
    Annex III Risk Classification Explained

    The EU AI Act uses a risk-based approach. Article 6(2) defines high-risk AI systems as those falling within the eight categories listed in Annex III. If your AI system matches any of these categories, it is subject to the full set of obligations in Chapter III, Section 2 (Articles 8-15).

    This guide walks through each category with plain-language explanations so you can determine whether your AI systems qualify as high-risk.

    How Classification Works

    There are two paths to being classified as high-risk under the EU AI Act:

    1. Article 6(1) — Safety component path: The AI system is a safety component of a product covered by existing EU harmonisation legislation (e.g., medical devices, machinery, toys, vehicles) and requires a third-party conformity assessment under that legislation.
    2. Article 6(2) — Annex III path: The AI system falls within one of the eight use-case categories listed in Annex III. This is the path most organisations need to evaluate.

    Important exception: An AI system listed in Annex III is not considered high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights — including by not materially influencing the outcome of decision-making. However, this exception does not apply if the system performs profiling of natural persons.

    Category 1: Biometrics

    AI systems used for biometric identification, categorisation, or emotion recognition — where permitted under EU or national law.

    • Remote biometric identification — Systems that identify natural persons at a distance by comparing biometric data against reference databases. This excludes simple biometric verification (confirming someone is who they claim to be).
    • Biometric categorisation — Systems that infer sensitive or protected attributes such as race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation from biometric data.
    • Emotion recognition — Systems intended to recognise emotions of natural persons.

    Category 2: Critical Infrastructure

    AI systems intended to be used as safety components in the management and operation of:

    • Critical digital infrastructure
    • Road traffic management
    • Supply of water, gas, heating, or electricity

    Example: An AI system that manages traffic signal timing at intersections, or one that predicts and manages electrical grid load distribution.

    Category 3: Education & Vocational Training

    • Determining access or admission to educational or vocational institutions
    • Evaluating learning outcomes, including steering the learning process
    • Assessing the appropriate level of education a person will receive or be able to access
    • Monitoring and detecting prohibited behaviour of students during tests

    Example: An AI system used by a university to screen and rank applicants, or an automated essay grading system used for final examinations.

    Category 4: Employment & Workers Management

    • Recruitment and selection — Placing targeted job advertisements, filtering applications, and evaluating candidates in interviews or tests
    • Work-related decisions — Affecting promotion, termination, task allocation based on individual behaviour or personal traits, or monitoring and evaluating performance and behaviour

    Example: An AI screening tool that ranks CVs and shortlists candidates, or a performance monitoring system that flags employees for review based on behavioural patterns.

    Category 5: Essential Services

    AI systems used in access to and enjoyment of essential private and public services and benefits:

    • Public benefit eligibility — Evaluating eligibility for public assistance, healthcare services, or granting/reducing/revoking such benefits
    • Credit scoring — Evaluating creditworthiness or establishing credit scores (excluding fraud detection)
    • Insurance risk assessment — Risk assessment and pricing for life and health insurance
    • Emergency services — Evaluating or classifying emergency calls, dispatching first responders, or triaging patients in emergency healthcare

    Category 6: Law Enforcement

    Where permitted under EU or national law:

    • Assessing risk of a person becoming a victim of criminal offences
    • Systems functioning as polygraphs or similar deception detection tools
    • Evaluating reliability of evidence in criminal investigations
    • Assessing risk of a person offending or re-offending (not solely based on profiling)
    • Profiling of persons during detection, investigation, or prosecution of criminal offences

    Category 7: Migration & Border Control

    Where permitted under EU or national law:

    • Polygraphs or similar tools used in migration contexts
    • Assessing risks (security, irregular migration, health) posed by persons at borders
    • Assisting in examination of applications for asylum, visas, or residence permits
    • Detecting, recognising, or identifying persons in migration and border control contexts (excluding travel document verification)

    Category 8: Justice & Democratic Processes

    • Assisting judicial authorities in researching and interpreting facts and law, applying the law to concrete facts, or in alternative dispute resolution
    • Influencing elections or referendums — AI systems intended to influence voting behaviour (excluding campaign logistics tools that don't directly expose users to AI outputs)

    What Happens If Your System Is High-Risk?

    If your AI system falls into any of the above categories, you must comply with:

    • Risk management system (Article 9)
    • Data and data governance requirements (Article 10)
    • Technical documentation per Annex IV (Article 11)
    • Automatic logging and record-keeping (Article 12)
    • Transparency and instructions for use (Article 13)
    • Human oversight measures (Article 14)
    • Accuracy, robustness, and cybersecurity standards (Article 15)
    • Conformity assessment before market placement (Article 43)
    • EU Declaration of Conformity and CE marking (Articles 47-48)
    • Registration in the EU database (Article 49)

    Not sure where your system falls? LandingRed's risk classification engine walks you through a guided questionnaire mapped to every Annex III category and automatically determines your risk level with full evidence trail.
