What Do the EU AI Act High-Risk Guidelines Mean for UK Businesses?
The European Commission Has Finally Published Draft Classification Guidance. Here Is What It Means, What It Misses, and What You Should Do Next.
On 19 May 2026, the European Commission published its long-awaited draft guidelines on how to classify high-risk AI systems under Article 6 of the EU AI Act. These were originally due on 2 February 2026. They arrived three and a half months late.
The delay was not academic. It contributed directly to the political momentum behind the Digital Omnibus on AI, a legislative amendment that has now pushed the compliance deadline for standalone high-risk AI systems from August 2026 to December 2027, and for high-risk AI embedded in products to August 2028.
For UK businesses that sell into EU markets, supply AI-enabled services to EU clients, or operate across European jurisdictions, this creates a peculiar situation: you have more time to comply, but the rules you need to comply with are still in draft form. The consultation on these guidelines closes on 23 June 2026.
This article breaks down what the draft guidelines say, where the practical gaps sit, and what UK businesses should be doing now.
The Two Categories of High-Risk AI
The EU AI Act classifies AI systems as high-risk through two distinct routes, both set out in Article 6.
Category 1: Product Safety AI (Article 6(1) and Annex I)
An AI system is high-risk under this category if it is used as a safety component of a product, or is itself a product, covered by EU harmonisation legislation listed in Annex I, and that product is required to undergo a third-party conformity assessment. Think medical devices, machinery, toys, lifts, equipment for potentially explosive atmospheres, radio equipment, and civil aviation systems. If the AI is embedded in the product and the product already requires CE marking through a notified body, the AI system is classified as high-risk automatically.
Category 2: High-Risk Use Cases (Article 6(2) and Annex III)
The second route covers AI systems deployed across eight specific areas listed in Annex III. These are the use cases the Commission considers inherently sensitive because of their potential impact on fundamental rights. The eight areas are:
| # | Area | Examples |
|---|---|---|
| 1 | Biometrics | Remote biometric identification, emotion recognition, biometric categorisation in sensitive contexts |
| 2 | Critical infrastructure | AI managing or operating road traffic, energy, water, gas, heating, electricity, or digital infrastructure |
| 3 | Education and vocational training | AI determining access to education, scoring exams, assessing learning outcomes, monitoring behaviour during tests |
| 4 | Employment and workers management | AI used in recruitment, CV screening, promotion decisions, task allocation, performance monitoring, or termination decisions |
| 5 | Access to essential services | AI assessing creditworthiness, insurance pricing, eligibility for public benefits, emergency service dispatch, or triage |
| 6 | Law enforcement | AI for risk assessment of individuals, polygraphs, evidence evaluation, profiling in criminal investigations |
| 7 | Migration, asylum, and border control | AI used in visa processing, border surveillance, or assessment of asylum applications |
| 8 | Administration of justice and democratic processes | AI assisting courts in applying law, or AI used to influence electoral outcomes |
The Narrow Exemption That Matters
Article 6(3) contains a derogation that many businesses will want to rely on but few will qualify for. An AI system listed in Annex III is not considered high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights. The Commission's examples of systems that may qualify for this exemption are narrow: AI that performs a purely procedural task, AI that improves the result of a previously completed human activity, AI that detects decision-making patterns without replacing human assessment, or AI that performs a preparatory task.
The burden of proof sits with the provider. If you believe your Annex III system is not high-risk, you must document that assessment before the system is placed on the market. National competent authorities can request that documentation at any time. Getting this wrong does not just mean regulatory action. It means your entire compliance architecture for that system may be built on the wrong foundation.
The Commission's Three-Phase Classification Framework
The draft guidelines introduce a structured approach to classification. It is not groundbreaking, but it is useful because it gives businesses a defensible methodology rather than leaving them to interpret the legislation in isolation.
Phase 1: General Principles
The first section covers the overarching concepts that apply to all classification decisions. This includes what constitutes an AI system, how to interpret 'intended purpose', and the relationship between the provider's stated purpose and the system's foreseeable uses. For UK businesses, this is where the extraterritorial reach of the Act becomes relevant. If your AI system is deployed or used in the EU, the classification rules apply regardless of where the provider is based.
Phase 2: Product Safety Assessment (Annex I)
The second section walks through the assessment for AI systems that are safety components of regulated products or are regulated products themselves. The key question is whether the product requires a third-party conformity assessment under the relevant EU harmonisation legislation. If it does, and the AI system is a safety component or the product itself, the system is high-risk. The guidelines provide worked examples across product categories.
Phase 3: Use Case Assessment (Annex III)
The third section addresses the eight Annex III areas. This is where most of the practical value sits. The Commission provides examples of systems that are and are not high-risk within each area. These examples are not exhaustive and will be updated over time, but they give businesses a reference point for their own classification decisions.
