Draft Commission Guidelines on the Classification of High-Risk AI Systems Published

31.05.2026 Gülnur Çakmak Ergene

Introduction

The European Union Artificial Intelligence Act (the AI Act or the Act), which entered into force on 1 August 2024, established a harmonized framework for AI systems across the Union. The Act follows a risk-based approach, with 'high-risk' AI systems at its center. Systems falling within this category are subject to comprehensive compliance obligations, including risk management, technical documentation, registration in the European Union (EU) database, transparency, and human oversight.

While Article 6 of the Act defines the scope of high-risk systems, it leaves several questions open as to how to assess in practice whether a given system falls within that scope. Through a set of three draft guidelines published on 19 May 2026[1], the European Commission (the Commission) aims to resolve these ambiguities. The documents address, respectively, the general principles for classification, systems covered by product safety legislation, and the high-risk use cases listed in Annex III.

Although the guidelines are not binding, they are expected to constitute an important interpretive source for supervisory authorities and market operators alike. The stakeholder consultation period, which closed on 23 June 2026, provides interested parties with an opportunity to contribute to the content of the final text.

Draft Commission Guidelines on the Classification of High-Risk AI Systems Published
% 0

General Framework for High-Risk Classification

According to the guidelines, for a system to be classified as high-risk, it must first qualify as an 'AI system' within the meaning of Article 3(1) of the AI Act, and second, its intended purpose must fall within one of the use cases classified as high-risk under Article 6 of the Act.

The decisive concept in this assessment is 'intended purpose'. Pursuant to Article 3(12) of the Act, intended purpose means the use for which the system is intended by the provider, including the specific context and conditions of use, as specified in the instructions for use, technical documentation, and promotional or sales materials.

According to the guidelines, where AI systems offered for a wide range of uses - including multipurpose or general-purpose AI (GPAI) systems - do not clearly and consistently exclude high-risk use cases, the intended purpose of the system may be deemed to encompass those scenarios as well. In this assessment, general disclaimer clauses in terms of service may not suffice on their own; the way the system is marketed, and its product positioning may also be taken into account.

The guidelines further recall that the obligations arising from high-risk classification may not be limited to the provider that originally developed the system. Pursuant to Article 25(1) of the Act, distributors, importers, and deployers who place a high-risk system on the market under their own name, make a substantial modification to the system, or modify its intended purpose in a way that renders it high-risk may also become subject to provider obligations.

Systems Covered by Product Safety Legislation

Article 6(1) of the Act provides a separate high-risk classification for AI systems used in products subject to EU harmonization legislation - such as machinery, lifts, medical devices, toys, radio equipment, and motor vehicles. For an AI system to be classified as high-risk under this provision, two cumulative conditions must be met. The first is that the system must be a safety component of a product covered by the legislation listed in Annex I or must itself constitute a product within the scope of that legislation. The second is that the product concerned must be required to undergo a third-party conformity assessment prior to being placed on the market.

If either of these conditions is not met, the system will not be classified as high-risk within the meaning of Article 6(1). Accordingly, not every AI system used in a product covered by Annex I is automatically high-risk. The assessment must be carried out by considering together the system's relationship with the product concerned, the role it performs from a product safety perspective, and the applicable sectoral legislation.

It is not required that the AI system be physically integrated into the product. AI systems operating as software updates, add-ons, or remotely provided services may also fall within the scope of Article 6(1), depending on the specific circumstances of the case. The decisive factor is not how the system is integrated into the product, but what function it performs from a product safety perspective.

The AI System Itself as a Product

The first manifestation of the first condition is that the AI system itself constitutes a product falling within the scope of the legislation listed in Annex I. This situation arises where the system is independently placed on the market, is designed for a specific intended purpose, and is directly regulated by the relevant sectoral legislation.

The guidelines indicate that, in certain cases, software-based systems may also be regarded as a product directly regulated under the relevant product legislation. It is therefore necessary to examine separately whether the AI system is subject to product safety rules not only as a component of another product, but also in its own right.

The Concept of Safety Component

The second manifestation of the first condition is that the AI system functions as a safety component of a product falling within the scope of the legislation listed in Annex I. The guidelines emphasize that the concept of 'safety component' has an autonomous definition under the AI Act and must be assessed independently of the definitions contained in the sectoral legislation listed in Annex I.

According to the Commission, an AI system may be regarded as a safety component in two scenarios. In the first, the system fulfils a safety function by virtue of its intended purpose. In the second, even if the system was not designed with such a purpose, its failure or malfunctioning could endanger the health and safety of persons or property.

