EU Tries to Draw Clearer Lines Around High-Risk AI

Key Takeaways
  • Commission Seeks Clarity on High-Risk AI: The European Commission has published draft guidelines to help organizations determine whether an AI system should be classified as high-risk under Article 6 of the AI Act.
  • Two Routes to High-Risk Status: AI systems may be deemed high-risk either because they serve as safety components in regulated products covered by Annex I or because they are used in specific high-impact use cases listed in Annex III.
  • Practical Examples Included: The draft guidance provides real-world examples of AI systems that should and should not be classified as high-risk, aiming to reduce uncertainty and promote more consistent application of the law.
  • Classification Drives Compliance Obligations: A high-risk designation can trigger extensive requirements related to risk management, human oversight, data governance, technical documentation, and ongoing monitoring.
  • Focus Shifts From Legislation to Implementation: The guidance signals a broader transition from debating the AI Act's provisions to applying them in practice, with classification decisions becoming a critical first step in compliance efforts.
Deep Dive

For much of the debate surrounding the EU AI Act, "high-risk" has been treated as a category everyone understood. It turns out that understanding it and applying it are not quite the same thing.

The European Commission has published draft guidelines intended to help companies, public authorities, and regulators determine whether an AI system falls into one of the AI Act's most consequential categories. The document focuses on Article 6 of the legislation, the section that determines when an AI system should be classified as high-risk and therefore become subject to some of the law's most extensive compliance obligations.

The guidance does not create new rules. Instead, it attempts to answer a question that has lingered since the AI Act was negotiated: when organizations sit down to assess an actual AI system rather than a hypothetical one, where exactly is the line?

That question matters because the difference between a high-risk system and one that falls outside the designation can be significant. Once an AI system is classified as high-risk, providers face requirements covering risk management, documentation, human oversight, data governance, monitoring, and a range of other controls that will shape how the technology is developed and deployed.

The Commission's draft guidance follows the structure of Article 6 itself, which establishes two routes through which an AI system can become high-risk.

Two Different Paths

The first is relatively straightforward. An AI system is classified as high-risk when it functions as a safety component of certain regulated products, or when the AI system itself is one of those products, provided the product falls under specific EU harmonization legislation listed in Annex I of the AI Act and is subject to third-party conformity assessment requirements.

In practical terms, this part of the framework focuses on sectors where product safety already sits at the center of regulatory oversight. Medical devices, machinery, aviation systems, vehicles, toys, and similar products are among the areas where AI can become part of an existing safety regime rather than a standalone regulatory issue.

The second route is where much of the debate has concentrated. Article 6 also classifies certain AI systems as high-risk because of how they are used. Annex III of the AI Act identifies specific use cases where AI decisions can have significant consequences for individuals, including applications involving biometric systems, education, employment, critical infrastructure, access to essential services, law enforcement, migration management, and the administration of justice.

That sounds clear enough on paper. It becomes more complicated when translated into real-world deployments. An AI system used to assist recruitment decisions may fall into one category. A similar system used for a different purpose may not. Context matters. Intended use matters. The role the system actually plays in a decision-making process matters.

The Commission's draft guidance is largely an attempt to bring greater consistency to those judgments.

The Importance of Examples

Perhaps the most useful feature of the document is also the least glamorous. The Commission spends considerable time providing examples. Regulatory texts tend to operate at a high level of abstraction. They describe categories, principles, and legal tests. Organizations trying to determine whether their own systems fall within those categories often end up asking a much simpler question: what does this look like in practice?

The draft guidance attempts to answer that question by providing examples of AI systems that should be classified as high-risk and others that should not.

The Commission is careful to note that these examples are not exhaustive. They are illustrations rather than definitive rulings. Even so, they offer something many organizations have been seeking since the AI Act's adoption: a clearer sense of how regulators are thinking about classification decisions in the real world.

That may prove particularly important as AI systems become more complex.

The original legislative debate often focused on discrete applications performing discrete tasks. Increasingly, organizations are deploying AI systems that interact with other systems, operate across multiple functions, or are incorporated into broader workflows. Determining where regulatory obligations begin and end becomes considerably harder when technology refuses to fit neatly into predefined boxes.

From Legislation to Enforcement

The publication of the draft guidelines is a reminder that the AI Act is entering a different phase. For years, the discussion centered on political negotiations, legislative text, and headline provisions. The harder work comes afterward.

Regulators must explain how broad legal concepts should be interpreted. Companies must translate those interpretations into governance frameworks, controls, and operational processes. Supervisory authorities must apply the rules consistently across industries and member states.

None of that happens automatically because legislation has been published. The Commission's guidance reflects an increasingly practical focus. The challenge is no longer defining what the AI Act says. The challenge is determining how organizations should apply it when evaluating actual systems, actual products, and actual use cases.

That may sound like a technical exercise. In reality, it is where much of the law's impact will be decided. Organizations can comply with obligations only after they know which obligations apply. Under the AI Act, that determination often begins with a deceptively simple question.

Is this system high-risk? The Commission's latest guidance is an effort to make sure more people arrive at the same answer.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
