A camera bolted above a loading dock used to raise no real legal questions. It watched, it recorded, and nobody gave much thought to where the footage went afterward. That changed once Brussels folded machine vision into a law built mostly with chatbots and credit-scoring engines in mind. Plenty of manufacturers now reach for a computer vision development company before they touch a procurement contract, hoping someone on the technical side has already walked the legal terrain. Fewer of them have asked what, exactly, that terrain looks like.
The EU AI Act splits artificial intelligence into four buckets, and a fair share of computer vision work sits uncomfortably across two of them. Often, before the ink on a contract dries, a typical machine vision engineering shop has to work out whether a given camera deployment counts as banned, high-risk, or barely regulated at all. Some practices are banned outright, full stop. Others get labeled high-risk, which sounds dramatic but mostly means extra paperwork, logging, and a documented chain of human oversight.
The Lines a Lens May Not Cross
Untargeted scraping of faces from open websites or storefront footage, just to build a recognition database, has been off the table since February 2025. So has inferring someone’s mood from their face inside a classroom or a call center, outside genuine medical or safety situations. Real-time biometric identification by police in public squares carries a near-blanket ban too, with only a handful of carve-outs: a missing child, a threat too credible to ignore, someone already wanted for a serious crime.
A narrower but sharper rule sits underneath all of this. AI that infers race, political views, religious belief, or sexual orientation from someone’s face, fingerprints, or gait is banned outright, regardless of who’s asking or why. Even border agencies wanted a version of it. Insurance underwriters wanted one, too. Neither got it.
None of these maps cleanly onto a warehouse safety camera or a retail heat-map tool, which is exactly why nervous procurement teams keep dialing the same numbers. A few of them, including N-iX, spend a fair portion of client calls explaining which side of the line a given vision pipeline actually sits on.
Where the Work Actually Lands
Most computer vision projects that drift into high-risk territory walk through one of two doors. The first, Annex I, covers vision used as a safety component inside regulated machinery: a robotic arm halting itself the instant a camera spots a hand within reach, a gas-detection rig ordering a shutdown once its sensors flag a dangerous buildup, a trackside camera warning of debris before a train arrives. Regulators draw a sharp line here: these count as safety functions because the system’s intended purpose is to prevent or reduce risks to health, safety, or property, not because the marketing copy calls it smart or efficient. Mundane hardware, life-changing classification.
The second door, Annex III, reaches further. Border checkpoints that run faces against watch lists, an exam platform watching eye movement during an online final, a CCTV feed quietly repurposed into a candidate-scoring tool: all of it can qualify. The Act lists employment decisions, credit scoring, and insurance pricing among the purposes that land a stand-alone system in this second category, and a video-interview tool ranking candidates by tone of voice or facial expression sits exactly inside that description, whether or not anyone building it set out to create a hiring algorithm.
Responsibility for getting this right sits mostly with whoever builds the system, not whoever buys it. Under the Commission’s draft guidance, it falls to the builder, not the buyer, to work out which category a system belongs in, judged against the purpose that the builder claims for it from the outset. Buy a vision tool marketed for shelf-stocking and quietly repurpose it to screen job applicants, though, and the legal weight can shift onto whoever made that call. A retailer, a city running facial-access gates, a hospital pointing the same camera at something it was never built for: the label on the box rarely tells the whole story once a system gets stretched past its original brief.
Building the Roadmap Around a Moving Deadline
The compliance calendar has shifted twice in eighteen months, which says something about how hard this has been to operationalize. Bans on the worst practices took hold back in February 2025 and never moved. The high-risk obligations, by contrast, originally due in August 2026, now land on stand-alone systems in December 2027, with safety-component systems getting until August 2028. Brussels published draft guidelines in mid-May 2026 explaining how to draw these lines in practice, open for public comment through late June, which is exactly the math most computer vision development teams are quietly running right now.
None of this means the next two years are free. Technical documentation, conformity assessment, and a working human-oversight process take real engineering time to build properly, and rushing all 3 in month 23 of a 24-month runway rarely ends well. The bans, meanwhile, never moved. A market surveillance authority can still knock on a door tomorrow over a scraped facial database, deadline or no deadline.
So what does a sane roadmap actually do with a deadline like that? A handful of computer vision development teams, N-iX among them, have settled into a similar pattern for client work that touches cameras, faces, or behavioral inference:
- Map every vision use case already running or planned, however small, and tag each one against the four risk tiers.
- Flag anything touching biometric categorization, emotion inference, or real-time public surveillance for immediate legal review, since the bans here don’t wait for 2027.
- Build logging and human-override hooks into high-risk candidates now, before a deadline forces a rushed retrofit later.
- Revisit the classification every few months, since the Commission can add or remove Annex III use cases by delegated act without much warning.
Nobody enjoys step two. Worth the discomfort anyway.
Summing Up
None of this turns computer vision into a forbidden technology. Most of what gets built for retail shelves, factory floors, and quality control sits comfortably outside the banned categories, and often outside high-risk, too. The harder part is staying honest about which bucket a given camera actually belongs in, especially once a product’s use drifts away from whatever the original pitch deck promised. Two extra years on the high-risk deadline count as real relief. The cameras keep watching either way; what changes is who has to answer for what they capture.






