What specific obligations apply to high-risk AI systems?

Under the European AI Act, high-risk AI systems are subject to extensive obligations regarding technical documentation, risk management, transparency, human oversight, and conformity assessment. These requirements apply to both providers and organizations that deploy such systems. In “AI-Driven Intelligence,” you can read about how organizations can use AI responsibly. In this article, we answer the most frequently asked questions about what exactly high-risk AI entails and what obligations come with it.

Which AI systems exactly fall into the high-risk category?

High-risk AI systems are systems used in contexts where the outcomes can have significant consequences for people’s health, safety, or fundamental rights. The AI Act defines two main categories: systems used as safety components in products already covered by existing EU legislation, and systems deployed in specific application areas designated by law.

The designated high-risk application areas include, among others:

  • Critical infrastructure such as energy, water, and transportation
  • Education and vocational training, such as systems that determine who is admitted to a program
  • Employment and Human Resources Management, such as automated application screening
  • Access to essential services such as credit, social benefits, and health insurance
  • Law Enforcement and Border Control
  • The Administration of Justice and Democratic Processes
  • Biometric Identification and Categorization of Individuals

It is important to note that not every AI system used in one of these sectors is automatically classified as high-risk. The key factor is whether the system plays a decisive role in processes that have direct consequences for people. A simple scheduling system in healthcare generally falls outside the high-risk category; a system that makes medical diagnoses or assesses patient admissions, however, does fall under it.

What technical requirements apply to high-risk AI systems?

High-risk AI systems must meet a set of technical requirements focused on reliability, safety, and verifiability. At the core of these requirements are robustness, accuracy, and the minimization of risks throughout the system’s entire lifecycle.

The main technical requirements are:

  • Risk Management System: An ongoing process that identifies, evaluates, and manages risks throughout the system’s entire lifecycle.
  • Data Quality: Training, validation, and test data must be relevant, representative, and free of errors. Bias in the data must be actively minimized.
  • Robustness and accuracy: The system must perform consistently and reliably, even in the event of unexpected input or cyberattacks.
  • Cybersecurity: Technical measures to protect the system against tampering and misuse.
  • Logging and recording: Automatic recording of events throughout the lifecycle, so that the system’s performance can be reviewed afterward.
  • Human oversight: The system must be designed so that people can effectively monitor and understand it, and halt or correct it if necessary.

These technical requirements do not apply only once, at the time of the system’s launch. They remain in effect throughout the system’s entire operational lifespan and require periodic evaluation and adjustment.

What should be included in the technical documentation for a high-risk AI system?

The technical documentation for a high-risk AI system must demonstrate that the system complies with all applicable requirements of the AI Act. This documentation is prepared by the provider before the system is placed on the market and must be retained for at least ten years.

The documentation must include at least the following:

  • A general description of the system, including its intended purpose and the technology used
  • A detailed description of the system’s architecture and logic
  • Information about training dates, validation methods, and test results
  • A description of the risk management system and the control measures implemented
  • Performance metrics, including accuracy thresholds and known limitations
  • Measures for human oversight and the ways in which users can monitor the system
  • A description of cybersecurity measures
  • The declaration of conformity and, where applicable, the CE marking

In addition to the technical documentation, suppliers must also prepare user instructions. These are intended for the organizations that use the system and contain practical information on proper commissioning, monitoring, and identifying risks.

How does the conformity assessment for high-risk AI systems work?

A conformity assessment is the process by which a provider demonstrates that a high-risk AI system complies with the requirements of the AI Act. For most high-risk systems, the provider can conduct this assessment itself through an internal procedure. For specific categories, such as biometric identification systems, the involvement of a notified body is mandatory.

Self-Assessment vs. External Assessment

In the self-assessment process, the provider follows a structured internal procedure based on the harmonized standards published in support of the AI Act. The provider prepares the technical documentation, implements the risk management system, and records the results. Upon successful completion, a declaration of conformity is issued and, where applicable, a CE marking is affixed.

Registration in the EU database

High-risk AI systems must be registered in a central EU database before being placed on the market. This database is publicly accessible and promotes transparency and oversight. The registration includes key information about the system, the provider, and the intended use. Providers outside the EU are required to designate an authorized representative within the EU who will fulfill these obligations on their behalf.

What are the obligations for organizations that use high-risk AI?

Organizations that deploy high-risk AI systems—known as “deployers”—have specific obligations under the AI Act. They are not responsible for the technical development of these systems, but they are responsible for ensuring their responsible use in practice.

