EU AI Act: Commission Publishes Draft Guidelines On Identifying "High-risk” AI Systems Under Article 6 – What Businesses Need To Do Now

The European Commission has taken a major step towards implementing the EU AI Act, publishing draft Guidelines on when an AI system will be classified as “high-risk” under Article 6.

Article 6 of the Act hasn't changed but this draft guidance is significant. It provides the clearest indication yet of how regulators will interpret and enforce one of the most commercially critical questions for businesses: does your AI system fall inside or outside the high-risk regime?

For organisations using or developing AI, this is not a theoretical exercise. Classification determines your compliance burden, cost of deployment, and, in some cases, whether your system can be used at all. Getting the classification wrong can have serious commercial, financial and reputational impact.

Importantly, the window for feedback and consultation on the draft Guidelines is open until 23 June 2026. Once the Guidelines are finalised, they remain non-binding until the Court of Justice affirms them. But, in the meantime, the only sensible approach for most businesses is to adopt the draft Guidelines as a roadmap for future development work.

This article cuts through the legal detail to explain what the Guidelines mean in practice.

Why Article 6 matters more than anything else in the AI Act

At the heart of the EU AI Act is a risk-based model. Systems classified as “high-risk” face the most stringent requirements, including risk management, data governance, human oversight, technical documentation and ongoing monitoring.

The key point

Getting classification wrong has direct consequences:

• Over-classify → unnecessary cost, slower innovation, potentially missing your market
• Under-classify → regulatory exposure, significant fines, market access risks, reputational damage

Put simply: classification is the gateway to your entire compliance strategy.

What the Guidelines clarify and why it matters

The draft Guidelines don’t rewrite Article 6 but they do clarify how it should be applied in practice, using examples and interpretation.

Four areas stand out for businesses.

1. Two routes into “high-risk” but both are wider in practice than many expect

Under Article 6, an AI system is high-risk if it meets either of two tests:

• Product safety route (Article 6(1)):
  AI is part of (or itself is) a regulated product, such as medical devices or machinery, that requires third-party conformity assessment.
• Use-case route (Article 6(2)):
  AI falls into one of the Annex III use-case categories, such as employment, education, biometrics or access to services.

The Commission emphasises that these routes are independent - either can trigger high-risk status.

Many organisations underestimate exposure by focusing only on “regulated products”. In reality, Annex III use cases will capture a much broader range of enterprise AI over and above those that you might expect, such as surveillance and emergency services, and include more general applications especially in HR, personal insurance and financial risk scoring.

2. “Intended purpose” is a critical, and often underdeveloped, concept

The Guidelines note that when assessing a system as "high-risk", the intended purpose (defined in Article 3(1) of the AI Act) of that system is a critical element of the classification analysis.

The Guidelines require providers to set out the intended use or purpose of their systems and this has to be consistent across all your materials. If your system has multiple potential uses in different contexts (a multi purpose or general purpose AI), then you must also describe these so that the assessment of whether the system is high-risk can be carried out in relation to each use. You cannot rely on disclaimers or narrow descriptions to avoid a "high-risk" classification if the system is realistically going to be used for high-risk purposes.

This means that:

• Internal documentation and product definitions now carry regulatory weight
• Sales and deployment contexts matter — not just technical design
• The same model could be high-risk in one use case and not in another

Treat “intended purpose” as a legal and commercial control point, not just a product description. Great care will need to be taken to align marketing, product and legal statements concerning intended purpose across the product's collateral.

3. Complex systems are assessed as a whole, not component-by-component

One of the most important clarifications is that interconnected AI systems may be treated as a single system for classification purposes.

This means that:

• Breaking systems into modules will not avoid high-risk classification
• Multi-agent or orchestrated AI environments must be assessed end-to-end
• Responsibility sits across the full system, not isolated components

4. The “exception” to high-risk is narrow (and documented)

Article 6 includes a carve-out for systems that technically fall within Annex III but do not materially impact decisions or risk outcomes.

The guidelines reinforce that this is:

• Limited in scope
• Fact-specific
• Subject to documentation requirements

What this means for businesses in practice

The AI Omnibus has postponed the application dates of Article 6 until late 2027 and mid 2028 (subject to the transitional provisions that are already in force) and the Guidelines are currently only draft. Businesses may be tempted to think that this is a 'tomorrow problem'. But, for any business currently selling and developing AI systems, the Guidelines serve as an early warning system and roadmap as to how the authorities are likely to enforce the law.

Given that the penalties for breach of the AI Act are significant, in some cases 7% of global annual turnover, and the impact on business could be significant with regard to lost contracts, lost customer confidence and reputational damage, it is wise to take account of the draft Guidelines and build them into your current and future development. The draft Guidelines are the best indication of how regulators are likely to apply the law.

For most organisations, the implications are immediate.

• Most businesses will have some high-risk exposure, particularly in HR, finance and customer decision making
• AI governance is now a core compliance function, not a technical afterthought
• Documentation and auditability matter as much as the technology itself

The Commission’s draft Guidelines make one thing clear: high-risk classification is not just a legal exercise - it is a strategic business decision.

It will shape how organisations:

• Develop and deploy AI
• Manage risk and compliance costs
• Promote and sell their products
• Operate in the EU market

Get in touch

If you would like support assessing whether your AI systems fall within the high-risk category, building a practical and proportionate AI governance framework, or engaging with the consultation, our AI team would be happy to help.

Get in touch to discuss how these developments could impact your business.

Read the original article on GowlingWLG.com