AnnexesArticle Annex X

Annex X: Large-Scale EU IT Systems Under Article 6(2)

Applies from 2 Aug 20264 min readEUR-Lex verified Apr 2026

Annex X lists the large-scale EU information technology systems established by Union law that are referenced in Article 6(2). AI systems that are components of these large-scale IT systems are classified as high-risk. The listed systems include major EU databases and interoperability frameworks in the area of freedom, security, and justice, such as SIS (Schengen Information System), VIS (Visa Information System), Eurodac, ETIAS, ECRIS-TCN, and the interoperability framework under Regulations 2019/817 and 2019/818. The transitional deadline under Article 111(4) gives these systems until 31 December 2030 to comply.

Who does this apply to?

  • -EU agencies operating large-scale IT systems listed in Annex X (eu-LISA and others)
  • -Member State authorities using AI components within these systems
  • -Providers developing AI components for integration into Annex X systems
  • -Compliance teams assessing whether their system interacts with Annex X databases

Scenarios

eu-LISA develops an AI-powered automated matching component for the Schengen Information System (SIS II).

The AI component is high-risk under Article 6(2)/Annex X. It must comply with Chapter III by 31 December 2030 (Article 111(4)).
Ref. Annex X + Art. 6(2) + Art. 111(4)

A national border authority uses an AI tool that queries VIS but is not itself a component of VIS.

The AI tool may still be high-risk under Annex III (e.g., biometric identification in law enforcement) but is not classified via Annex X. The Annex X transitional deadline does not apply.
Ref. Annex III vs Annex X

Systems listed in Annex X

The full list appears on EUR-Lex Annex X. Key systems include:

1. SIS, Schengen Information System (Regulation (EU) 2018/1860, 2018/1861, 2018/1862) 2. VIS, Visa Information System (Regulation (EC) No 767/2008) 3. Eurodac, European Asylum Dactyloscopy Database (Regulation (EU) No 603/2013) 4. EES, Entry/Exit System (Regulation (EU) 2017/2226) 5. ETIAS, European Travel Information and Authorisation System (Regulation (EU) 2018/1240) 6. ECRIS-TCN, European Criminal Records Information System for Third-Country Nationals (Regulation (EU) 2019/816) 7. Interoperability framework, (Regulations (EU) 2019/817 and 2019/818)

These are primarily managed by eu-LISA (European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice).

How Annex X connects to the rest of the Act

  • Article 6(2), High-risk classification for AI components of Annex X systems.
  • Article 111(4), 31 December 2030 compliance deadline.
  • Article 113, General application dates.
  • Annex III, Separate high-risk classification for non-Annex-X AI in related areas (biometrics, law enforcement, border control).

Compliance checklist

  • Determine if your AI system is a component of an Annex X large-scale IT system.
  • If yes: classify as high-risk under Article 6(2) and plan for the 31 December 2030 deadline.
  • If the system queries Annex X databases but is not a component: check Annex III classification instead.
  • Coordinate with eu-LISA or the relevant EU agency on compliance requirements.
  • Track any updates to the Annex X list via delegated acts.

Assess your AI system classification-free assessment.

Start Free Assessment

Related annexes

  • Annex III, High-risk AI system areas

Frequently asked questions

Why do Annex X systems get until 2030?

These are complex, multi-stakeholder EU-level systems. Article 111(4) provides extra transition time to ensure compliance does not disrupt critical security and border infrastructure.

Does Annex X apply to private-sector systems?

Annex X lists EU institutional IT systems. However, private-sector AI that is integrated as a component into one of these systems would be captured.

What is the compliance deadline for Annex X large-scale IT systems?

AI systems that are components of Annex X large-scale EU IT systems (SIS II, VIS, Eurodac, EES, ETIAS, ECRIS-TCN) have until 31 December 2030 to comply with the AI Act, unless the system was significantly modified before that date. This is the longest transition period in the Regulation.