Deploying AI in CNC Manufacturing in Line with the EU AI Act
Which manufacturing AI is high-risk and which is not? An honest risk classification for precision machining and metalworking, with the decisive exceptions.
In short
The vast majority of typical manufacturing AI is not high-risk under the EU AI Act: cutting-parameter and CAM optimisation, predictive maintenance, capacity planning and the visual quality inspection of components do not appear in the high-risk catalogue of Annex III. It only becomes high-risk when AI is used as a safety component of a machine (Annex I) or in HR contexts (candidate screening, employee evaluation). Independently of this, the AI literacy obligation under Art. 4 has applied since 2 February 2025.
Auf Deutsch lesen: deutsche Fassung
Many manufacturers are uneasy: does the EU AI Act turn every use of AI on the shop floor into a high-risk case? The honest answer is no. The vast majority of typical manufacturing AI is not high-risk. But there are clearly delimited exceptions, and you should know them before you invest.
The four risk tiers, briefly explained
- Prohibited: manipulative or certain surveillance practices (in practice largely irrelevant to manufacturing)
- High-risk: only in the areas set out in Annex III, or as a safety component of products under Annex I
- Limited risk: transparency obligations, for example for chatbots or AI-generated content (Art. 50)
- Minimal risk: the default case, e.g. cutting-parameter optimisation, nesting, predictive maintenance
What in CNC machining is usually NOT high-risk
Cutting-parameter and CAM optimisation, tool-life and failure prediction (predictive maintenance), capacity planning, automatic costing from STEP files and the visual quality inspection of components: these applications do not appear in the high-risk catalogue of Annex III. The general obligations do apply, however, first and foremost the AI literacy of your workforce (Art. 4).
Where it can become high-risk after all
- AI as a safety component of a machine: if the AI controls or monitors a safety-relevant function (such as a protective function), it can become a high-risk system via the EU Machinery Regulation as an Annex I product.
- AI in HR: pre-screening of candidates, aptitude assessment or performance monitoring of employees fall expressly under Annex III, so they are high-risk, even in a small workshop.
- Biometric recognition at the factory gate or for time recording can be strictly regulated or outright impermissible, depending on how it is set up.
The machine that inspects a part is rarely the problem. The AI that pre-sorts job candidates is more likely to be, and many firms overlook it.
Obligations that apply almost always
Regardless of the risk class, the AI literacy obligation (Art. 4) has applied since 2 February 2025: providers and deployers must, with appropriate measures and to the best of their ability, ensure a sufficient level of AI literacy among their staff, a proportionate best-efforts duty. If you use chatbots or AI-generated text and images, the transparency obligations under Art. 50 apply on top: users must be able to recognise that they are interacting with AI, or that content is AI-generated. These transparency obligations apply from 2 August 2026; for systems already on the market before that date, marking of their content has a grace period until 2 December 2026.
How to proceed
- Inventory your AI applications, including bought-in software features
- Determine the risk class for each application (in particular: machine safety and HR-related AI)
- Set up and document AI literacy training
- Add transparency notices wherever Art. 50 applies
- Cast the whole thing into a lean ISO 42001 system, as evidence both internally and externally
Frequently asked questions
Is our AI-based component inspection high-risk?+
As a rule no; visual quality inspection does not appear in Annex III. It only becomes high-risk once the AI takes over a safety function of a machine (Annex I, via the EU Machinery Regulation). This has to be assessed case by case.
We use AI to screen job candidates, is that regulated?+
Yes, and strictly so: AI used to pre-screen or evaluate candidates and employees falls within the high-risk catalogue (Annex III), regardless of company size. Heightened obligations on transparency, human oversight and documentation apply here.
Does the Digital Omnibus defer these obligations?+
Yes. The Digital Omnibus, confirmed by the Council on 13 May 2026, defers the high-risk obligations (Annex III to 2 December 2027, Annex I embedded in regulated products to 2 August 2028) and eases the AI literacy requirements. This is settled law, not a mere proposal, so plan against these amended timelines.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)
Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.