The EU's High-Risk AI Filter: Inside the May 2026 Draft Guidelines

On 19 May 2026, the European Commission published its long-delayed draft guidelines on the classification of high-risk AI systems under Article 6 of Regulation (EU) 2024/1689, the AI Act. The package is three documents: a general-principles paper, a paper on Annex I (AI as a product or safety component of regulated products like medical devices, machinery, vehicles, and lifts), and a paper on Annex III (the eight use-case domains where AI is high-risk regardless of the product context). Stakeholder feedback is open through the AI Act Single Information Platform questionnaire until 22:00 CET on 23 June 2026. The guidelines are not legally binding once final (only the Court of Justice can give the authoritative reading), but national supervisors and notified bodies will treat them as the working interpretation from day one.

The headline most readers will see is that the Commission missed its original 2 February 2026 deadline and arrived three months late. The substance is more consequential. The draft narrows the Article 6(3) exceptions that most providers and deployers have been quietly relying on, and it closes several common workarounds that vendor contracts and marketing materials have used to keep AI systems out of scope.

Key Takeaways

• The draft guidelines were published 19 May 2026 across three documents (general principles, Annex I product safety, Annex III use cases), with the consultation window closing 23 June 2026
• The Digital Omnibus on AI defers the high-risk obligations: Annex III systems are due 2 December 2027 (was 2 August 2026), Annex I systems are due 2 August 2028 (was 2 August 2027); GPAI provisions from 2 August 2025 are unaffected
• Article 6(3) has four exceptions (narrow procedural task, improvement of completed human work, ex-post pattern detection, preparatory task) and the Commission reads each narrowly; profiling under GDPR Article 4(4) removes the filter in every case
• A CV-screening tool that scores or ranks candidates is high-risk; a CV-screening tool that only sorts into predefined buckets without evaluative weight may qualify for exception; the operational substance of the system, not the contract language, decides
• Multi-agent and modular AI systems are assessed as a single unified system: module-by-module Article 6(3) claims do not work when the combined configuration materially influences a high-risk decision
• For Article 6(2) classification, the "intended purpose" comes from instructions, technical documentation, AND marketing materials. Disclaimers in terms of service do not insulate a system whose marketing presents it as deployable in high-risk contexts

What the Three Documents Cover

The classification regime under Article 6 has two routes. Article 6(1) treats an AI system as high-risk when it is itself a product, or a safety component of a product, that is already regulated under EU sectoral law listed in Annex I: the Machinery Regulation, the Toys Safety Regulation, medical device regulations, automotive type-approval, civil aviation, and others. Article 6(2) treats an AI system as high-risk when its intended purpose falls into one of the eight use-case categories in Annex III. Article 6(3) is the filter: four conditions under which an Annex III system can escape the high-risk regime.

Each of the three guideline documents serves a different audience:

• General principles. How the Commission reads Article 6 as a whole. The most important reading here is the Commission's stance on agentic and multi-agent systems: classification is assessed at the level of the deployed system, not its components.
• Annex I (product safety route). How AI inside a regulated product gets classified. The Commission clarifies that a manufacturer's procedural choice of internal conformity control under Module A cannot displace high-risk classification, even when harmonised standards are applied. Practical examples cited in the draft include combustion-efficiency optimizers in gas appliances (carbon monoxide and explosion risk), lift door-timing systems, vehicle lane-assistance, and agricultural spraying systems. Most consumer smart-home appliances fall outside if they exist for "convenience, comfort or efficiency optimisation" where failure means a higher bill or discomfort, not safety harm.
• Annex III (use-case route). How the eight categories are read and how the 6(3) filter applies. This is the document with the most direct impact on the largest number of enterprise deployments, because employment, education, essential services, and biometrics are where mid-market AI buying lands first.

The Eight Annex III Categories

The eight Annex III domains, restated in the draft, are unchanged from the text of the Act:

A system whose intended purpose lands in any of these is in scope unless the Article 6(3) filter applies, and the filter is the part the market has been treating as broader than it is.

The Article 6(3) Filter, Read Narrowly

Article 6(3) lets an Annex III system escape high-risk classification if it does not pose a significant risk of harm to health, safety or fundamental rights AND meets at least one of four conditions. The Commission's draft reads each condition narrowly because, as the guidelines put it, Article 6(3) is an exception to rules designed to protect fundamental rights and must be interpreted narrowly.

Condition (a): Narrow procedural task. The system performs a structurally simple action: categorising, reformatting, structuring, or deduplicating input. The dividing line is between organising input and assessing it. A tool that converts free-text CVs into a structured database row is in. A tool that scores those CVs on suitability is out, even if a human reviews the score afterwards.

Condition (b): Improvement of completed human work. The system refines the output of an already-completed human activity without changing rights, legal standing, or economic position. The Commission's reading is that "improvement" excludes substantive review or revision. Grammar polishing on a final letter is in. AI rewriting the substance of a decision before issuance is out.

Condition (c): Pattern detection (ex post). The system identifies patterns or deviations in past decision-making, for quality assurance, training, or audit, provided that the underlying human assessments were complete first and the AI's comparison is retrospective. A monitoring system that detects drift in promotion decisions over the last 24 months is in. A system that flags candidates in real time as deviating from prior patterns is out.

Condition (d): Preparatory task. The system functions before the substantive assessment begins (indexing, searching, retrieving) without reaching any conclusion that informs the decision. A document-search tool that surfaces case law for a judge is in. A tool that ranks case law by predicted relevance to the disposition is out.

