EU AI Act High-Risk AI Systems: CISO Compliance Checklist 2026

BeyondScale Team

AI Security Team

EU AI Act high-risk AI systems compliance is no longer a future planning item. With the August 2, 2026 transparency deadline weeks away and classification decisions due now for the December 2027 technical obligations, security and compliance teams at enterprises deploying AI in regulated contexts face a concrete and immediate gap. According to a 2026 readiness report by Vision Compliance, 78% of organizations have not taken meaningful steps toward EU AI Act compliance, and more than 50% lack a basic inventory of their AI systems.

This guide gives CISOs and security architects a practical classification framework, the 10 mandatory obligations under Articles 9 through 17, a mapping of security-specific requirements to NIST and ISO controls, and a 30-point CISO readiness checklist.

Key Takeaways

    • Eight Annex III categories define high-risk AI, covering biometrics, critical infrastructure, employment, justice, and more
    • The August 2, 2026 deadline covers Article 50 transparency obligations; the main high-risk technical obligations deadline is December 2, 2027
    • Ten mandatory obligations apply to every high-risk AI provider, including adversarial robustness and a 10-year documentation retention requirement
    • Article 15 cybersecurity requirements go beyond standard ISO 27001 controls and require AI-specific adversarial robustness testing
    • Serious incidents must be reported within 2 to 15 days depending on severity, with fines up to 15 million euros for non-compliance
    • ISO 42001 helps but does not equal EU AI Act compliance on its own
    • Third-party conformity assessment is mandatory for remote biometric identification systems

What Makes an AI System High-Risk Under Annex III

Annex III of the EU AI Act defines eight categories of high-risk AI systems. The classification is based on the intended use, not the underlying technology. A large language model used for HR screening is high-risk; the same model used for internal documentation drafting is not.

Category 1: Biometrics. Remote biometric identification systems, emotion recognition systems, and biometric categorization systems that infer sensitive attributes such as race, political opinions, religious beliefs, or sexual orientation. Real-time biometric identification in publicly accessible spaces for law enforcement purposes is generally prohibited, with narrow exceptions.

Category 2: Critical Infrastructure. AI used as a safety component in managing or operating road traffic, water, gas, heating, electricity, or critical digital infrastructure. This includes AI systems that trigger protective shutdowns, route traffic, or manage grid load.

Category 3: Education and Vocational Training. AI that determines access to educational institutions, allocates students, monitors for prohibited behavior during assessments, or evaluates academic performance.

Category 4: Employment and Workforce Management. CV screening tools, automated interview analysis, candidate scoring, performance monitoring, and promotion or termination decision support systems. In practice, this is where many enterprise deployments land: ATS integrations, AI-scored video interviews, and workforce analytics platforms.

Category 5: Essential Services. AI used in credit scoring, insurance eligibility assessment, loan decisions, and similar access-to-services determinations.

Category 6: Law Enforcement. Suspect identification, recidivism risk assessment, crime prediction, and evidence analysis systems used by police or prosecutorial authorities.

Category 7: Migration, Asylum, and Border Control. Automated processing of visa and asylum applications, risk assessments for border crossings, and identity verification for border management.

Category 8: Administration of Justice. AI that recommends case outcomes, allocates judicial resources, or assists in legal interpretation.

A critical operational question for enterprises: the classification decision itself is not delegated to the AI provider by default. Deployers have independent classification obligations under Article 26. If your organization deploys a third-party AI system that falls into Annex III, you are responsible for ensuring it is properly classified, documented, and subject to human oversight.

The 10 Mandatory Obligations for High-Risk AI Providers

Once a system is classified as high-risk, providers must satisfy the following obligations before placing it on the EU market or putting it into service:

1. Risk Management System (Article 9). An ongoing, documented process covering the full AI lifecycle from design through post-market monitoring. Risk identification must cover known and reasonably foreseeable risks to health, safety, and fundamental rights across all intended and reasonably foreseeable uses.

2. Data Governance and Quality (Article 10). Training, validation, and testing datasets must be relevant, representative, and free from errors and biases that could cause harm. Providers must document data collection and preparation choices, bias detection procedures, and how they handle data gaps.

3. Technical Documentation (Article 11, Annex IV). Nine mandatory sections including system description, design choices and assumptions, training data characteristics, performance metrics and limitations, known risks, post-market monitoring plan, and an EU Declaration of Conformity. The documentation retention period is 10 years after market placement.

4. Automatic Record-Keeping (Article 12). High-risk AI systems must automatically log events throughout their operation to support traceability and functional verification. For systems making access or authorization decisions, logs must capture input data, decisions, and confidence scores.

5. Transparency and Instructions for Use (Article 13). The system's capabilities, limitations, intended purpose, accuracy metrics, known risks, and maintenance requirements must be documented in instructions for use provided to deployers. This is distinct from Article 50 general AI transparency for end users.

6. Human Oversight Design (Article 14). Systems must be designed so that natural persons can effectively oversee, interpret, and override AI outputs. For biometric identification systems, Article 14(5) requires dual verification: two individuals with relevant competence, training, authority, and support must confirm decisions.

7. Accuracy, Robustness, and Cybersecurity (Article 15). Declared accuracy levels must be documented. Systems must be resilient to errors, faults, and inconsistencies. Technical solutions must specifically address AI-specific attack vectors: data poisoning, model poisoning, adversarial examples, confidentiality attacks, and systematic model flaws. This goes beyond standard ISMS requirements.

8. Conformity Assessment (Articles 43, 48, 49). Most Annex III systems may use self-assessment against Annex VI. Remote biometric identification systems require mandatory third-party assessment by a notified body. As of March 2026, very few notified bodies have been fully designated for AI Act purposes, creating capacity constraints.

9. EU Database Registration and CE Marking (Articles 48, 49). Providers must register their high-risk AI systems in the EU AI database before market placement and affix CE marking. The database is publicly accessible for standard systems; national competent authorities manage access for law enforcement and migration systems.

10. Serious Incident Reporting (Article 73). Providers must report incidents to national market surveillance authorities within 15 days for standard incidents, 10 days if death may have resulted, and 2 days for critical infrastructure disruptions or widespread infringements. Providers may not alter the AI system during an active investigation without authority notification.

August 2026 vs. December 2027: What Must Happen Now

The EU Council and Parliament reached a political agreement on May 7, 2026 extending several deadlines, but the August 2, 2026 transparency obligations remain unchanged. Enterprises need clarity on which requirements apply when.

August 2, 2026 (Unchanged): Article 50 transparency obligations. Any AI system that interacts with natural persons must disclose that it is an AI system. Emotion recognition and biometric categorization systems must notify subjects. Deepfakes and AI-generated content must be labeled. This applies regardless of whether the system is classified as high-risk.

December 2, 2027 (Extended from August 2026): The full Article 9 through 17 technical obligations for standalone high-risk AI systems. This covers the 10 obligations above. The extension gives more time for technical implementation but does not change the urgency of classification: you cannot comply by December 2027 if you have not classified your AI systems by mid-2026.

August 2, 2028: Further extension for AI systems embedded in products regulated under existing EU sectoral law, such as medical devices, aviation safety systems, and automotive safety components.

The practical implication: enterprises should treat classification and documentation initiation as August 2026 work, even if the technical obligation deadline is December 2027.

For SMB-specific considerations, see our EU AI Act compliance guide for SMBs. For Article 50 watermarking and transparency requirements applying from August 2026, see our Article 50 watermarking compliance guide.

Mapping ISO 27001 and ISO 42001 to EU AI Act Requirements

Enterprises with existing ISO 27001 or ISO 42001 certifications have a meaningful head start, but neither certification is sufficient on its own.

ISO 27001 contributions:

  • Access controls and data integrity map to Article 10 data governance requirements
  • Incident management procedures form the basis for Article 73 serious incident reporting workflows
  • Audit log practices align with Article 12 automatic record-keeping
  • Encryption and confidentiality controls address some Article 15 cybersecurity requirements

ISO 42001 alignment: ISO 42001 was designed with the EU AI Act in mind. Its 38 Annex A controls map structurally to AI Act obligations: Chapter A.5 (risk management) to Article 9, Chapter A.6 (data management) to Article 10, Chapter A.10 (human oversight) to Article 14, and Chapter A.11 (monitoring) to Article 26 deployer obligations.

Critical gaps ISO 42001 does not cover:

  • EU database registration and CE marking procedures
  • Conformity assessment (self-assessment or third-party)
  • AI-specific adversarial robustness testing as required by Article 15
  • The specific 10-year documentation retention timeline
  • Regulatory notification requirements to national authorities

In practice, ISO 42001 certification provides a governance framework that auditors recognize, but it requires supplementary documentation and controls to satisfy EU AI Act compliance evidence requirements.

The NIST AI Risk Management Framework (AI 100-1) offers a useful alignment: GOVERN maps to Article 9 risk management, MAP to Article 10 data governance, MEASURE to Articles 12 through 14 testing and oversight, and MANAGE to Articles 26 and 73 monitoring and incident response. For adversarial robustness testing specifically, NIST AI 100-2 provides a taxonomy of four attack categories: evasion, poisoning, privacy attacks, and abuse attacks, all of which are directly relevant to Article 15 requirements.

Article 15 Security Requirements: What CISOs Must Implement

Article 15 is the most technically demanding obligation for security teams. The five AI-specific attack vectors it requires defenses against are not addressed by standard ISMS controls:

Data Poisoning. Attackers inject misleading or biased data during model training to degrade accuracy or introduce exploitable patterns. Defense requires training data provenance tracking, integrity verification, and anomaly detection on training pipelines. We have seen this attack vector used against employment AI systems to introduce discriminatory scoring patterns.

Model Poisoning. Manipulation of pre-trained model components used in fine-tuning pipelines. This is a supply chain risk: if your high-risk AI system fine-tunes on a foundation model from a public registry, the foundation model's integrity is your security control gap. Defenses include hash pinning of model artifacts, verified model registries, and behavioral testing post-fine-tuning.
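
A minimal sketch of the hash-pinning control described above, as an added example that is not BeyondScale's code: it checks every file in a model directory against pinned SHA-256 digests and also reports files that have no pin. The function names, the pin format, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte weight files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifacts(model_dir: Path, pins: dict[str, str]) -> list[str]:
    """Return findings; an empty list means every file matches its pin."""
    findings = []
    present = {p.relative_to(model_dir).as_posix()
               for p in model_dir.rglob("*") if p.is_file()}
    for name, expected in sorted(pins.items()):
        if name not in present:
            findings.append(f"missing: {name}")
        elif sha256_file(model_dir / name) != expected.lower():
            findings.append(f"hash mismatch: {name}")
    # Unpinned files are findings too: an extra loader script or serialized
    # object placed next to the weights would otherwise be loaded unchecked.
    for name in sorted(present - set(pins)):
        findings.append(f"unpinned file: {name}")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny stand-in model directory, then a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        (model_dir / "config.json").write_text('{"hidden_size": 8}')
        (model_dir / "weights.bin").write_bytes(b"\x00" * 64)
        # In practice the pins are recorded once, at review time, and stored
        # in version control separately from the artifact download location.
        pins = {n: sha256_file(model_dir / n)
                for n in ("config.json", "weights.bin")}
        clean = verify_artifacts(model_dir, pins)
        (model_dir / "weights.bin").write_bytes(b"\x00" * 63 + b"\x01")
        (model_dir / "loader.py").write_text("# not in the pin file\n")
        tampered = verify_artifacts(model_dir, pins)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A pipeline would run the check before fine-tuning starts and stop on any finding, so a changed foundation model never reaches training.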

Adversarial Examples (Evasion Attacks). Inputs crafted to cause incorrect outputs from the AI system. For biometric identification systems, this includes adversarial perturbations to images or audio that fool the classifier. For credit scoring, this includes crafted applications designed to achieve incorrect favorable scores. Defense requires adversarial robustness testing pre-deployment and periodic red teaming post-deployment.

Confidentiality Attacks. Attacks that extract information about training data or model parameters through repeated queries. Membership inference attacks and model extraction attacks fall into this category. Relevant for any high-risk AI system trained on sensitive personal data. Defenses include differential privacy during training, output perturbation, and rate limiting on API access.

Systematic Model Flaws. Consistent errors in AI outputs for specific demographic groups or input patterns. This overlaps with bias requirements under Article 10 but is listed separately as a cybersecurity obligation because it can be intentionally induced. Detection requires ongoing performance monitoring disaggregated by demographic group.
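
The per-group monitoring described above, as an added example rather than code from the original article: it compares each group's error rate in a current window against a baseline window, which exposes a shift that the aggregate error rate hides. Group names, the thresholds (max_increase, min_samples), and the sample records are constructed assumptions, and ground-truth labels are assumed to be available.

```python
from collections import Counter


def error_counts(records):
    """records: iterable of (group, predicted, actual) -> {group: (errors, total)}."""
    errors, totals = Counter(), Counter()
    for group, predicted, actual in records:
        totals[group] += 1
        errors[group] += int(predicted != actual)
    return {g: (errors[g], totals[g]) for g in totals}


def compare_windows(baseline, current, max_increase=0.05, min_samples=50):
    """Flag groups whose error rate rose by more than max_increase since baseline."""
    base, cur = error_counts(baseline), error_counts(current)
    report = {}
    for group in sorted(set(base) | set(cur)):
        b_err, b_n = base.get(group, (0, 0))
        c_err, c_n = cur.get(group, (0, 0))
        # Small groups are reported explicitly instead of silently passing;
        # a rate computed on a handful of records is not evidence either way.
        if min(b_n, c_n) < min_samples:
            report[group] = "insufficient-data"
            continue
        delta = c_err / c_n - b_err / b_n
        report[group] = "alert" if delta > max_increase else "ok"
    return report


def overall_delta(baseline, current):
    """Change in the aggregate error rate, ignoring group membership."""
    def rate(records):
        return sum(p != a for _, p, a in records) / len(records)
    return rate(current) - rate(baseline)


def make_window(spec):
    """Build constructed records from {group: (total, errors)}."""
    rows = []
    for group, (total, errs) in spec.items():
        rows += [(group, 1, 0)] * errs + [(group, 1, 1)] * (total - errs)
    return rows


# Constructed sample data: group_b degrades sharply, group_c is too small to judge.
BASELINE = make_window({"group_a": (900, 45), "group_b": (100, 5), "group_c": (20, 1)})
CURRENT = make_window({"group_a": (900, 40), "group_b": (100, 30), "group_c": (20, 9)})

if __name__ == "__main__":
    print("aggregate change:", round(overall_delta(BASELINE, CURRENT), 4))
    print(compare_windows(BASELINE, CURRENT))
```

On this data the aggregate error rate rises by under three percentage points and would pass a five-point threshold, while group_b alone rises by twenty-five points.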

Article 15 compliance is not a one-time certification exercise. It requires ongoing adversarial robustness testing throughout the system's operational lifetime. If your organization needs an independent assessment of your AI system's robustness posture, see our AI security assessment service.

CISO 30-Point EU AI Act High-Risk Readiness Checklist

Classification and Inventory (Complete by July 2026)

  • Completed an AI system inventory covering all production and development systems
  • Applied Annex III classification to each AI system with documented rationale
  • Classified deployer obligations under Article 26 for third-party AI systems
  • Identified systems requiring third-party conformity assessment (biometric ID systems)
  • Assigned classification review ownership to a named individual

Documentation (Complete by September 2026)

  • Initiated Annex IV technical documentation for each high-risk system
  • Documented intended purpose, capabilities, and limitations for each system
  • Documented training data sources, collection procedures, and bias detection processes
  • Documented risk management process and identified risks to health, safety, and fundamental rights
  • Established 10-year document retention policy for all Annex IV documentation

Data Governance (Complete by October 2026)

  • Implemented data lineage tracking for training datasets
  • Documented bias detection procedures with test results
  • Implemented access controls on training data modifications
  • Documented dataset representativeness assessments
  • Established data quality monitoring for live input data

Cybersecurity and Robustness (Complete by October 2026)

  • Conducted adversarial robustness testing using NIST AI 100-2 taxonomy
  • Implemented training pipeline integrity controls against data poisoning
  • Verified foundation model artifact integrity via hash pinning or verified registry
  • Conducted adversarial example testing pre-deployment
  • Implemented confidentiality controls against model extraction attacks

Human Oversight (Complete by November 2026)

  • Designed and tested human override mechanisms for all high-risk decisions
  • Assigned named individuals with documented competence, training, and authority
  • For biometric ID systems: implemented dual-verification requirement
  • Documented human oversight procedures in instructions for use

Monitoring and Logging (Complete by November 2026)

  • Implemented automatic event logging with minimum 6-month retention
  • Configured performance monitoring dashboards disaggregated by demographic group
  • Established anomaly detection alerts for unexpected output pattern changes
  • Documented serious incident reporting procedures with Article 73 timelines

Registration and Conformity (Complete by Q1 2027)

  • Initiated EU AI database registration process for all high-risk systems
  • Completed self-assessment (Annex VI) or engaged notified body for biometric systems

Common Gaps We Find in Enterprise EU AI Act Assessments

In engagements with enterprises beginning EU AI Act compliance work, several gaps appear consistently:

Inventory incompleteness. Enterprises typically know their primary production AI systems but miss AI features embedded in SaaS platforms, AI-assisted HR tools procured at the department level, and model serving endpoints created by data science teams outside the main product.

Classification conservatism in the wrong direction. Some enterprises over-classify to be safe, which creates documentation burden for systems outside Annex III scope. Others under-classify by treating AI decision support tools as "just recommendations," ignoring that Article 14 human oversight obligations apply even when the AI does not make a final decision autonomously.

Documentation retroactivity. Agile development practices do not naturally produce the Annex IV documentation the EU AI Act requires. Creating retrospective documentation for systems already in production is harder than building documentation discipline into development from the start.

Conflating ISO 42001 certification with compliance. ISO 42001 is a valuable management framework, but EU-specific requirements like conformity assessment procedures, CE marking, and EU database registration are not addressed by the standard.

Article 15 gaps. Standard vulnerability scanning and penetration testing do not cover AI-specific attack vectors. Enterprises with strong traditional security posture often have no adversarial machine learning testing program.

For data protection intersections with EU AI Act obligations, our GDPR compliance guide for AI systems covers the interaction between GDPR and AI Act requirements for high-risk systems processing personal data.

Conclusion

EU AI Act high-risk AI systems compliance requires a structured program that starts with classification and ends with ongoing adversarial robustness testing and incident monitoring. The August 2, 2026 transparency deadline is weeks away. The December 2, 2027 technical obligations deadline sounds distant, but the classification, documentation, and governance infrastructure required to meet it takes 12 to 18 months to build from scratch.

The enterprises that will meet December 2027 without a last-minute crisis are the ones starting classification work now. Security teams that treat Article 15 cybersecurity requirements as a standalone technical obligation, distinct from the broader compliance program, will build the right adversarial testing capability early.

BeyondScale conducts AI security assessments against EU AI Act Article 15 requirements, including adversarial robustness testing, supply chain integrity audits, and data poisoning defenses. To assess your high-risk AI system's security posture, run a Securetom scan or contact our AI security team to book a full assessment.


BeyondScale Team

AI Security Team, BeyondScale Technologies

Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.
