On May 19, 2026, the European Commission (EC) published draft guidance on how to determine whether an AI system qualifies as a high-risk AI system (HRAIS) under the EU’s Regulation 2024/1689 on artificial intelligence (AI Act). The draft reflects input from stakeholders and EU Member States through the EU AI Board and represents the most detailed interpretative material issued to date on this topic.
What the EC Published
The EC released a package of three complementary documents that together set out its proposed approach to HRAIS classification (available here as well as in a user-friendly format via the AI Act Single Information Platform available here):
- An HRAIS classification methodology overview document (6 pages, available here): This document sets out the EC’s overall approach to HRAIS classification, including the proposed analytical methodology for determining whether an AI system qualifies as high-risk. It also clarifies the timeline for the application of relevant AI Act provisions in light of the AI Act Omnibus (discussed in a previous A&B blog post available here), which delays the entry into application of certain HRAIS obligations. In particular:
-
- The rules applicable to HRAIS qualifying as safety components of products – or as products themselves – under the sectoral legislation listed in Annex I of the AI Act are expected to apply from August 2, 2028; and
- The rules applicable to HRAIS falling within the use cases listed in Annex III of the AI Act are expected to apply from December 2, 2027.
- An HRAIS classification methodology for AI systems as safety components or regulated products (Article 6(1) and Annex I of the AI Act) (13 pages, available here): This document sets out the methodology for classifying AI systems that qualify as safety components of products – or as products themselves – under the sectoral EU legislation listed in Annex I of the AI Act (e.g., machinery, toy safety, lifts, radio equipment, pressure equipment, and gaseous fuels); and
- An HRAIS classification methodology for “standalone” AI systems (Article 6(2) and Annex III of the AI Act) (148 pages, available here): This document addresses the classification of HRAIS based on the use cases listed in Annex III of the AI Act, including where such AI systems are used or intended to be used for certain purposes in connection with biometrics, critical infrastructure, employment, and law enforcement.
Key Takeaways for Businesses
The draft guidance provides meaningful insight into how EU regulators are likely to assess high-risk classification in practice, including:
- Detailed guidance on the interpretation of key AI Act concepts, including “safety function”, “intended purpose”, “risk assessment”, and the “context and conditions of use” of AI systems;
- Clarification of when the “filter mechanism” – which allows certain systems to be excluded from HRAIS classification – may apply, and expands on the implications of the mechanism for the applicability of HRAIS obligations;
- An overview of how human involvement and the profiling of natural persons affect HRAIS classification, notably in specific contexts covered by Annex III (i.e., for standalone AI systems);
- Practical direction on how to approach classification in more complex scenarios – such as where AI systems form part of broader products or services, or where their use may raise questions as to whether they fall within the scope of prohibited practices under the AI Act; and
- Concrete examples illustrating use cases that would be high-risk, and those which would not.
What’s Next?
The guidelines are not yet final and are open for public consultation until June 23. Feedback can be submitted via the dedicated consultation link (available here). As such, the guidelines may be further revised and should not be regarded as definitive at this stage.
While non-binding, the guidelines provide important interpretative support for both deployers and providers-as they provide a practical basis for determining – at least on a preliminary basis – whether their AI systems are likely to qualify as high-risk. The guidelines will also be of relevance for regulators overseeing compliance with the AI Act.
The EC makes clear that the guidelines are not exhaustive and may be revised or supplemented over time. This may include additional guidelines on the obligations of providers and deployers, as well as the development of regulatory sandboxes, which EU AI authorities are required to establish by August 2, 2026.
If you have any questions regarding the EC’s guidelines on the classification of HRAIS under the AI Act, or the related obligations, the Alston & Bird Privacy, Cyber & Data Strategy team is available to help.
