Draft Commission Guidelines on the Classification of High-Risk AI Systems Published

31.05.2026 Gülnur Çakmak Ergene

Introduction

The European Union Artificial Intelligence Act (the AI Act or the Act), which entered into force on 1 August 2024, established a harmonized framework for AI systems across the Union. The Act follows a risk-based approach, with 'high-risk' AI systems at its center. Systems falling within this category are subject to comprehensive compliance obligations, including risk management, technical documentation, registration in the European Union (EU) database, transparency, and human oversight.

While Article 6 of the Act defines the scope of high-risk systems, it leaves several questions open as to how to assess in practice whether a given system falls within that scope. Through a set of three draft guidelines published on 19 May 2026[1], the European Commission (the Commission) aims to resolve these ambiguities. The documents address, respectively, the general principles for classification, systems covered by product safety legislation, and the high-risk use cases listed in Annex III.

Although the guidelines are not binding, they are expected to constitute an important interpretive source for supervisory authorities and market operators alike. The stakeholder consultation period, which closed on 23 June 2026, provides interested parties with an opportunity to contribute to the content of the final text.

General Framework for High-Risk Classification

According to the guidelines, for a system to be classified as high-risk, it must first qualify as an 'AI system' within the meaning of Article 3(1) of the AI Act, and second, its intended purpose must fall within one of the use cases classified as high-risk under Article 6 of the Act.

The decisive concept in this assessment is 'intended purpose'. Pursuant to Article 3(12) of the Act, intended purpose means the use for which the system is intended by the provider, including the specific context and conditions of use, as specified in the instructions for use, technical documentation, and promotional or sales materials.

According to the guidelines, where AI systems offered for a wide range of uses - including multipurpose or general-purpose AI (GPAI) systems - do not clearly and consistently exclude high-risk use cases, the intended purpose of the system may be deemed to encompass those scenarios as well. In this assessment, general disclaimer clauses in terms of service may not suffice on their own; the way the system is marketed and its product positioning may also be taken into account.

The guidelines further recall that the obligations arising from high-risk classification may not be limited to the provider that originally developed the system. Pursuant to Article 25(1) of the Act, distributors, importers, and deployers who place a high-risk system on the market under their own name, make a substantial modification to the system, or modify its intended purpose in a way that renders it high-risk may also become subject to provider obligations.

Systems Covered by Product Safety Legislation

Article 6(1) of the Act provides a separate high-risk classification for AI systems used in products subject to EU harmonization legislation - such as machinery, lifts, medical devices, toys, radio equipment, and motor vehicles. For an AI system to be classified as high-risk under this provision, two cumulative conditions must be met. The first is that the system must be a safety component of a product covered by the legislation listed in Annex I or must itself constitute a product within the scope of that legislation. The second is that the product concerned must be required to undergo a third-party conformity assessment prior to being placed on the market.

If either of these conditions is not met, the system will not be classified as high-risk within the meaning of Article 6(1). Accordingly, not every AI system used in a product covered by Annex I is automatically high-risk. The assessment must be carried out by considering together the system's relationship with the product concerned, the role it performs from a product safety perspective, and the applicable sectoral legislation.

It is not required that the AI system be physically integrated into the product. AI systems operating as software updates, add-ons, or remotely provided services may also fall within the scope of Article 6(1), depending on the specific circumstances of the case. The decisive factor is not how the system is integrated into the product, but what function it performs from a product safety perspective.

The AI System Itself as a Product

The first manifestation of the first condition is that the AI system itself constitutes a product falling within the scope of the legislation listed in Annex I. This situation arises where the system is independently placed on the market, is designed for a specific intended purpose, and is directly regulated by the relevant sectoral legislation.

The guidelines indicate that, in certain cases, software-based systems may also be regarded as a product directly regulated under the relevant product legislation. It is therefore necessary to examine separately whether the AI system is subject to product safety rules not only as a component of another product, but also in its own right.

The Concept of Safety Component

The second manifestation of the first condition is that the AI system functions as a safety component of a product falling within the scope of the legislation listed in Annex I. The guidelines emphasize that the concept of 'safety component' has an autonomous definition under the AI Act and must be assessed independently of the definitions contained in the sectoral legislation listed in Annex I.

According to the Commission, an AI system may be regarded as a safety component in two scenarios. In the first, the system fulfils a safety function by virtue of its intended purpose. In the second, even if the system was not designed with such a purpose, its failure or malfunctioning could endanger the health and safety of persons or property.

