High-Risk AI Systems – AI Act Requirements

Which AI systems are classified as high-risk? Obligations for providers and users according to the AI Act.

The AI Act introduces special requirements for artificial intelligence systems classified as "high-risk." These are systems whose failure or improper operation may have serious consequences for the health, safety, or fundamental rights of individuals. Understanding which systems are subject to these requirements and what obligations are associated with them is crucial for organizations developing or deploying AI.

Which AI systems are classified as high-risk?

The AI Act identifies two categories of high-risk systems. The first is systems that are safety components of products covered by sectoral regulations (medical devices, machinery, toys). The second is systems listed in Annex III: biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to public services, law enforcement, migration and border control, administration of justice.

HR and recruitment systems as high-risk AI

AI systems in HR attract particular attention: automatic CV screening, candidate scoring, employee evaluation systems. These systems process personal data and make decisions affecting people's lives. In addition to AI Act requirements, they must meet GDPR requirements for automated decision-making (Art. 22). Personal data detection and appropriate processing is fundamental to compliance.

Requirements for high-risk system providers

Providers of high-risk AI systems must: implement a risk management system throughout the lifecycle, ensure quality of training and test data, create technical documentation, ensure event logging, provide transparent user instructions, enable human oversight, guarantee appropriate levels of accuracy, robustness, and cybersecurity. Conformity assessment is required before market placement.

Obligations of high-risk system users

Users (deployers) of high-risk AI systems also have obligations: use the system according to provider instructions, ensure human oversight by competent persons, monitor system operation and report incidents, conduct DPIA when required by GDPR, inform persons subject to system decisions. The user remains responsible for the consequences of decisions made using AI.

Training data and personal data detection

Training data quality is crucial for high-risk AI system compliance. Data must be representative, error-free, and bias-free. If it contains personal data, GDPR requirements must be met: legal basis, minimization, purpose limitation. Automatic personal data detection in training datasets enables identification and appropriate processing of sensitive information before model training.

Wizards.io tools support high-risk AI system compliance with data protection requirements. **Revelio** and **Detecto** automatically detect personal data in training datasets, enabling assessment and appropriate processing. **Nocturno** anonymizes training data, reducing risks associated with AI processing of personal data and facilitating GDPR and AI Act compliance.

High-risk AI systems are subject to strict requirements that demand a systematic approach. Training data quality and compliance, operational transparency, and human oversight capability are key. Combining AI Act and GDPR requirements requires particular attention to personal data detection and processing.