For nearly two years, AI developers, deployers, and lawyers across Europe have been asking the same question: is my system high-risk? The European Commission's draft guidelines on Article 6 of the EU AI Act, published in May 2026, are meant to finally answer it. They arrive just months before the high-risk obligations in Article 6 and Annex III become fully applicable in August 2026, leaving providers a narrow runway to retrofit conformity assessments, risk management systems, and post-market monitoring into products that were never designed with this regime in mind.
The guidelines are not law. They are interpretive. But in practice, regulators and national market surveillance authorities will lean on them heavily — and so will plaintiffs, insurers, and procurement teams writing AI clauses into contracts. That makes the document one of the most consequential pieces of soft law the Commission has issued since the AI Act's adoption in 2024.
What Article 6 Actually Says
Under Regulation (EU) 2024/1689, an AI system is 'high-risk' in two situations. First, if it is a safety component of a product already covered by Union harmonisation legislation listed in Annex I (medical devices, toys, machinery, vehicles, and so on). Second, if it falls within one of the eight Annex III use cases — biometric categorisation, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and the administration of justice and democratic processes.
The complication is Article 6(3), introduced late in the legislative process. It says an Annex III system is not high-risk if it does not pose a 'significant risk of harm' to health, safety, or fundamental rights — for instance, where it performs a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing human assessment, or performs preparatory work. That carve-out was hailed by industry as a critical proportionality valve. Civil society called it a loophole. Two years on, no one has been entirely sure which it is.
What the Draft Guidelines Clarify
The draft guidelines work through Article 6(3) in detail, with worked examples for each derogation. They confirm that providers themselves make the initial classification call, but must document the assessment — and that documentation will be reviewable by national competent authorities. The Commission also clarifies that a system used in an Annex III area is presumptively high-risk; the burden sits on the provider to justify a derogation, not the other way round.
Several practical points stand out:
- Profiling kills the carve-out. Any system that profiles natural persons is high-risk, full stop — the Article 6(3) exception is not available. This aligns the AI Act with the GDPR's existing concerns about automated decision-making under Article 22.
- 'Preparatory work' is read narrowly. A CV-screening assistant that pre-ranks candidates does not qualify as merely preparatory if recruiters routinely defer to the ranking.
- Human oversight must be substantive. The 'improvement of human activity' derogation only applies where the human reviewer is genuinely empowered and equipped to override — rubber-stamping does not count.
- Sector-specific lists are coming. The Commission signals further guidance for hiring, education, and credit scoring, where classification has proved most contested.
A Pro-Innovation Read
On balance, this is a useful document. Regulatory certainty is itself a form of innovation policy: every month a startup spends guessing at compliance is a month it is not shipping. The Commission has resisted the temptation to read Article 6(3) out of existence, and the worked examples will materially help in-house counsel scope conformity assessment obligations.
The deeper problem is structural, not interpretive. Conformity assessments, technical documentation under Annex IV, post-market monitoring, registration in the EU database, and incident reporting are heavy lifts even for well-resourced firms. The Commission's own impact assessment, published alongside the original 2021 proposal, estimated per-system compliance costs in the range of €6,000–€7,000 for a high-risk system before adjustment — a figure many independent analyses, including a widely cited study by the Center for Data Innovation, argued was a serious underestimate once quality management system overheads are factored in.
For European SMEs and open-source developers, that math is brutal. The AI Act includes sandboxes and SME support measures, but the conformity machinery is still calibrated for firms that already employ regulatory affairs staff. If the high-risk perimeter ends up being drawn too widely in practice — and providers err on the side of caution to avoid enforcement risk — Europe could see the same dynamic that played out under the GDPR, where smaller players exit categories of activity and incumbents consolidate.
What to Watch
The draft guidelines are open for consultation through summer 2026, with final adoption expected before the August 2026 application date. Three things are worth tracking. First, whether the Commission tightens or relaxes the Article 6(3) derogations in response to feedback — civil society groups including EFF and EDRi have argued the carve-outs are already too permissive, while industry groups want them broadened. Second, how national authorities, especially in Germany, France, and Ireland, signal their enforcement priorities. Third, whether the AI Office's forthcoming guidance on general-purpose AI models meshes with the high-risk regime, or creates parallel compliance tracks that providers must reconcile.
Clarity is welcome. But clarity about a heavy regime is still a heavy regime. The next test for Brussels is whether implementation matches the proportionality language in the law itself — or whether, in practice, 'high-risk' becomes the default, and innovation moves to jurisdictions that draw the line more carefully.