AI Act Article 6 Annex III: operational challenges in classifying biometric verification as high-risk

Jurisdiction: EU, DE We're running a biometric identity verification flow (facial comparison + liveness) for customer onboarding. Under the AI Act Annex III, biometric categorization and emotion recognition are explicitly high-risk — but the boundary between 'biometric identification' (explicitly listed) and 'verification' (one-to-one matching) remains contested. How has your compliance team approached this classification? Did you treat one-to-one verification as high-risk by default, or did you build a documented risk assessment showing it falls outside Annex III scope? Specifically interested in: - Whether notified bodies accepted the verification vs. identification distinction - How Article 6(2) exception criteria were documented - Whether your legal counsel recommended conservative high-risk classification regardless