EU AI Act Draft Guidelines Clarify High-Risk AI System Classification

The European Commission has published draft guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act, providing the clearest indication yet of how providers and deployers should assess whether artificial intelligence systems fall within the regulation’s most heavily regulated category.

While the guidance remains subject to consultation, it offers an important roadmap for organisations preparing for future compliance obligations under the AI Act.

For businesses developing, deploying or procuring AI tools, the consequences extend far beyond classification. High-risk AI systems are subject to extensive requirements relating to risk management, human oversight, documentation, transparency, conformity assessments and ongoing governance. Incorrect classification could expose providers and deployers to regulatory intervention, corrective measures and potential penalties under the AI Act.

What appears to be a technical assessment is, in practice, a governance and accountability exercise. The draft guidelines place significant emphasis on intended purpose, real-world deployment and the role AI systems play in sensitive areas such as employment, education, critical infrastructure, access to essential services and law enforcement.

For many businesses, the immediate challenge will not be complying with the AI Act’s high-risk obligations but determining whether those obligations apply in the first place. The European Commission’s draft guidance is intended to answer that threshold question, placing greater emphasis on governance, documentation and intended use than on the underlying technology itself.

Regulatory Action in Brief

The European Commission issued the draft guidelines pursuant to Article 6(5) of Regulation (EU) 2024/1689, the Artificial Intelligence Act. The document is intended to assist providers, deployers and market surveillance authorities in determining whether an AI system falls within the Act’s high-risk category.

The Commission’s draft framework identifies two routes through which an AI system may be classified as high-risk.

The first applies to AI systems that are safety components of regulated products or are themselves regulated products covered by EU harmonisation legislation and subject to third-party conformity assessment requirements under Annex I. The second applies to standalone AI systems used in specific sensitive sectors identified in Annex III, including employment, education, critical infrastructure, creditworthiness assessments, law enforcement, migration management and administration of justice.

What Is Known So Far

Intended purpose sits at the centre of the proposed classification framework. Regulators will assess technical documentation, instructions for use, sales materials, product positioning and marketing content when determining whether a system falls within a high-risk category.

That approach creates compliance challenges for providers of enterprise AI tools and general-purpose AI systems marketed across multiple sectors. Broad marketing claims may bring systems within high-risk categories even where providers attempt to exclude certain uses through contractual language.

The document also clarifies that not every automated decision-making tool falls within the scope of the AI Act. Before classification can occur, the technology must first satisfy the statutory definition of an AI system under Article 3(1).

Applicable Legal and Regulatory Framework

Article 6 establishes the legal framework for high-risk classification.

Under Article 6(1), AI systems become high-risk where they operate as safety components of regulated products or are themselves regulated products subject to third-party conformity assessment requirements. This approach aligns AI governance with existing EU product safety frameworks.

Under Article 6(2), high-risk classification applies to specific use cases listed in Annex III. Those areas include biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration management and judicial decision-making. The list is exhaustive unless amended through future delegated legislation.

Several additional provisions become relevant once a system enters the high-risk category. These include Article 14, which requires meaningful human oversight, Article 25 concerning provider responsibilities within the AI value chain, Article 71 establishing the EU database, Article 80 governing market surveillance powers and Article 99 concerning penalties.

Procedural and Enforcement Context

Unlike an enforcement decision, the publication does not accuse any company of wrongdoing. Instead, it provides interpretative guidance on how classification decisions should be made.

One of the most consequential sections concerns Article 6(3), commonly known as the “filter mechanism.” This provision allows certain Annex III systems to avoid high-risk classification where they perform only narrow procedural, preparatory, quality-improvement or pattern-detection functions that do not materially influence decision-making outcomes.

The exemptions are interpreted narrowly throughout the draft. Human involvement alone does not prevent a system from being classified as high-risk, and businesses cannot avoid classification simply by inserting a human review step into an otherwise high-risk workflow.

Compliance Obligations and Governance Implications

For compliance teams, the practical takeaway is straightforward: classification can no longer be treated as an informal technical exercise.

Legal departments will need to assess whether systems fall within Annex I or Annex III categories. Compliance teams will need documented classification methodologies. Procurement teams will need to evaluate vendor claims regarding AI Act status. Internal audit and risk functions will need mechanisms to monitor whether intended uses evolve after deployment.

Boards may also need greater oversight of AI governance frameworks.

That becomes especially important when AI influences recruitment decisions, customer eligibility assessments, creditworthiness evaluations, workplace management or access to essential services.

Technical capability alone is unlikely to satisfy regulators. Governance records, oversight structures and internal documentation are likely to receive equal scrutiny.

Liability and Risk Analysis

A realistic internal failure scenario illustrates the challenge.

A business acquires an AI-powered recruitment tool marketed as an administrative system designed to organise and sort candidate applications. Initially, the tool performs a procedural function. Over time, hiring managers begin relying on rankings, scores and recommendations generated by the system when making interview and hiring decisions.

The technology itself may not have changed. However, the intended purpose and practical use of the system may have evolved into a high-risk employment use case under Annex III.

