European Commission clarifies high-risk AI

The European Commission published draft guidelines on May 19 setting out how companies, public authorities and regulators should decide whether an AI system is “high-risk” under the EU AI Act. The draft, released for consultation until June 23, is meant to guide the application of Article 6, the part of the law that determines which systems face the Act’s toughest compliance duties. The Commission said the text is not legally binding, but reflects its interpretation and is intended to support enforcement. The guidance arrives as EU institutions are also revisiting parts of the law’s implementation timetable after industry pressure. ### Which AI systems does the Commission say are actually high-risk? Article 6 creates two routes into the high-risk category, and the Commission’s draft sticks closely to that structure. One route covers AI used as a safety component of products, or AI that is itself a product, under EU product laws listed in Annex I, where third-party conformity assessment is required. The second route covers standalone AI systems used for the specific use cases listed in Annex III of the AI Act. (digital-strategy.ec.europa.eu) The Commission said the examples in the draft are intended to help providers and deployers work through those categories in practice. The list is not exhaustive and may be updated over time, according to the Commission’s policy page and consultation notice. ### Why does this guidance matter so much for companies? High-risk status triggers the AI Act’s heaviest obligations before a product can be placed on the market or put into service. (digital-strategy.ec.europa.eu) Providers of high-risk systems generally have to run risk-management processes, prepare technical documentation, meet data-governance and human-oversight requirements, complete conformity assessment steps, and register the system in the EU database before launch, according to legal analyses of the draft and the Act’s structure. (digital-strategy.ec.europa.eu) Medianama reported that the provider’s stated intended purpose remains central to the classification test. The outlet said the draft makes clear that companies cannot rely only on restrictive terms of service if their marketing materials or product examples point users toward high-risk uses such as CV screening or credit scoring. ### Where is the new ambiguity around law-enforcement use? (dataprotectionreport.com) The Commission’s draft is aimed at clarifying Article 6, but outside analyses say it also leaves room for argument in some law-enforcement-adjacent cases. Medianama reported that some systems used by private companies on their own behalf may fall outside certain law-enforcement-related Annex III categories, because those categories are tied to the intended purpose and to the specific listed use case rather than to a broad sector label. (medianama.com) Data Protection Report said the draft spends significant time on the Article 6(3) derogation, which can keep some Annex III systems out of the high-risk bucket in limited circumstances. That matters because the Commission is not expanding the law’s list of high-risk use cases; it is explaining how to read the existing list and its carve-outs. (medianama.com) ### Is the Commission changing the law here? The Commission said the draft does not rewrite Article 6 and is not legally binding. The final authority to interpret EU law rests with the Court of Justice of the European Union, and the consultation is meant to gather feedback before the Commission adopts a final version. The guidance also comes after a separate political agreement on the “AI Omnibus,” which the Commission says changed the enforcement timetable for some obligations. (dataprotectionreport.com) Under the timeline on the Commission’s site, rules for certain high-risk areas including biometrics, critical infrastructure, education, employment, migration, asylum and border control apply from December 2, 2027, while rules for systems integrated into products such as robotics and industrial machinery apply from August 2, 2028. (digital-strategy.ec.europa.eu) ### What happens next before this becomes the working rulebook? The Commission’s consultation runs until June 23, 2026, and the feedback is due to be folded into the final version before formal adoption. The draft is split into general principles, Annex I guidance and Annex III guidance, and the Commission has published all three on its AI Act information platform. (digital-strategy.ec.europa.eu) European standardisation bodies CEN and CENELEC are also developing standards tied to high-risk compliance, according to Data Protection Report. Once those standards are published in the EU’s Official Journal, following them would provide a presumption of conformity for providers using the high-risk framework. (dataprotectionreport.com) (digital-strategy.ec.europa.eu)