
The AI Act High-Risk AI Draft Guidelines: First Reactions & Key Takeaways

Leïla Sayssa
May 19, 2026·14 minutes read time

Note: This analysis is based on the Commission's draft guidelines on the classification of high-risk AI systems, published for consultation. These guidelines are not yet final. What follows is a first read. We will update this piece with a fuller analysis, including any material changes from the draft and their practical implications for providers and deployers.

The European Commission has released a series of draft guidelines to clarify the classification of high-risk AI systems under Article 6 of the AI Act. These guidelines are essential for providers, deployers, and market surveillance authorities to ensure the uniform application of the law, which aims to promote AI innovation while protecting health, safety, and fundamental rights.

The Commission acknowledges that these guidelines are draft documents published for stakeholder feedback and are not yet binding. To keep the list of high-risk use cases relevant, the AI Act includes a monitoring mechanism to review and update Annex III annually as technology evolves. Adhering to these principles now is a critical step for organizations to build trustworthy and compliant AI within the European market.

It is important to note that this is still a draft. The Commission has published it specifically to submit it for stakeholder consultation to gather input before adopting a finalised version.

1. What do the guidelines include?

The package consists of three interconnected draft guidelines issued by the European Commission, which provide practical guidance on how to classify AI systems as high-risk under Article 6 of Regulation (EU) 2024/1689. The three drafts cover:

Why high-risk classification matters

The entire logic of the AI Act is built upon a risk-based approach. Being categorised as a "high-risk AI system" under Article 6 triggers strict and significant obligations for both providers and deployers, ensuring these systems are trustworthy, safe, and respect fundamental rights. Until now, the boundary between risk levels could appear blurred.

These guidelines provide the concrete method and criteria to determine whether your AI system falls into this regulated category or if it qualifies for an exemption. The document includes interpretation of key concepts, practical examples across all Annex III areas (such as biometrics, employment, and education), and detailed explanations of the "filter mechanism" under Article 6(3) which allows certain systems to be exempted from the high-risk classification.

A high-risk classification triggers a full compliance framework under Chapter III of the AI Act, including mandatory risk management, data governance, technical documentation, human oversight, accuracy/robustness requirements, transparency obligations, and conformity assessments.

Classification is not a prohibition; it means the system is subject to heightened obligations to ensure it is safe and rights-respecting.


2. Key AI Act dates under AI Omnibus

| Date | Event | What it means |
|---|---|---|
| 2 August 2026 (→ postponed to 2 December 2027 under AI Omnibus) | Art. 6(2) + Annex III rules apply | High-risk for stand-alone use cases (biometrics, employment, etc.) |
| 2 August 2027 (→ postponed to 2 August 2028 under AI Omnibus) | Art. 6(1) + Annex I rules apply | High-risk for safety-critical product AI |
| 2 August 2030 | Hard deadline for public-authority deployers | All high-risk AI systems used by public authorities must comply |
| 31 December 2030 | Large-scale IT systems (Annex X) | Legacy systems in EU large-scale IT programmes must comply |

3. Who is subject to high-risk rules?

Providers

Any natural or legal person placing a high-risk AI system on the EU market or putting it into service under their own name or trademark.

Core obligations: risk management, data governance, technical documentation, accuracy/robustness/cybersecurity, human oversight design, registration in EU database, conformity assessment, CE marking (for Annex I systems).

Deployers

Any person using a high-risk AI system under their authority in a professional context.

Core obligations: implement provider instructions, ensure human oversight, monitor performance, not use the system in ways beyond its intended purpose, log-keeping.

Becoming a provider (Art. 25(1))

While the original provider is typically responsible for self-assessment, the draft warns that distributors, importers, or deployers can inherit all "provider" obligations.

Three circumstances convert a distributor, importer, or deployer into a provider with full provider obligations:

  1. Putting their own name or trademark on a high-risk system already on the market
  2. Making a substantial modification to a high-risk system
  3. Changing the intended purpose of a non-high-risk system in a way that makes it high-risk

For General Purpose AI System (GPAI) integrators: If you build a downstream application on a GPAI model and your intended purpose includes a high-risk use case, you may become the provider of a high-risk system even if the underlying GPAI model provider is not.


4. The two scenarios for high-risk classification

Under the AI Act, an AI system is deemed "high-risk" if it falls into one of two specific legal scenarios defined in Article 6:

  1. Safety Components and Regulated Products (Article 6(1)): This applies if the AI system is a product itself or a safety component of a product covered by the EU harmonisation legislation listed in Annex I (e.g., machinery, toys, or medical devices) and is required to undergo a third-party conformity assessment.
  2. Specific Use Cases (Article 6(2)): This applies if the AI system falls under the high-risk areas listed in Annex III of the AI Act.

