There is a question at the heart of the European Union’s Artificial Intelligence Act on which almost everything else depends: when is an AI system “high-risk”? The answer is not academic. From it follows whether a company must set up a risk-management system, document its data governance, ensure human oversight, register the system in a European database and undergo conformity assessments —or whether, on the contrary, it stays outside almost all of that. It is the line that separates a handful of obligations from a full compliance regime, and with it, the difference between a minor cost and one that can run to hundreds of thousands of euros per system.
On 19 May 2026, the European Commission finally published the guidelines that try to draw that line. It did so through three documents —general principles, the Annex I route and the Annex III route— open for public consultation until 23 June. It is the first time the Commission has explained, at this level of detail, how it reads the most consequential classification question in the entire Regulation.
It is worth saying from the outset what these guidelines are and are not, because the nuance is everything. They do not change the classification rules: Article 6 of the AI Act still says what it said. What they do is interpret it, offer examples and, according to the Commission itself, facilitate uniform application. But they are not legally binding —only the Court of Justice of the European Union can give the authoritative reading— and they themselves warn that their list of examples “is not exhaustive and may be updated over time.” That is: the most awaited guidance to clarify the high-risk boundary arrives acknowledging that the boundary is still not sharp.
The two gateways into high-risk
Article 6 sets out two paths by which an AI system is classified as high-risk, and the guidelines devote a section to each.
The first gateway is Article 6(1) and Annex I: a system is high-risk if it functions as a safety component of a product —or is itself a product— covered by EU harmonisation legislation, and that product must undergo a third-party conformity assessment. We are talking about machinery, lifts, toys, medical devices, radio equipment. The logic is inherited from product-safety law: if an AI controls a vehicle’s braking or a medical device’s dosing, its failure has physical consequences, and the law treats it accordingly.
The second gateway is Article 6(2) and Annex III: a system is high-risk if it is intended for one of the use cases listed in eight areas the Regulation considers sensitive. This is the gateway most companies pass through, and it is worth listing the eight areas because they map out what Europe considers delicate:
| # | Annex III area | Examples of high-risk use cases |
|---|---|---|
| 1 | Biometrics | Remote biometric identification; biometric categorisation; emotion recognition |
| 2 | Critical infrastructure | Traffic management, water, gas, electricity, heating supply |
| 3 | Education and training | Admission, learning assessment, exam-fraud detection |
| 4 | Employment and worker management | CV screening, promotion or dismissal decisions, task allocation |
| 5 | Essential services (public and private) | Creditworthiness assessment, scoring, access to benefits, emergency triage |
| 6 | Law enforcement | Recidivism-risk assessment, polygraphs, evidence-reliability evaluation |
| 7 | Migration, asylum and border control | Risk assessment, document verification, application examination |
| 8 | Administration of justice and democratic processes | Assistance to judicial authorities, influence on elections or referendums |
The list reveals an underlying principle that the Commission and analysts alike stress: what triggers high-risk is not the technology itself, but the context of use and the intended purpose. The same language model can be minimal-risk if it drafts emails and high-risk if it screens job applications. Classification, in the words of the lawyers who have read the draft, is “fact-specific”: it depends on what the system is deployed for, not on how it is built.
The Article 6(3) filter: the way out
Here appears the most disputed element of the draft. Article 6(3) contains an exception: even if a system falls into one of the eight Annex III areas, it may not be high-risk if it does not pose a “significant risk of harm” to health, safety or fundamental rights. The Regulation offers four conditions that can trigger that exit —for example, that the system performs only a narrow procedural task, or that it merely improves the result of a prior human activity.
It is an attractive way out for companies, because it allows them to argue that their system, despite operating in a sensitive area, does not deserve the full regime. But the guidelines, according to early readings by the firms following the file, warn against overusing this filter. The recommendation that recurs among analysts is cautious: in ambiguous sectors, it is wise to plan against the most expansive reading —that is, to assume the system is high-risk— rather than lean on the 6(3) filter and risk a later reclassification. The burden of proving the exception applies falls, moreover, on the provider, who must document its assessment.
Why it matters so much: the arithmetic of misclassifying
The reason this boundary draws so much attention is economic, and it is worth setting out with numbers. The AI Act’s sanction regime, fixed in its text, scales with severity:
| Type of breach | Maximum fine | Calculation base |
|---|---|---|
| Prohibited practices (Article 5) | €35M or 7% of worldwide turnover | The higher figure |
| Other obligations (incl. high-risk) | €15M or 3% of worldwide turnover | The higher figure |
| Incorrect information to authorities | €7.5M or 1.5% of worldwide turnover | The higher figure |
To grasp the weight of a wrong classification, a simple exercise helps. A company that deploys a system in an Annex III area and classifies it, in good faith or not, as outside high-risk by leaning on the 6(3) filter, exposes itself to two chained costs if the surveillance authority disagrees. First, the compliance cost it did not assume and must now set up against the clock: risk management, technical documentation, registration, human oversight, conformity assessment. Industry estimates for high-risk systems place that cost, depending on the company profile, in a range from a few thousand to tens or hundreds of thousands of euros. Second, exposure to the 3%-of-worldwide-turnover sanction for breaching the regime’s obligations.
