EU AI Act Unpacked #32: Draft Commission Guidelines on “High-Risk” AI – Implications for Classification in Practice
The Commission has published its first draft guidelines on the classification of high-risk AI systems under Article 6 of the AI Act (Guidelines). While the Guidelines do not alter the legal framework, they provide the most detailed indication to date combined with useful examples of how regulators are likely to approach classification in practice.
This post walks through (i) the general principles for high-risk classification; (ii) classification under Article 6 (1) and Annex I; (iii) classification under Article 6(2) and Annex III, (iv) next steps in the finalisation of the Guidelines and the timeline for the entry into application of the obligations under Article 6, and (v) our key takeaways.
1. General principles: classification turns on function not form
Before addressing the two classification tracks, the Guidelines lay down two principles that cut across the regime.
Only AI systems fall within scope
As a threshold matter, the system must meet the AI Act definition of an AI system. This may appear straightforward, but in practice requires alignment with the Commission’s separately published guidelines on the definition of an AI system, already covered in one of our previous blogposts.
Intended purpose is central
The intended purpose of an AI system plays a pivotal role in its high-risk classification. Under Article 3 (12) of the AI Act, "intended purpose" means "the use for which that system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials, and statements, as well as in the technical documentation."
The Guidelines make clear that merely asserting in terms of service that high-risk uses are excluded is insufficient to avoid high-risk classification. Providers are supposed to describe the intended use of their system across relevant materials, including instructions for use, promotional content, and technical documentation.
This is particularly important for systems with multiple purposes or general-purpose AI systems: where such systems are presented, across documentation, marketing or technical materials, as broadly applicable across a wide range of contexts, without clearly and consistently limiting or excluding high-risk uses, their intended purpose may potentially be deemed to include high-risk use cases. This will be the case, in particular, where those uses are feasible and reasonably foreseeable in light of the system’s functionalities and capabilities.
Distributors, importers, deployers and other third parties may themselves become subject to provider obligations under Article 25 of the AI Act if they modify the intended purpose of a non-high-risk AI system in such a way that it becomes high-risk.
2. High-risk classification under Article 6 and Annex I: AI as a product or safety component
The first classification track under Article 6 applies to AI systems (i) that are intended to be used as a safety component of a product, or that are themselves a product, covered by Union harmonisation legislation listed in Annex I of the AI Act, and that (ii) are required to undergo a third party conformity assessment.
The Guidelines specifically focus on the notion of "safety component", which has its own meaning under the AI Act.
The concept of safety component
An AI system qualifies as a safety component where it either: (i) performs a safety function; or (ii) where its failure or malfunctioning could endanger the health and safety of persons or property.
Fulfilling a safety function requires that the safety function is the intended purpose of the AI system as specified by the provider and consists in preventing or mitigating risks to the health and safety of persons or property. For example, an AI system monitoring gas concentration, or system triggering a safe stop or speed reduction.
Failure or malfunctioning endangering health and safety captures AI systems that control or influence hazardous processes where failure could create or amplify risks. For example, an AI system optimising combustion efficiency in a household gas appliance may constitute a safety component if its failure could lead to carbon monoxide formation, explosion or fire even though its intended purpose is energy efficiency.
The role of conformity assessments
A further (often misunderstood) element is that the product or system must be subject to a relevant conformity assessment regime. The AI Act does not define these procedures but relies on existing product legislation structures specifically Decision 768/2008/EC. The link to third-party conformity assessment reflects the broader logic of aligning AI classification with existing regulatory risk categorisation of products.
3. High-risk classification under Article 6 and Annex III: the use-case track
The second classification track (Annex III) captures AI systems used in predefined use cases considered sensitive.
Across the examples, a consistent approach emerges: AI is high risk where it materially influences decisions affecting individuals, particularly in ways that impact:
access to opportunities (e.g., jobs, education),
access to services (e.g., credit, benefits), or
rights and freedoms.
The role of human involvement
One of the most significant clarifications in the Guidelines concerns the role of human involvement which cannot exempt system from high-risk classification. They make clear that human involvement cannot, in itself, prevent an AI system from being classified as high-risk. This is because classification hinges on the intended purpose of the system, which is not altered by the presence of human oversight. Human involvement is a compliance requirement under Article 14 of the AI Act for systems already classified as high-risk.
That said, the Guidelines recognise that the nature and degree of human involvement may still be relevant in the context of the filter mechanism. In particular, it may support an argument that the system performs only a limited or preparatory function and therefore does not materially influence decision-making.
Complex and modular AI systems
The Guidelines also address complex or modular AI systems where several AI systems form part of a broader system with a combined intended purpose or joint outputs that materially influence an individual decision.