  • Safety function: AI systems designed to prevent or mitigate risks to the health and safety of persons or property are considered to fulfil a safety function. The guidelines cite as examples functions such as detecting abnormal behavior, identifying maintenance needs, preventing operation under hazardous conditions, or supervising another safety system. By contrast, functions such as performance optimization, efficiency improvement, user comfort, or quality control that does not serve a safety purpose generally fall outside this scope.
  • Failure or malfunctioning endangering health and safety: Even where a system was not designed for safety purposes, it may still be classified as a safety component if its failure or malfunctioning could endanger the health and safety of persons or property. The guidelines note that failure modes such as incorrect outputs, loss of function, performance instability, timing errors, or misclassification may be considered in this assessment. Reputational harm, pure financial loss, or inconvenience that does not involve a safety hazard fall outside this scope.

Third-Party Conformity Assessment

The second condition under Article 6(1) of the AI Act requires that the product concerned be subject to a third-party conformity assessment. How that assessment is to be conducted is determined not by the AI Act itself, but by the sectoral legislation listed in Annex I. According to the guidelines, what matters is not which procedure the manufacturer has actually followed, but whether the applicable legislation requires a third-party conformity assessment prior to placing the product on the market.

High-Risk Use Cases under Annex III

Article 6(2) of the Act classifies as high-risk, independently of product safety legislation, AI systems used in certain use cases listed in Annex III. Annex III covers eight areas: biometrics; critical infrastructure; education and vocational training; employment and workers' management; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum and border control management; and administration of justice and democratic processes.

The mere fact that a system is used in an area covered by Annex III is not sufficient on its own to automatically give rise to a high-risk classification. The decisive factor is whether the intended purpose of the system corresponds to one of the specific use cases listed in Annex III. Likewise, the fact that a final decision is taken by a human does not automatically exclude the system from scope. Classification must therefore be carried out by considering not only the area of activity, but also the intended purpose of the system, its role in the decision-making process, and the specific context of use.

The guidelines summarize the types of use that may give rise to high-risk classification as follows:

  • Biometrics: Remote biometric identification systems, biometric categorization systems, and emotion recognition systems.
  • Critical infrastructure: Systems capable of affecting physical safety or the safe operation of infrastructure.
  • Education and vocational training: Systems affecting admission, placement, determination of educational level, exam integrity, and summative assessment outcomes.
  • Employment and workers' management: Systems affecting the targeting of job advertisements, the screening or ranking of candidates, recruitment, promotion, task allocation, performance monitoring, and the termination of work-related contractual relationships.
  • Access to and enjoyment of essential private and public services and benefits: Systems relating to public assistance benefits, creditworthiness evaluation, risk assessment and pricing in life and health insurance, and the prioritization of emergency calls.
  • Law enforcement: Systems used for risk assessment, evaluation of the reliability of evidence, polygraph-type tools, and certain systems used in the course of detection, investigation, or prosecution of criminal offences.
  • Migration, asylum and border control management: Systems used for risk assessment of persons seeking to enter or stay, examination of visa, asylum or residence applications, and the detection or identification of natural persons.
  • Administration of justice and democratic processes: Systems intended to assist judicial authorities in researching and interpreting facts and the law or in applying the law to a concrete set of facts, as well as systems intended to influence the outcome of elections or referenda or the voting behavior of natural persons.

Not every system falling within a use case listed in Annex III is automatically classified as high-risk. Article 6(3) of the Act provides a limited exception for systems that do not pose a significant risk to the health, safety, or fundamental rights of persons. This exception may only apply where the system performs a narrowly scoped, auxiliary, or preparatory function.

An important limitation on this exception is the performance of profiling. Where a system performs profiling within the meaning of the General Data Protection Regulation (GDPR) — that is, where it automatically processes personal data for the purpose of evaluating or predicting certain aspects of a natural person — the exception under Article 6(3) is not available.

Conclusion

The Commission's draft guidelines contain the most comprehensive clarifications to date on the classification of high-risk AI systems. Although the guidelines are not binding, it is clear that they will constitute an important interpretive source for both market operators and supervisory authorities.

The approach set out in the guidelines demonstrates that AI systems cannot be classified as high-risk merely by checking the headings in the legislation. In the context of product safety legislation, the role performed by the system and potential failure scenarios must be assessed together; in the context of Annex III, the intended purpose, the degree of influence on decision-making, and the manner in which the system is presented to users must all be considered jointly.

It is therefore important for companies that develop, procure, or use AI systems to assess such systems from legal, technical, and commercial perspectives. In particular, in sectors subject to employment, education, financial services, and product safety legislation, an accurate classification carried out at an early stage is important for managing compliance and enforcement risks.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
