Annex III point 1High-risk domain

Biometrics under Annex III point 1

For organisations that need to classify biometric AI without mixing up prohibited practices, high-risk rules and privacy risk.

The Commission guidelines treat biometrics as a separate high-risk area with three routes: remote biometric identification, biometric categorisation and emotion recognition. The first question is whether Article 5 prohibits the system, and only then whether Annex III point 1 makes it high-risk.

Scope according to the guidelines

The 19 May 2026 draft guidelines cover point 1(a), 1(b) and 1(c), with strong attention to context, purpose, consent, real-time use and exceptions.

Classification question

Can this biometric system be used at all, or does Article 5 need to be checked first?

Read Article 6 classification rules Open Annex III legal text Use the Annex III classifier

Sources and status

This route is based on the Commission draft guidelines for high-risk classification, published on 19 May 2026. The examples are not exhaustive and may change when the guidance is finalised.

Always check Article 6 and Annex III of Regulation (EU) 2024/1689 as well. This page supports classification and evidence work, but it is not a supervisory decision.

Commission draft guidelines Official EU AI Act Article 6 on RAIP Annex III on RAIP 2026 guidance overview on RAIP

High-risk obligations

If an AI system is high-risk under Annex III, classification and evidence should be linked to the relevant obligations for providers and deployers.

Article 9: Risk management system Article 10: Data and data governance Article 11: Technical documentation Article 12: Logging Article 13: Transparency and instructions for use Article 14: Human oversight Article 15: Accuracy, robustness and cybersecurity Article 26: Deployer obligations Article 27: FRIA where Article 27 applies

Use case guidance

Point 1(a)

Remote biometric identification

AI systems that identify natural persons remotely based on biometric data.

Point 1(b)

Biometric categorisation

Systems that categorise persons using biometric data, with a strict boundary against prohibited practices.

Point 1(c)

Emotion recognition

AI systems that infer emotions or intentions, with special attention to work and education where prohibitions may apply.

What to document

Intended purpose and context of use.

Why Article 6(2) and Annex III do or do not apply.

Whether the Article 6(3) filter may apply, and whether profiling blocks it.

Which provider and deployer obligations are triggered.

Biometrics classification check

Have a biometric AI use case reviewed against Article 5, Annex III point 1, GDPR and required safeguards.

Start risk scan Schedule intake Expert page

Frequently asked questions

Short answers for classification, evidence and next steps under Annex III.

When should biometrics be assessed under Annex III?

The 19 May 2026 draft guidelines cover point 1(a), 1(b) and 1(c), with strong attention to context, purpose, consent, real-time use and exceptions. The practical starting question is: Can this biometric system be used at all, or does Article 5 need to be checked first?

Which use cases are included in Biometrics?

This domain page expands the main routes: Remote biometric identification, Biometric categorisation and Emotion recognition. For each system, check the intended purpose, the output and the impact on access, rights or safety.

What should be documented before obligations are determined?

Document the intended purpose, use context, relevant Annex III route, Article 6(3) assessment, any profiling, provider/deployer roles and the required safeguards.