The European Commission has finally published its long-awaited draft guidance on how AI systems should be classified as “high-risk” under the EU AI Act, giving businesses their clearest indication yet of how regulators are likely to interpret one of the most important parts of the legislation.
For organisations developing, deploying, customising or procuring AI systems, the guidance represents a significant turning point. Until now, many businesses have struggled to determine whether their AI tools would actually fall into the AI Act’s strictest compliance category. The new guidance attempts to answer that question in detail, spanning 167 pages of explanations, examples and interpretation.
The timing is significant because the publication arrived just days after EU policymakers agreed, through the Digital Omnibus package, to postpone the application dates for most of the AI Act’s high-risk obligations. While that delay offers businesses more preparation time, the guidance itself makes clear that regulators intend to interpret the rules broadly and focus closely on the real-world impact of AI systems rather than just on how they are labelled or marketed.
Why “high-risk” status matters
Perhaps the most important aspect of the guidance is that it clearly notes that being classified as “high-risk” does not mean an AI system is prohibited. It does, though, trigger a compliance regime covering governance, transparency, human oversight, documentation, risk management, record keeping and data quality obligations.
For many businesses, particularly those already embedding AI into operational decision-making, the compliance burden could be substantial. The publication of the guidance signals that regulators now expect organisations to begin taking classification and governance more seriously.
The two routes into the high-risk category
The EC confirms that there are two main routes by which an AI system becomes high-risk.
The first applies where AI forms part of a product already regulated under existing EU product safety legislation, including areas such as medical devices, machinery, vehicles, aviation and industrial equipment. Where those products require third-party conformity assessments, the AI component may also fall into the high-risk regime.
The second route, which may affect a wider range of organisations, concerns the use cases listed in Annex III of the AI Act. These include AI systems used in areas such as recruitment, biometric identification, credit scoring, insurance pricing and law enforcement.
The guidance provides practical detail and tangible examples of systems that are likely to qualify as high-risk. Recruitment tools that rank candidates, AI systems that evaluate worker performance, exam proctoring software, biometric categorisation tools and AI-driven credit assessments are all specifically discussed.
The examples make it difficult to argue that a system falls outside the high-risk perimeter if it closely resembles the use cases identified in the guidance. This also indicates where regulators are likely to focus enforcement attention.
Why disclaimers may not work
The guidance rejects the idea that businesses can avoid classification through carefully drafted disclaimers. It notes that regulators will assess an AI system’s “intended purpose” by looking at the full picture, including technical documentation, marketing materials, demonstrations, sales messaging and contractual terms.
This means that simply stating in terms and conditions that a tool is “not intended for high-risk use” may carry little weight if the product is otherwise marketed in ways that clearly anticipate high-risk applications.
The EC explicitly warns that boilerplate exclusions will not protect providers where the broader presentation of the system suggests otherwise. This point is particularly important for providers of general-purpose AI systems, APIs and foundation-model integrations, where commercial positioning may become increasingly important in future regulatory assessments.
The guidance also contains a warning for businesses customising or adapting third-party AI tools. Organisations that fine-tune, rebrand or substantially modify AI systems may themselves become classified as “providers” under the AI Act, inheriting the full range of compliance obligations.
This means that companies integrating foundation models into HR tools, customer scoring systems or operational decision-making platforms may find themselves directly responsible for regulatory compliance even where the underlying AI originated elsewhere.
This may impact businesses’ procurement strategies and supplier negotiations, particularly where responsibility for governance, testing and documentation is concerned.
What about the exemption?
One of the most heavily debated areas of the AI Act has been the exemption mechanism, often referred to as the “filter.” This allows certain AI systems to avoid high-risk classification where they perform only narrow procedural or preparatory tasks without materially influencing outcomes.
The new guidance suggests regulators intend to interpret this exemption narrowly. The EC gives examples of tasks that may fall outside the high-risk regime, such as formatting documents, transcribing interviews or routing information for human review. However, once an AI system begins ranking candidates, influencing scores, identifying risk indicators or shaping decisions, the exemption will likely disappear.
The guidance also makes clear that systems involving profiling of individuals will generally not benefit from the carve-out at all, limiting the usefulness of the exemption for many real-world commercial AI deployments.
What the Digital Omnibus means here
Alongside these clarifications, the Digital Omnibus package has now reshaped the AI Act’s implementation timetable. Under the revised timeline, obligations for Annex III high-risk systems will now apply from 2 December 2027, while Annex I product safety systems will follow on 2 August 2028. Public sector obligations have been pushed further back to 2030.
For businesses, the delay provides valuable breathing room, but not a significant relaxation of the EU’s regulatory approach. And the guidance seems to support that. The EC appears determined to ensure that organisations cannot sidestep the rules through narrow interpretations or technical workarounds.
Many businesses will likely need the extra time simply to prepare. Identifying AI systems, assessing risk classifications, reviewing supplier relationships, building governance structures and preparing technical documentation are all likely to become major operational exercises, particularly for larger organisations with multiple AI deployments across departments.
Brussels’ regulatory message
The message from Brussels is that regulators intend to focus on how AI systems function in practice rather than how they are described on paper.
Human involvement will not automatically remove a system from the high-risk category if AI outputs continue to influence decisions. Splitting functionality across multiple tools or modules is also unlikely to avoid scrutiny if the systems collectively shape consequential outcomes.
The publication of the draft guidance marks the beginning of a much more concrete phase of AI regulation in Europe. Organisations now have a clearer view of how regulators are likely to assess AI systems and where enforcement priorities may emerge over the coming years.
The consultation on the draft guidance remains open until 23 June 2026, meaning there is still an opportunity for businesses and industry groups to influence some of the more contested interpretations. But it is clear that the EU is building a broad and highly interventionist framework for AI governance, and companies using AI in sensitive or decision-making contexts are firmly in scope.
The Digital Omnibus may have moved the compliance deadlines, but it has not changed the scale of the challenge ahead.



















