Topic dossier

High-risk & high-impact AI obligations

Name: AI regulation by topic — High-risk AI systems
Creator: AI Law Radar
License: https://creativecommons.org/licenses/by/4.0/

How the major risk-based regimes define high-risk or high-impact AI, and the assessments, oversight and documentation that classification triggers. 7 obligations across 7 jurisdictions — 4 in force, 2 proposed. Next dated deadline: 1 Jan 2027.

Risk-tiering is the architecture of most comprehensive AI laws: a system classified as high-risk — or high-impact — attracts the heaviest duties, typically a pre-deployment assessment, human oversight, risk management, technical documentation and sometimes registration. The EU AI Act’s Annex III is the reference model; South Korea, Vietnam, Peru, Brazil and the DIFC each run their own variant. The obligations below are the high-risk tier of each regime.

Other themes Deepfakes Transparency Frontier / GPAI Prohibited Hiring

The Register

7 obligations · 7 jurisdictions

European Union 1

EU Proposed

High-risk AI obligations (Annex III)

Binds Providers & deployers of Annex III high-risk AI (employment, credit, education, biometrics, law enforcement, migration). Omnibus defers this from 2 Aug 2026 to 2 Dec 2027: EU Parliament adopted 16 Jun 2026; Council adoption + OJ publication still pending, so the original date legally stands until then.

Pending — Digital Omnibus deferral (Parliament-adopted 16 Jun 2026; Council adoption + OJ publication still pending). The original 2 Aug 2026 date legally stands until publication.

Stated maximum penalty — Up to 3% turnover or €15M

Proposed · target 2 Dec 2027 checked 24 Jun 2026 EU AI Act (Digital Omnibus) ↗ low confidence

United States 1

US · CO Binding

Colorado AI Act (SB 26-189)

Binds Developers & deployers of automated decision-making tech in consequential decisions. ADMT documentation, consumer notice & appeal rights.

Stated maximum penalty — AG enforcement; per violation

Applies 1 Jan 2027 checked 21 Jun 2026 SB 26-189 ↗ high confidence

South Korea 1

S. Korea Comprehensive

AI Basic Act — high-impact AI duties

Binds Operators of high-impact AI and advanced / high-compute AI. Risk management, human oversight and impact assessment for high-impact / advanced AI (MSIT enforcement grace period through 2026).

MSIT is running an enforcement grace period through ~2026.

Stated maximum penalty — Admin fine up to ₩30M

In force · 22 Jan 2026 checked 24 Jun 2026 AI Basic Act ↗ medium confidence

Brazil 1

Brazil Proposed

AI Act bill (PL 2338/2023) advancing

Binds Would bind AI providers / deployers once enacted. Risk-based, EU-style framework; Senate-approved Dec 2024, now before the Chamber of Deputies.

Senate-approved Dec 2024; before the Chamber of Deputies.

Stated maximum penalty — Bill: up to R$50M / 2% revenue

Proposed checked 24 Jun 2026 PL 2338/2023 ↗ medium confidence

Vietnam 1

Vietnam Comprehensive

Law on AI — risk-tiered obligations

Binds AI developers / providers / deployers / users; extraterritorial (local representative required). Three-tier risk classification; high-risk AI needs conformity assessment + registration (general grace to 1 Mar 2027).

Grace period: general to 1 Mar 2027 (18 months for health, education and finance).

Stated maximum penalty — Admin fines up to ₫2B (decree-set)

In force · 1 Mar 2026 checked 24 Jun 2026 Law 134/2025/QH15 ↗ medium confidence

Peru 1

Peru Comprehensive

AI Law 31814 + Reglamento — risk-based regime

Binds Public and private AI developers / deployers. Prohibited / high-risk / acceptable tiers; high-risk AI needs prior evaluation, human oversight and transparency.

Stated maximum penalty — Referral to data-protection / Indecopi

In force · 22 Jan 2026 checked 24 Jun 2026 Ley 31814 + DS 115-2025-PCM ↗ high confidence

United Arab Emirates 1

UAE Binding

DIFC Data Protection Regulation 10

Binds Controllers / operators deploying autonomous or AI systems processing personal data in the DIFC. Binding rules for autonomous / AI systems processing personal data in the DIFC; high-risk needs certification or an Autonomous Systems Officer.

DIFC free-zone scope; enforcement from early 2026.

Stated maximum penalty — DIFC data-protection fines

In force · 1 Jan 2026 checked 24 Jun 2026 DIFC Regulation 10 ↗ medium confidence

Questions & answers

From the data

What is a high-risk AI system?

A system whose use could materially affect safety or fundamental rights — for example in employment, credit, essential services, biometrics or critical infrastructure. The EU AI Act lists these uses in Annex III; other regimes use comparable high-risk or high-impact categories with their own lists.

What does a high-risk classification require?

Usually a pre-deployment or conformity assessment, human oversight, risk management, technical documentation and sometimes registration. The precise package depends on the instrument — see each row’s primary source.

When do the EU AI Act’s high-risk rules apply?

The Annex III high-risk obligations were set for 2 August 2026. The Digital Omnibus, adopted by the European Parliament on 16 June 2026, proposes deferring them to 2 December 2027; until the Council adopts it and it is published in the Official Journal, the original date legally stands.

Which jurisdictions does AI Law Radar track for high-risk ai systems?

We currently track high-risk ai systems obligations across 7 jurisdictions: European Union, United States, South Korea, Brazil, Vietnam, Peru and United Arab Emirates. Each is dated and linked to its primary source on this page.

Not legal advice. Each obligation links to its primary source and carries the date it was last checked; verify the legal text before relying on it.

← All topics · By jurisdiction · Back to the Radar