  • Safety function: AI systems designed to prevent or mitigate risks to the health and safety of persons or property are considered to fulfil a safety function. The guidelines cite as examples functions such as detecting abnormal behavior, identifying maintenance needs, preventing operation under hazardous conditions, or supervising another safety system. By contrast, functions such as performance optimization, efficiency improvement, user comfort, or quality control that does not serve a safety purpose generally fall outside this scope.
  • Failure or malfunctioning endangering health and safety: Even where a system was not designed for safety purposes, it may still be classified as a safety component if its failure or malfunctioning could endanger the health and safety of persons or property. The guidelines note that failure modes such as incorrect outputs, loss of function, performance instability, timing errors, or misclassification may be considered in this assessment. Reputational harm, pure financial loss, or inconvenience that does not involve a safety hazard fall outside this scope.

Third-Party Conformity Assessment

The second condition under Article 6(1) of the AI Act requires that the product concerned be subject to a third-party conformity assessment. How that assessment is to be conducted is determined not by the AI Act itself, but by the sectoral legislation listed in Annex I. According to the guidelines, what matters is not which procedure the manufacturer has actually followed, but whether the applicable legislation requires a third-party conformity assessment prior to placing the product on the market.

High-Risk Use Cases under Annex III

Article 6(2) of the Act classifies as high-risk, independently of product safety legislation, AI systems used in certain use cases listed in Annex III. Annex III covers eight areas: biometrics; critical infrastructure; education and vocational training; employment and workers' management; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum and border control management; and administration of justice and democratic processes.

The mere fact that a system is used in an area covered by Annex III is not sufficient on its own to automatically give rise to a high-risk classification. The decisive factor is whether the intended purpose of the system corresponds to one of the specific use cases listed in Annex III. Likewise, the fact that a final decision is taken by a human does not automatically exclude the system from scope. Classification must therefore be carried out by considering not only the area of activity, but also the intended purpose of the system, its role in the decision-making process, and the specific context of use.

The guidelines summarize the types of use that may give rise to high-risk classification as follows:

  • Biometrics: Remote biometric identification systems, biometric categorization systems, and emotion recognition systems.
  • Critical infrastructure: Systems capable of affecting physical safety or the safe operation of infrastructure.
  • Education and vocational training: Systems affecting admission, placement, determination of educational level, exam integrity, and summative assessment outcomes.
  • Employment and workers' management: Systems affecting the targeting of job advertisements, the screening or ranking of candidates, recruitment, promotion, task allocation, performance monitoring, and the termination of work-related contractual relationships.
  • Access to and enjoyment of essential private and public services and benefits: Systems relating to public assistance benefits, creditworthiness evaluation, risk assessment and pricing in life and health insurance, and the prioritization of emergency calls.
  • Law enforcement: Systems used for risk assessment, evaluation of the reliability of evidence, polygraph-type tools, and certain systems used in the course of detection, investigation, or prosecution of criminal offences.
  • Migration, asylum and border control management: Systems used for risk assessment of persons seeking to enter or stay, examination of visa, asylum or residence applications, and the detection or identification of natural persons.
  • Administration of justice and democratic processes: Systems intended to assist judicial authorities in researching and interpreting facts and the law or in applying the law to a concrete set of facts, as well as systems intended to influence the outcome of elections or referenda or the voting behavior of natural persons.

Not every system falling within a use case listed in Annex III is automatically classified as high-risk. Article 6(3) of the Act provides a limited exception for systems that do not pose a significant risk to the health, safety, or fundamental rights of persons. This exception may only apply where the system performs a narrowly scoped, auxiliary, or preparatory function.

An important limitation on this exception is the performance of profiling. Where a system performs profiling within the meaning of the General Data Protection Regulation (GDPR) — that is, where it automatically processes personal data for the purpose of evaluating or predicting certain aspects of a natural person — the exception under Article 6(3) is not available.

Conclusion

The Commission's draft guidelines contain the most comprehensive clarifications to date on the classification of high-risk AI systems. Although the guidelines are not binding, it is clear that they will constitute an important interpretive source for both market operators and supervisory authorities.

The approach set out in the guidelines demonstrates that AI systems cannot be classified as high-risk merely by checking the headings in the legislation. In the context of product safety legislation, the role performed by the system and potential failure scenarios must be assessed together; in the context of Annex III, the intended purpose, the degree of influence on decision-making, and the manner in which the system is presented to users must all be considered jointly.

It is therefore important for companies that develop, procure, or use AI systems to assess such systems from legal, technical, and commercial perspectives. In particular, in sectors subject to employment, education, financial services, and product safety legislation, an accurate classification carried out at an early stage is important for managing compliance and enforcement risks.