In such cases, according to the Guidelines, the system must be assessed as a whole. The use of split architectures cannot be used to avoid high-risk classification. This principle also extends to more advanced configurations, including agentic AI systems that coordinate through interconnected actions.
That said, the Guidelines allow for a limited carve-out: only genuinely separable components that perform strictly procedural or preparatory functions and do not contribute to the high-risk purpose may remain outside the high-risk classification.
The "filter mechanism" to exempt systems from high-risk classification
Article 6(3) of the AI Act provides a critical filter mechanism allowing providers of AI systems that would otherwise fall within a use case in Annex III to self-declare that their system is not high-risk, where the system meets at least one of four conditions:
(a) the AI system is intended to perform a narrow procedural task, such as transforming unstructured into structured data, classifying documents into predefined categories, or detecting duplicates. This does not cover systems that perform value judgements of data relevant for decision-making. For example, according to the Guidelines systems that rank, score, or label inputs as “useful” or “less useful” for a human assessment go beyond a purely procedural role and therefore fall outside this exemption.
(b) the AI system is intended to improve the result of an activity already completed by a human, without replacing or autonomously performing that activity. The notion of "improve" is deliberately distinct from "review": the AI system must not be intended to provide a materially different result from the one previously reached by the human. Any improvement must not alter the rights, protections, or legal/economic position of the individuals affected. For example, systems that flag errors or contradictions in finalized human work that perform a quality-assurance function.
(c) the AI system is intended to detect patterns or deviations in previously completed human decisions, without replacing or influencing the previously completed human assessment without proper human review.
(d) the AI system is intended to perform a preparatory task to an assessment relevant for the use cases in Annex III, such as indexing, searching, processing or linking data. The decisive factor is the task’s role in the decision-making process and the proximity of the task to the final human decision: if the AI system's output is intended to produce a specific recommendation or evaluation of a case, it may play too decisive a role to qualify as preparatory. For example, according to the Guidelines, an AI system that generates job descriptions based on inputs predefined by a human recruiter performs a narrow procedural task. As it does not meaningfully influence the recruitment process, it falls within the filter and is not classified as high-risk.
This mechanism operates subject to two important overarching limitations. First, the filter mechanism is never available to AI systems that perform profiling. For example, an AI system used to detect deviations in recruitment decisions (without replacing the underlying human assessment) may in principle fall within the pattern‑detection filter. However, where the system also evaluates the personal characteristics of recruiters, thereby engaging in profiling, the filter mechanism is no longer available.
Second, it cannot apply if the AI system forms part of a complex system where the combined intended purpose or joint outputs materially influence an individual decision within a high-risk use case.
Spotlight on biometrics and employment
Of the eight areas listed in Annex III, two particularly stand out for private-sector-relevance: biometrics and employment and workers' management.
Biometrics (Annex III, point 1)
The guidance provided by the Commission in this area is notable for how broadly it conceptualises the use of biometric data.
Unlike the GDPR definition, the AI Act deliberately captures systems that use biometric data beyond identification, including systems that draw inferences about individuals. This significantly expands the relevance of the category in practice.
Within this area, three use cases are covered:
- (a) Remote Biometric Identification (RBI) – AI systems that identify individuals, as opposed to merely verifying their claimed identity, by comparing their biometric data against a reference database, without requiring their active involvement in the process. For example: AI system that uses gait recognition to compare the known fugitive’s stored biometric gait profile of an individual against CCTV footage feeds collected from nearby transport hubs to track the individual after a first detection on the reference material.
- (b) Biometric categorisation – AI systems that assign individuals to categories according to sensitive or protected attributes based on their biometric data. To qualify as high-risk, the system must use biometric data to infer sensitive or protected attributes and then classify individuals on that basis. In practical terms, biometric data functions as the input, while the sensitive or protected characteristic (e.g., health, ethnicity) is the inferred output driving the classification. For example: AI system used to detect early symptoms of diseases that manifest themselves in mobility issues. The system captures patients’ gait, infers their health data based on captured gait data, and assigns those individuals to pre-defined categories (e.g., early stages, advanced stages of diseases).
- (c) Emotion recognition – AI systems that identify or infer emotions or intentions (not physical state such as fatigue) from biometric data. For example: AI system that analyses customers’ voices and evaluates vocal tone, pitch and volume to measure customer satisfaction level for statistical reasons, to identify the moment to route them to a human agent.
The Guidelines also highlight the close interaction between this use case and the AI Act’s prohibitions (for more information on prohibited AI practices refer to Part 2 and Part 3 and Part 4 of our series blogpost covering the Commission’s first set of implementation guidelines). Where systems fall short of being prohibited (e.g., emotion recognition outside restricted contexts), they will often still be classified as high-risk — effectively creating a continuum between prohibition and high-risk regulation.
