The EU Just Defined 'High-Risk' AI — and Quietly Delayed the Rules

The European Commission published draft guidelines on what counts as 'high-risk' AI, even as a new deal pushes the EU AI Act's toughest obligations back to 2027.
The short version: The European Union has finally spelled out what makes an AI system "high-risk" under its landmark AI Act, the label that triggers the law's heaviest obligations, even as a separate deal quietly pushes the deadline for meeting those obligations back to 2027.
What the Commission published
On 19 May 2026, the European Commission released draft guidelines on how to classify high-risk AI systems under Article 6 of the EU AI Act, alongside worked examples, and opened a public consultation running until 23 June 2026. The guidance was statutorily due by 2 February 2026 but slipped, with the Commission citing a revised timeline to absorb stakeholder feedback.
How "high-risk" is decided
The guidelines explain the two routes to high-risk status. An AI system is high-risk if it is used as a safety component in products already subject to EU third-party conformity assessment (Annex I), or if it falls into one of eight listed use-case areas (Annex III), which include biometrics, education, employment and law enforcement. The classification matters enormously: high-risk systems must meet requirements for risk management, data governance, logging, human oversight, conformity assessment and registration. Until now, companies had no official line on borderline cases.
The quiet delay
The guidance lands alongside the "Digital Omnibus on AI", a political agreement reached by the European Parliament and Council on 7 May 2026 and the first amendment to the AI Act since its 2024 adoption. The deal postpones the high-risk obligations: stand-alone Annex III systems move from 2 August 2026 to 2 December 2027, and high-risk AI embedded in regulated products moves to 2 August 2028. It also adds two newly banned practices: AI that generates non-consensual intimate imagery, and AI that generates child sexual abuse material. The Omnibus is not yet law; it still needs a Parliament plenary vote, expected around 7 July 2026, plus Council adoption and publication, so the original 2 August 2026 date technically stands until then.
Why it matters beyond Europe
The AI Act reaches any provider or deployer placing AI on the EU market, or whose system's output is used in the EU, so US, UK and Asian vendors are directly bound. The delay also reflects intense industry pressure: more than 110 European businesses had lobbied for a two-year pause, which fed into the new deadlines, a notable case of industry reshaping the AI Act's timeline.
Frequently asked questions
Are the high-risk rules in force now? Not yet. The draft guidelines are open for consultation until 23 June 2026, and the Digital Omnibus deal, once finalised, pushes the main high-risk obligations to December 2027.
Does this only affect EU companies? No. The AI Act applies to anyone placing AI on the EU market or whose output is used in the EU, including non-EU vendors.
What counts as high-risk? AI used as a safety component in regulated products, or AI in eight listed areas such as biometrics, hiring, education and law enforcement.