Annex III point 2High-risk domain

AI in critical infrastructure

For operators, vendors and public or private infrastructure managers using AI where failures can affect safety and access to essential services.

Annex III point 2 focuses on AI systems intended for safety components or management of specific critical infrastructure. The draft guidelines cover critical digital infrastructure, road traffic, water, gas, heating and electricity.

Scope according to the guidelines

The Commission splits this area into critical digital infrastructure, road traffic and the supply of water, gas, heating and electricity.

Classification question

Is the AI intended to manage, prioritise or secure infrastructure in a way that can affect safety or availability?

Read Article 6 classification rules Open Annex III legal text Use the Annex III classifier

Sources and status

This route is based on the Commission draft guidelines for high-risk classification, published on 19 May 2026. The examples are not exhaustive and may change when the guidance is finalised.

Always check Article 6 and Annex III of Regulation (EU) 2024/1689 as well. This page supports classification and evidence work, but it is not a supervisory decision.

Commission draft guidelines Official EU AI Act Article 6 on RAIP Annex III on RAIP 2026 guidance overview on RAIP

High-risk obligations

If an AI system is high-risk under Annex III, classification and evidence should be linked to the relevant obligations for providers and deployers.

Article 9: Risk management system Article 10: Data and data governance Article 11: Technical documentation Article 12: Logging Article 13: Transparency and instructions for use Article 14: Human oversight Article 15: Accuracy, robustness and cybersecurity Article 26: Deployer obligations Article 27: FRIA where Article 27 applies

Use case guidance

Point 2

Critical digital infrastructure

AI for management, monitoring, security or prioritisation within critical digital infrastructure.

Point 2

Road traffic and traffic management

AI systems supporting traffic flows, priorities or safety decisions in road traffic.

Point 2

Water, gas, heating and electricity

AI in supply, monitoring, balancing or disruption detection for utilities.

What to document

Intended purpose and context of use.

Why Article 6(2) and Annex III do or do not apply.

Whether the Article 6(3) filter may apply, and whether profiling blocks it.

Which provider and deployer obligations are triggered.

Infrastructure AI Act quick scan

Map the infrastructure function, AI output and impact on safety or availability.

Start risk scan Schedule intake Expert page

Frequently asked questions

Short answers for classification, evidence and next steps under Annex III.

When should infrastructure be assessed under Annex III?

The Commission splits this area into critical digital infrastructure, road traffic and the supply of water, gas, heating and electricity. The practical starting question is: Is the AI intended to manage, prioritise or secure infrastructure in a way that can affect safety or availability?

Which use cases are included in Critical infrastructure?

This domain page expands the main routes: Critical digital infrastructure, Road traffic and traffic management and Water, gas, heating and electricity. For each system, check the intended purpose, the output and the impact on access, rights or safety.

What should be documented before obligations are determined?

Document the intended purpose, use context, relevant Annex III route, Article 6(3) assessment, any profiling, provider/deployer roles and the required safeguards.