EU issues draft high-risk AI guidance

1/ The European Commission on May 19 published draft guidelines on how to classify “high-risk” AI systems under the EU AI Act and opened a public consultation through June 23. The draft is meant to help providers, deployers and market surveillance authorities apply Article 6 more consistently. (digital-strategy.ec.europa.eu) 2/ This is guidance on classification, not a rewrite of the law. The legal baseline remains the EU AI Act, Regulation (EU) 2024/1689, which sets the obligations for high-risk systems and the broader risk-based structure of the regime. (eur-lex.europa.eu) 3/ The immediate practical question is simple: does your system fall into the high-risk bucket at all? The Commission’s draft says the guidelines are designed to support that threshold decision, with general principles plus separate treatment of the two Article 6 pathways. (digital-strategy.ec.europa.eu) 4/ Those two pathways matter. Under Article 6, one route covers AI systems that are safety components of products, or are themselves products, already regulated under EU product-safety laws listed in Annex I. The other route covers stand-alone use cases listed in Annex III. (eur-lex.europa.eu) 5/ In plain English: some systems are high-risk because they sit inside regulated products; others are high-risk because of what they do. Annex III is where many buyers and vendors will focus, because it captures sensitive uses in areas such as employment, education, essential services, law enforcement, migration and administration of justice. (eur-lex.europa.eu) 6/ The Commission says the draft includes practical examples to show how classification should be assessed across different sectors and use cases. That matters because many disputes under the AI Act will start with edge cases: tools that look general-purpose in marketing copy but are deployed into a regulated decision workflow. (iapp.org) 7/ The timing is notable. IAPP reported the guidance was originally due by Feb. 2, 2026, and the Commission missed that deadline before releasing the draft on May 19. The consultation is now open, but the Commission has not given a timeline for final guidance. (prod.iapp.org) 8/ Why this matters for companies right now: classification drives the rest of the compliance stack. If a system is high-risk, the AI Act points to mandatory requirements around risk management, data and data governance, technical documentation, logging, human oversight, accuracy, robustness and cybersecurity. (eur-lex.europa.eu) 9/ So even though this draft is framed around classification, it has operational consequences. A company deciding whether a system is high-risk is also deciding whether it needs the evidence, controls and paperwork expected under the Act’s high-risk regime. (digital-strategy.ec.europa.eu) 10/ For U.S. vendors, the near-term effect may show up first in procurement rather than enforcement. That is an inference, but it is supported by the structure of the draft and the Act itself: once buyers in Europe need to determine whether a tool is high-risk, they will ask suppliers for clearer use-case descriptions, documentation and control evidence. (digital-strategy.ec.europa.eu) 11/ That means product teams should expect sharper questions about intended purpose, user role, deployment context, human review, logging, and whether the system influences decisions in Annex III-type settings. The draft is aimed at classification, but classification depends on those facts. (digital-strategy.ec.europa.eu) 12/ There is also a timing wrinkle. IAPP reported last week that a political agreement on the EU’s Digital Omnibus would move application dates for certain high-risk AI rules to Dec. 2, 2027, and for some product-integrated systems to Aug. 2, 2028, if formally adopted and published. That does not erase the need to map systems now; it affects when some obligations would apply. (iapp.org) 13/ The safest reading for companies is procedural, not dramatic: inventory systems, define intended purpose narrowly, map whether the tool falls under Annex I or Annex III, and prepare documentation that can survive customer and regulator scrutiny. That is an inference from the Commission’s stated purpose for the draft and the Act’s high-risk obligations. (digital-strategy.ec.europa.eu) 14/ The next formal milestone is June 23, 2026, when the Commission’s consultation on the draft guidelines closes. Until final guidance arrives, the draft is the clearest signal yet on how Brussels wants companies to approach the threshold question that determines whether the AI Act’s toughest requirements attach. (digital-strategy.ec.europa.eu)