On May 19, 2026, the European Commission published three draft guideline documents clarifying how to classify AI systems as high-risk under Article 6 of the EU AI Act. The consultation period runs until June 23, 2026 at 22:00 CET. The August 2, 2026 deadline for many EU AI Act compliance obligations is approximately ten weeks away.
The timing matters. With the August deadline for high-risk AI transparency, documentation, and registration requirements approaching, the draft guidelines arrive at the moment when providers and deployers must make concrete decisions about which of their AI systems require full compliance treatment. A misclassification (treating a high-risk system as low-risk) means missing registration deadlines, omitting required documentation, and potentially violating the Act before enforcement begins.
This guide covers what the three guideline documents say, how the critical Article 6(3) exemption works under the Commission's reading, which Annex III categories are most affected, and what small teams should do before the August deadline.
What the draft guidelines do (and what they do not)
The draft guidelines, issued under Article 6(5) of the EU AI Act, do not add new rules or expand the definition of high-risk AI. They explain how Article 6 should be applied in practice, with examples, to help providers, deployers, and national market surveillance authorities determine whether a specific system falls within the high-risk category.
The Commission published three separate guideline documents, each covering a distinct classification route.
Document 1: General principles. Covers the overarching logic of the Article 6 classification framework, including how to interpret the "material influence" threshold in Article 6(3) and the relationship between the two classification routes.
Document 2: Article 6(1) and Annex I. Covers AI systems that are safety components of products regulated under existing EU product safety harmonization laws, including medical devices, machinery, aviation systems, lifts, and toys. Most small teams are not deployers of Annex I products, but operators of AI-enhanced medical devices or industrial systems should review this document carefully.
Document 3: Article 6(2) and Annex III. Covers the eight use-case categories listed in Annex III: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border management, and administration of justice. This document is the most relevant for technology companies, HR tool vendors, credit scoring platforms, and customer-facing AI deployers.
The guidelines are in draft form. They represent the Commission's current interpretation but are not final. A team making compliance decisions based on the draft should document that they relied on the May 19 draft, note the consultation closing date, and monitor the final guidelines when published later this year.
Article 6(3) exemption: the decision you have to make now
Article 6(3) is the most important provision in the classification analysis for most technology companies. It provides a narrow exception: an AI system listed in Annex III may be treated as non-high-risk if it performs only preparatory tasks, procedural operations, or pattern detection that does not materially influence the outcome of the decision it supports.
The Commission's draft guidelines take a restrictive reading of this exception. The guidelines note it "represents an exception from rules aimed at protecting fundamental rights" and should not be interpreted broadly.
The material influence test. A system materially influences a decision if its output shapes what the human decision-maker decides, even if the human makes the final call. The test is not whether a human is involved. It is whether the AI output has meaningful weight in the decision.
The Commission provides a direct example in the employment context. A CV-screening tool that sorts incoming applications into predefined categories ("meets minimum qualifications" or "does not meet minimum qualifications") using criteria set entirely in advance does not materially influence the hiring decision. The tool performs a procedural operation by matching against fixed criteria. This system qualifies for the Article 6(3) exemption.
The same tool configured to score candidates on a scale, rank applicants by suitability, or assess which candidates are most likely to succeed in the role does materially influence the hiring decision. Even when a human recruiter reviews the scores and makes the final offer, the scores shape which candidates are considered and how much weight each receives. This system is high-risk under the draft guidelines, regardless of human review.
GDPR profiling is an automatic disqualifier. If your AI system performs "profiling" as defined in GDPR Article 4(4), meaning automated processing to evaluate personal aspects of an individual, including work performance, economic situation, health, personal preferences, interests, or behavior, the Article 6(3) exemption does not apply. The Commission reads GDPR profiling as inherently material to decisions about individuals, regardless of how the output is used.
If you use AI to analyze employee behavior patterns, customer purchase intent, health risk scores, or credit signals, and those outputs feed into any human decision, your system cannot rely on Article 6(3).
