How do I know if our AI system is high-risk?

Two routes. (1) Article 6(1): the AI is a safety component of a product covered by EU product-safety law listed in Annex I (medical device, vehicle, machinery, toys, etc.). (2) Article 6(2) + Annex III: it falls into one of eight categories — biometrics (non-prohibited), critical infrastructure, education, employment/HR, essential services (credit scoring, insurance pricing, public benefits, emergency dispatch), law enforcement, migration/border, justice and democracy. If classification is unclear, run a documented gap analysis — that is item 1 on this 24-step checklist.

What are the maximum penalties for non-compliance?

Article 99 sets three tiers. Prohibited AI practices (Article 5): up to €35M or 7% of worldwide annual turnover, whichever is higher. High-risk non-compliance (Articles 16, 22-24, 26, 31, 33-34, 50): up to €15M or 3%. Inaccurate information to authorities or notified bodies: €7.5M or 1%. SMEs benefit from the lower of the percentage and absolute amount — meaningful relief but not exemption.

What is FRIA and when is it required?

The FRIA (Fundamental Rights Impact Assessment, Article 27) must be performed BEFORE deploying a high-risk AI system. Required for deployers that are (a) public bodies or private operators of essential services, and (b) using Annex III AI. The FRIA must include: deployment purpose, affected persons, deployment risks, human oversight arrangements, complaints handling, and remediation plan for harms. The result must be notified to the market surveillance authority.

What about general-purpose AI (GPAI) models?

Article 53 obligations for every GPAI provider: (1) technical documentation; (2) information for downstream integrators; (3) copyright policy (respect EU copyright, opt-out signals); (4) sufficiently detailed summary of training content. Systemic-risk GPAI (above 10^25 FLOPs or designated by the AI Office) gets Article 55 additional duties: adversarial testing, serious-incident reporting, cybersecurity. GPAI obligations have applied since 2 August 2025.

Who is the supervisory authority in Hungary?

Article 70 requires Member States to designate market surveillance authorities. As of 2026-05-04, the Hungarian government decree on AI authorities has not been published; oversight is provisionally distributed across NMHH, NAIH, MNB and other sector regulators based on the AI use-case domain. The EU AI Office (Articles 64-69) at DG CNECT directly supervises GPAI models. We document compliance against the EU primary sources by default, then align to the Hungarian decree once published.

How long and how much does a compliance project take?

Single high-risk system Annex III gap analysis + documentation pack (Annex IV technical file, FRIA, instructions for use, post-market monitoring plan): 4–6 weeks, EUR 13k–32k. Notified Body audit support, when third-party conformity assessment is required: +8–16 weeks and +EUR 21k–66k (NB fees additional). Multi-system program or GPAI integrator package: 3–6 months, EUR 40k–130k. Exact quote after a free 30-min scoping call.

What should we do RIGHT NOW if we have no program in place?

(1) AI inventory: list every AI system in use or planned (ChatGPT plugins, embedded Copilot, custom ML, vendor AI components). (2) Risk-classify each (prohibited / high / limited / minimal). (3) Gap-assess high-risk items against Annex IV. (4) Build a roadmap to 2026-08-02. (5) AI literacy: mandatory training for staff who use AI (Article 4 — already applicable). A 30-minute free scoping call gives you a concrete action plan with a project price band.

Reg. 2024/1689 · Annex III · 2026-08-02 deadline

EU AI Act high-risk checklist 24 steps to 2 August 2026

Regulation (EU) 2024/1689 obligations for Annex III high-risk AI systems become fully applicable on 2 August 2026 (Article 113). This checklist is sourced from the EU primary documents — exact Article references, applicability dates and fine thresholds. Last updated: 2026-05-04.

