Skip to content
High-Risk under Annex III

Education AI is high-risk
under the EU AI Act

AI used in admissions, grading, exam proctoring, and learning assessment falls under Annex III, point 3 (education and vocational training). If your AI influences who gets admitted, how students are graded, or whether they pass — you have until December 2, 2027 — 561 days — to comply.

Which education AI is high-risk?

Annex III, point 3 covers AI intended for use in education and vocational training — specifically systems that determine access to education, assess learning outcomes, or monitor students.

Admissions & enrolment decisions

AI that evaluates applications, ranks candidates, or determines admission eligibility for educational institutions

Grading & assessment systems

Automated grading tools, essay scoring engines, or AI that evaluates student performance and assigns marks

Exam proctoring & cheating detection

AI systems that monitor students during examinations, flag suspicious behaviour, or make decisions about exam validity

Learning level assessment & tracking

AI that determines student proficiency levels, recommends educational pathways, or decides access to educational programmes

What's not high-risk in education?

Not every EdTech AI tool triggers Annex III. The deciding factor is whether the AI determines access to education or evaluates student outcomes in ways that materially affect their educational path.

Adaptive learning platforms that personalise content without gating access
Administrative chatbots for student queries (transparency obligations only)
Classroom scheduling and timetable optimisation tools
Plagiarism detection tools that flag content for human review

Even if your system is not high-risk, transparency obligations under Article 50 may still apply. Run the free classifier to find out.

10 mandatory obligations for high-risk education AI

Each must be in place before December 2, 2027. Non-compliance risks fines up to €15 million or 3% of global turnover.

1
Risk management system (Article 9)
2
Data governance & bias documentation (Article 10)
3
Full Annex IV technical documentation
4
Automatic event logging (Article 12)
5
Transparency & instructions for deployers (Article 13)
6
Human oversight measures (Article 14)
7
Accuracy, robustness & cybersecurity (Article 15)
8
Conformity assessment (Article 43)
9
EU database registration (Article 49)
10
Post-market monitoring (Article 72)

Schools and universities are deployers

Provider vs deployer matters

Most educational institutions using third-party AI tools are classified as deployers, not providers. Deployers have lighter obligations — but you still need to ensure AI systems are used according to the provider's instructions, conduct a fundamental rights impact assessment (FRIA), and maintain human oversight. If you've built your own AI system in-house, you're the provider and face the full set of obligations.

Read: Deployer vs Provider — which are you? →

Already GDPR compliant?

Some work carries over

Handling student data under GDPR means you already have data protection processes and impact assessments. These partially cover AI Act Articles 9 and 10. But the AI Act adds requirements GDPR doesn't cover: model accuracy documentation, bias testing across protected groups, conformity assessment, and continuous post-market monitoring.

See the full GDPR overlap mapping →

Further reading

EU AI Act Compliance Checklist for 2026

7 min read

EU AI Act Fines: How Much Can You Actually Be Fined?

5 min read

EU AI Act: Deployer vs Provider — Which Are You?

6 min read

561 days until enforcement

Education AI affecting admissions, grading, and assessment will be under heavy scrutiny. Classify your system now and start generating the compliance documentation you need.