To make these rules more accessible, the Commission has released the guidelines in separate, user-friendly chapters focusing on General Principles, Annex I, and Annex III.

5. Key elements of the high-risk assessment

Before a system can be subjected to the rigorous requirements for high-risk AI, it must meet several threshold criteria:

  • It must be an "AI System": Only systems meeting the definition in Article 3(1), meaning machine-based systems designed for autonomy and inference that influence environments, are covered.

  • The power of "Intended Purpose": Classification depends heavily on how the provider defines the system's use in instructions, sales materials, and technical documentation. Merely stating in terms of service that "high-risk use is prohibited" is insufficient if the system's actual capabilities and marketing suggest otherwise.

Preventing circumvention: Providers cannot avoid a high-risk classification by simply stating in terms of service that "high-risk use is prohibited" if their overall marketing or the system's actual capabilities effectively promote such use.

Tip: don't rely on a single disclaimer to stay out of the high-risk category. Regulators will look at your technical documentation, marketing copy, instructions, and T&Cs together. If the overall picture points to high-risk use, the disclaimer won't save you.

  • Defining "safety components": An AI system is a safety component if it fulfills a safety function (e.g., detecting human presence in a robot's path to trigger a stop) or if its failure endangers the health and safety of persons or property.

6. Assessing complex & agentic AI systems

The Commission clarifies that where multiple AI components jointly influence an individual decision in an Annex III use case, the combined configuration must be assessed as a single AI system.

This is particularly relevant for multi-component and "agentic" AI systems that coordinate linked actions to serve a high-risk purpose. Providers cannot avoid high-risk classification by splitting a workflow into separate modules if the overall system materially influences a relevant decision.


7. The "Filter Mechanism" of Article 6(3)

Article 6(3) provides a "filter mechanism" to exempt systems that do not pose significant risks, but the Commission interprets this exception narrowly.

This allows a system to be exempted from high-risk classification if it does not pose a significant risk of harm, such as when it:

  • Performs a narrow procedural task (e.g., indexing, formatting, deduplication)
  • Improves the result of a previously completed human activity
  • Performs a preparatory task for an assessment (e.g., factual verification or scheduling)

Exception to the filter: Any system that performs profiling of natural persons can never benefit from this filter and is always high-risk.

The decisive threshold is whether the system materially influences the substance or outcome of a decision.

Critical rule: The filter mechanism is never available where the AI system performs profiling (automated processing of personal data to evaluate personal aspects of natural persons as defined in Art. 4(4) GDPR). Profiling systems in Annex III areas are always high-risk.

In other words, any system that performs profiling of natural persons can never benefit from this filter and will always be classified as high-risk.