The practical implication. The Article 6(3) analysis turns on system configuration, not system type. Two companies using the same base AI model for HR screening may reach different classification conclusions depending on whether they have configured the system to sort versus score candidates. If you currently use AI that produces ranked outputs, assessments, or scores about people in any Annex III context, the draft guidelines indicate that system is high-risk.
How the guidelines clarify Annex III categories
The draft guidelines provide examples across several Annex III categories that affect common small-team AI deployments.
Employment and worker management (Annex III, point 4). The guidelines treat this category broadly. Any AI used in recruitment, selection, promotion, contract termination, task allocation, or performance monitoring falls within point 4. AI tools that monitor remote employee productivity, flag attendance patterns, or surface employees for performance review are within scope.
A note on timing: the May 7, 2026 Digital Omnibus provisional agreement extended the compliance deadline for employment high-risk AI from August 2, 2026 to December 2027. This extension covers compliance obligations (documentation, registration, conformity assessment, human oversight mechanisms), not the classification analysis itself. Identifying whether your employment AI is high-risk should happen now. Building the required compliance infrastructure is what has been pushed to December 2027.
Education and vocational training (Annex III, point 3). AI systems that determine access to educational programs, assess student performance, or make decisions about certification fall within this category. Edtech tools that produce automated pass/fail recommendations or prioritize which students receive additional support resources need a classification analysis under the draft guidelines.
Access to financial services (Annex III, point 5). AI used in credit scoring, risk assessment for insurance, or determining access to financial services triggers point 5. The material influence test applies here as well. An AI that produces a credit risk score for a human loan officer to use in a lending decision is high-risk. An AI that only formats application data for human review without producing an evaluative output may qualify for the Article 6(3) exemption, depending on how it is configured.
Biometric identification (Annex III, point 1). This category covers real-time and post-hoc identification using biometric data. Most small teams are not deploying biometric identification systems. But teams using AI-powered access control, facial recognition for attendance, or voice-based identity verification in customer service should assess point 1 directly.
Essential private services (Annex III, point 5, second paragraph). AI systems that determine access to health services, social benefits, utilities, or communications fall within this part of point 5. A small healthtech company using AI to triage patient intake or prioritize service delivery should consider whether its triage outputs materially influence access decisions.
Multi-agent AI systems: the end-to-end assessment rule
The draft guidelines address multi-agent and pipeline AI systems directly. The Commission's position: the entire pipeline must be assessed as a single system, not as separate components.
If you use an orchestration layer (a tool that receives a high-level task and routes it across several AI models or agents), the classification analysis covers the full pipeline. A retrieval model, a reasoning model, and an output-formatting model that work together to produce a hiring recommendation must be assessed as one system.
This matters because individual components may appear low-risk in isolation. A document retrieval model that pulls candidate data from a database looks like a procedural information tool. The same model, when combined with a scoring layer that produces ranked candidate outputs, is part of a high-risk system. The guidelines reject a component-by-component analysis that would allow high-risk pipelines to evade classification.
For small teams using AI orchestration frameworks such as LangChain, CrewAI, custom Python pipelines, or SaaS tools that chain multiple AI steps, classify the full orchestration system as a single unit, not each step separately. If any part of the pipeline produces evaluative outputs about individuals in an Annex III context, the full pipeline is the unit of classification.
What deployers must do differently
The draft guidelines carry specific implications for deployers (companies that deploy AI systems built by others) beyond the classification analysis.
Vendor assurances are not enough. A deployer cannot satisfy its obligations under the EU AI Act by accepting a vendor's statement that its system is low-risk. The guidelines indicate deployers must conduct independent assessment or have contractual protections that specifically allocate classification responsibility. If a vendor tells you their AI hiring tool is not high-risk and you deploy it without independent verification, you cannot rely on the vendor's claim if the system turns out to be high-risk.