The Digital Omnibus: More Time, Not Less Obligation
The delay in publishing these guidelines was one of the drivers behind the Digital Omnibus on AI, agreed between EU institutions in May 2026. Over 110 EU-based businesses lobbied for a pause on high-risk enforcement, arguing that compliance was unreasonable without final guidance and harmonised standards.
The Omnibus delivered adjusted timelines. Standalone high-risk AI systems now have until 2 December 2027 to comply. High-risk AI systems embedded in products have until 2 August 2028. These dates replace the original August 2026 deadline.
But the obligations themselves have not changed. The technical requirements, the documentation standards, the risk management obligations, the conformity assessment procedures: all remain as set out in the AI Act. The Omnibus bought time. It did not buy a lighter regime.
What This Means for UK Businesses
The UK is not bound by the EU AI Act. But if you sell AI-enabled products or services into the EU, if your AI system processes data about EU residents, or if your clients are subject to the Act, the classification rules apply to you in practice even if they do not apply to you in law.
There are five practical steps UK businesses should be taking now.
| # | Action |
|---|---|
| 1 | Map your AI systems against the Annex III categories. Do not assume a system is low-risk because it was not designed for one of the eight areas. Consider whether it could be used in those areas, even if that was not the intended purpose. |
| 2 | Document your classification decisions now. If you intend to rely on the Article 6(3) exemption, the documentation must exist before the system is placed on the market. Retrospective assessments will not withstand regulatory scrutiny. |
| 3 | Respond to the consultation. The comment period closes on 23 June 2026. If your sector or use case is not adequately reflected in the examples, this is your opportunity to shape the final guidance. |
| 4 | Review your contracts. If you are a provider or deployer of AI systems that may be classified as high-risk, your contractual allocation of compliance obligations needs to reflect the Act's requirements. Many existing technology contracts were drafted without these obligations in mind. |
| 5 | Do not treat the extended deadline as a reason to delay. December 2027 will arrive quickly. The organisations that begin classification and compliance work now will be in a materially stronger position than those that wait for the final guidance. |
The Consultation Window
The public consultation on the draft guidelines closes on 23 June 2026. This is not a token exercise. The Commission has explicitly stated that the examples provided are not exhaustive and may be updated. The feedback received during this period will inform the final version of the guidelines.
For UK businesses that operate across EU markets, this is a rare opportunity to influence the practical interpretation of rules that will directly affect your products and services. Trade associations, industry bodies, and individual businesses can all submit responses. If your AI system sits in a grey area between high-risk and not high-risk, the consultation is where you make your case.
Frequently Asked Questions
What are the EU AI Act high-risk AI guidelines?
They are draft guidelines published by the European Commission on 19 May 2026 to help providers, deployers, and market surveillance authorities determine whether an AI system should be classified as high-risk under Article 6 of the EU AI Act. The guidelines include a three-phase classification framework and practical examples of systems that are and are not high-risk.
When do the EU AI Act high-risk rules take effect after the Digital Omnibus?
The Digital Omnibus on AI, agreed in May 2026, extended the compliance deadlines. Standalone high-risk AI systems must comply by 2 December 2027. High-risk AI systems embedded in products must comply by 2 August 2028. These replace the original August 2026 deadline.
How do I know if my AI system is classified as high-risk under Article 6?
There are two routes. Under Article 6(1), your system is high-risk if it is a safety component of a product, or is itself a product, covered by EU harmonisation legislation in Annex I and subject to third-party conformity assessment. Under Article 6(2), your system is high-risk if it falls within one of the eight use case areas listed in Annex III, which include biometrics, critical infrastructure, employment, education, essential services, law enforcement, migration, and justice.
What is the deadline for the EU AI Act high-risk consultation?
The public consultation on the draft guidelines closes on 23 June 2026. Responses can be submitted through the European Commission's consultation portal. The Commission has indicated that the examples in the guidelines may be updated based on feedback received.
Do UK businesses need to comply with EU AI Act high-risk rules?
The UK is not bound by the EU AI Act. However, UK businesses that sell AI-enabled products or services into the EU, process data about EU residents, or have clients subject to the Act will need to comply in practice. The extraterritorial reach of the Act means that the classification rules apply based on where the system is deployed or used, not where the provider is based.
Can I claim my Annex III AI system is not high-risk?
Article 6(3) allows a provider to determine that an Annex III system is not high-risk if it does not pose a significant risk of harm. However, the exemption is narrow and the burden of proof sits with the provider. You must document your assessment before the system is placed on the market, and national authorities can request that documentation at any time.
What should UK businesses do now to prepare for the high-risk AI rules?
Map your AI systems against the Annex III categories, document your classification decisions, consider responding to the consultation before 23 June 2026, review your contractual allocation of compliance obligations, and begin compliance work now rather than waiting for the final guidance. The extended deadline to December 2027 should not be treated as a reason to delay.