AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Analysis

Which AI systems are high-risk? The Commission's draft Article 6 guidelines

Adopted 2026-06-19 ยท ≈ 4 min read ยท Dirk Baaijen

On 19 May 2026 the Commission published draft guidelines on which AI systems are high-risk under Article 6: the two routes (Annex I and Annex III), the Article 6(3) filter and practical examples. Non-binding; the targeted consultation was extended to 23 July 2026, final text expected later in 2026.

Most of the debate about the EU AI Act's high-risk regime is about timing โ€” when the obligations bite, and how far the Digital Omnibus pushes them out. But a logically prior question decides whether any of that applies to you at all: is your system high-risk in the first place? On 19 May 2026 the European Commission published its draft guidelines on exactly that question โ€” the first official reading of Article 6, the classification rule at the centre of the whole regime.

What the Commission published

The draft guidelines come as three documents that track the structure of Article 6: a set of general principles for classification, and one document each on the Annex I route and the Annex III route. They are accompanied by a list of practical examples of systems that should, and should not, be classified as high-risk. The Commission stresses that the guidelines are not legally binding โ€” only the Court of Justice can interpret EU law definitively โ€” but in practice they are the reference that providers, deployers and national market surveillance authorities will reach for when a classification is contested.

The text went out for a targeted stakeholder consultation, opened on 19 May 2026 for six weeks. After requests from several associations, the Commission extended the deadline by four weeks, to 23 July 2026; the final guidelines are expected later in 2026.

The two routes, restated

Article 6 routes a system into high-risk in one of two ways, and the guidelines take each in turn.

Route 1 โ€” Annex I (products). Under Article 6(1) a system is high-risk only when both conditions are met: it is a safety component of a product โ€” or is itself a product โ€” covered by the Union harmonisation legislation listed in Annex I (machinery, medical devices, toys, lifts and the like), and that product must undergo a third-party conformity assessment. This is where the high-risk regime meets the existing product-safety world, and where the harmonised standards under Article 40 supply the practical route to a presumption of conformity.

Route 2 โ€” Annex III (use cases). Under Article 6(2) a system listed in Annex III โ€” biometrics, critical infrastructure, education, employment, access to essential services such as creditworthiness and insurance, law enforcement, migration and the administration of justice โ€” is high-risk.

The filter is where the fights will be

The contested ground is Article 6(3): an Annex III system is not high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights and meets at least one of four conditions โ€” it performs a narrow procedural task; it improves the result of a previously completed human activity; it detects decision-making patterns or deviations without replacing or influencing the human assessment without proper review; or it performs a preparatory task to a relevant assessment. One carve-out has no exit: a system that performs profiling of natural persons is always high-risk.

This filter is the single most consequential โ€” and most litigable โ€” sentence in the classification rules, because it is the line between "full Chapter III obligations" and "almost none". A provider who claims the exemption must document that assessment, and the burden of getting it right sits with them. The Commission's practical examples matter most precisely here: they show how it reads the difference between a genuinely narrow procedural tool and a system dressed up as one.

Why this lands now

The guidelines arrive at a useful moment. Because the Digital Omnibus is expected to push the Annex III start date to 2 December 2027, organisations have an unusually long runway โ€” and classification is the work to do first. You cannot scope a risk-management system, conformity assessment or CE marking until you know whether you are in the regime, and Annex III deployers cannot judge whether they owe a fundamental-rights impact assessment until the same question is settled.

It is worth keeping two different "classifications" apart. This guidance is about **high-risk AI systems under Article 6. It is not the separate test for general-purpose AI models with systemic risk**, which runs on its own criteria under the GPAI regime. The draft guidelines, and the newly appointed Scientific Panel and Advisory Forum, are two halves of the same move: the substance and the institutions that will make high-risk enforcement workable before the obligations fall due. For a fuller map of the regime itself, see our overview of high-risk obligations.

Sources

  1. https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems
    EC library page: draft guidelines published 19 May 2026 in three documents (general principles, Annex I, Annex III); explicitly non-binding.
  2. https://digital-strategy.ec.europa.eu/en/consultations/targeted-consultation-draft-guidelines-classification-high-risk-artificial-intelligence-systems
    EC targeted consultation: opened 19 May 2026, originally six weeks to 23 June, extended by four weeks to 23 July 2026.
  3. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689, Article 6 and Annexes I and III: the two classification routes and the Article 6(3) exemptions.

Share on LinkedIn

Read next

W

Inventorying your AI systems for the AI Act: how to approach it

Inventorying starts with classification: for each AI system, determine whether it is prohibited, high-risk, limited-risk or minimal-risk under Article 6 and Annexes I and III. Then map each system to its role and obligations.

U

AI as a medical device: the dual conformity (MDR + AI Act)

If your AI is a medical device, it must meet both the MDR (clinical evaluation, CE) and the AI Act (high-risk requirements). The regulations are meant to run together through a single conformity assessment and one notified body โ€” not two separate tracks.

U

AI in healthcare: the AI Act and the Medical Device Regulation (MDR)

Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.