8. The eight Annex III high-risk areas

| Area | Why high risk | Who it applies to | Example |
|---|---|---|---|
| 1. Biometrics | Processes sensitive biometric data; risks discrimination, unlawful surveillance, or misidentification with serious consequences for individual rights and freedoms. | Providers of remote biometric identification systems, and AI used for biometric categorisation or emotion recognition in workplaces or educational settings. | A facial recognition system used by an employer to control building access must be registered and undergo conformity assessment. |
| 2. Critical infrastructure | Failures can disrupt essential services (energy, water, transport, finance) at scale, posing systemic risk to entire populations. | Providers and operators deploying AI as a safety component in critical digital infrastructure or managing road traffic, water, gas, heating, or electricity supply. | An AI system managing load balancing for a national electricity grid (a malfunction could cause widespread outages affecting millions). |
| 3. Education & vocational training | Shapes access to education and life trajectories; biased or erroneous outputs can unlawfully restrict learning opportunities and career paths. | Providers of AI used to determine access to educational institutions, assess learning outcomes, or monitor students during exams. | An automated scoring system ranking university applicants based on admissions essays (errors could unjustly exclude qualified candidates). |
| 4. Employment & worker management | Directly affects livelihoods; algorithmic hiring and monitoring tools can embed discrimination and remove meaningful human oversight over consequential decisions. | Providers of AI used for recruitment, CV filtering, performance evaluation, task allocation, or monitoring employee behaviour. | An HR tool shortlisting CVs for job interviews: if trained on historically biased data, it may systematically exclude protected groups. |
| 5. Essential services & public benefits | Decisions on credit, insurance, and social benefits have fundamental welfare impact; errors can deny access to vital resources. | Providers of AI evaluating eligibility for credit, insurance, public social benefits, emergency dispatch prioritisation, or life/health insurance risk assessment. | A bank's AI credit scoring model automatically approving or rejecting personal loan applications (a flawed model could deny credit on the basis of proxy variables). |
| 6. Law enforcement | State coercive power backed by AI poses acute risks to liberty, presumption of innocence, and non-discrimination, particularly where outputs inform arrests or investigations. | Providers of AI used by law enforcement to assess recidivism risk, predict crime, detect emotions during questioning, or evaluate the reliability of evidence. | A predictive policing tool assigning risk scores to individuals to recommend patrol deployment (errors risk discriminatory targeting of communities). |
| 7. Migration, asylum & border control | Decisions affect fundamental rights (asylum, non-refoulement, family unity) for vulnerable people with limited recourse; errors can cause irreversible harm. | Providers of AI used by migration or border authorities to assess irregular migration risk, verify documents, process visa or asylum applications, or monitor borders. | An AI tool assessing the credibility of an asylum seeker's account to recommend approval or rejection (a false negative could result in return to persecution). |
| 8. Administration of justice & democracy | AI influence over judicial decisions or democratic processes threatens the rule of law, fair trial rights, and free elections. | Providers of AI assisting courts, arbitration bodies, or electoral authorities — including tools that research case law, recommend sentences, or support electoral administration. | A legal research tool used by judges to summarise case law and suggest sentencing principles (biased outputs risk systematically skewing judicial outcomes). |

9. Focus on employment & worker management

Broad interpretation of recruitment and selection

The section on Area 4 of Annex III (Employment) establishes a broad interpretation of recruitment, covering the entire process of preparing a new work-related relationship.

  • In-scope systems: this includes AI used for targeted job advertisements, candidate sourcing across platforms, CV screening, ranking and scoring, background checks, and determining access to self-employment.
  • Platform workers: Systems that rank freelancers or platform workers fall into the high-risk category because they shape access to future assignments and livelihoods.
  • Candidate-side exclusions: Conversely, tools intended to be initiated and controlled by the candidate (e.g., AI that helps an individual improve their own CV or identify suitable vacancies) are generally outside the high-risk recruitment use case.

Functional reading of workplace management

For management of existing work relationships (Annex III, 4(b)), the guidelines follow a functional reading focused on the impact on the worker.

  • High-risk decisions: AI systems are captured if they are used to make decisions affecting terms of work, promotion, termination, task allocation, or performance evaluation. This applies even when a human manager formally takes the final decision but significantly relies on the AI output.
  • Operational threshold: Not every day-to-day managerial adjustment is captured. Minor organisational arrangements that do not materially affect workers’ rights, obligations, or career prospects (such as allocating a specific desk or a lunch break time within an assigned shift) are not automatically treated as high-risk.

10. Consequences of high-risk classification

For providers

If an AI system is classified as high-risk, providers must comply with all of the following (Chapter III, Section 2 AI Act):

| Obligation | Summary |
|---|---|
| Risk management system (Art. 9) | Continuous, iterative risk identification and mitigation throughout the lifecycle |
| Data governance (Art. 10) | Training/validation/testing datasets must meet quality criteria; bias identification and mitigation |
| Technical documentation (Art. 11) | Comprehensive documentation before market placement; kept up to date |
| Record-keeping / logging (Art. 12) | Automatic logging to enable post-hoc auditability |
| Transparency to deployers (Art. 13) | Instructions for use covering capabilities, limitations, human oversight requirements |
| Human oversight (Art. 14) | System designed to allow meaningful human intervention, monitoring, override, and shutdown |
| Accuracy, robustness, cybersecurity (Art. 15) | Stated performance levels; resilience to errors, faults, inconsistencies, adversarial attack |
| Conformity assessment (Art. 43) | Either internal (provider self-assessment) or third-party, depending on type; before market placement |
| EU database registration (Art. 71) | Registration required before placement on market (for most systems) |
| CE marking (Art. 48) | Required for systems covered by Annex I |
| Post-market monitoring (Art. 72) | Continuous monitoring after deployment |

For deployers

Deployers must:

  • Use the system only within its intended purpose and instructions
  • Implement human oversight measures as specified by the provider
  • Ensure relevant staff are trained
  • Monitor performance and report serious incidents
  • Not process biometric data beyond what the provider permits