Two cross-cutting limits apply to all four conditions:

• Profiling carve-out. If the system performs profiling within the meaning of GDPR Article 4(4) (any automated processing of personal data that evaluates personal aspects to predict or analyse work performance, economic situation, health, preferences, location, behaviour, reliability, or movements), the 6(3) filter is unavailable. The draft is explicit: the filter is removed "in every case" where profiling is present.
• Modular and agentic systems. Where an AI system has multiple modules or an agentic, multi-step architecture, the Commission assesses the combined system, not each module independently. A retrieval module that would qualify under (d) on its own does not protect a downstream scoring module that does not. The deployed configuration is what gets classified.

For boards and legal teams, the practical move is to retest every Article 6(3) claim already in the portfolio against the draft conditions, with documented evidence and not just contract language. Systems that internal counsel cleared as out-of-scope on a previous, broader reading of the Act will move back into scope under the draft.

"Intended Purpose" Is Decided by Substance, Not Disclaimer

For Article 6(2) systems, classification depends on the provider's stated intended purpose. The draft tells supervisors how to determine that purpose: read the instructions for use, the technical documentation, AND the marketing materials. All three must align.

Three specific traps are now closed:

• The terms-of-service disclaimer. A contract that says "this system is not intended for high-risk use" does not control if the user-facing marketing presents the same system as suitable for hiring decisions, credit underwriting, or other Annex III contexts. The draft is explicit: merely asserting in the terms of service that high-risk uses are excluded is insufficient.
• The general-purpose carve-out. Enterprise copilots, general-purpose models, and platform AI deployed across multiple use cases cannot rely on a contractual carve-out without coherent operational substance. If the system is sold for, configured for, or supported for an Annex III use case, it is in scope at provider level, and the deployer carries deployer obligations on top.
• The breadth-of-application argument. Systems "presented as broadly applicable across multiple contexts with feasible high-risk use cases" are deemed to encompass those uses regardless of disclaimers. Selling a system that can do CV screening with a footnote saying users should not use it for CV screening does not move it out of Annex III.

The implication is that the next time procurement or legal evaluates an AI tool, the diligence file has to include the marketing landing page, the data sheet, the customer-success deck, and the contract, and they all need to describe the same system. If they describe different systems, the classification is decided by whichever one is broadest.

What the Digital Omnibus Changed About the Calendar

The original AI Act timeline had Article 6(2) high-risk obligations entering application on 2 August 2026, a date that drove most of the in-flight enterprise compliance work. Under the Digital Omnibus on AI, agreed at the May 2026 trilogue, that date moves to 2 December 2027 for Annex III (Article 6(2)) systems and to 2 August 2028 for Annex I (Article 6(1)) embedded systems. GPAI provisions that took effect 2 August 2025 and the prohibitions in Article 5 are unaffected.

The deferral is not a reprieve. It is a re-baselining:

• The 2 December 2027 date is now the constraint on the Annex III evidence pack: risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity, and EU database registration for any classified-high-risk system.
• The 2 August 2028 date is the constraint on Annex I products, which involves harmonised standards, notified-body conformity assessment for some Module choices, and CE marking adjustments. Substantially longer lead times than software deployment.
• The draft classification guidelines fix the interpretation the supervisors and notified bodies will use to evaluate that evidence. Vendors and buyers who waited for the deferral are now working with both more time and a tighter reading.

For the cross-framework view of how the AI Act overlaps with NIS2, DORA, CRA, and the revised CSA, see the five frameworks, one vendor analysis. For how runtime AI governance maps to the AI Act's risk-management and human-oversight obligations, see AI governance as an operating system. For the boardroom evidence pack that supports an Article 6(2) classification claim, see from AI principles to proof of control.

What Changes in Diligence and Deployment

For four audiences, the draft guidelines change a specific workflow:

Boards. The AI inventory needs a classification column: Annex I, Annex III (with category), Article 6(3) claim (with condition), or not in scope. Every Article 6(3) claim should reference one of the four conditions and the evidence supporting it. Every Annex III system should have an EU database registration owner and a documentation start date.

Procurement and legal. Vendor contracts can no longer rely on disclaimer language. The buyer's diligence has to look at how the vendor markets the system, what the data sheet says about intended purpose, and whether the contract description matches the deployment reality. Where they diverge, the buyer's deployer obligations expand to fill the gap.

Mid-market deployers. Most mid-market organisations are deployers, not providers. Under the draft, deployer obligations attach to any high-risk system in production: human oversight, monitoring, log retention, transparency to affected individuals, and impact assessment where personal data is involved. The two-year deferral is the implementation runway.

M&A buyers. Target diligence on AI capabilities now has to reach into intended purpose, contractual alignment, and Article 6(3) claims. A target with a portfolio of "out of scope by contract" AI systems is carrying an undiagnosed compliance liability that transfers on close. For the deal-team-specific lens, see how deal teams should diligence AI-heavy targets.

The draft guidelines are the first time the Commission has put its reading of Article 6 on the page at this level of granularity. Between now and 23 June 2026, the stakeholder consultation will narrow some interpretations and widen others. After adoption (most likely Q4 2026) the reading the Commission lands on becomes the working baseline for every supervisor, notified body, and conformity-assessment process in the EU. The companies that map their portfolio against the draft now will spend the next 18 months building the documentation pack the Commission is asking for. The companies that wait will start the same work after 2 December 2027, under enforcement.