Without effective governance controls, documentation reviews and compliance monitoring, companies may find themselves operating a high-risk AI system without implementing the obligations required by the AI Act.

The scenario illustrates why regulators are focusing so heavily on intended purpose, documentation and governance controls rather than purely technical design.

Financial and Operational Consequences

High-risk classification carries immediate compliance costs.

Companies may need to invest in governance frameworks, documentation systems, risk assessments, monitoring procedures, training programmes and oversight mechanisms. Procurement processes may require modification to ensure vendors provide sufficient information regarding classification and compliance status.

Deployment delays may be among the first operational consequences. Misclassification can also result in regulatory intervention, corrective action requirements and reputational damage. Where market surveillance authorities determine that a provider has improperly relied on Article 6(3) exemptions, authorities may require compliance measures and corrective actions. Penalties may also be available under Article 99 of the AI Act.

For businesses integrating AI into sensitive decision-making processes, classification errors may create legal, operational and commercial exposure simultaneously.

Legal Teams

Legal teams should begin by conducting formal Article 6 classification reviews for all AI systems currently in use or under consideration. That assessment should determine whether a system falls within Annex I or Annex III categories and whether any Article 6(3) exemptions may be available. Classification decisions should be documented and retained as part of the organisation’s compliance record. Legal departments should also review contracts with vendors, developers and deployers to ensure responsibilities for AI Act compliance, documentation and risk management are clearly allocated.

Compliance Teams

Compliance functions should establish a formal AI governance framework supported by written classification policies, approval procedures and monitoring controls. Maintaining an AI inventory or governance register can help track system purpose, classification status, ownership, risk assessments and exemption decisions. Where reliance is placed on Article 6(3), organisations should document the rationale in sufficient detail to demonstrate compliance if challenged by regulators.

Procurement Functions

Procurement teams should treat AI classification as part of vendor due diligence. Suppliers should be asked to disclose whether products have been assessed under the AI Act, whether high-risk classifications apply and whether conformity assessments or registration requirements have been completed. Procurement processes should also consider whether a proposed use case could alter the classification status originally identified by the vendor.

Risk and Internal Audit Teams

Risk and internal audit functions should monitor whether AI systems continue to operate within their documented intended purpose. Particular attention should be given to systems whose use expands over time, as evolving deployment practices may alter regulatory obligations. Regular reviews of governance controls, oversight mechanisms and decision-making processes can help identify compliance gaps before they become regulatory issues.

Boards and Senior Management

Boards should ensure clear accountability for AI governance exists across the organisation. Regular reporting should include information on high-risk AI systems, classification decisions, compliance risks, incidents and emerging regulatory obligations. Senior leadership may also wish to review whether sufficient resources, expertise and governance structures are in place to support long-term AI Act compliance.

This version feels much more like regulatory guidance rather than a bullet list. It also increases licensing value because it can function as a practical compliance briefing, board paper reference, or training resource. For Lawyer Monthly, I’d absolutely use the expanded version.

Regulatory and Policy Considerations

The publication offers a useful insight into how Brussels is approaching AI regulation. Policymakers are attempting to encourage adoption while reserving the strictest controls for systems capable of affecting health, safety or fundamental rights.

Regulators also appear concerned about regulatory circumvention, particularly where providers attempt to fragment systems, redefine intended purposes or rely on superficial human involvement to avoid classification requirements.

Profiling remains one of the areas attracting the greatest regulatory attention. Systems involving profiling of individuals are unlikely to benefit from Article 6(3) exemptions even where other exemption criteria may appear applicable.

Key Takeaways

The draft guidelines make clear that high-risk AI classification is as much a governance issue as a technical one.

Businesses should avoid treating AI classification as a responsibility that sits exclusively with technology teams. Legal, compliance, procurement, risk and board-level stakeholders all have responsibilities under the emerging framework.

The cost of getting classification wrong extends beyond regulatory compliance. Misclassification can expose businesses to operational disruption, enforcement action, governance failures and reputational harm.

Regulatory scrutiny is likely to focus heavily on documented decision-making, intended purpose, accountability structures and ongoing oversight rather than technical functionality alone.

What Happens Next

The guidelines remain in draft form and are currently subject to stakeholder consultation before final adoption by the European Commission. Further guidance is expected regarding compliance obligations for high-risk systems and responsibilities across the AI value chain.

The draft also notes that implementation deadlines have been postponed under the AI Omnibus package, with obligations relating to Article 6(2) high-risk systems expected to apply from 2 December 2027 and Article 6(1) obligations from 2 August 2028.

For businesses currently deploying AI systems, the consultation period provides an opportunity to review governance structures before enforcement expectations become fully operational.

Sources and Legal Authorities

• Regulation (EU) 2024/1689 (Artificial Intelligence Act)
• Article 6 AI Act
• Article 14 AI Act
• Article 25 AI Act
• Article 71 AI Act
• Article 80 AI Act
• Article 99 AI Act
• Annex I AI Act
• Annex III AI Act
• European Commission Draft Guidelines on the Classification of High-Risk AI Systems under Article 6 AI Act (2026 stakeholder consultation draft)