Request a free AI Act gap audit

30-min consultation

TL;DR

High-risk AI obligations apply from 2 August 2026 (Article 113). Annex I product-embedded AI gets until 2 August 2027 (Art. 6(1)).
Maximum fine for prohibited practices: €35M or 7% of global turnover (Article 99(3)). High-risk non-compliance €15M / 3%.
Annex III (eight categories) covers credit scoring, insurance pricing, employment/HR, education scoring — many SMEs are in scope and don't know it.
Article 4 (AI literacy) and Article 5 (prohibited practices) already apply — since 2025-02-02.
The 24-step checklist below maps to the EU primary sources (citations at the bottom).

Official applicability timeline (Article 113)

Source: artificialintelligenceact.eu/implementation-timeline and EUR-Lex 2024/1689.

Date	Article	What becomes applicable
2024-08-01	Art. 113	Entry into force (no application yet)
2025-02-02	Art. 113(a), 4, 5	Prohibited AI practices and AI literacy obligation
2025-08-02	Art. 113(b), Ch. III §4, V, VII, 78, 99, 100	Notified bodies, GPAI, governance, penalties
2026-08-02	Art. 113 (general)	High-risk AI (Art. 6(2), Annex III) — full obligations
2027-08-02	Art. 6(1)	Annex I regulated-product embedded AI
2026-02-02	Art. 6(5), 72(3)	Commission guidelines on Article 6 application
2026-08-02	Art. 57(1)	AI regulatory sandboxes operational

Annex III — the 8 high-risk categories

Annex III item 1
Biometrics
Remote biometric ID (where not prohibited), emotion recognition, biometric categorisation.
Annex III item 2
Critical infrastructure
Digital infra, traffic, water, gas, heating, electricity safety components.
Annex III item 3
Education & vocational training
Admission, exam scoring, plagiarism detection, training allocation.
Annex III item 4
Employment & HR
Recruitment (CV screening), promotion, task allocation, monitoring, termination decisions.
Annex III item 5
Essential services
Credit scoring, insurance pricing, public/private benefits, emergency dispatch (911/112).
Annex III item 6
Law enforcement
Crime risk assessment, evidence evaluation, profiling, AI-based polygraph.
Annex III item 7
Migration & border
Visa applications, asylum, biometric border crossing, risk assessment.
Annex III item 8
Justice & democracy
Fact interpretation for judges/prosecutors, election influence detection.

Source: artificialintelligenceact.eu/high-level-summary.

Article 99 — penalty thresholds

Maximum	For	Article
€35M or 7%	Prohibited AI practices (Art. 5)	Art. 99(3)
€15M or 3%	Provider/representative/importer/distributor/deployer/ transparency duties (Art. 16, 22-24, 26, 31, 33-34, 50)	Art. 99(4)
€7.5M or 1%	Inaccurate information to notified bodies / authorities	Art. 99(5)

For SMEs and start-ups the LOWER of the percentage and absolute amount applies — Art. 99(6).

Source: artificialintelligenceact.eu/article/99.

