The European Commission has finally published its long-awaited draft guidance on how AI systems should be classified as “high-risk” under the EU AI Act, giving businesses their clearest indication yet of how regulators are likely to interpret one of the most important parts of the legislation.
For organisations developing, deploying, customising or purchasing AI systems, the guidance represents a major turning point. Until now, many businesses have struggled to determine whether their AI tools would actually fall into the AI Act’s strictest compliance category. The new guidance attempts to answer that question in detail, spanning 167 pages of explanations, examples and interpretation.
The timing is significant because the publication arrived just days after EU policymakers agreed, through the Digital Omnibus package, to postpone the application dates for many of the AI Act’s high-risk obligations. While that delay offers businesses additional preparation time, the guidance itself makes clear that regulators intend to interpret the rules broadly and focus heavily on the real-world impact of AI systems rather than just on how they are labelled or marketed.
Why “high-risk” status matters
Perhaps the most important aspect of the guidance is that it clearly notes that being classified as “high-risk” does not mean an AI system is prohibited. It does, though, trigger a compliance regime covering governance, transparency, human oversight, documentation, risk management, record keeping and data quality obligations.
For many businesses, particularly those already embedding AI into operational decision-making, the compliance burden could be substantial. The publication of the guidance signals that regulators now expect organisations to begin taking classification and governance more seriously.
The two routes into the high-risk category
The EC confirms that there are two main routes by which an AI system becomes high-risk.
The first applies where AI forms part of a product already regulated under existing EU product safety legislation, including areas such as medical devices, machinery, vehicles, aviation and industrial equipment. Where those products require third-party conformity assessments, the AI component may also fall into the high-risk regime.
The second route, which will affect a wider range of organisations, concerns the use cases listed in Annex III of the AI Act. These include AI systems used in things like recruitment, biometric identification, credit scoring, insurance pricing and law enforcement.
The guidance provides practical detail and tangible examples of systems that are likely to qualify as high-risk. Recruitment tools that rank candidates, AI systems that evaluate worker performance, exam proctoring software, biometric categorisation tools and AI-driven credit assessments are all specifically discussed.
The examples actually make it difficult to argue that a system falls outside the high-risk perimeter if it closely resembles the use cases identified in the guidance. This also indicates where regulators are likely to focus enforcement attention.
Why disclaimers may not work
The guidance rejects the idea that businesses can avoid classification through carefully drafted disclaimers. It notes that regulators will assess an AI system’s “intended purpose” by looking at the full picture, including technical documentation, marketing materials, demonstrations, sales messaging and contractual terms.
This means that simply stating in terms and conditions that a tool is “not intended for high-risk use” may carry little weight if the product is otherwise marketed in ways that clearly anticipate high-risk applications.
The EC explicitly warns that boilerplate exclusions will not protect providers where the broader presentation of the system suggests otherwise. This point is particularly important for providers of general-purpose AI systems, APIs and foundation-model integrations, where commercial positioning may become increasingly important in future regulatory assessments.
Will businesses customising AI tools become providers?
The guidance also contains a warning for businesses customising or adapting third-party AI tools. Organisations that fine-tune, rebrand or significantly modify AI systems could themselves become classified as “providers” under the AI Act, inheriting the full range of compliance obligations.
This means that companies integrating foundation models into HR tools, customer scoring systems or operational decision-making platforms may find themselves directly responsible for regulatory compliance even where the underlying AI originated elsewhere.
This may impact business’ procurement strategies and supplier negotiations, particularly where responsibility for governance, testing and documentation is concerned.
What about the exemption?
One of the most heavily debated areas of the AI Act has been the exemption mechanism, often referred to as the “filter.” This allows certain AI systems to avoid high-risk classification where they perform only narrow procedural or preparatory tasks without materially influencing outcomes.
The new guidance suggests regulators intend to interpret this exemption narrowly. The EC gives examples of tasks that may fall outside the high-risk regime, such as formatting documents, transcribing interviews or routing files for human review. However, once an AI system begins ranking candidates, influencing scores, identifying risk indicators or shaping decisions, the exemption will likely disappear.
The guidance also makes clear that systems involving profiling of individuals will generally not benefit from the carve-out at all, limiting the usefulness of the exemption for many real-world commercial AI deployments.
What the Digital Omnibus means here
Alongside these clarifications, the Digital Omnibus package has now reshaped the AI Act’s implementation timetable. Under the revised timeline, obligations for Annex III high-risk systems will now apply from 2 December 2027, while Annex I product safety systems will follow on 2 August 2028. Public sector obligations have been pushed further back to 2030.
For businesses, the delay provides valuable breathing room, but not a major relaxation of the EU’s regulatory approach.And the guidance seems to support that. The EC appears determined to ensure that organisations cannot sidestep the rules through narrow interpretations or technical workarounds.
Many businesses will likely need the additional time simply to prepare. Identifying AI systems, assessing risk classifications, reviewing supplier relationships, building governance structures and preparing technical documentation are all likely to become major operational exercises, particularly for larger organisations with multiple AI deployments across departments.
Brussels’ regulatory message
The message from Brussels is that regulators intend to focus on how AI systems function in practice rather than how they are described on paper.
Human involvement will not automatically remove a system from the high-risk category if AI outputs continue to influence decisions. Splitting functionality across multiple tools or modules is also unlikely to avoid scrutiny if the systems collectively shape consequential outcomes.
The publication of the draft guidance marks the beginning of a much more concrete phase of AI regulation in Europe. Organisations now have a clearer view of how regulators are likely to assess AI systems and where enforcement priorities may emerge over the coming years.
The consultation on the draft guidance remains open until 23 June 2026, meaning there is still an opportunity for businesses and industry groups to influence some of the more contested interpretations. But it’s clear that the EU is building a broad and highly interventionist framework for AI governance, and companies using AI in sensitive or decision-making contexts are firmly in scope.
The Digital Omnibus may have moved the compliance deadlines, but it has not changed the scale of the challenge ahead.
