Lowdown: How the EU decides which AI systems are “high-risk” under the AI Act

The European Commission has published draft guidelines defining which AI systems qualify as 'high-risk' under Article 6 of the EU Artificial Intelligence Act. These guidelines, currently open for stakeholder consultation, are not legally binding but provide clarity on how providers should assess their systems before entering the EU market. The high-risk label triggers strict obligations, including risk management systems, technical documentation, data governance controls, human oversight, and conformity assessments. Non-compliance could result in fines of up to €30 million or 6% of global annual turnover, whichever is higher. Providers are responsible for self-certifying whether their AI systems meet the high-risk criteria based on intended purpose, as described in instructions, documentation, and promotional materials. Regulators can challenge these assessments later, but terms of service alone cannot exempt a system from classification if other materials suggest high-risk applications. For general-purpose AI providers, marketing a model for tasks like CV screening or credit scoring—without consistently restricting those uses—triggers full high-risk compliance requirements. An AI system is classified as high-risk if its intended purpose falls into one of eight specific areas outlined in the Act, such as biometrics, critical infrastructure, education, employment, access to essential services, or law enforcement. Only the use cases explicitly listed in Annex III qualify, and amendments to this list require formal legal changes. High-risk classification does not ban the system but mandates accuracy and proper risk management to protect health, safety, and fundamental rights. The eight high-risk areas include remote biometric identification, AI managing critical infrastructure like traffic or utilities, and systems used in education for admissions or evaluations. Employment-related AI, such as candidate screening or performance monitoring, also falls under high-risk, as do systems evaluating eligibility for public benefits, credit scores, or emergency response prioritization. Law enforcement applications, including reoffending risk assessments or evidence evaluation, are similarly regulated. The guidelines emphasize that providers cannot avoid high-risk classification by excluding uses in terms of service if promotional materials or examples imply those applications. The drafts aim to provide clarity before the Act’s full implementation, though the Court of Justice of the EU will have the final say on authoritative interpretations.