Lesson 3 of 6 · 10 min read

Obligations for High-Risk AI

When your AI system is classified as High Risk, extensive obligations apply from August 2026. This lesson explains the key requirements — and what you need to implement concretely.

The 7 Core Obligations

1. Risk Management System (Art. 9)

A continuous process throughout the entire lifecycle:

  • Identification and analysis of known and foreseeable risks
  • Assessment of risks during intended use AND foreseeable misuse
  • Appropriate risk mitigation measures
  • Regular review and updating

Practice: Create a living document updated quarterly.

2. Data Governance (Art. 10)

Training, validation, and test data must:

  • Be relevant and representative for the intended purpose
  • Be free of bias (or known biases documented)
  • Be collected and processed in compliance with data protection
  • Be documented (origin, scope, preprocessing)

3. Technical Documentation (Art. 11)

Comprehensive documentation before placing on the market:

  • General description of the system
  • Detailed description of elements and development process
  • Information about monitoring, functionality, and control
  • Description of accuracy and security measures

4. Logging and Record-Keeping (Art. 12)

Automatic logging during operation:

  • Time and duration of each use
  • The reference database against which input data was checked
  • Input data that led to a decision
  • Identification of involved persons

Retention period: At least 6 months (or longer if legally required).
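The Art. 12 items above only have value in an audit if each entry is complete and cannot be altered or silently deleted afterwards. The following is an added example (not code from the course or from any AI Act tooling) of a hash-chained log record carrying the listed fields, a chain verifier, and a retention check against the 6-month floor; the field names, the 183-day approximation of six months and the sample values are assumptions made for the illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Retention floor from the lesson: at least 6 months (approximated here as 183 days).
MIN_RETENTION = timedelta(days=183)
GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log


def _digest(body):
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def make_record(prev_hash, started_at, ended_at, input_ref, reference_db, operator_id, outcome):
    """Build one log entry with the Art. 12 fields and chain it to the previous entry's hash."""
    body = {
        "started_at": started_at.isoformat(),            # time of use
        "ended_at": ended_at.isoformat(),
        "duration_s": (ended_at - started_at).total_seconds(),  # duration of use
        "input_ref": input_ref,        # pointer to the input data that led to the decision
        "reference_db": reference_db,  # database the input was checked against
        "operator_id": operator_id,    # natural person involved in verifying the result
        "outcome": outcome,
        "prev_hash": prev_hash,
    }
    body["hash"] = _digest(body)
    return body


def verify_chain(records):
    """True only if every hash matches its content and every entry links to the one before it."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return False  # content edited, entry removed, or entries reordered
        prev = rec["hash"]
    return True


def eligible_for_deletion(record, now, legal_hold=False):
    """An entry may be purged only after the retention floor and only if no legal hold applies."""
    ended = datetime.fromisoformat(record["ended_at"])
    return not legal_hold and now - ended >= MIN_RETENTION


def build_sample_log():
    """Two constructed sample uses of a hypothetical screening system."""
    t0 = datetime(2026, 8, 2, 9, 0, tzinfo=timezone.utc)
    r1 = make_record(GENESIS, t0, t0 + timedelta(seconds=3), "req-0001", "watchlist-v3", "op-17", "flagged")
    r2 = make_record(r1["hash"], t0 + timedelta(minutes=5), t0 + timedelta(minutes=5, seconds=2),
                     "req-0002", "watchlist-v3", "op-17", "cleared")
    return [r1, r2]
```

Store the chain head separately from the log (e.g. forwarded to a write-once location) so that truncating the log is detectable, not just editing it.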

5. Transparency and Information (Art. 13)

Deployers must be able to understand how the system works:

  • Instructions for use in clear, comprehensible language
  • Description of capabilities and limitations
  • Information on accuracy metrics
  • Risks to health, safety, and fundamental rights

6. Human Oversight (Art. 14)

The system must be designed so that humans can:

  • Understand and interpret the results
  • Intervene or override
  • Stop the system (kill switch)
  • Stay aware of automation bias (the tendency to over-rely on the system's output) and not be manipulated by it

7. Accuracy, Robustness, Cybersecurity (Art. 15)

The system must:

  • Work accurately (defined and measured metrics)
  • Be robust against errors and manipulation attempts
  • Be cybersecure (protected against adversarial attacks)

Conformity Assessment

Before market launch, a conformity assessment is required:

  • In most cases: Self-assessment (internal conformity assessment)
  • In sensitive areas (biometrics): Assessment by a notified body

Practical Tip: Start with documentation now. Most companies underestimate the effort — plan for 3–6 months for the first High-Risk conformity.