Marketing claims provide no protection. If a vendor's marketing materials describe their AI tool as GDPR-compliant or EU AI Act-ready, but the vendor's Data Processing Agreement or terms of service restrict use cases in ways that contradict those claims, the marketing claim has no compliance value. The contractual document governs.
EU database registration. High-risk AI systems must be registered in the EU AI Act database before deployment. Deployers of third-party high-risk systems that are already in production should verify registration status through the publicly accessible EU AI Act regulation portal. If your vendor's system qualifies as high-risk and is not registered, the vendor is in violation and you are operating a non-compliant system.
Documentation obligations. Deployers of high-risk AI must maintain records of the system's use, the decisions it informs, and the human oversight procedures in place. These records must be available to national supervisory authorities on request. Starting this documentation now, before an audit request arrives, is significantly less costly than reconstructing it after the fact.
Should you submit comments by June 23?
The consultation period runs until June 23, 2026. Comments submitted before 22:00 CET on that date will be considered in finalizing the guidelines. Submissions are made through the European Commission's Have Your Say portal.
For most small teams, submitting comments is not necessary. The draft guidelines are detailed, and the Commission's interpretation on the key points, particularly Article 6(3) and the material influence test, is clearly stated. Reading the draft guidelines carefully and documenting your classification rationale is more valuable than a public comment submission.
Submitting comments makes sense in two situations:
Your system involves a use case not addressed by the draft examples. If your specific AI system sits in a gray area the guidelines do not address, and you have concrete evidence that the Commission's interpretation produces an outcome inconsistent with the Act's stated goals, a comment can help shape the final guidance.
Your industry association is coordinating a joint submission. If a sector-wide group is compiling examples to illustrate unintended consequences of the current draft, contributing your case to that joint submission is more effective than a standalone comment.
Final guidelines are expected later in 2026 or in early 2027. The draft is the best available guidance for planning purposes now.
Your pre-August compliance checklist
The August 2, 2026 deadline covers obligations that depend on correct high-risk classification. Use this checklist before the deadline.
Step 1: Map your AI systems against Annex III. List every AI system you deploy that processes data about people or assists in decisions about individuals. Match each against the eight Annex III categories. Any match requires a classification analysis under the draft guidelines.
Step 2: Apply the Article 6(3) filter. For each Annex III-matched system, ask: does the system produce scores, rankings, or assessments that influence decisions about individuals? Does it perform GDPR profiling? Yes to either question means the system is high-risk. If the system only performs fixed-criteria filtering without evaluative output, document your reasoning for applying the Article 6(3) exemption.
Step 3: For GPAI users, note the December 2026 deadline. Transparency obligations for AI-generated content under Article 50 (labeling AI-generated outputs) apply from December 2, 2026 under the Digital Omnibus amendment, not August 2026. If you deploy GPAI models in customer-facing applications, content labeling obligations start December 2026.
Step 4: For employment AI, plan now for December 2027. Employment AI systems identified as high-risk have until December 2027 to achieve full compliance. Use the 18 months to begin documentation, prepare for conformity assessment, and design human oversight mechanisms rather than treating the extended deadline as permission to start late.
Step 5: Verify high-risk system registration. For any system already identified as high-risk and currently in production, check EU database registration status. Unregistered high-risk systems in production after August 2, 2026 expose providers to enforcement action from national authorities.
Step 6: Document your classification rationale. For each system, write a classification memo: the Annex III categories considered, the Article 6(3) analysis, the conclusion, and the person responsible for the assessment. One page per system is enough. This documentation is your first line of defense in a supervisory authority inquiry.
The draft guidelines are publicly available on the European Commission's digital strategy website at digital-strategy.ec.europa.eu. Reading them alongside your existing system documentation is the most productive way to complete this analysis before the August deadline.
The August deadline is not theoretical. National market surveillance authorities in Germany, France, the Netherlands, and Spain have all indicated they will begin active enforcement after August 2, 2026. An organization that cannot produce a classification rationale for its AI systems in an Annex III category will be at a significant disadvantage when enforcement begins.
