Commission´s Draft Guidelines on the Classification of High-Risk AI Systems

The European Commission finally published its long-awaited (draft) guidelines on the classification of high-risk AI systems under the AI Act. The guidelines are open for public consultation until 23 June 2026.

The draft guidelines are presented in a user-friendly manner on the AI Act Single Information platform.

Purpose and Scope

The guidelines are being published pursuant to Article 6(5) of the AI Act. (Under the AI Act, the Commission was required to publish the guidelines by February 2, 2026, at the latest. This delay may be offset by the postponement of the application of the AI Act, which is linked to the adoption of the AI Omnibus.)

The aim of the guidelines to support providers and deployers of AI systems, as well as competent market surveillance authorities, in assessing whether an AI system should be classified as high-risk, thereby facilitating the uniform application and effective enforcement of the AI Act. The guidelines set out the European Commission’s interpretation of concepts relevant to high-risk classification and provide practical examples of AI systems that should or should not be classified as high-risk.

The guidelines are limited in scope to the question of whether an AI system is high-risk or not; they do not address compliance with the substantive requirements imposed on high-risk AI systems. They are non-binding, and authoritative interpretation of the AI Act rests ultimately with the Court of Justice of the European Union.

The guidelines are divided into sections, following the structure of Article 6 of the AI Act.

Application and enforcement timeline

Following the political agreement on the ‘AI Omnibus’, there will be a new enforcement timeline:

• Rules for systems used in certain high-risk areas — including biometrics, critical infrastructure, education, employment, migration, asylum and border control — apply from 2 December 2027.

• For systems integrated into products such as robotics and industrial machinery, the rules apply from 2 August 2028.

• High-risk AI systems intended for use by public authorities must comply by 2 August 2030 in any event.

General Principles for Classification

Two Pathways to High-Risk Classification. Under Article 6 of the AI Act, an AI system is classified as high-risk in two scenarios:

• Article 6(1) and Annex I: The AI system is intended to be used as a safety component of a product, or is itself a product, covered by Union harmonization legislation listed in Annex I, and the product is required to undergo a third-party conformity assessment.

• Article 6(2) and Annex III: The AI system falls within one of the use cases listed in Annex III of the AI Act.

Threshold Requirement: Before a system can be classified as high-risk, it must qualify as an “AI system” within the meaning of Article 3(1) of the AI Act. (See the Commission´s guidelines on AI system definition here.)

Intended Purpose Is Determinative. The intended purpose of the AI system, as defined by the provider in instructions for use, promotional materials, and technical documentation, plays a central role in classification. If the provider presents the AI system as broadly applicable without consistently limiting or excluding high-risk uses, the system’s intended purpose will be deemed to encompass high-risk use cases. Merely asserting that high-risk uses are excluded (e.g., in terms of service) is insufficient if the provider’s overall positioning or examples effectively provide for or promote such uses.

Self-Assessment by the Provider. The classification assessment is the responsibility of the provider, supervised by competent market surveillance authorities. Distributors, importers, deployers, or other third parties may become subject to provider obligations under Article 25(1) of the AI Act if they put their name or trademark on a high-risk AI system, make a substantial modification, or modify the intended purpose of a non-high-risk AI system such that it becomes high-risk.

Annex I Classification Criteria (Article 6(1) of the AI Act)

Classification Rationale. Article 6(1) establishes a proportionate, safety-based classification mechanism for AI systems integrated into products already regulated under EU harmonization legislation. Only AI systems that present significant risks to health, safety, or fundamental rights are classified as high-risk; not all AI-enabled products are automatically high-risk.

Two cumulative conditions must be met:

1. The AI system must be a product, or a safety component of a product, covered by Annex I legislation. Annex I lists Union harmonization legislation covering products such as machinery, toys, lifts, pressure equipment, radio equipment, medical devices, in vitro diagnostic devices, and products in the automotive and aviation sectors. The AI system may be embedded in the product or placed on the market independently (e.g., as a software update or remote service).

2. The product must be required to undergo a third-party conformity assessment. The product must be deemed by Union harmonization legislation to present higher risks requiring independent third-party verification before being placed on the market.

Safety Component Definition. Article 3(14) of the AI Act defines a “safety component” as a component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property. This is an autonomous definition independent of any sectoral legislation’s definition of safety components. (Please note that the AI Omnibus proposes a new definition of safety components. According to the proposed new definition, ‘safety component’ means a component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property; for the purposes of this definition, a component fulfils a safety function where its intended purpose is to prevent or mitigate risks to health and safety of persons or property” )

Based on the above, two alternative scenarios trigger classification as a safety component:

• The AI system is intended to fulfil a safety function (intent-based, determined by the provider).

• The AI system’s failure or malfunctioning would endanger health, safety, or property (consequence-based).

Examples of safety components include AI-based collision detection in machinery, AI monitoring gas concentrations in explosive environments, and AI systems in vehicles providing lane assistance. By contrast, an AI system recommending music in a connected toy or performing yield forecasting in agriculture would not be a safety component.

