European Commission Issues Draft Guidelines on “High-Risk” AI Systems

On 19 May 2026, the European Commission published draft guidelines on the classification of “high-risk” AI systems under Article 6 of the EU AI Act (the “AI Act”) and opened a public consultation through 23 June 2026. The draft guidelines provide practical, step-by-step framework, for determining when an AI system falls within the “high-risk” category and triggers the more stringent compliance requirements of the AI Act.

1. Is the system an AI system?

A high-risk classification is relevant only if the product in question is an “AI system”.  In plain terms, this means a machine-based system that processes inputs, from which it infers how to generate outputs (such as predictions, recommendations, or decisions) with varying levels of autonomy, and that may adapt over time after it has been deployed. Not every software application or automated tool meets that threshold. The draft guidelines refer to the EU Commission’s guidelines on the definition of AI system, which provide that there is no exhaustive list of AI systems and that the classification depends on the specific architecture and functionality of the relevant system.

2. What is the “intended purpose” of the AI system?

The system’s intended purpose – namely, what it is designed and presented to do – is central to determining whether it is high-risk.  In other words, classification turns not only on what the technology can do, but also on how the provider presents and documents it. If product materials, including usage policies and instructions, contracts, marketing materials, or technical documentation present the AI system broadly across multiple contexts and functions and do not consistently limit or exclude high-risk uses, the system may be treated as high-risk.

3. Is the AI system a regulated product, or a safety component of a regulated product (Annex I)?

An AI system is “high-risk”, pursuant to Annex I of the AI Act, if two cumulative conditions are met: First, the AI system is itself a product, or a safety component of a product, covered by the Union harmonization legislation listed in Annex I of the AI Act (which covers a range of regulated products, such as machinery, toys, lifts, radio equipment, medical devices, and products in the automotive and aviation sectors). Second, the respective product is subject to a third-party conformity assessment.

The draft guidelines explain that a “safety component” may exist not only where the AI system is intended to perform a safety function, but also where its failure or malfunction would endanger the health or safety of persons or property.

4. Is the AI system included within the high-risk use cases prescribed in Annex III?

Annex III of the AI Act provides an alternative route to high-risk classification, by setting out a closed list of high-risk use cases across eight sensitive sectors: biometrics, critical infrastructure, education and vocational training, employment, access to essential private and public services and benefits, law enforcement, migration, asylum and border control, and the administration of justice and democratic processes, all of which classify the underlying AI systems as “high risk” systems. Such AI systems may include, for example:

• an AI system used to screen CVs, rank job applicants, or make decisions on promotions or terminations
• an AI system used by a bank to assess creditworthiness, or by an insurer to review applications for life insurance
• an AI system used to evaluate students, assess learning outcomes, or determine access to educational institutions
• AI systems intended to be used for the profiling of natural persons in the course of the detection, investigation or prosecution of criminal offences.

The draft guidelines further provide a wide range of practical examples of high-risk AI systems in various sectors – a useful starting point for assessing whether a specific system might be caught.

The guidelines clarify that not every AI system used in the sectors mentioned above is high-risk; only the use cases expressly listed in Annex III qualify.

Article 6(3) of the AI Act also provides exemptions from the high-risk category, where the AI system performs a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns or deviations without replacing or influencing prior human assessment, or performs a preparatory task for an Annex III use case. The draft guidelines stress, however, that this is a narrow exception and should be relied on with caution.

5. Timelines

The obligations applicable to high-risk AI systems under Annex III are currently expected to become applicable as of 2 December 2027, whereas those under Annex I are expected to become applicable as of 2 August 2028. It is noted, however, that the AI Act includes several exemptions under which the application date may differ, based on the date the AI system was placed on the market or put into service.

What should organizations that provide AI systems in the EU do to prepare?

• Assess and document whether their AI system qualifies as an “AI system” under the AI Act, considering, inter alia, its inferential element, degree of autonomy, and outputs.
• Align technical documentation, product descriptions, marketing materials, contracts, and policies to ensure consistent description of the AI system’s intended purpose and expressly limit or prohibit high-risk uses where appropriate.
• Assess and document whether the AI system is high-risk under Annex I or Annex III.
• Where Annex III applies, assess whether the exemptions under Article 6(3) may exclude the AI system from the high-risk category.
• Where the AI system is high-risk, conduct a gap analysis to identify gaps in compliance with the obligations of the AI Act that apply to high-risk AI systems, and act to remediate identified gaps within the applicable timelines. Such obligations include, for example, the establishment of a continuous risk management system, satisfaction of conformity assessment procedures, data governance requirements, transparency obligations and, in the case of providers established outside the EU, the appointment of an authorized representative within the EU.

Please do not hesitate to contact us with any questions and/or advice regarding the above.

This client update is intended to provide only general information, does not constitute a full and complete analysis of the matters discussed herein, and may not be relied upon as legal advice.