EU AI Act for Energy & Utilities: High-Risk Rules for Critical-Infrastructure AI

Energy and utility companies use AI for grid balancing, demand forecasting, predictive maintenance and outage management. Under the EU AI Act (Regulation (EU) 2024/1689), AI acting as a safety component in the operation of critical infrastructure — including electricity supply — is high-risk under Annex III(2). Because a failure can disrupt an essential service for millions, these systems carry the full high-risk obligations.

Is it in scope?

Annex III(2) lists AI intended to be used as a safety component in the management and operation of critical infrastructure, expressly including the supply of electricity, gas, heating and water. AI that performs a safety function in grid or network operation is therefore high-risk. Not every energy use qualifies: back-office forecasting, tariff analytics or customer chatbots are generally minimal- or limited-risk. The distinction is whether the system is a safety component whose failure endangers the supply's integrity, versus a supporting analytical tool.

Typical AI use cases

  • Grid balancing and load management safety systems
  • Fault detection and outage prediction
  • Predictive maintenance of generation and network assets
  • Energy demand and generation forecasting
  • Smart-metering and consumption analytics

Risk classification

AI operating as a safety component of critical energy infrastructure is high-risk under Annex III(2). The developer is the provider (Art. 9–15), with accuracy, robustness and cybersecurity under Art. 15 especially critical given the systemic consequences of failure; the utility running it is a deployer under Art. 26 responsible for oversight and monitoring, effective 2 August 2026. Supporting tools — demand forecasting, smart-meter analytics, customer chatbots (Art. 50) — are generally minimal- or limited-risk. The classification hinges on the safety-component test, so each system should be mapped against it.

Obligations to prepare for

Risk management system (Art. 9)
Data governance & quality (Art. 10)
Technical documentation (Art. 11)
Accuracy, robustness & cybersecurity (Art. 15)
Human oversight (Art. 14)
Deployer obligations (Art. 26)

Your exact duties also depend on whether you build or use the AI. See obligations by operator role — provider, deployer, importer, distributor or GPAI provider.

FAQ

Is our demand-forecasting AI high-risk?

Usually not. Forecasting, tariff analytics and consumption dashboards are supporting tools and are generally minimal-risk. The high-risk trigger under Annex III(2) is reserved for AI that acts as a safety component in the actual operation of critical infrastructure.

What makes grid AI high-risk?

Annex III(2) covers AI used as a safety component in the management and operation of critical infrastructure, including the supply of electricity, gas, heating and water. AI whose failure could compromise the safe operation of that supply is high-risk.

Who is responsible — the software vendor or the utility?

Both, in different roles. The vendor building the safety-critical AI is the provider and handles the design-time duties under Art. 9–15. The utility deploying it is the deployer under Art. 26, responsible for human oversight, correct use and monitoring in operation.

See exactly what applies to your system

Run the free 2-minute risk checker — no sign-up.

Run the free check