The Commission's High-Risk AI Guidelines: What the Consultation Actually Asks

These questions sit at the center of what gets discussed at Human x AI Europe on 19 May in Vienna. If classification mechanics and enforcement pathways matter to your work, that room is where the practitioners will be.

The Artifact

On 19 May 2026, the European Commission opened a targeted consultation on draft guidelines for classifying high-risk AI systems. The consultation runs until 23 June 2026. Registered participants receive an anonymous questionnaire; only responses submitted through that channel will be reflected in the final summary report.

The draft guidelines themselves are structured in three downloadable sections: general principles, Annex I (product safety), and Annex III (use-case domains). The Commission has also published the content on the AI Act Single Information Platform in a searchable format, allowing stakeholders to navigate directly to the areas most relevant to their operations.

The stated purpose is to support providers, deployers, and market surveillance authorities in determining whether an AI system qualifies as high-risk under Article 6 of the AI Act. The guidelines offer the Commission's interpretation of key concepts and, as required by Article 6(5), include practical examples of systems that should or should not be classified as high-risk.

The Two Classification Pathways

The AI Act defines high-risk AI systems through two distinct routes.

Article 6(1) covers AI systems used as safety components of products, or AI systems that are themselves products, falling under EU harmonisation legislation listed in Annex I. If such a product requires third-party conformity assessment, the AI system is classified as high-risk. This pathway captures AI embedded in machinery, medical devices, toys, vehicles, and similar regulated products.

Article 6(2) covers AI systems deployed in specific use cases listed in Annex III. These span eight domains: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice.

The guidelines address both pathways, with Section III covering Annex I systems and Section IV covering Annex III systems. The examples provided are not exhaustive and may be updated over time.

The Derogation Question

Article 6(3) introduces a derogation mechanism: an AI system listed in Annex III is not automatically high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights. Four conditions are listed under which this exception may apply, including systems that perform narrow procedural tasks or improve the result of previously completed human activity.

The interpretive question that has occupied legal practitioners is whether this list is exhaustive or illustrative. As one legal expert noted, the phrasing "shall apply where any of the following conditions is fulfilled" can be read either as "shall apply ONLY where" or "shall apply, IN PARTICULAR, where." The distinction matters: a museum exhibit that scans faces for entertainment, stores nothing, and transmits nothing would fall outside all four listed conditions yet poses no meaningful risk. Under a strict reading, it remains high-risk.

Providers who invoke the derogation must document their assessment and register the system in the EU database before placing it on the market. Market surveillance authorities retain the power to challenge such classifications.

The Timeline Shift

The consultation arrives after the Digital Omnibus agreement of 7 May 2026 reset the compliance calendar. Standalone high-risk systems under Annex III now face a compliance deadline of 2 December 2027, pushed back from the original 2 August 2026. High-risk AI embedded in Annex I regulated products must comply by 2 August 2028.

The delay was driven by the absence of finalised harmonised standards. The political compromise fixed new dates regardless of whether standards arrive on schedule. If standards remain incomplete, the dates do not move with them.

One structural consequence: the AI Act is not retroactive. Under Article 111, systems placed on the market before the new deadlines do not need to comply unless substantially modified. As critics have noted, this creates an incentive to deploy before December 2027, particularly for systems facing the heaviest compliance burdens. A hiring tool placed on the market before that date may remain outside the Act indefinitely unless it is substantially altered.

What the Consultation Seeks

The Commission is asking for feedback on two dimensions: clarity and usefulness.

On clarity, the question is whether the guidelines adequately explain the relevant provisions of Article 6 and the annexes. Stakeholders have previously flagged ambiguity around the interplay between high-risk classification and existing sectoral regulations. The European Savings and Retail Banking Group, in an earlier consultation response, called for clarification on how Annex III.5 (essential private services) interacts with financial sector supervision already conducted by the European Central Bank and national authorities.

On usefulness, the question is whether the practical examples help providers and deployers make classification decisions. The guidelines cover all eight Annex III areas, but the examples are explicitly non-exhaustive. Stakeholders are invited to propose additional use cases or flag scenarios where the current examples create confusion.

The consultation also invites input on future guidelines covering the requirements and obligations that high-risk systems must meet, including responsibilities along the AI value chain.

The Enforcement Gap

The guidelines were originally due by 2 February 2026. The Commission missed that deadline. As IAPP reported, the delay contributed to the political pressure that produced the Digital Omnibus. More than 110 EU-based businesses lobbied for a two-year pause on high-risk enforcement, citing the absence of guidance and standards.

The provisional agreement addressed the timeline but not the underlying capacity gap. National competent authorities are still being designated. Harmonised standards remain in development. Notified bodies for third-party conformity assessment are not yet fully operational across all member states.

The guidelines, once finalised, will provide interpretive clarity. They will not resolve the infrastructure deficit.

Implications

• Providers should review the draft guidelines against their current AI inventory and assess whether any systems fall within Annex III domains. The derogation pathway requires documented risk assessment and EU database registration.
• Deployers should verify provider classifications and ensure intended use aligns with the system's documented purpose. Deviating use may trigger reclassification.
• Public sector bodies face additional scrutiny: under Article 111, systems deployed by public authorities before the compliance deadline must still comply by 31 December 2030.
• Consultation participants should focus feedback on specific examples, interpretive ambiguities, and sectoral overlaps. The Commission has indicated it will consider only responses submitted through the official questionnaire.