The main obligations for organizations that use high-risk AI are:

  • Follow the instructions for use: The system may only be used in the manner specified by the provider.
  • Organizing human oversight: Concrete measures must be in place to ensure human oversight, including the designation of responsible staff members.
  • Fundamental Rights Impact Assessment: Government agencies and certain other organizations must assess in advance the potential impact on the fundamental rights of those affected.
  • Retention of Logs: Automatically generated log files must be retained for the period specified by the provider, and for at least six months.
  • Reporting Incidents: Serious incidents or malfunctions with potentially dangerous consequences must be reported to the competent national authority.
  • Transparency toward those affected: When the system is used to make decisions about individuals, those individuals must be informed of this.

Please note: An organization that modifies a high-risk AI system, brands it with its own name, or uses the system for a purpose for which it was not intended becomes, from a legal standpoint, the provider itself. In that case, all obligations that apply to the original provider also apply to the organization.

What are the consequences of failing to comply with the high-risk AI requirements?

Failure to comply with the requirements for high-risk AI systems can result in substantial fines. The AI Act establishes a tiered fine structure that took effect on August 2, 2025, with the amount of the fine depending on the nature of the violation.

The three stages of penance are:

  • Prohibited AI Practices (Article 5): A maximum of 35 million euros or 7% of global annual revenue, whichever is higher.
  • Other non-compliance, including high-risk obligations: Up to 15 million euros or 3% of global annual revenue.
  • Inaccurate or misleading information provided to regulators: Up to 7.5 million euros or 1% of global annual revenue.

For small and medium-sized enterprises, the lower of the fixed amount or the percentage applies in each case, which offers some protection. Oversight of high-risk AI rests with national market surveillance authorities. In January 2026, Finland became the first Member State to grant enforcement powers under the AI Act to its national authority. Other Member States are expected to follow suit soon, leading to further tightening of enforcement throughout 2026.

In addition to financial penalties, authorities may also require that a system be withdrawn from the market or that its use be suspended until the noncompliance has been rectified. The reputational damage associated with public enforcement actions can be just as severe for many organizations as the fines themselves.

How Pegamento Helps with High-Risk AI Compliance

Navigating the requirements surrounding high-risk AI requires technical knowledge, legal insight, and practical implementation experience. We help organizations deploy AI responsibly and in compliance with regulations, without compromising speed or innovation.

What we can do for you:

  • Assessment and Risk Classification: We identify which AI applications within your organization fall into the high-risk category and determine the resulting obligations.
  • Agentic AI within compliance frameworks: Our Agentic AI for customer service is designed with human oversight as a core principle. Whereas traditional RPA bots operate based on fixed instructions, our self-thinking Agentic AI assistants take the initiative independently and act proactively—but always within the parameters you set.
  • Technical Documentation and Risk Management: We provide support in preparing the required documentation and establishing an ongoing risk management system.
  • Everything under one roof: From consulting and implementation to management and support, you have a single point of contact for the entire process, without the need for complex supplier coordination.
  • Certified Process: Our approach is based on ISO 27001 (information security), ISO 9001 (quality management), and ISO 26000 (corporate social responsibility), which aligns with the compliance requirements of the AI Act.

Would you like to know where your organization stands right now and what steps are needed to become compliant? Contact us, and together we’ll determine the best approach for your situation.

Frequently Asked Questions

How do I know if my existing AI system is classified as high-risk under the AI Act?

Start by conducting a thorough inventory of all AI applications within your organization and assess them against the use cases that the AI Act designates as high-risk. When doing so, don’t just look at the sector, but specifically at the role the system plays: does it have a direct impact on decisions that affect people in the areas of employment, healthcare, credit, or safety? If you’re unsure, it’s wise to seek legal or technical advice, as an incorrect classification can lead to non-compliance and associated fines.

What is the difference between a provider and a deployer, and why is that distinction so important?

A provider is the party that develops and markets a high-risk AI system; a deployer is the organization that puts the system into practice. The distinction is crucial because both parties have their own, non-transferable obligations under the AI Act. Important note: as soon as a deployer modifies the system, puts its own name on it, or uses it for a purpose other than its intended one, that party legally becomes a provider itself, and all associated obligations apply in full.

How do I start setting up a risk management system for a high-risk AI application?

A good risk management system starts with systematically identifying all possible risks throughout the system’s entire lifecycle, from development to decommissioning. Next, you assess the likelihood and impact of each risk and establish control measures, such as technical restrictions, user instructions, and monitoring procedures. It’s important to note that this isn’t a one-time exercise: the system requires periodic review, especially when the model is updated, the data changes, or its use is expanded.

