{"id":31930,"date":"2026-07-06T08:00:00","date_gmt":"2026-07-06T06:00:00","guid":{"rendered":"https:\/\/pegamento.nl\/niet-gecategoriseerd\/what-is-high-risk-ai-according-to-the-ai-act-and-does-your-chatbot-fall-under-that-category\/"},"modified":"2026-07-06T10:00:43","modified_gmt":"2026-07-06T08:00:43","slug":"what-is-high-risk-ai-according-to-the-ai-act-and-does-your-chatbot-fall-under-that-category","status":"publish","type":"post","link":"https:\/\/pegamento.nl\/en\/contact-center\/what-is-high-risk-ai-according-to-the-ai-act-and-does-your-chatbot-fall-under-that-category\/","title":{"rendered":"What is high-risk AI according to the AI Act, and does your chatbot fall under that category?"},"content":{"rendered":"<p>In most cases, a chatbot <strong>does not<\/strong> fall under the high-risk AI category defined by the AI Act. The law defines high-risk AI based on specific use cases and safety features, and a standard customer service chatbot generally does not meet those criteria. However, there are exceptions, and they\u2019re important enough to understand thoroughly. In this article, we answer the most frequently asked questions about high-risk AI and what the rules mean for your organization. Want to get a broader perspective on <a href=\"https:\/\/pegamento.nl\/en\/ai-powered-intelligence\/\">AI-driven intelligence<\/a>? You\u2019ll find more context on the possibilities there.     <\/p>\n<h2>Which AI systems do and do not fall into the high-risk category?<\/h2>\n<p>An AI system is considered high-risk if it is a safety component of a product subject to European harmonization legislation and requires a third-party conformity assessment, or if it falls within one of the eight specific domains listed in Annex III. Systems outside those domains are, in principle, not considered high-risk AI. <\/p>\n<p>The eight areas listed in Annex III are:<\/p>\n<ul>\n<li>Biometrics<\/li>\n<li>Critical Infrastructure<\/li>\n<li>Education and Vocational Training<\/li>\n<li>Employment and Human Resources Management<\/li>\n<li>Access to essential services, including credit, insurance, and emergency calls<\/li>\n<li>Law Enforcement<\/li>\n<li>Migration and Border Control<\/li>\n<li>The Administration of Justice and Democratic Processes<\/li>\n<\/ul>\n<p>If a system falls within one of these domains but performs only a narrow procedural or preparatory task without posing a significant risk to fundamental rights, it may fall outside the high-risk category, provided the provider documents this with supporting evidence. However, there is one strict exception: systems that profile natural persons are always considered high-risk, regardless of the domain.  <\/p>\n<p>AI systems that are explicitly excluded from the scope of the law include systems used for military or national security purposes, systems intended solely for scientific research, and systems for personal, non-professional use.<\/p>\n<h2>Does a chatbot fall under the AI Act as high-risk AI?<\/h2>\n<p>In most cases, a standard customer service chatbot <strong>does not<\/strong> fall into the high-risk category. The chatbot answers questions, refers customers to the appropriate department, or provides information, but does not make decisions that directly affect fundamental rights or safety. That is precisely the distinction made by the AI Act.  <\/p>\n<p>However, there are situations in which a chatbot can indeed be classified as high-risk:<\/p>\n<ul>\n<li>The chatbot automatically determines whether someone is eligible for a loan, insurance, or benefits (access to essential services).<\/li>\n<li>The chatbot is used in an HR context to screen job applicants or evaluate employees (employment and human resources management).<\/li>\n<li>The chatbot processes biometric data, such as voice recognition, for identity verification.<\/li>\n<li>The chatbot profiles individual users based on their behavior or characteristics in order to make decisions about them.<\/li>\n<\/ul>\n<p>So it\u2019s not about the technical design of the system, but about its intended use and its impact on individuals. A chatbot that merely provides information or forwards a conversation to an employee does not fall under the high-risk definition. A chatbot that independently decides whether someone receives a service, on the other hand, may very well fall under it.  <\/p>\n<h2>What are your obligations if your chatbot is classified as high-risk?<\/h2>\n<p>If your AI system is classified as high-risk, significant obligations apply. As a provider or deployer, you are responsible for implementing a series of technical and organizational measures before the system is put into use. <\/p>\n<p>The main obligations are:<\/p>\n<ul>\n<li><strong>Risk Management System:<\/strong> An ongoing process for identifying, evaluating, and managing risks throughout the system&#8217;s entire lifecycle.<\/li>\n<li><strong>Data Quality:<\/strong> Training and test data must be relevant, representative, and as free of errors as possible.<\/li>\n<li><strong>Technical documentation:<\/strong> Comprehensive documentation on the system, its operation, and risk management measures.<\/li>\n<li><strong>Logging and traceability:<\/strong> The system must automatically record relevant events so that regulators can verify what happened.<\/li>\n<li><strong>Transparency for users:<\/strong> Users need to understand what they&#8217;re dealing with and how the system works.<\/li>\n<li><strong>Human oversight:<\/strong> There must be mechanisms in place that allow people to monitor, correct, or disable the system.<\/li>\n<li><strong>Conformity Assessment and Registration:<\/strong> Depending on the type of system, a third-party assessment is required, as well as registration in the EU database.<\/li>\n<\/ul>\n<p>If you are registering a system that also requires a fundamental rights impact assessment, that assessment must be completed before the system is put into service. Providers outside the EU are required to designate an authorized representative in the EU. <\/p>\n<h2>How can you determine for yourself whether your AI system is high-risk?