References
Make us your preferred source on Google
See Erdem & Erdem publications featured in your Google Search results.
Add as preferred source More from erdem-erdem.av.tr

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

New Obligations Imposed on Gaming Companies under Law No. 5651
Newsletter Articles
New Obligations Imposed on Gaming Companies under Law No. 5651

Today, the internet has become an integral part of social life and serves as one of the most widely used means of mass communication. While the internet offers significant opportunities in many areas, such as access to information, communication, and digital services…

IT Law and Artificial Intelligence 31.05.2026
The Use of Generative AI Tools Such as ChatGPT and Google Gemini in the Workplace
Newsletter Articles
The Use of Generative AI Tools Such as ChatGPT and Google Gemini in the Workplace

Generative AI technologies, particularly tools such as ChatGPT, Microsoft Copilot, and Google Gemini, have rapidly created a transformative impact on the business world. By generating original outputs that closely resemble human-produced content, drawing…

IT Law and Artificial Intelligence 28.02.2026
Processing of Personal Data in the Context of Artificial Intelligence Models
Newsletter Articles
Processing of Personal Data in the Context of Artificial Intelligence Models

The European Data Protection Board (“EDPB”) issued Opinion 28/2024 addressing key data protection concerns related to the processing of personal data in the context of artificial intelligence (“AI”) models. This Opinion was prepared in response to the Irish Supervisory Authority’s request under Article 64(2) GDPR...

IT Law and Artificial Intelligence 31.01.2025
Artificial Intelligence in Arbitration
Newsletter Articles
Artificial Intelligence in Arbitration

As technology advances, artificial intelligence (“AI”) is steadily making its way into dispute resolution, promising enhanced efficiency. Practitioners are carefully weighing its capabilities against its limitations...

IT Law and Artificial Intelligence 31.10.2024
Framework Convention on Artificial Intelligence
Newsletter Articles
Framework Convention on Artificial Intelligence

The Framework Convention on Artificial Intelligence (Convention) is an international treaty proposed by the Council of Europe that was recently opened for signature . This is the first legally binding international framework regulating the entire lifecycle of Artificial Intelligence (AI) systems. The Convention ensures...

IT Law and Artificial Intelligence 30.09.2024
Reflections of the European Union Artificial Intelligence Act on Actors in Turkiye
Newsletter Articles
Reflections of the European Union Artificial Intelligence Act on Actors in Turkiye

The "Brussels Effect" refers to the phenomenon where European Union (“EU”) regulations influence or set standards globally. Since the EU is a significant market, global companies often find it practical and economically beneficial to adopt EU standards across all their operations rather than comply with multiple...

IT Law and Artificial Intelligence 31.08.2024
Amendments Introduced to the Law on Regulation of Internet Publications
Newsletter Articles
Amendments Introduced to the Law on Regulation of Internet Publications
IT Law and Artificial Intelligence March 2014
Constitutional Court's Annulment Decision on Certain Provisions of the Internet Law No. 5651
Newsletter Articles
Constitutional Court's Annulment Decision on Certain Provisions of the Internet Law No. 5651

With its decision dated 11.10.2023 and numbered 2020/76 E., 2023/172 K. published in the Official Gazette dated 10 January 2024 and numbered 32425 ("Decision"), the Constitutional Court ("Constitutional Court") evaluated the requests for the annulment of certain articles of the Law No. 7253 on the...

IT Law and Artificial Intelligence 29.02.2024
Latest Development As Regards to the Social Network Providers
Newsletter Articles
Latest Development As Regards to the Social Network Providers

The Information Technologies and Communications Board adopted the Procedures and Principles for Social Network Providers (“Procedures and Principles”) with its decision dated 28.03.2023 and numbered 2023/DK-ID/119. The said decision was published in the Official Gazette dated 01.04.2023, and entered into...

IT Law and Artificial Intelligence 31.07.2023
Artificial Intelligence Act Adopted by the European Parliament
Newsletter Articles
Artificial Intelligence Act Adopted by the European Parliament

The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...

IT Law and Artificial Intelligence 31.07.2023
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation
Newsletter Articles
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation

ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...

IT Law and Artificial Intelligence 30.04.2023
Did Social Network Platforms Comply with the New Regulations in Turkey?
Newsletter Articles
Did Social Network Platforms Comply with the New Regulations in Turkey?
IT Law and Artificial Intelligence January 2021
What Has Come About through the Social Media Regulation?
Newsletter Articles
What Has Come About through the Social Media Regulation?
IT Law and Artificial Intelligence June 2020
Internet Actors in Law No. 5651
Newsletter Articles
Internet Actors in Law No. 5651
IT Law and Artificial Intelligence June 2020

For creative legal solutions, please contact us.