The European Commission has published draft guidelines on how to classify high-risk AI systems under the EU AI Act (the “Act”). The draft guidelines are open for feedback 19 May 2026 and 23 June 2026.
The draft guidance follows hot on the heels on the EU’s recent announcement that it is delaying key implementation dates under the Act, due to the introduction of the Digital Omnibus package (we will be writing a separate article on this shortly but essentially the Digital Omnibus is a package of changes to the EU AI Act and other digital legislation, proposed by the European Commission in November last year).
In particular the dates which are being delayed are the deadline of 2 August 2026 which is being delayed to 2 December 2027 (for Article 6(2) (Annex III use cases)) and from 2 August 2027 to 2 August 2028 (for Article 6(1) (Annex I safety component route).
Whilst compliance teams and lawyers in various organisations involved in high risk AI systems will be breathing a sigh of relief, appreciating that their workload over the summer of 2026 may be less frantic than originally anticipated, nonetheless the delay should be seen as important period to digest the 160+ pages of guidance and ensure readiness for the adjusted deadlines.
Focus point
At its core, the draft guidance focusses around one important question: when should an AI system be regarded as high-risk? It is intended to help providers and deployers of high risk AI systems, as well as regulators, work through a set of practical points, including whether a system is high-risk, the general principles that point towards that classification, when the Article 6 exception may apply such that an AI system falls outside the high risk category, and what records should be kept where a business decides a system is not high-risk.
Helpfully, the guidance is broken down into the following 3 sections:
- General principles
- High-risk AI in regulated products; and
- High-risk use cases in certain sensitive areas.
We take a brief look at each of these below.
General Principles – this section sets out the core framework for determining whether an AI system qualifies as high-risk under Article 6 of the Act. It explains that classification depends on two routes: (i) where the AI system is part of regulated products requiring safety conformity assessments, or (ii) where it falls within specific high-risk use cases listed in Annex III.
Before this analysis is undertaken, the system must first meet the legal definition of an AI system, meaning not all software is captured. A key determining factor is the system’s intended purpose, which must be clearly defined by the provider through documentation and marketing materials; if this is broadly framed or implicitly allows high-risk uses, the system may still be classified as high-risk, despite attempts to prevent this through the use of disclaimers. Responsibility for this assessment lies primarily with the provider, although third parties such as importers and distributors can assume obligations if they modify or re-purpose the system.
High-risk AI in regulated products – this section explains how AI systems linked to regulated products (Annex I e.g. lifts, children’s toys, radio equipment etc.) are classified as high-risk under Article 6(1) of the Act. It establishes a safety‑based, proportionate approach, under which only AI systems that are either (i) products themselves or (ii) safety components of products regulated by EU harmonisation legislation, and that require a third‑party conformity assessment, will be considered high-risk. The guidance clarifies the concept of a safety component, covering systems designed to prevent or mitigate risks, or whose failure could endanger health or safety, while excluding systems focused solely on optimisation or convenience. It also emphasises that classification builds on existing product safety regimes and introduces a structured methodology to ensure consistent assessment while avoiding unnecessary regulatory burden.
High-risk use cases in certain sensitive areas – the guidance breaks these cases down into 8 aspects (mirroring Annex III, namely biometrics, critical infrastructure, education and vocational training, employment, access to and enjoyment of essential private services and essential public services and benefits, Law Enforcement, Migration, asylum and border control management and finally Administration of justice and democratic processes.This section is particularly detailed. It looks at issues that arise across categories and then examines each category and sub-category in turn, setting out useful examples of systems which fall in or out of scope of high risk.
Given DWF’s expertise across several of these areas, and the likelihood that this section will have widespread applicability to organisations across a range of sectors, we thought it would be helpful to go through a few examples.
Biometrics
Critical infrastructure
Employment
Essential private services and essential public services and benefits
This section also covers what are referred to as horizontal issues, that apply across all of the 8 high risk categories. For instance, the role of human involvement in conjunction with the Annex III high risk AI systems. There is a certain exemption under Art 6(3) which states that an Annex III system will not be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of individuals, including by not materially influencing the outcome of decision making. This includes where an AI system is intended to perform a narrow procedural task; or to improve the result of a previously completed human activity etc. (provided that this doesn’t involve profiling of individuals).
The guidance states that whilst human involvement in itself does not impact the classification of the system as high-risk, the nature and extent of human involvement during the deployment of the system may demonstrate that the tasks the system is intended to perform are narrow procedural tasks or preparatory in nature, or that the system is only intended to improve a previously completed human activity, i.e. it supports the exemption under Art 6(3) applying. However, the guidance warns that a provider cannot exempt and categorise an AI system as ‘low risk’ simply by adding a requirement for human involvement to it.
What this means for UK organisations
The UK continues to take a different domestic approach from that of the EU, relying for the time being, on a principles based approach which is enforced by existing regulators, rather than a single AI statute.
Even so, UK organisations should not assume the Act is only relevant to businesses established in the EU. A UK company may still fall within scope if it places an AI system on the EU market, makes one available for use in the EU, or if outputs from its system are used there. UK organisations should therefore map their use of AI tools and operations in the EU, to consider whether the extra territorial effect of the Act could apply.
Conclusion
Although the guidance is not legally binding, it is likely to influence how regulators and courts approach classification over time. The guidance, whilst useful, is detailed and will require significant time to understand, digest, and then apply practically to readiness frameworks and policies.
The sensible next step is to map AI use cases, review governance and documentation, and make sure decisions on scope are recorded properly. Organisations that begin this work now are likely to be in a stronger position as the EU regime moves closer to full application.
If you would like to discuss any aspect of deploying or providing AI systems and the legal risks and issues which can arise, please feel free to get in touch for a no obligation initial discussion with one of our experts.
This article was authored by Chris Air, with assistance from Eirini Sakellari, who is a trainee in our Commercial Team.