<\/h2>\n<p>You can determine for yourself whether your AI system is high-risk by answering two questions: Is the system a safety component of a regulated product, or does its intended use fall within one of the eight Annex III domains? If the answer to both questions is no, the system is, in principle, not high-risk AI. <\/p>\n<p>A practical three-step approach:<\/p>\n<ol>\n<li><strong>Describe the intended use:<\/strong> What exactly does the system do? What decisions does it make, or what input does it provide to a decision-making process? <\/li>\n<li><strong>Check against the Annex III list:<\/strong> Does the use involve biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, or the administration of justice?<\/li>\n<li><strong>Assess the impact:<\/strong> Does the system have a significant impact on individuals\u2019 rights, opportunities, or access to services? Does it engage in profiling? <\/li>\n<\/ol>\n<p>If, after Step 2, you find yourself in an Annex III domain but believe that the system performs only a procedural or preparatory task, you must document this with supporting evidence. This documentation is not a mere formality, but a requirement for claiming the exception. Profiling individuals is never a preparatory task and always results in a high-risk classification.  <\/p>\n<h2>What are the risks of misclassification under the AI Act?<\/h2>\n<p>An incorrect classification\u2014where a high-risk system is mistakenly classified as low-risk\u2014can result in significant fines and reputational damage. The AI Act establishes a three-tiered fine structure, and non-compliance with obligations for high-risk systems can result in fines of up to 15 million euros or 3% of global annual revenue. <\/p>\n<p>In addition to the financial risks, there are also operational and legal consequences:<\/p>\n<ul>\n<li>Systems that do not meet the requirements for high-risk AI must be modified or taken out of service.<\/li>\n<li>Deployers who use a system that has been misclassified by the provider may be held liable themselves if they have substantially altered the intended use.<\/li>\n<li>Providing inaccurate or misleading information to regulators is a separate violation punishable by a fine of up to 7.5 million euros or 1% of revenue.<\/li>\n<\/ul>\n<p>For SMEs, the lower of the fixed amount or the percentage applies in each case, but even that can be substantial. The national market surveillance authorities are responsible for enforcement, and Finland was already the first Member State to grant enforcement powers to its authority in January 2026. The likelihood of actual enforcement is therefore increasing.  <\/p>\n<h2>When will the AI Act take effect for high-risk systems?<\/h2>\n<p>For most high-risk AI systems covered by Annex III, the requirements take effect on <strong>August 2, 2026<\/strong>. For high-risk AI used as a safety component in regulated products (Annex I), a later date applies: <strong>August 2, 2027<\/strong>. <\/p>\n<p>The phased timeline is as follows:<\/p>\n<ul>\n<li><strong>February 2, 2025:<\/strong> Prohibited AI practices (Article 5) and AI literacy requirements take effect.<\/li>\n<li><strong>August 2, 2025:<\/strong> Requirements for GPAI models, governance, and penalty provisions take effect.<\/li>\n<li><strong>August 2, 2026:<\/strong> Requirements for high-risk Annex III systems take effect.<\/li>\n<li><strong>August 2, 2027:<\/strong> Requirements for high-risk Annex I systems and compliance of existing GPAI models are required.<\/li>\n<\/ul>\n<p>The August 2026 deadline is the most relevant for most organizations that use AI in customer service, HR, or service provision. That may sound like plenty of time, but setting up a risk management system, preparing technical documentation, and completing a conformity assessment takes longer than expected. Anyone who hasn\u2019t yet begun assessing their AI systems runs the risk of not finishing in time.  <\/p>\n<h2>How Pegamento Helps with AI Compliance and the Responsible Use of AI<\/h2>\n<p>We understand that the AI Act can feel complex and overwhelming to many organizations, especially if you\u2019re already struggling with fragmented systems and staff shortages. Still, that\u2019s no reason to delay AI implementation. On the contrary, it\u2019s a reason to do it right.  <\/p>\n<p>When you purchase an <a href=\"https:\/\/pegamento.nl\/en\/agentic-ai-for-customer-service\/\">AI solution for customer service<\/a> from us, we work with you from the very beginning to address the system\u2019s classification and compliance. Specifically, here\u2019s what we offer: <\/p>\n<ul>\n<li>A clear understanding of whether your specific use falls within or outside the high-risk category.<\/li>\n<li>Customized solutions using standard building blocks, so you don&#8217;t need costly custom work but still get a system that fits your situation perfectly.<\/li>\n<li>Everything under one roof: from implementation and management to documentation and support, with a single point of contact.<\/li>\n<li>Agentic AI assistants that not only follow instructions but also take the initiative and act independently, and are designed to support\u2014rather than circumvent\u2014human oversight.<\/li>\n<li>Ensuring information security and quality through our ISO 27001, ISO 9001, and ISO 26000 certifications.<\/li>\n<\/ul>\n<p>Would you like to know how your current AI systems measure up against the AI Act criteria, or would you like to get started with AI in your customer interactions in a responsible way? <a href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">Contact us,<\/a> and we\u2019d be happy to help you figure it out.<\/p>\n        <div class=\"wp-block-seoaic-faq-block\">\n            <h2 class=\"seoaic-faq-section-title\">Frequently Asked Questions<\/h2>\n                            <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What should I do if my chatbot is already live but turns out to be high-risk?