EU AI Act — Annex III

High-risk AI enforcement starts 2 August 2026. €15M–€35M penalty exposure. Independent void assessment available for credit scoring, EdTech, HR tech, and healthcare AI.

Enforcement Timeline

The AI Act applies in stages. Some obligations are already in force. The Annex III high-risk window closes 2 August 2026.

In force
2 February 2025

Prohibited practices

Social scoring, real-time biometric ID, emotion recognition in workplaces and schools, subliminal manipulation. No transition period — violations already enforceable.

In force
2 August 2025

GPAI model rules

General-purpose AI: transparency obligations, technical documentation, copyright compliance. Applies to foundation models and their deployers.

⚠ Enforcement begins
2 August 2026

Annex III high-risk AI

Conformity assessments, risk management, data governance, human oversight, and transparency obligations for all Annex III categories. This is the window.

Penalty Exposure (Art. 99)

€35M
or 7% global annual turnover
Prohibited practices (Art. 5). Social scoring, biometric ID, subliminal manipulation. Already in force.
€15M
or 3% global annual turnover
High-risk AI non-compliance (Annex III). Insufficient risk management, missing conformity assessment, inadequate human oversight.
€7.5M
or 1.5% global annual turnover
Incorrect, incomplete, or misleading information to notified bodies or national authorities.

Annex III — High-Risk Categories

The profiling exception (Art. 6(3)) means that AI systems performing profiling of natural persons are always classified as high-risk — regardless of other mitigations. No derogation escape for credit scoring, employment screening, or criminal justice.

§
Domain
What it covers
Research
§3
Education & EdTech
AI in admissions, learning outcome assessment, student monitoring, proctoring. Emotion recognition in schools already prohibited (Feb 2025).
Paper 21 ↗
§4
Employment & HR
CV screening, recruitment ranking, performance monitoring, termination decisions. Profiling exception applies — always high-risk, no derogation.
Paper 21B
Q1 2026
§5
Credit & Insurance
Credit scoring, insurance pricing, benefit eligibility. Profiling exception applies — always high-risk, no derogation.
Paper 18 ↗
§5
Healthcare
Clinical decision support, diagnostic AI, triage systems, treatment recommendations. Highest opacity risk due to medical complexity.
Paper 22
Wave 3
§6
Law Enforcement
Recidivism prediction, crime analytics, offender profiling. Profiling exception applies — always high-risk, no derogation.
Paper 29
Wave 3
§2
Critical Infrastructure
Digital infrastructure, road traffic, utilities management. Opacity in infrastructure AI presents systemic risk across dependent systems.
Paper 19
Wave 2

What a Void Index Assessment Provides

The assessment

  • Opacity score (O ∈ [0,3]) — mechanism transparency audit
  • Responsiveness score (R ∈ [0,3]) — personalization depth
  • Coupling score (α ∈ [0,3]) — user dependency and lock-in
  • Void Index total (0–12) — aggregate risk position
  • Demon lattice phase assignment (Gas / Fluid / Crystal / Vortex)
  • Drift cascade stage prediction (D1 / D2 / D3)
  • Péclet number (Pe) — self-sustaining risk threshold

Annex III relevance

  • Opacity score maps to Art. 13 transparency requirements
  • Responsiveness score maps to Art. 9 risk management (personalization risk)
  • Coupling score maps to Art. 14 human oversight feasibility
  • Phase assignment predicts Art. 26 user notification obligations
  • Drift cascade maps to Art. 9(2) foreseeable risk documentation
  • Methodology CC-BY 4.0 — independently verifiable, no black box

Published research — peer-reviewable, CC-BY 4.0

The void framework is published on Zenodo with permanent DOIs. The methodology is open. Any assessor can check any score. Same model as S&P publishing its rating criteria.

Paper 18: Credit Scoring ↗ Paper 21: EdTech ↗ All 16 papers →

Score your AI system

The Void Index scoring tool walks through the three conditions. Outputs a 0–12 score, phase assignment, and risk classification. Results exportable as JSON for inclusion in conformity assessment documentation.

Score a system → Void calculator → Learn the framework →