicesInsurance · Financial services

Creditworthiness §5(b), life and health insurance pricing §5(c), benefits eligibility, emergency triage

CBI · EIOPA · ESMA

Key focus

§6

Law enforcement

Risk assessment of offenders, polygraph use, evidence reliability scoring

Garda
State authority

Future scope

§7

Migration, asylum & border control

Visa application scoring, asylum risk profiling, border-stop polygraphs

INIS
State authority

Future scope

§8

Administration of justice

AI assisting judicial decisions, alternative dispute resolution scoring

Courts Service

Future scope

Key focus areaFuture scopeSource: Regulation (EU) 2024/1689, Annex III

Key focus areas

Two categories. Three deep-dives.

Three focus areas, all within Annex III §4 (employment) and §5 (essential services): hiring & HR, insurance, and financial services. The fourth card covers the remaining six Annex III categories (§1, §2, §3, §6, §7, §8); deep-dives for those are on the roadmap. The Scorecard works across all eight.

Annex III §5(b)

CBI · DORA
Central Bank of Ireland

Financial services.

Credit unions, retail credit firms, payments and EMI, MiCA CASPs. AI used in creditworthiness assessment and credit scoring of natural persons.

In-scope AI systems

Loan underwriting & credit scoringFraud detection & transaction monitoringCollections triage & arrears scoring

Live obligations

AI literacy trainingArt. 4
Customer chatbot disclosureArt. 50
FRIA (when high-risk regime applies)Art. 27

12-15 min readRead the guide →

Annex III §5(c)

EIOPA · CBI · POG
Insurance regulators

Insurance.

MGAs, brokers, and carriers operating in EU markets. AI used in life and health insurance pricing and underwriting decisions.

In-scope AI systems

Pricing engines & quote generationUnderwriting risk assessmentClaims triage & fraud detection

Live obligations

AI literacy trainingArt. 4
EIOPA Opinion alignment2024 Opinion
FRIA (when high-risk regime applies)Art. 27

12-15 min readRead the guide →

Annex III §4

WRC · DPC
Workplace & privacy

Employment & HR.

Any SME using AI in hiring, performance management, or task allocation. Often overlooked, always in scope, regardless of company size.

In-scope AI systems

CV screening & candidate rankingVideo interview scoringPerformance review & task allocation

Live obligations

AI literacy trainingArt. 4
Worker information rightsArt. 26(7)
GDPR Art. 22 + AI Act overlapArt. 86

10-12 min readRead the guide →

Annex III §1, §2, §3, §6, §7, §8

Various
Sector-specific

Other high-risk sectors.

Education, biometrics, critical infrastructure, law enforcement, migration, justice. The Scorecard covers every Annex III category; bespoke guidance is on the roadmap.

Future deep-dive coverage

BiometricsCritical infrastructureEducation & trainingLaw enforcementMigration & asylumAdministration of justice

In the interim

Take the Scorecard (works for every sector)Free
Talk to us about your specific use20 min

Roadmap · 2026 H2Get in touch →

Common across every sector

Whatever sector you're in, the Scorecard works the same way.

Eight plain-English questions. A regulator-grade PDF. The same four obligations covered in every result. Sector context layers on top, it doesn't replace the core.

Risk classification under Article 6

Minimal, limited, high-risk, or prohibited. Mapped to your specific Annex III category if you're high-risk.

Four live obligations checked

Article 4 literacy, Article 5 prohibited practices, Article 50 transparency, Article 11 register.

Sector context overlay

If you're in a regulated sector, your obligations under EIOPA, the Central Bank, the DPC, or WRC are mapped alongside the Act.

Action plan, prioritised

Prioritised list of artefacts to produce. Ordered by regulatory urgency, with a credible weeks-to-readiness estimate.

Find out where your sector stands.

Eight questions. Three minutes. A regulator-grade PDF that scores your firm against every AI Act obligation already in force, with the sector context that applies to you.

Get the Scorecard →Or book a 20-minute call