Annex X: Large-Scale EU IT Systems Under Article 6(2)
Annex X lists the large-scale EU information technology systems established by Union law that are referenced in Article 6(2). AI systems that are components of these large-scale IT systems are classified as high-risk. The listed systems include major EU databases and interoperability frameworks in the area of freedom, security, and justice — such as SIS (Schengen Information System), VIS (Visa Information System), Eurodac, ETIAS, ECRIS-TCN, and the interoperability framework under Regulations 2019/817 and 2019/818. The transitional deadline under Article 111(4) gives these systems until 31 December 2030 to comply.
Who does this apply to?
- -EU agencies operating large-scale IT systems listed in Annex X (eu-LISA and others)
- -Member State authorities using AI components within these systems
- -Providers developing AI components for integration into Annex X systems
- -Compliance teams assessing whether their system interacts with Annex X databases
Scenarios
eu-LISA develops an AI-powered automated matching component for the Schengen Information System (SIS II).
A national border authority uses an AI tool that queries VIS but is not itself a component of VIS.
Systems listed in Annex X
The full list appears on EUR-Lex Annex X. Key systems include:
1. SIS — Schengen Information System (Regulation (EU) 2018/1860, 2018/1861, 2018/1862) 2. VIS — Visa Information System (Regulation (EC) No 767/2008) 3. Eurodac — European Asylum Dactyloscopy Database (Regulation (EU) No 603/2013) 4. EES — Entry/Exit System (Regulation (EU) 2017/2226) 5. ETIAS — European Travel Information and Authorisation System (Regulation (EU) 2018/1240) 6. ECRIS-TCN — European Criminal Records Information System for Third-Country Nationals (Regulation (EU) 2019/816) 7. Interoperability framework — (Regulations (EU) 2019/817 and 2019/818)
These are primarily managed by eu-LISA (European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice).
How Annex X connects to the rest of the Act
- Article 6(2) — High-risk classification for AI components of Annex X systems.
- Article 111(4) — 31 December 2030 compliance deadline.
- Article 113 — General application dates.
- Annex III — Separate high-risk classification for non-Annex-X AI in related areas (biometrics, law enforcement, border control).
Compliance checklist
- Determine if your AI system is a component of an Annex X large-scale IT system.
- If yes: classify as high-risk under Article 6(2) and plan for the 31 December 2030 deadline.
- If the system queries Annex X databases but is not a component: check Annex III classification instead.
- Coordinate with eu-LISA or the relevant EU agency on compliance requirements.
- Track any updates to the Annex X list via delegated acts.
Assess your AI system classification—free assessment.
Start Free AssessmentRelated Articles
Related annexes
- Annex III — High-risk AI system areas
Frequently asked questions
Why do Annex X systems get until 2030?
These are complex, multi-stakeholder EU-level systems. Article 111(4) provides extra transition time to ensure compliance does not disrupt critical security and border infrastructure.
Does Annex X apply to private-sector systems?
Annex X lists EU institutional IT systems. However, private-sector AI that is integrated as a component into one of these systems would be captured.
What is the compliance deadline for Annex X large-scale IT systems?
AI systems that are components of Annex X large-scale EU IT systems (SIS II, VIS, Eurodac, EES, ETIAS, ECRIS-TCN) have until 31 December 2030 to comply with the AI Act, unless the system was significantly modified before that date. This is the longest transition period in the Regulation.