The 24-step checklist

01.
AI inventory
List every AI system in use or planned (own, vendor, GPAI integration).
Art. 3 (definitions)
T-12 mo
02.
Risk classification
Assign each item to: prohibited / high / limited / minimal.
Art. 5–6, Annex III
T-12 mo
03.
Provider vs. deployer role
Many companies are both — different duties apply.
Art. 3(3), 3(4)
T-12 mo
04.
AI literacy programme (already applicable)
Mandatory training for everyone using AI.
Art. 4 — already applicable
Ongoing
05.
Annex IV gap analysis
Inventory missing technical-documentation elements.
Annex IV
T-10 mo
06.
Risk Management System (Art. 9)
Iterative risk-management process documented.
Art. 9
T-9 mo
07.
Data governance (Art. 10)
Training/validation/test data quality, bias, representativeness.
Art. 10
T-9 mo
08.
Technical documentation
Full Annex IV pack.
Art. 11, Annex IV
T-7 mo
09.
Logging
Automatic event log over the system lifecycle.
Art. 12
T-7 mo
10.
Transparency to deployers
Instructions for use.
Art. 13
T-6 mo
11.
Human oversight
Override mechanism, monitoring, trained human in the loop.
Art. 14
T-6 mo
12.
Accuracy, robustness, cybersecurity
Measurement pipeline + thresholds documented.
Art. 15
T-5 mo
13.
Quality Management System (providers)
ISO-9001-style QMS for AI processes.
Art. 17
T-5 mo
14.
FRIA (qualifying deployers)
Fundamental rights impact assessment BEFORE deployment.
Art. 27
T-4 mo
15.
Article 50 transparency
Chatbot disclosure, generated-content marking, deepfake labelling.
Art. 50(1)–(4)
T-4 mo
16.
Conformity Assessment
Internal control or notified-body audit (Annex VI/VII).
Art. 43, Annex VI–VII
T-3 mo
17.
EU Declaration of Conformity
Signed EU DoC.
Art. 47
T-3 mo
18.
CE marking
Physical/digital marking on product or accompanying documentation.
Art. 48
T-3 mo
19.
EU AI Database registration
Article 71 central registry.
Art. 71
T-2 mo
20.
Post-Market Monitoring plan
Proactive observation post-launch.
Art. 72
T-2 mo
21.
Incident reporting procedure
Serious incident notification within 15 days (Art. 73).
Art. 73
T-2 mo
22.
Vendor / integrator contract update
Document provider–deployer responsibility split.
Art. 25, 27
T-2 mo
23.
Internal audit + tabletop
Mock authority inspection.
—
T-1 mo
24.
Go-live 2026-08-02 + ongoing compliance
Annual review, document refresh, training renewal.
Art. 72(1)
Ongoing

What a compliance project costs

The ranges below are our own published project ranges (see /pricing.md). Notified Body fees are separate; the official NB list is in the EU NANDO database.

· Single-system Annex III gap audit + documentation: 4–6 weeks, €13k–€32k
· Notified Body audit support: +8–16 weeks, +€21k–€66k (NB fees additional)
· Multi-system / full programme: 3–6 months, €40k–€130k
· GPAI integrator / downstream provider package: 4–8 weeks, €8k–€24k
· Ongoing compliance retainer (PMM, document refresh, incident response): €0.8k–€3.2k / month

Talk to us in person

When the cost of getting it wrong starts at €35M, a 30-minute scoping call is always worth it. Call +36 30 098 0767, write to balint@appforge.hu, or visit us in person.

Budapest office: Szabadság tér 7., 1054 Budapest (Bank Center), 1st floor, office 112 · Mon–Fri 9:00–18:00 by appointment.

Official sources

Last updated: 2026-05-04. This page does not constitute legal advice. Book a scoping call for an obligation-specific review.

GYIK

EU AI Act — frequently asked

Regulation 2024/1689 obligations for Annex III high-risk AI systems become applicable on 2 August 2026 (Article 113). One exception: AI embedded into already-regulated products under Annex I (medical devices, vehicles, machinery, toys) under Article 6(1) gets an extension to 2 August 2027. The full regulation entered into force on 1 August 2024; prohibited practices (Article 5) and AI literacy obligations (Article 4) have been applicable since 2 February 2025.

Kapcsolódó megoldások

Start the audit before the 2026-08-02 deadline

A 30-minute scoping call maps your high-risk AI systems and gives you a precise project timeline and cost band.

Book the AI Act gap audit →Free 30-min consultation

EU AI Act high-risk checklist 24 steps to 2 August 2026

TL;DR

Official applicability timeline (Article 113)

Annex III — the 8 high-risk categories

Article 99 — penalty thresholds

The 24-step checklist

What a compliance project costs

Talk to us in person

EU AI Act — frequently asked

Related topics

EU AI Act compliance

NIS2 compliance

AI development

Process automation

Start the audit before the 2026-08-02 deadline