Compliance Burden Minimization. The AI Act provides mechanisms enabling economic operators to integrate AI-specific risk and quality management assessments into existing compliance frameworks under sectoral legislation, thereby avoiding duplication.

Annex III Classification Criteria (Article 6(2) of the AI Act)

Rationale. Article 6(2) classifies certain stand-alone AI systems as high-risk where their intended purpose poses a significant risk to health, safety, or fundamental rights. Classification as high-risk does not prohibit the use of such systems; rather, it subjects them to appropriate requirements ensuring accuracy, proper risk mitigation, and fundamental rights protection.

Eight High-Risk Areas. Annex III identifies eight broad areas susceptible to AI-related risks:

1. Biometrics: remote biometric identification, biometric categorization, and emotion recognition.

2. Critical infrastructure: AI systems as safety components in digital infrastructure, road traffic, and supply of water, gas, heating, or electricity.

3. Education and vocational training: systems determining access to education, evaluating learning outcomes, and monitoring student behavior during assessments.

4. Employment, workers’ management, and access to self-employment: AI systems for recruitment, selection, task allocation, performance monitoring, and decisions on terms of employment or termination.

5. Access to and enjoyment of essential private and public services and benefits: systems evaluating eligibility for public assistance, creditworthiness, insurance risk/pricing, and emergency call triage.

6. Law enforcement: victim risk assessment, polygraphs, evidence evaluation, offending risk assessment, and profiling of persons.

7. Migration, asylum, and border control management: risk assessment of persons, examination of applications, polygraphs, and detection/identification of persons.

8. Administration of justice and democratic processes: AI assisting judicial authorities or in alternative dispute resolution, and systems influencing election outcomes or voting behavior.

The list of use cases within each area is exhaustive and can only be amended through delegated acts under Article 7(1) of the AI Act.

Horizontal Principles for Annex III Classification:

• Human involvement does not alter classification. Since human involvement cannot change the intended purpose of a system, it has no effect on whether the system is classified as high-risk. The provider cannot exempt and categorise an AI system as ‘low risk’ simply by adding to it a requirement for human involvement

• Natural persons. Several use cases require that the AI system directly or indirectly evaluate “natural persons,” which includes sole traders, self-employed persons, and individuals acting in a professional capacity.

• Complex and agentic AI systems. AI systems operating as part of complex, interconnected configurations (including agentic AI) are assessed as a whole; exemptions do not apply to individual modules if the overall system materially influences key decisions.

• “Intended to be used.” Classification depends on the system’s intended purpose as defined by the provider; actual use is not required - the assessment occurs before placing the system on the market.

The Article 6(3) “Filter” Mechanism

Article 6(3) of the AI Act provides a mechanism allowing providers to exempt AI systems falling within Annex III use cases from high-risk classification where the system does not pose a significant risk of harm. This filter applies if any one of four conditions is met:

1. Narrow procedural task: the system transforms, categorizes, or structures data without performing value judgments (e.g., sorting applications by grade, detecting duplicates).

2. Improves a previously completed human activity: the system only refines or verifies an already-completed human result without reverting or replacing it (e.g., correcting grammar in a finalized decision).

3. Detects decision-making patterns or deviations: the system is used for quality assurance without replacing or influencing the previously completed human assessment (e.g., detecting grading inconsistencies).

4. Preparatory task: the system performs indexing, searching, or processing tasks prior to the assessment, with very low impact on the outcome (e.g., referencing relevant legal provisions).

Critical Limitation: Profiling. The filter mechanism cannot be applied where the AI system performs profiling of natural persons within the meaning of Article 4(4) of the GDPR. Additionally, systems forming part of complex configurations whose combined outputs materially influence decisions in a high-risk use case cannot benefit from the filter.

Documentation Obligations. Providers invoking the filter must document their assessment before placing the system on the market and must register the system in the EU database under Article 71 of the AI Act.

Anti-Circumvention. Market surveillance authorities may evaluate whether a system has been misclassified as non-high-risk and impose penalties under Article 99 of the AI Act.

Key Compliance Considerations

Provider Responsibilities. Providers must clearly define and describe the intended purpose of their AI system across all materials (instructions for use, technical documentation, promotional materials, terms of service). Ambiguity or broad positioning that does not consistently exclude high-risk uses will result in the system being deemed high-risk.

Deployer Awareness. Deployers procuring AI systems are encouraged to verify any claimed filter exemptions in the EU database for due diligence purposes. Critical infrastructure entities should note that the high-risk classification under Annex III point 2 applies only to entities identified as critical under the CER Directive.

Integrated Compliance. For Annex I high-risk AI systems, economic operators may integrate AI Act compliance into existing risk management and quality management systems established under sectoral legislation, avoiding duplication.

Ongoing Monitoring and Updates. Article 112(1) of the AI Act establishes an annual review mechanism for Annex III use cases. The Commission may adopt delegated acts to add new use cases, amend or remove existing ones, or modify the Article 6(3) filter conditions.