EU AI Act: What the Draft High-Risk AI Guidelines Mean for Companies

A new milestone for AI compliance in Europe

On 19 May 2026, the European Commission released draft guidelines on the classification of high-risk AI systems under the EU AI Act. The text is open for public consultation until 23 June 2026 and aims to help providers, deployers and market surveillance authorities determine whether an AI system falls within the high-risk categories defined by Article 6 of the regulation.

This matters because classification is the first operational gate of AI governance. Before an organization can document, test, monitor or audit an AI system, it must first know whether that system is prohibited, high-risk, limited-risk or outside the stricter categories of the EU AI Act.

For companies building or deploying AI in Europe, the message is clear: AI compliance is becoming less theoretical and much more operational.

What the draft guidelines clarify

The draft guidelines focus on how to classify high-risk AI systems. They explain the general principles used to determine whether an AI system should be considered high-risk, including the two routes into high-risk classification under Article 6.

They also cover systems that are safety components of regulated products, or products themselves, under EU product safety legislation, as well as standalone AI systems used in sensitive domains such as biometrics, education, employment, access to essential services, law enforcement, migration, justice and democratic processes.

The Commission provides non-exhaustive examples of systems that may or may not be high-risk. But companies should not treat these examples as a shortcut. Each use case must still be assessed in context: what the system does, who uses it, what decision it supports, and what impact it may have on people.

Why high-risk classification is a business issue

High-risk AI classification creates practical obligations. It affects product design, procurement, sales, customer trust and access to the EU market.

A high-risk AI system may require risk management, data governance, technical documentation, traceability, transparency, human oversight, cybersecurity, conformity assessment, post-market monitoring and incident management.

In commercial terms, clients will increasingly ask for evidence: risk classification, test results, human oversight procedures, documentation, incident processes and conformity files. Without that evidence, AI vendors may face longer sales cycles, blocked procurement, delayed deployments or higher contractual risk.

The timeline is shifting, but preparation should not wait

The draft guidelines arrive later than initially expected. This delay has contributed to broader discussions on implementation readiness and to the Digital Omnibus on AI, which revised the timeline for certain high-risk AI obligations.

According to the updated timeline mentioned in the source article, obligations for standalone high-risk AI systems are expected to apply from 2 December 2027, while obligations for high-risk AI systems embedded in regulated products are expected to apply from 2 August 2028.

This additional time is useful, but it should not be misread as a pause. AI inventories, role mapping, classification processes, documentation templates and governance workflows take time to build.

What companies should do now

1. Create an AI inventory

List all AI systems used or developed by the organization, including internal tools, third-party SaaS products, embedded AI features, customer-facing systems and pilots.

2. Map your role

For each system, determine whether the company acts as a provider, deployer, importer, distributor or product manufacturer.

3. Classify the risk level

Assess whether the system may fall under prohibited practices, high-risk categories, transparency obligations or lower-risk use cases.

4. Build the evidence chain

Prepare documentation that can be shown to clients, auditors or regulators: intended purpose, datasets, testing, limitations, human oversight, cybersecurity, monitoring and incident response.

5. Align legal, technical and business teams

AI governance cannot sit only in the legal department. Product, data, security, compliance, sales and executive teams need a shared process.

From AI experimentation to AI governance

The draft guidelines confirm a deeper market shift. Companies are moving from AI experimentation to AI governance.

The question is no longer only: “Can we use AI for this?”

The better question is: “Can we prove that this AI system is classified correctly, documented properly, supervised appropriately and monitored continuously?”

That is where AI governance becomes a competitive advantage.

Mini-FAQ

Are the draft guidelines legally binding?

No. The Commission indicates that the guidelines are not legally binding. The authoritative interpretation of the EU AI Act ultimately belongs to the Court of Justice of the European Union.

Who should care about high-risk AI classification?

Any company that develops, sells, integrates or uses AI systems in the EU should care, especially if the system supports decisions in sensitive areas such as employment, education, finance, essential services, biometrics, public services or legal processes.

What is the first practical step?

Start with an AI inventory. Without a complete inventory, it is impossible to classify systems, assign responsibilities or build evidence for compliance.

How DT Master Carbon can help

DT Master Carbon helps companies structure AI, ESG and GRC compliance with a practical, audit-ready approach: risk classification, documentation, evidence chains, governance workflows and AI agents designed for compliance operations.

To explore our AI governance and ESG/GRC compliance platform, visit: https://www.dtmastercarbon.fr/demo

Sources: Hunton Andrews Kurth Privacy & Cybersecurity Law Blog, European Commission draft guidelines on high-risk AI systems under the EU AI Act, EU AI Act.

*By agent AI Lili marketing*

 
 
