Chapter IX, Section 3 — EnforcementArticle 80

Article 80: Procedure for Dealing with AI Systems Classified by the Provider as Non-High-Risk in Application of Annex III

Applies from 2 Aug 20267 min readEUR-Lex verified Apr 2026

Article 80 gives market surveillance authorities a dedicated procedure to challenge a provider's own classification of an AI system as non-high-risk under Article 6(3) when the system falls within an Annex III domain. Where an authority has sufficient reason to consider the system is in fact high-risk, it conducts an evaluation. If confirmed, the authority requires the provider to bring the system into full Chapter III compliance (risk management, data governance, transparency, human oversight, etc.) within a prescribed period. Failure to comply triggers restriction, prohibition, withdrawal, or recall. The mechanism mirrors Article 79 but targets classification disputes rather than post-market risk findings. Always verify on EUR-Lex.

Start free assessment All articles

Who does this apply to?

-Market surveillance authorities challenging a provider's self-classification under Article 6(3)
-Providers of AI systems operating in Annex III domains who classified their system as non-high-risk
-Importers and distributors in the supply chain who placed or made available the system on the market

Scenarios

A fintech company deploys an AI system that assesses consumer creditworthiness for small personal loans. The provider classifies it as non-high-risk under Article 6(3), arguing its output is not the sole factor in lending decisions. The national market surveillance authority reviews the system and determines that the AI output is in practice determinative — loan officers override it less than 2% of the time.

The authority invokes Article 80, concluding the system is in fact high-risk under Annex III, area 5(b) (creditworthiness). It requires the provider to carry out a conformity assessment, implement a risk management system (Article 9), ensure data governance (Article 10), and register in the EU database (Article 49) within 90 days. The provider complies and reclassifies the system as high-risk.

Ref. Art. 80 + Art. 6(3) + Annex III

A company sells an AI-powered interview analysis tool to employers. It claims the system merely provides 'suggestions' and is therefore non-high-risk. A French surveillance authority investigates after complaints from job applicants and finds the system assigns numerical scores that employers use as the primary hiring filter.

Under Article 80, the authority evaluates the system and confirms it falls within Annex III, area 4(a) (recruitment). The provider is given 60 days to comply with Chapter III requirements. After the provider fails to act, the authority prohibits the system's placement on the French market and notifies the Commission under the Article 81 Union safeguard procedure.

Ref. Art. 80 + Art. 81 + Annex III

What Article 80 does (plain language)

Article 6(3) allows providers to self-classify certain AI systems as non-high-risk even though they operate in an Annex III area, provided the system does not pose a significant risk of harm. Article 80 is the counterweight to that provider discretion — it gives authorities the power to second-guess the classification:

A market surveillance authority identifies an AI system operating in an Annex III domain (biometrics, critical infrastructure, employment, credit scoring, law enforcement, etc.) that the provider has classified as non-high-risk
The authority has sufficient reason to consider the classification is incorrect — for example, the system's output is in practice determinative, or the system's deployment context changes its risk profile
The authority evaluates the system, involving the provider
If the system is indeed high-risk, the authority requires the provider to comply with all Chapter III requirements (Articles 8–15, conformity assessment, CE marking, EU database registration) within a specified period
If the provider fails to comply, the authority may restrict, prohibit, withdraw, or recall the system

How Article 80 connects to the rest of the Act

Article 6(3) — The provider self-classification mechanism that Article 80 oversees.
Article 7 — Commission power to amend Annex III (adds or removes high-risk areas).
Annex III — The list of high-risk areas within which the classification dispute arises.
Article 79 — The parallel 'risky system' procedure; Article 80 mirrors its enforcement ladder but focuses on classification.
Article 81 — Union safeguard procedure: if the provider or another Member State objects to the Article 80 measure, the Commission evaluates.
Article 99 — Penalties for non-compliance with corrective action orders.
Article 113 — Staged application dates; Article 80 applies from 2 August 2026.

