EU opens high-risk AI guidance
- The European Commission opened a public consultation on draft guidance to classify “high-risk” AI systems, a step that will determine which products face the strictest rules.
- The draft also centralises enforcement by giving the EU’s new AI Office exclusive competence over some obligations tied to general-purpose AI models, shifting oversight away from individual member states.
- The move coincides with 25 EU regulators preparing coordinated privacy‑notice audits after €1.2bn in GDPR fines in 2025, and France’s CNIL plans heavy data‑security checks. (itpro.com) (globalpolicywatch.com) (kiteworks.com)
1/ The European Commission launched a public consultation on May 20, 2026, on draft guidelines for classifying "high-risk" AI systems under the EU AI Act. The classification determines which AI products must comply with the strictest rules, such as risk management, conformity assessment and transparency obligations.

2/ High-risk AI covers systems used in education, employment, critical infrastructure and law enforcement, areas where errors could harm fundamental rights or safety. The 28-page draft lists 14 examples, such as AI for biometric categorisation or emotion recognition in workplaces. Providers cannot opt out by adding disclaimers; the deployment context decides the label.

3/ The consultation runs until July 15, 2026, with stakeholders submitting feedback via the Commission's "Have Your Say" portal. Final guidelines are expected later in 2026, ahead of full AI Act enforcement on August 2, 2027. This shapes market access for AI firms targeting EU users.

4/ Separately, amendments give the EU AI Office exclusive oversight of general-purpose AI (GPAI) models, such as large language models, for obligations including systemic-risk evaluations. This shifts power away from national authorities, in recognition that GPAI risks are cross-border.

5/ The AI Office, established in 2024, now handles GPAI compliance directly, for example through codes of practice for frontier models. Member states remain responsible for other high-risk systems, but Brussels leads on the largest models. Enforcement starts February 2027 for GPAI.

6/ This lands amid ramped-up enforcement. In 2025, EU regulators issued €1.2 billion in GDPR fines, and breach notifications rose 22%. AI tools now raise new disclosure risks in privacy notices.

7/ Twenty-five EU data protection authorities plan coordinated audits of company privacy notices starting mid-2026. The focus is accuracy and transparency about AI data processing. Non-compliance risks fines of up to 4% of global annual turnover.

8/ France's CNIL reported record complaints, fines and breaches in 2025; half of its 2026 inspections will target data security, in preparation for its AI Act duties. CNIL has previously fined Amazon, including a €32 million penalty against Amazon France Logistique for excessively intrusive employee monitoring.

9/ Timeline: high-risk rules apply from August 2027; prohibited AI practices (e.g., social scoring) have been banned since February 2025. GPAI obligations are tiered: models with systemic risk (determined by training compute) carry the heaviest duties, while open-source models get lighter obligations unless they pose systemic risk. Fines reach €35 million or 7% of global annual turnover for the most serious violations.

10/ Firms like OpenAI and Google already self-assess GPAI models under interim rules. The guidance clarifies whether tools like hiring AI or medical diagnostics cross high-risk thresholds based on use case, not just capability.

11/ Broader context: the EU AI Act, the world's first comprehensive AI law, passed in March 2024. It complements the GDPR, and the 25 regulators' audits bridge the two regimes. The U.S. lags with voluntary guidelines; China mandates security reviews. Expect global ripple effects by 2027.