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Begin a formal classification assessment based on the Annex III criteria as soon as possible. If the system is indeed high-risk, you have until August 2, 2026, to comply with all requirements, but setting up a risk management system, documentation, and any conformity assessment can easily take six to twelve months. If necessary, consult a legal or technical advisor with experience in the AI Act to avoid any surprises.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the AI Act apply even if I use a chatbot from a third-party provider and don\u2019t develop it myself?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, even as a deployer\u2014the organization that puts an AI system into use\u2014you have obligations under the AI Act. You are responsible for the intended use, and if you deploy the system in a way that makes it high-risk, you also bear the corresponding responsibility. Always verify the classification assigned by the provider, and ensure that the contract clearly specifies who is responsible for which compliance obligations. If you substantially modify the use of the system compared to what the provider has documented, you will be legally considered the provider yourself.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What about a chatbot that currently has no high-risk functions but is later expanded to include, for example, a credit assessment?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A functional expansion that brings the system into a high-risk domain is considered a substantial modification and triggers a new classification assessment. From that point on, all obligations for high-risk AI apply, including the preparation of technical documentation and the implementation of a risk management system. It\u2019s wise to include a brief compliance check as a standard part of your development process for every significant expansion of an AI system, so you don\u2019t have to play catch-up later.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is the difference between a provider and a deployer under the AI Act, and why does that matter to me?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A provider is the party that develops or commissions the development of an AI system and places it on the market or puts it into service. A deployer is the organization that uses an existing AI system from a provider for its own purposes. This distinction determines who bears which obligations: providers are responsible for technical documentation, conformity assessment, and registration, while deployers are responsible for proper use, human oversight, and informing users. If you have a custom AI system built for your organization, in most cases you are the provider yourself\u2014even if you don\u2019t build it technically yourself.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Are there also obligations for AI systems that are not high-risk, such as a standard informational chatbot?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, obligations also apply to non-high-risk AI systems, albeit less stringent ones. The most important are the transparency obligations: users must know that they are interacting with an AI system, and systems that generate synthetic content or detect emotions are subject to additional disclosure requirements. In addition, all organizations that use AI are subject to the AI literacy obligations that have been in effect since February 2025: employees who work with AI or manage AI systems must have sufficient knowledge and understanding of the systems they use.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How detailed does the documentation need to be if I want to demonstrate that my system falls within an Annex III domain but is not high-risk?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The documentation must be specific and substantiated: describe the intended use, explain why the task is exclusively procedural or preparatory in nature, and demonstrate that the system does not have a significant impact on the rights or opportunities of individuals. A general statement that the system is \u2018low-risk\u2019 is not sufficient. Consider including a functional description, an explanation of the system\u2019s decision-making authority, and an analysis of the potential impact on end users. This documentation must be retained and made available to supervisory authorities upon request.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is a Fundamental Rights Impact Assessment, and when is it required?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A Fundamental Rights Impact Assessment (FRIA) is an analysis of the potential consequences of a high-risk AI system on fundamental rights such as privacy, non-discrimination, and access to justice. This requirement applies to deployers of high-risk Annex III systems that are public bodies, or to private organizations that deploy high-risk systems in areas such as lending, insurance, or essential services. The assessment must be completed before the system is put into use and must be registered in the EU database along with the system itself.                    <\/p>\n                <\/div>\n                        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>High-Risk AI Under the AI Act: When Does Your Chatbot Fall Under This Category, and What Are the Consequences?<\/p>\n","protected":false},"author":2,"featured_media":31931,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[500],"tags":[],"class_list":["post-31930","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-contact-center"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=31930"}],"version-history":[{"count":2,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31930\/revisions"}],"predecessor-version":[{"id":31933,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31930\/revisions\/31933"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/31931"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=31930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=31930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=31930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}