As a deployer, do I also need to take any action if my employees use the AI system on a daily basis?

Yes, human oversight is one of the core obligations for deployers and goes beyond just a technical setting. You must specifically define who within the organization is responsible for monitoring the system, how employees are trained to critically evaluate the output, and how they can stop or correct the system if necessary. Also, ensure that employees understand what the system can and cannot do, so they do not blindly rely on the results.

What is a Fundamental Rights Impact Assessment, and when is it required?

A fundamental rights impact assessment (FRIA) is a preliminary analysis of the potential effects of a high-risk AI system on the fundamental rights of data subjects, such as the right to privacy, non-discrimination, and due process. This assessment is mandatory for government agencies and private organizations that use high-risk AI in publicly accessible services, such as lending or insurance. The results must be documented and may lead to additional control measures before the system is put into use.

What happens if my high-risk AI system causes a serious incident?

In the event of a serious incident—such as a system failure with dangerous consequences or a significant violation of fundamental rights—you, as the deployer, are required to report this to the competent national market surveillance authority. Do this as soon as possible and document the incident in detail, including the cause, the consequences, and the corrective measures taken. Also, retain the automatically generated log files, as they are essential for the investigation and can demonstrate that your system and processes were properly configured.

On average, how long does it take to make a high-risk AI system fully compliant?

The turnaround time depends heavily on the complexity of the system, the quality of the existing documentation, and the maturity of the internal processes. For organizations already working with frameworks such as ISO 27001 or ISO 9001, the step toward AI Act compliance is considerably smaller, as many building blocks are already in place. In practice, a full compliance process—including risk assessment, documentation, and the implementation of oversight procedures—ranges from a few months for simpler systems to more than a year for complex, large-scale applications.

More blogs

Download the white paper here

Deepen your knowledge with Pegamento’s white papers.

Joost Schaap-Account manager Pegamento

Joost Schaap

Senoir Account Manager

When a customer contacts an organization because they have a complaint, it is crucial that the employee of the organization begin by listening carefully. What does this complaint mean for the customer and also for their own organization? How can this complaint be resolved? After listening carefully the employee needs the right information so that a solution can be offered.

This piece was written by Joost Schaap, working as an Account Manager at Pegamento.

Tim Treurniet-AI developer Pegamento

Tim Treurniet

Designer of Intelligent Systems

Real childhood heroes I never had. But in retrospect, I believe figures like Willie Carrot or Dexter’s lab may have had an influence on me. I get energy from actually making innovative and useful products myself. Nothing like seeing the effect of a project that automates a boring task, or makes a complex process suddenly accessible.

A nice bridge to my photograph is the physical aspect of my work. By working with image recognition, I am often very directly connected to the physical world and my work is more than just programming. For example, our image recognition software ensures safety on bridges, tracks players on a soccer field or uses your own smartphone to accurately measure yourself. This combination between physical and digital provides variety and extra challenge. For me, these are the main reasons for my interest and enthusiasm in what I do!

This piece was written by Tim Treurniet, employed Designer of intelligent systems at Pegamento.

Vera van der Plas-UI-UX designer

Vera van der Plas

UI/UX Designer

As a UX/UI designer, I deal daily with transforming complex data into user-friendly visualizations. All of this topped off with a digital lick of paint which should attract the visitor’s attention to take action.

One of the interesting aspects of this field I find the effects that small tweaks, both textual and visual, can have on conversion. The psychological impact that a simple background color of a CTA button has on our behavior is huge. After all, that color can determine whether or not you are going to buy that product.

What we see and how our brains process and interpret this information fascinates me. The possibilities of subconsciously pointing potential customers in your chosen direction are endless. I hope to apply my expertise more often within our solutions in the future.

This piece was written by Vera van der Plas, working as a UX/UI Designer at Pegamento.

Fouad Rahaoui-Finance Pegamento

Fouad Rahaoui

Financial Controller

A Financial Controller within a company should not only be an expert in Finance. You must also have knowledge of the latest IT developments. Because these are also moving very quickly in the world of Finance.

At Pegamento, I can learn all about the latest IT developments. Like the latest development in the field of Machine learning and deep learning.

Through these application areas, as Financial Controller, I can further automate the financial business processes within Pegamento and implement improvements for the automatic processing of financial data.

This piece was written by Fouad Rahaoui, working as a Financial Controller at Pegamento.

Ernst Vegter-Business consultant Pegamento

Ernst Vegter

Business Consultant

Hospitality is one of my deepest motivations.
Not surprisingly, of course, customer service is a common thread in my career. Aspects of hospitality is being able to connect, to facilitate but mainly to make someone feel genuinely welcome. My intuition is my greatest asset to be able to put myself in the shoes of a guest. A customer is my guest.

