European Commission Issues Draft Guidelines for Following AI Act

admin


The European Commission’s Draft Guidelines are the Commission’s next step in issuing practical guidance to the statutory text of Article 6 of the AI Act

The guidelines are expressly aimed at supporting providers and deployers of AI systems in evaluating whether their AI system is classified as high-risk. The draft is not yet legally binding and has been published for stakeholder consultation. 

Why the European Commission Delayed the High-Risk AI System Guidelines

The original deadline for the draft guidelines for the European Commission was Feb. 2. A potential delay was forecasted on Jan. 26, when Deputy Director General for Communication Networks Renate Nikolay expressed that the guidance needed to provide legal certainty and thus, the Commission needed more time to work on the guidelines.

The delay was also a result of member-state-level authorities struggling to appoint enforcers, and the lack of sufficient advanced guidance on the enforcement of the directive before its scheduled implementation. A Commission spokesperson stated that the EU’s executives were integrating feedback and wanted to publish the draft guidelines in February for stakeholder input. 

As a result of the delay, AI systems subject to product regulation have a postponed compliance deadline of August 2028 and AI systems intended for use cases have a postponed compliance deadline of December 2027. 

How the Draft Guidelines Define and Classify High-Risk AI Systems Under the EU AI Act

Pursuant to Article 6 of the AI Act, there are two classifications of “high-risk” systems:

  1. AI systems embedded in products regulated under the Union’s legislation on product safety.
  2. AI systems that can significantly affect people’s health, safety, or fundamental rights in specific use cases listed in the AI Act.

The first classification provides two cumulative conditions under Article 6(1) and Annex I to classify a system as high-risk. First, the AI system must be a product itself, or a safety component of a product under the EU’s legislation of Annex I of the AI Act. Second, the system must undergo a third-party conformity assessment. As to the first condition, an AI system is a safety component if it is intended to prevent or mitigate risks to health, safety, or property, or, if the system’s failure could endanger health, safety, or property. As to the second condition under third-party conformity, the system must be subject to regulatory scrutiny involving a notified body before it can be placed in the EU market.

Once the two conditions are met under Article 6(1), the AI system is classified as high-risk under the first classification.

The second classification, governed by Article 6(2) and Annex III, classifies high-risk AI systems through determining whether a system’s intended purpose falls into one of the specific cases listed in Annex III, which identifies areas that are particularly susceptible to AI risks. Providers are responsible for clearly describing the system’s intended purpose including its envisioned use and its functionalities.

There are eight areas under Annex III which the system’s intended purpose could fall under:

  1. Biometrics
  2. Critical Infrastructure
  3. Education and Vocational Training
  4. Employment
  5. Essential Public and Private Services
  6. Law Enforcement
  7. Migration, Asylum, and Border Control
  8. Administration of Justice and Democratic Processes

If the system falls within an Annex III use case, providers are exempt from a high-risk classification if a “filter” governed by Article 6(3) applies. The filter applies under one of four conditions:

  1. The AI system is intended to perform a narrow procedural task.
  2. The AI system is intended to improve the result of previously completed human activity.
  3. The AI system is intended to detect decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment without proper human review; or
  4. The AI system is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III of the AI Act.

If a filter applies, the providers who rely on it must document a self-assessment explaining why the exemption applies. A misclassification can be penalized by market surveillance authorities. However, the filter cannot be applied if the AI system performs profiling of natural persons-automated processing of personal data to evaluate personal aspects.

Key Principles for Determining Whether an AI System Is High Risk

Before a classification is made, the system must first qualify as an “AI system” under Article 3(1) of the AI Act. Under the relevant definition, the AI system:

  • Must be a machine-based system designed to operate with varying levels of autonomy
  • May exhibit adaptiveness after deployment
  • Infers from input to generate outputs such as predictions, content, recommendations, or decisions, and
  • Can influence physical or virtual environments

The intended purpose of an AI system plays an important role in its classification as high-risk and for assessing compliance with the requirements of a high-risk AI system under the second classification governed by Article 6(2) and Annex III. It is the responsibility of the provider, who is supervised by the relevant competent market surveillance authorities, to assess whether an AI system is intended to be used for a high-risk use case. Consequently, a provider cannot merely assert that high-risk uses of the AI system are excluded to avoid being considered high-risk.

Additionally, distributors, importers, deployers, or other third parties may be subject to provider obligations under Article 25(1) of the AI Act if they:

  • Put their name on a high-risk system
  • Make a modification to one, or
  • Modify the purpose of a non-high-risk system so that it becomes high-risk

Furthermore, some AI systems that could be classified as high-risk may be entirely prohibited under Article 5 of the AI Act. The guidelines note that use cases listed in category 1 of Annex III should be considered in light of AI practices prohibited by Article 5.

Implementation Dates

Obligations under the first classification governed by Article 6(1) and Annex I of the AI Act will apply beginning on Aug. 2, 2028. The original application date was set for Aug. 2, 2027, but was then postponed.

Obligations under the second classification governed by Article 6(2) and Annex III of the AI Act will apply beginning on Dec. 2, 2027. The original application date was set for Aug. 2, 2026, but was then postponed.

Moreover, Article 111(2) of the AI Act states that the act applies to operators of high-risk AI systems that have been placed in the market or put into service before Aug. 2, 2026. Obligations under Article 111(2) of the AI Act will apply to operators of these systems if they undergo significant changes from Aug. 2, 2026.

Providers and deployers of high-risk AI systems intended to be used by public authorities should comply with the requirements and obligations for high-risk AI systems by Aug. 2, 2030.

AI systems that are components of the large-scale IT systems established by the legal acts listed in Annex X of the AI Act placed in the market or put into service before Aug. 2, 2027, should be brought into compliance with the high-risk requirements by Dec. 31, 2030.

European Commission Consultation on the Draft High-Risk AI Guidelines

The Commission is collecting feedback on the guidelines from stakeholders until June 23, 2026. The target audience is “[a]nyone with an interest in the development, deployment, supervision or use of AI systems…this includes AI providers and developers, organizations using AI systems, public authorities, researchers, civil society organizations, supervisory bodies and members of the public.”

In addition to the current feedback collection process, the AI Office organized a stakeholder workshop in December 2025 to collect more sector-specific feedback on the draft guidelines. In contrast, this round of feedback collection is targeted at collecting feedback on clarity, completeness, and usability of the draft guidelines.

Next Steps

The Commission will continue to review the list of high-risk use cases through a monitoring instrument and have the power to adopt delegated acts to add new use cases or remove existing ones. Moreover, the AI Office and the AI Act Service Desk will provide ongoing support. An AI regulatory sandbox is expected to be established by August 2026. 



Source link

Related Posts

California DPFI Suspends FIPVCC

On March 17, 2026, the California Department of Financial Protection and Innovation (DPFI) announced it would suspend implementation of the…

Leave a Reply

Your email address will not be published. Required fields are marked *