Op 19 May 2026, the European Commission (EC) published its draft guidelines on the classification of high-risk AI systems. The good news is that the guidelines provide greater clarity. The bad news is that this may result in more AI systems falling within this category. Below, we outline the key points of the guidelines.
Under the AI Act, an AI system may be classified as high risk if:
The draft guidelines provide practical guidance and consist of three parts:
The general principles (section 1) explain the basic conditions. Among other things, they clarify when a system qualifies as an AI system and what is meant by the “intended purpose”. They also refer to the postponed timelines under the Digital Omnibus, namely: 2 December 2027 (for safety components and/or AI systems falling under harmonisation legislation), 2 August 2028 (for AI systems used for the purposes listed in Annex III), and 31 December 2030 (as the deadline by which AI systems already placed into service before 2 August 2027 must comply with all obligations).
The further clarification of Annex I of the AI Act (section 2) elaborates on when an AI system qualifies as a safety component. Practical examples of safety and mitigating functions are provided, and the guidelines explain in which situations a system may be regarded as a safety component due to risks arising from malfunctioning.
Finally, the further clarification of Annex III of the AI Act (section 3) explains, among other things, that human oversight does not automatically remove the qualification of “high risk”. It also emphasises that the focus of the risk assessment is on the impact on natural persons (rather than organisations). In addition, the guidelines address the assessment of AI within complex systems and the interpretation of terms such as “intended to be used”. The so-called filtering mechanism is also further clarified, and concrete examples are provided for each category listed in Annex III. These last two points in particular are highly insightful.
Where an AI system is classified as “high risk”, extensive obligations apply. These include, among other things, the requirement to implement a risk management system, make technical documentation available, obtain certification where required, carry out mandatory logging, provide certain information, and ensure human oversight. AI systems classified as limited or low risk are subject to far fewer obligations. The classification therefore makes a significant difference.
All in all, it is important to determine before putting an AI system into use whether it qualifies as high risk and, if so, whether all applicable obligations are met. The guidelines are expected to contribute to a more uniform and practical application of the categorisation under the AI Act, although it remains to be seen what their final content will be. Definitely something worth keeping an eye on.
You can. The guidelines are not yet final, and feedback can still be submitted to the EC until 23 June 2026.
Do you have any questions in this area? We would be happy to assist you. Please feel free to contact Michelle Wijnant, lawyer IT, Privacy & Cybersecurity, or another member of Team IT, Privacy & Cybersecurity.
Heeft u vragen op dit gebied? Wij denken graag met u mee. Neem gerust contact op met Michelle Wijnant, advocaat IT, Privacy & Cybersecurity of iemand anders van Team IT, Privacy & Cybersecurity.
Would you like to receive a monthly overview of updates and blogs in your inbox? Subscribe to our newsletter.