Fed by various senses, an image forms around the client. I listen to what is being said, watch facial expressions, taste the underlying tone and get a feel for the challenge to be addressed. An image literally forms on my retina. I have to be able to see it. If I can see it, I can create it.

In this, the trick is to pursue simplicity, give the client a warm feeling that the problem is understood, receive good advice, facilitated and carefully guided to the solution. Trust, connect and unburden.

The feeling when a guest arrives at your hotel after a long tiring journey, can sit in front of the fireplace, be handed a good glass of wine and stare carefree at the fire. My guest knows it will be okay.

This piece was written by Ernst Vegter, working as a Business Consultant at Pegamento.

Gunisch-AI developer Pegamento

Gunish Alag

AI Developer

A picture is worth a thousand words, is an expression most of us have heard. We see a lot of things around us on a daily basis and subconciously have the ability to recognize and understand them. This ability of humans to me seems bizarre.

As a computer vision developer at Pegamento that is what I do, break down complex problems and turn them into solutions using images by meticulously extracting useful data.
With the world moving forward and new technologies emerging, complicated problems which were difficult to solve a decade earlier suddenly seem possible and viable. The future is full of new challenges and I look forward to them.

This story is written by Gunish, working as an AI developer at Pegamento.

Ewold Jansen-Service engineer Pegamento

Ewold Jansen

Service & Support Engineer

Hearing the wishes a customer has or the problems a customer is facing is important in order to then be able to help them properly. In both cases, I help find the right solution.

When the customer comes to us with a desire, they don’t know what all the options are. In this I advise them to make the right choices. When problems arise, listening to them is important. For example, a problem arises from a wrong action. By communicating well in this, many problems can be solved quickly by explaining it well. Through poor communication, a small problem can become very big.

This piece was written by Ewold Jansen, working as a Service & Support Engineer at Pegamento.

Andre Glasbergen-Scrum master Pegamento

Andre Glasbergen

Scrum Master

After completing my studies, I started working as a developer at a young Pegamento with a lot of ambition and enthusiasm. In the first years I learned all about process automation, now better known as RPA. I often had to rack my brains to convert the work instruction into a logical function, with not too many If-statements, so that the robot could perform the work.

I developed further and went to work as a consultant. Listening well to the customer and supporting in the pre-sales phase of projects. Executing projects and listening suited me very well. It was a small, but logical, step to now work as a Scrum Master and Project Manager. I have been supervising projects for a few years now. Such as RPA, Cloud applications and AI, according to the Human lead agile approach, We build this with a large team of specialists.

This piece was written by André Glasbergen, working as a Scrum Master at Pegamento.

Ensar Ari-IT engineer Pegamento

Ensar Ari

IT Engineer

Good communication between customer and organization is very important. As an organization, you naturally want to be easily accessible to your customers. Either via social media channels or via the old familiar telephone. Often organizations do not know exactly how they want their telephone line set up. That is why I like to help them think along and give them ideas. I believe there is a solution to every problem. But sometimes you just need someone who looks at the situation a little differently.

This piece was written by Ensar Ari, working as an IT Engineer at Pegamento.

Nini Heerings-Chief Happiness Officer Pegamento

Nini Heerings

Chief Happiness Officer

“You get to know someone better by playing for an hour than by talking for a year.”

This quote from Plato is totally hitting home for me. That’s why I like to connect people through play. Because while playing, you are totally on, all your senses at work.
In my great role as Chief Happiness Officer, I want to do that by connecting colleagues with each other and with the organization. In a creative and playful way that suits Pegamento.

When I’m not at work, I also enjoy connecting people. I do this by organizing The Playground, where adults play games you used to play in the schoolyard, gymnasium or neighborhood playground. The pure feeling of fun, total relaxation and no thoughts of anything but playing. That feeling is the goal.

This piece was written by Nini, working as Chief Happiness Officer at Pegamento.

Ger Koedam-Communication & Marketing Pegamento

Ger Koedam

Marketing & Communications

How can I help you? That’s pretty much the first question I ask when talking to people who are curious about our services. In such a conversation, the use of senses is very important. Because not everyone is the same. One person thinks in images, while for another words are important or how something feels. For me, sight and hearing are the most beautiful senses, because both eyes and ears absorb information and can convey or process emotions.

Why hearing? Because listening is essential in contact. And it’s the key to unlocking valuable insights.

I developed this skill early on. As a child, I enjoyed radio plays on the radio, bringing the stories to life in my head.

