EU AI Act compliance for logistics AI in 2026

Annex III, point 2 covers AI used as a safety component in the management and operation of critical infrastructure including road traffic and the supply of water, gas, heating and electricity [1]. The "safety component" test is narrow. A traffic-management AI that controls signal phasing on motorways or that controls a critical port's vessel-traffic system can fall inside; a route-optimisation AI that suggests delivery sequences to drivers does not, because the system is not a safety component of road infrastructure.

Vehicle-level AI - lane-keeping, autonomous emergency braking, automated driving functions - is regulated under the UNECE WP.29 framework and the relevant EU type-approval regulations rather than primarily under the AI Act. The AI Act applies on top, but the technical assessment is integrated into the type-approval process. UNECE Regulation No. 157 on Automated Lane Keeping Systems and the broader UNECE work on AI for vehicles are the canonical reference for vehicle-level autonomous functions [3].

For logistics AI that is not a safety component of road traffic or critical infrastructure and that is not built into a regulated vehicle, no AI Act conformity assessment is required. The system sits in the limited-risk or minimal-risk category. Article 50 transparency obligations may still apply: an AI system that interacts with natural persons must inform the data subject they are interacting with an AI unless this is obvious from the circumstances. AI-generated content must be marked as such where applicable. These transparency obligations apply from 2 August 2026 [1].

Where the AI is a safety component, the Article 43 internal-control procedure of Annex VI applies. Where the AI is built into a vehicle covered by EU type-approval law, the AI Act technical documentation is integrated into the type-approval technical documentation. The result is one assessment, not two. The provider still maintains the Annex IV technical documentation pack and the post-market monitoring plan under Article 72.

Three pathways. First, the safety-component test under Annex III point 2 - narrow, applying to AI that controls critical infrastructure. Second, vehicle-level AI under EU type-approval law - integrated into the type-approval process via Article 43(3). Third, the cross-vertical Annex III categories that catch logistics deployers in specific contexts: point 4 covers employment-related AI including AI used to monitor and evaluate workers, which captures driver-monitoring and warehouse-worker-monitoring AI [1].

The Article 6(3) carve-out applies to most logistics AI on its face. Route optimisation, demand forecasting, dynamic pricing for shipping, container yard scheduling, warehouse robotics scheduling, and last-mile dispatch are all preparatory or operational tasks that do not fit Annex III. The carve-out has to be documented with intended-purpose evidence. The interaction with GDPR Article 22 is the part that catches deployers - any AI output that is used to make a decision producing legal or similarly significant effects on a driver, warehouse worker or end customer is inside Article 22 regardless of the AI Act classification.

For non-high-risk logistics AI no Annex IV pack is mandatory under the AI Act. Sensible deployer hygiene is to maintain a model card, a data-governance description, a validation summary, and a human-oversight design even where not legally required, because the next deployment context (a public-sector logistics tender, a critical-infrastructure contract, a worker-monitoring deployment) can trigger high-risk reclassification overnight. The ISO/IEC 42001:2023 AI management system standard is the convergent reference for voluntary documentation [4].

For driver-monitoring AI - dashcam-based fatigue detection, telematics-based driving-style scoring, AI-driven driver-performance evaluation - GDPR Article 22 plus Article 88 (data processing in the employment context) plus the relevant Member-State employment law all apply. The EDPB's guidelines on processing personal data through video devices and the Article 29 Working Party (now EDPB) opinion on data processing at work set the canonical reading [2]. A logistics deployer running driver monitoring needs a Data Protection Impact Assessment under Article 35 of the GDPR, a worker-information notice under Article 88, and a worker-council consultation in jurisdictions where collective representation applies.

For non-high-risk logistics AI, human oversight is not a legal obligation under the AI Act. It is still operational hygiene: a designated reviewer for model output, an escalation path for anomalies, and a periodic validation pass against ground truth. For driver-monitoring AI inside the GDPR Article 22 perimeter, oversight is mandatory: a human reviewer with authority to override any decision producing legal or similarly significant effects, with the override logged.

The interaction with Annex III point 4 - AI in the employment context for hiring, promotion, termination, performance evaluation, or task allocation - is the part that catches deployers using AI to allocate routes or shifts to drivers. AI that allocates work in a way that produces meaningfully different earnings outcomes can trigger point 4 as a high-risk classification on the deployer side, regardless of how the provider describes the system. A 2026-grade deployment treats route-allocation AI as Annex III point 4 high-risk by default and produces the documentation pack accordingly. Article 26 deployer obligations apply.

Impetora ships every logistics AI system with a written risk classification analysis (Annex III points 2, 4 and the safety-component test, with reasoning written out), a data-governance description aligned with Article 10, a model card, a validation summary, and a human-oversight design even where not strictly required. Where the deployment touches driver or worker data, the GDPR Article 22 review architecture, the Article 35 DPIA outline, and the Article 88 worker-information notice are produced as named deliverables.

For deployments inside the type-approval perimeter or critical-infrastructure perimeter, the Annex IV pack is integrated into the existing sectoral technical documentation. Cross-references: the EU AI Act overview, the logistics industry hub, the document processing automation use case, and the TRACE methodology.