Official wording (excerpt): Article 80

Editorial note: The full authentic text of Article 80 is published on EUR-Lex. The following is a faithful summary of its core operative provisions.

Where a market surveillance authority has sufficient reason to consider that an AI system classified by the provider as non-high-risk pursuant to Article 6(3) is in fact a high-risk AI system, that authority shall carry out an evaluation of the AI system concerned. The provider shall cooperate with the authority. Where the authority finds that the AI system is high-risk, it shall require the provider to take all necessary and appropriate corrective actions to bring the system into compliance with the obligations laid down in Chapter III, Section 2 (requirements for high-risk AI), as well as adopt appropriate restrictive measures, within a reasonable period which the authority shall prescribe. If the provider fails to take adequate corrective action, the authority shall restrict, prohibit, or require the withdrawal or recall of the system.

Compliance checklist

Document your Article 6(3) classification reasoning thoroughly — authorities will review this first when considering an Article 80 challenge.
Retain evidence that your system's output is genuinely non-determinative in practice (not just in theory) for use cases within Annex III areas.
Monitor deployment contexts: if downstream deployers use your system in ways that change its risk profile, your classification may be challenged.
Establish an internal escalation procedure for responding to authority classification inquiries within tight timelines.
If reclassified: have a contingency plan for rapid conformity assessment (Article 43), technical documentation (Article 11), and EU database registration (Article 49).
For importers/distributors: verify the provider's classification before placing the system on the market — you may face enforcement if the classification is later overturned.

Read the official text on EUR-Lex

Check your Annex III classification—start the free assessment.

Start Free Assessment

Article 6: Classification Rules for High-Risk Systems

Article 7: Amendments to Annex III

Annex III: High-Risk AI System Areas

Article 79: Procedure at National Level for AI Systems Presenting a Risk

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Related annexes

annex-iii-high-risk-areas

Frequently asked questions

What triggers an Article 80 investigation?

A market surveillance authority needs 'sufficient reason' to consider the provider's non-high-risk classification is wrong. This could come from complaints, post-market monitoring signals, media reports, whistleblowers, or the authority's own sector analysis. The bar is lower than proof — the authority only needs reason to investigate, not to prove misclassification upfront.

How is Article 80 different from Article 79?

Article 79 addresses AI systems that present a risk — even if formally compliant. Article 80 specifically targets classification disputes: the provider says non-high-risk, the authority disagrees. Article 79 is about real-world risk; Article 80 is about whether the system was correctly classified under the Annex III framework.

What happens if I am reclassified as high-risk?

You must comply with all Chapter III requirements (risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity), complete a conformity assessment, apply CE marking, and register in the EU database — all within the period the authority prescribes.

On this page

Key terms

Article 6(3) self-classification: The mechanism by which a provider of an AI system falling within an Annex III area may classify it as non-high-risk if the system does not pose a significant risk of harm to health, safety, or fundamental rights — subject to authority challenge under Article 80.
Annex III areas: The eight high-risk domains listed in Annex III: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration/border, and administration of justice. AI systems in these areas are presumed high-risk unless the provider demonstrates otherwise under Article 6(3).
Classification dispute: A disagreement between the provider (who classifies as non-high-risk) and the market surveillance authority (which considers the system high-risk) — resolved through the Article 80 evaluation procedure.

Maximum penalties (Art. 99)

3% of turnover / Up to EUR 15 million or 3% of global annual turnover under Article 99(4) for failure to comply with corrective action orders
SMEs / start-ups: Lower caps for SMEs and start-ups under Article 99(6)
Beyond financial penalties, an Article 80 finding that your system is actually high-risk retroactively exposes you to the full Chapter III penalty regime — including up to EUR 15 million or 3% for non-compliance with high-risk requirements. Market prohibition and recall are also possible.

Timeline

2 Aug 2025
Article 6(3) self-classification mechanism applies — providers may begin classifying Annex III systems as non-high-risk.
2 Aug 2026
Article 80 classification-challenge procedures become enforceable alongside the full high-risk regime.

At a glance

Article: 80
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now