Pim Ritmijer-Software developer Pegamento

Pim Ritmeijer

Software Developer

Programming is more than just “code knocking. For me, listening to what the customer wants and visualizing that is an important part of software development.

Actively listening to a customer to understand the customer’s full story is crucial before building a solution. When you understand a customer’s story, you can think together about a solution that truly helps the customer.

Visualizing solutions is the next step for me. What will be the route we will climb to get to a solution? What challenges are we going to face to get to the top?

Like climbing, good preparation is valuable. Even though you can’t prepare for everything, preparation helps make the application fit the client’s needs as well as possible.

What a beautiful and fascinating profession programming is.

This piece was written by Pim Ritmeijer, working as a Software Developer at Pegamento.

Denise Verhoef-Software developer Pegamento

Denise Verhoef

Software Developer

Hearing is something you do a lot of as a programmer but also thinking, for example, when you are tasked with putting together a customer need. If the customer wants a function for his application, it is important that as a programmer you think carefully about which functions are functional and which functions are not. In this way, you will put together the most functional application possible and the customer will have a good end product. Turning needs into code into functionality is something I find interesting.

I am currently doing an internship at Pegamento and studying Software Developer. I get a lot of information that you have to process and apply. The nice thing about this is that you can learn new things but also that you can experience how it works in real business. I started this training last year and knew nothing about programming beforehand. Now I can find my own way with programming and I enjoy working with it. That you can get from a blank page to a functional application through code is cool!

This piece was written by Denise Verhoef, working as a Software Developer intern at Pegamento.

Remco Pabst-Business consultant Pegamento

Remco Pabst

Computer Vision & AI Lead

Using innovative software technology for people or business to make “things” easier and smarter is really a driving force. That’s why the connection between the senses appeals to me the most. Our brains connect the senses just like a business process connects people, systems (data) and logic. They register and trigger an action, exactly how it should be in an optimal workflow. Very cool what is already possible today when we add a lot of computational power to that as well.

Hearing also means a lot. Not because I like to listen to Jazz, Soul, Deep House or Focus-like music every day AND have to be able to listen well to interpret a wish or pain point, but more because not everyone can have all the senses at their disposal. Think of him or her with a visual impairment. The fact that in close cooperation we were able to apply AI, TTS/STT technology (which is still in development) for this often underserved group of people in today’s digital world and to improve the interaction and experience with it gives me a lot of energy and meaning to what I try to do with technology; create value.

This piece was written by Remco, working as a Business Consultant at Pegamento.

Thomas de Wolf-Vision Engineer Pegamento

Thomas de Wolf

R&D Director

Once when I had to choose which study I was going to do, I had a hard time making that choice. I was interested in engineering, but what I most wanted to do was just work with a team toward a common goal.

To this day, that is still what I love doing most. The technology has become image recognition and the team the computer vision department of Pegamento. So it’s logical that in terms of sense, I end up with “seeing. By using our image recognition solutions to see things in the real world, our entire team solves relevant problems for our customers. And because of the variation in customers, the places where our solutions end up are never the same. For example, one moment I am in the control room of a bridge and the next day I am on a production line for sandwiches or between the fences of a TBS clinic.

This piece was written by Thomas de Wolf, working as a Computer Vision & AI Lead at Pegamento.

Rob Roode-Research Development

Rob Roode

Research & Development

Recognizing and automating patterns. Tasks we are constantly working on when implementing our robots at Pegamento. My 2 Drentsche Patrijshonden are hunting dogs and certainly not robots. The hunting instinct and intuition is basically in their genes. Continuing to offer new forms of training has taught them to recognize and act independently in hunting situations. Even “unsupervised,” even if I’m not around.

But when you try to teach a brain something, it also starts to see things you don’t expect. Dogs pick up on the slightest deviation in your voice or directions. To start recognizing that and correcting it again is perhaps the most complex challenge. But in our work, for the wonderful clients for whom we get to work, it often yields the most beautiful new insights!

This piece was written by Rob, founder of Pegamento and in charge of Marketing and R&D.

Serge Poppes-CEO Pegamento

Serge Poppes

CEO

Feeling. That’s the best thing Pegamento stands for. Feeling for technology in the broadest sense of the word. Not only feeling for the exciting stuff like AI, but also for the basics of communication.

The very best part of my job is selling, listening, translating and thinking about what really matters. We bring the digital transformation with a great team!
The diversity of our team, how sharp we are, but especially the wonderful things we get to make makes me feel extremely good. Hence, I intuitively chose the sense of “feeling.

Feeling gives life and differentiation!