Employment, workers' and management (Annex III, point 4)
If biometrics illustrates the breadth of the regime, the employment category demonstrates its depth of impact.
The Guidelines takes an expansive view of scope: covering not only traditional employees, but also (by way of example) self-employed individuals formally integrated within organisations and persons providing services through platforms.
Within this area, two use cases are covered:
(a) Recruitment and selection – This covers the entire process of forming a new work-related relationship, from the initial identification and attraction of candidates through to the conclusion of a contract. It includes the assessment, filtering and ranking of candidates and the contracting of self-employed persons.
(b) Decisions affecting work-related relationships – AI systems used to manage work-related relationships after recruitment and selection, regarding decisions on terms, promotion, termination, task allocation, and performance monitoring. The influence such systems can have over workers' livelihoods, rights and career justifies their classification as high-risk.
The underlying rationale under the Guidelines is clear: these systems can have a direct and material effect on individuals’ livelihoods and career trajectories, and therefore warrant stricter scrutiny.
The Guidelines also underscore the risk that such systems may perpetuate or amplify existing biases, particularly in areas such as gender, age or ethnicity – a theme that runs across multiple examples.
At the same time, the Commission provides some limited room for nuance through the Article 6(3) filter. Tools that merely organise or visualise data (e.g., attendance reports) may fall outside high-risk classification where they do not influence decisions. However, systems that evaluate, rank or monitor individuals will typically remain in scope.
The remaining Annex III areas at a glance
The same logic can be observed across the remaining Annex III areas:
Critical infrastructure (point 3.2) classification is conditional on the AI system serving as a safety component within the management or operation of critical infrastructure covered by the Critical Entities Resilience Directive (which excludes systems that are merely supportive, informational or optimisation-oriented).
Education and vocational training (point 3.3) cover four use cases: admission, learning outcome evaluation, level assessment and exam monitoring. Only summative evaluations (i.e., those leading to a grade or qualification and affecting a student’s educational trajectory) are typically high-risk, whereas formative systems providing ongoing feedback generally are not.
Access to essential private and public services (point 3.5) is one of the broadest areas, covering AI systems intended to be used to assess eligibility for public benefits and healthcare, evaluate creditworthiness or establish credit scores, assess risk and pricing in life and health insurance, and classify and dispatch emergency calls and triage.
Law enforcement (point 3.6) covers five use cases including victim risk assessment, polygraph-type tools, evidence reliability evaluation, offending and reoffending risk assessment, and profiling. Within the Guidelines, the definition of law enforcement authority depends on the tasks the AI system is used for rather than the formal designation of the body deploying it.
Migration, asylum and border control (point 3.7) covers polygraph-type tools, risk assessment of persons seeking entry or stay, assistance with asylum, visa and residence applications, and identification of natural persons. The use cases apply only where the system is used by or on behalf of competent public authorities or Union institutions.
Administration of justice and democratic processes (point 3.8) covers AI systems assisting judicial authorities in researching and interpreting facts and the law, applying the law to concrete sets of facts, and influencing electoral and democratic processes.
4. Next steps and timing
The draft Guidelines have been published for a first stakeholder feedback ahead of the Commission adopting a finalised version. Before adoption, the Guidelines will be further consulted with the AI Board, which has been involved in their development alongside Member States, and published for an additional round of stakeholder input.
On timing, according to Article 113 of the AI Act, Article 6(2) and the corresponding obligations for high-risk AI systems will apply from 2 August 2026, whereas Article 6(1) and the corresponding obligations will apply as from 2 August 2027. These dates are now postponed with the AI Omnibus to 2 December 2027 and 2 August 2028 respectively.
5. Key takeaways
Several clear themes emerge:
Intended purpose is determinative – it must be described clearly, consistently, and without ambiguity across materials. A mismatch between what a system does in practice and how its purpose is described will not protect providers from high-risk classification.
Human oversight does not impact the classification – providers cannot avoid high-risk classification just by building in human-in-the-loop mechanisms. Oversight is a compliance requirement for systems already classified as high-risk, not a design feature that avoids it.
The filter mechanism – the four conditions in Article 6 (3) allow providers to avoid classification for systems at the margins, but they must be interpreted strictly and are unavailable where profiling is involved or where the system is part of a broader complex system.
Complex architectures are assessed holistically – the move towards agentic AI and modular system design does not open a path around high-risk classification. Where a combined system's purpose or outputs materially influence an individual decision covered by Annex III, the system is high-risk.
While not binding, the Guidelines are nevertheless likely to shape market practice and supervisory expectations, thereby significantly reducing interpretive flexibility. In doing so, they continue to position the AI Act as a reference point in international discussions on AI regulation, where its combination of an ex ante classification system and a high degree of operational detail remains unmatched.
