Fake EU AI Act Annex III high-risk-system conformity-assessment lure: "Notified Body audit — submit technical file with mandatory CE marking documentation within 14 days", targeting B2B HR-tech and fintech ML teams running AI Act Annex III deployments (employment screening, credit decisioning, biometrics). The Aug 2 2026 conformity-assessment deadline is a real and credible regulatory pretext. Real Notified Body audits are arranged through commercial contracts; conformity-assessment findings come via email plus formal letter, never via an inbound email link demanding immediate technical-file upload. Distinct from `ai-act-gpai-2026-compliance-deadline-lure` (GPAI providers, broader scope). Source: GC1 R8 multi-agent council top-5 (S3 EU-reg specialist).
ai-act-high-risk-annex-iii-conformity-assessment-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake EU AI Act Annex III high-risk-system conformity-assessment lure targeting B2B HR-tech, fintech ML, biometric, and credit-decisioning teams running AI Act Annex III deployments. The phish narrative arrives as: "Notified Body audit scheduled — submit technical file with mandatory CE marking documentation within 14 days," "AI Act Article 43 conformity assessment for your high-risk AI system is deficient — submit via Notified Body portal," or "Annex III high-risk audit deadline approaching — upload conformity-assessment evidence."
Annex III to the AI Act enumerates the high-risk system categories (employment screening, education, credit/credit-scoring, biometric identification, critical-infrastructure operation, law-enforcement, migration/asylum/border, justice/democratic-processes); each Annex III deployment requires a conformity assessment via a Notified Body by Aug 2 2026. The deadline gives attackers a hard real-world pretext and a clear regulatory consequence (Article 99 fines up to 7% of global turnover), which converts well against compliance teams under deadline pressure.
Lookalike Notified Body portals harvest the technical file (a complete blueprint of the AI deployment: training data sources, architecture, evaluation metrics, fairness analysis, ops procedures), CE-marking-related signed documents, and admin credentials. The exposure is IP loss plus regulatory-record tampering. Real Notified Body audits are arranged through commercial contracts; conformity-assessment findings come via email plus formal letter and a documented contractual engagement, never via an inbound email link demanding immediate technical-file upload from an unfamiliar domain.
Distinct from `ai-act-gpai-2026-compliance-deadline-lure` (GPAI providers / Article 53/55 broader scope): this signal is specifically the Annex III high-risk / Article 43 / Notified Body / CE-marking regulatory framing targeting B2B deployers.
Fires when the body references any of Annex III / high-risk AI / Notified Body / conformity assessment / technical file / CE marking / Article 6 / Article 9 / Article 10 / Article 11 / Article 13 / Article 43 AND contains urgency language: audit / submit / deficient / deadline / mandatory / action-required. Excludes ec.europa.eu, digital-strategy.ec.europa.eu, tuv.com, bsigroup.com, dekra.com, and the broader .europa.eu umbrella. Auto-classified as danger via the `-lure` suffix. Source: GC1 R8 multi-agent council top-5 (S3 EU-reg specialist).
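The firing condition above, sketched as an added Python example (not Gorganizer's own code). It assumes the exclusion list is checked against the sender address domain, and the names `lure_fires`, `sender_excluded` and the sample messages are constructed for illustration.

```python
import re

# Regulatory-framing terms and urgency terms taken from the rule text above.
TOPIC = re.compile(
    r"\b(?:annex\s+iii|high[- ]risk\s+ai|notified\s+body|conformity[- ]assessment"
    r"|technical\s+file|ce[- ]marking|article\s+(?:6|9|10|11|13|43))\b",
    re.IGNORECASE,
)
URGENCY = re.compile(
    r"\b(?:audit|submit|deficient|deadline|mandatory|action[- ]required)\b",
    re.IGNORECASE,
)
# Domains the rule excludes; "europa.eu" covers the whole .europa.eu umbrella.
EXCLUDED = ("europa.eu", "tuv.com", "bsigroup.com", "dekra.com")


def sender_excluded(address: str) -> bool:
    """True if the sender domain is an excluded domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Match on a label boundary so "tuv.com.mail-portal.example" and
    # "nottuv.com" are not mistaken for the real domain.
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)


def lure_fires(sender: str, body: str) -> bool:
    """Topic term AND urgency term AND sender not on the exclusion list."""
    if sender_excluded(sender):  # assumption: exclusion applies to the sender
        return False
    return bool(TOPIC.search(body)) and bool(URGENCY.search(body))


# Constructed sample messages (not real mail).
SAMPLES = [
    ("audit@nb-portal.example", "Notified Body audit scheduled - submit technical file within 14 days"),
    ("noreply@digital-strategy.ec.europa.eu", "Annex III guidance: conformity assessment deadline"),
    ("cert@tuv.com.mail-portal.example", "Article 43 conformity assessment is deficient"),
    ("news@vendor.example", "Our webinar on high-risk AI governance is next week"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{lure_fires(sender, body)!s:5}  {sender}")
```

The third sample shows why the exclusion must compare whole domain labels: a substring or prefix match on `tuv.com` would let a lookalike sender bypass the signal.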
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.