In a significant move towards regulating artificial intelligence, the European Commission has released draft guidelines detailing how AI systems will be classified as 'high-risk' under Article 6 of the EU AI Act. These guidelines are open for consultation until June 23, 2026, and aim to help providers and regulators identify high-risk AI applications while making sure consistent enforcement across EU member states.
The classification of AI as high-risk will follow two main routes. The first applies to AI systems integrated into products already subject to EU product safety regulations that require third-party conformity assessments. The second route is broader, covering eight specific use cases outlined in Annex III of the EU AI Act, which include sensitive areas such as biometrics, employment decisions, credit scoring, and law enforcement. Notably, being classified as high-risk does not prohibit the system's use; instead, it brings heightened compliance requirements, including transparency, human oversight, and strict data governance.
A key element of these guidelines is how classification is determined. The assessment will take into account the intended purpose of the AI systems, examining technical documentation, marketing materials, and terms and conditions as a whole. A simple disclaimer about high-risk uses in terms and conditions will not be enough if other marketing messages imply otherwise. Businesses that rebrand or customize third-party AI tools may find themselves classified as full 'providers' under the Act, which entails broad compliance responsibilities.
Implications for Businesses
The timeline for compliance is established, with obligations under Annex III taking effect from December 2, 2027. Following this, product safety regulations outlined in Annex I will be enforced from August 2, 2028, and public sector applications will be subject to these regulations starting August 2, 2030. As these deadlines approach, companies must prepare for the impact of these guidelines on their operations and compliance strategies.
Engagement with regulatory bodies and legal experts may become increasingly necessary as organizations manage these new requirements. The guidelines not only provide a framework for compliance but also signal that the EU is serious about governing AI technologies that could affect individuals' rights and safety.
The Role of Stakeholders
Key stakeholders in technology, including legal advisors and compliance officers, need to closely monitor these developments. Those interested in the evolving regulatory environment surrounding AI can consult professionals such as Tom Whittaker, Brian Wong, Lucy Pegler, Martin Cook, and Liz Griffiths at Burges Salmon for insights on how these regulations may impact their operations.
As the consultation period unfolds, the final form of the EU AI Act will become clearer, with potential adjustments based on industry feedback. For now, companies using AI technologies should evaluate their current and future AI systems against these guidelines to makes sure compliance and mitigate risks associated with high-risk classifications. The regulatory landscape will likely influence various sectors, highlighting the importance of preparation and adaptability in light of upcoming changes.
Quick answers
What defines a high-risk AI system under the EU AI Act?
A high-risk AI system is defined based on its intended purpose and can fall under specific use cases outlined in Annex III of the Act.
What are the compliance obligations for high-risk AI systems?
High-risk AI systems must comply with requirements for transparency, human oversight, and data governance.
When do the new regulations take effect?
Annex III obligations begin on December 2, 2027, product safety regulations on August 2, 2028, and public sector deployments on August 2, 2030.