The relevant calculation is not the theoretical maximum fine —the 15 million— but the percentage, because for a large company 3% of worldwide turnover comfortably exceeds that fixed figure, and for a mid-sized one it represents a material fraction of its annual margin. A company with one billion euros in turnover is exposed, at the ceiling, to 30 million via the percentage route; one with fifty million, to 1.5 million. In both cases, the difference between classifying a single system right or wrong can equal a quarter’s profits. Hence the high-risk boundary is not a legal subtlety, but the centre of gravity of all compliance planning.
The chronology of a delay that became a cause
The most revealing fact of this episode is not the guidance itself, but when it arrives. Guidance on high-risk classification was initially expected by 2 February 2026, ahead of the Regulation’s original compliance milestones. It did not come in February. Nor in March or April. It came, as a draft for consultation, on 19 May.
That delay was not harmless. The absence of final guidance, added to delays in developing the technical standards, became a central argument in the debate over whether companies were operationally ready for the AI Act. More than a hundred EU-based companies pushed for a two-year pause on enforcing the high-risk rules, citing precisely the lack of guidance and standards in a shrinking grace period. That demand led to the Digital Omnibus on AI, the simplification package whose 7 May political agreement postponed the Annex III high-risk obligations to 2 December 2027 and the Annex I ones to 2 August 2028.
The sequence, put in order, draws a regulatory paradox:
| Date | Milestone |
|---|---|
| 1 Aug 2024 | The AI Act enters into force |
| 2 Feb 2025 | Article 5 prohibitions apply |
| 2 Feb 2026 | Expected date for the high-risk classification guidance (missed) |
| 28 Apr 2026 | The second Omnibus trilogue collapses after eleven hours |
| 7 May 2026 | Omnibus political agreement: high-risk obligations postponed |
| 19 May 2026 | The Commission finally publishes the draft classification guidance |
| 23 Jun 2026 | Public consultation closes |
| 2 Dec 2027 | New application date for Annex III high-risk |
| 2 Aug 2028 | New application date for Annex I high-risk |
Seen this way, the guidance that was meant to prepare companies for a date (August 2026) arrives once that date has already moved to 2027 and 2028, partly because the guidance had not arrived on time. The tool and the deadline it was meant to enable chased each other.
The two readings, with comparable weight
The episode admits, as almost everything in European digital regulation does, two legitimate readings worth setting out without tipping the scale.
For the Commission and those who defend the approach, the sequence is not a failure but a sensible correction. Their argument, sustained in the official communications of the simplification package, is that applying costly obligations without the support tools —guidance, standards, testing sandboxes— would have been counterproductive: it would have imposed burdens without clarity on how to meet them. Under this reading, postponing the dates and then publishing detailed guidance, open moreover to correction by the affected parties through consultation, is preferable to demanding compliance with a rule no one yet knew how to interpret. The very non-binding nature of the guidance, and its openness to consultation until June, are presented as virtues: they let providers, governments, academia and civil society refine the text before its final adoption, expected in late 2026 or early 2027.
For the critics —among them digital-rights organisations and some lawyers— the sequence reveals a deeper problem. Their argument is that each delay erodes the Regulation’s protective force: while the high-risk boundary remains blurry and the dates recede, the systems operating in sensitive areas —credit, employment, borders, justice— keep being deployed without the safeguards the AI Act promised. For this position, a non-binding guidance that admits it is not exhaustive and arrives fifteen months late is weak guidance for a question that should have been settled before the Regulation began to bind. And they warn of an underlying risk: that the logic of “simplification” and “competitiveness”, legitimate in itself, ends up emptying of practical content protections that were passed precisely for the most sensitive uses of AI.
It is not for this outlet to rule which reading is correct. It is to note that both describe the same fact from opposite angles: Europe has built the world’s most ambitious AI framework, and at the same time has spent two years discovering how hard it is to say, with the precision a 7% fine demands, where exactly the risk it aims to regulate begins.
Methodological note. The “relative compliance burden” on the cover is an in-house estimate on a 0-100 scale, built to illustrate the difference in obligations between the AI Act’s four risk levels, not a monetary measurement. It reflects the number and severity of the legal obligations associated with each level under the Regulation’s text: unacceptable risk entails a total ban (maximum burden); high-risk drags the full Chapter III regime (risk management, documentation, registration, human oversight, conformity assessment); transparency risk mainly requires informing the user; and minimal risk, where the majority of systems in use in the EU fall, adds no obligations. The fine figures and dates come from the AI Act’s text and the official communications of the European Parliament, the Council and the Commission. The compliance-cost estimates for high-risk systems come from industry analyses cited in prior coverage of this series. Data cutoff: 23 May 2026.