A European Bank Just Asked How You Determined Your AI Credit Risk Tool Falls Inside or Outside the EU AI Act High-Risk Category: Answering the Article 6 Classification Questions

The request came through your enterprise account team three days into a new bank's procurement review. The risk and compliance team had sent a structured questionnaire. One section read:

"Please explain the process your company used to determine whether your AI system is classified as 'high-risk' under EU AI Act Article 6 and Annex III. If you determined it is high-risk, describe the applicable conformity obligations you have fulfilled. If you determined it is not high-risk, provide the legal and technical basis for that determination, including reference to the self-assessment or provider determination process your company completed under Article 6(3)."

This is the right question to ask. And it is becoming more common as European banks, insurers, and payments companies build out their AI procurement checklist infrastructure ahead of the August 2026 application date.

The classification question — is this AI system high-risk or not? — is the gateway question of the EU AI Act. Everything flows from it. Here is how Article 6 works and how to answer this section.

How Article 6 Classifies High-Risk AI

The EU AI Act uses a two-track classification for high-risk AI:

Track 1 (Article 6(1)): AI systems that are safety components of products covered by specific EU harmonisation legislation listed in Annex I (such as medical devices, aviation safety equipment, machinery), and which are required to undergo a third-party conformity assessment under that sector-specific legislation. Most fintech products do not fall here unless they are embedded in regulated safety-critical hardware.

Track 2 (Article 6(2)): AI systems that are themselves listed in Annex III of the EU AI Act. This is the track most relevant to fintech and credit tools.

Annex III, point 5 covers "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score." If your product produces a credit score or creditworthiness determination for an individual — whether for lending, account approval, limit-setting, or similar — you are likely in Annex III, point 5. That means you are presumed to be a high-risk AI system under Article 6(2).

Additional Annex III categories relevant to fintech:

• Point 5(b): AI for risk assessment and pricing for life and health insurance in relation to natural persons
• Point 6: AI for law enforcement (not typical for commercial fintech, but relevant for AML/fraud tools that feed into enforcement workflows)

The Article 6(3) Self-Assessment Pathway

Article 6(3) creates an important route for providers: if you believe your AI system meets an Annex III description but poses limited risk, you can determine it is not high-risk, subject to conditions. Specifically, Article 6(3) states that an AI system listed in Annex III is not high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of natural persons, including by not materially influencing the outcome of decision-making.

The conditions for this self-determination include:

• The AI is intended to perform a narrow procedural task
• The AI is intended to improve the result of a previously completed human activity
• The AI is intended to detect decision-making patterns or deviations from prior patterns and is not meant to replace or influence the human assessment
• The AI is intended to perform a preparatory task to an assessment relevant to the listed use cases

If your product fits one of these conditions, you can self-certify it out of high-risk status. But Article 6(3) also requires that you document this determination and maintain it in your technical file. Providers who take the Article 6(3) route must notify market surveillance authorities in some Member States.

How to Answer the Bank's Classification Question

Step 1: Identify which Annex III entry your product maps to.

Most credit-related AI tools map to point 5(a) or 5(b). State clearly which entry applies, or confirm that your legal and technical review concluded that no Annex III entry applies and why.

Step 2: State your classification determination.

Either: "We have determined that this system is a high-risk AI system under Article 6(2) and Annex III point [X]. Our conformity obligations include [list applicable articles]."

Or: "We conducted a provider determination under Article 6(3) and concluded this system does not pose a significant risk of harm because [specific factual basis]. Documentation of this determination is available in our technical file."

Step 3: Describe the conformity steps completed.

If high-risk: confirm you have a technical file (Article 11), a quality management system (Article 17), human oversight mechanisms (Article 14), and a conformity assessment completed (Article 19). Specify whether you used the self-assessment route or a third-party notified body.

If Article 6(3) applies: confirm the determination is documented, who conducted the review (internal legal and technical team, or external counsel), and the date of determination.

What the Bank Is Actually Checking

European banks subject to EBA and ECB AI governance guidance are building their own internal AI risk registers. They need to know, for each AI vendor in their supply chain: did this vendor make a reasoned classification decision, or did they wave a hand at the regulation and call it "compliant"?

A clear, structured response to the Article 6 question signals that your company has actually engaged with the regulation rather than hoping the bank's procurement team won't ask a follow-up.

That is the gap Complizo's questionnaire answer engine closes — turning a regulation-dense classification question into a precise, referenced answer your procurement counterpart can file and close.

Try Complizo free at complizo.com