Executive Summary
- What’s new: On 19 May 2026, the European Commission published draft guidelines setting out which systems are “high-risk AI systems” regulated by the AI Act.
- Why it matters: The guidelines, while not strictly binding, will influence regulators’ assessment of whether a given AI system is “high-risk” and thus subject to the bulk of the AI Act’s obligations.
- What to do next: Companies should consider reviewing their existing policies on the triage and mapping of AI use-cases to reflect the Commission guidance.
__________
Background
On 19 May 2026, the European Commission published draft guidelines on the classification of AI systems as “high-risk” under the EU’s AI Act (the Guidelines). Providing or deploying an AI system classified as high-risk triggers the AI Act’s core compliance obligations, such as obligations to maintain technical documentation and enable human oversight.
Although not strictly binding, the Guidelines are likely to influence AI Act regulators’ interpretation of the AI Act and enforcement priorities. The Guidelines are open for consultation until 23 June 2026.
The Commission’s publication of the Guidelines follows the European Parliament’s and European Council’s provisional agreement earlier in May to delay the compliance deadlines for high-risk AI system obligations, which are now expected to come into force in phases starting on 2 December 2027 (see our previous client alert on that agreement).
Categorising High-Risk AI Systems
Under the AI Act, an AI system is high-risk if it is intended to be used:
- as a safety component of a product required to undergo third-party conformity assessments under existing EU laws listed in Annex I of the AI Act, such as EU laws on lifts, toys and vehicles; or
- for a purpose listed in Annex III of the AI Act, such as employment decisions, credit scoring or insurance pricing (though there is an exception for AI systems that “do not pose a significant risk of harm,” for example because they do not “materially influence the outcome” of a decision).
| WHAT THE AI ACT SAYS | WHAT THE GUIDELINES SAY |
|---|---|
|
Intended use: AI systems’ classification as high-risk depends on their “intended use.” |
The intended use of a system may be inferred from a broad range of materials, including promotional materials and technical documentation. Contract terms to the effect that an AI system must not be used for high-risk purposes will not (on their own) be enough to prevent an AI system being classified as high-risk if other materials suggest that the system is intended to be used for high-risk purposes. |
| Safety components: AI systems that are components of products subject to existing EU product safety regulations, such as lifts, toys and vehicles, are high-risk if the AI system is a “safety component” of that system. |
A “safety component” is a component:
|
|
Recruitment: AI systems are high-risk if intended for use “for recruitment or selection” of job candidates or to make work-related decisions, such as promotion decisions. |
The concept of using a system for “recruitment or selection” is wide and can include, for example, AI systems used to generate job descriptions or used to analyse candidates’ CVs and generate “suitability” scores, even if the final hiring decision is made by a human recruiter. Likewise, the concept of “work-related decisions” is broad and includes, for example, decisions about pay and conditions, performance evaluations and promotions, and allocation of tasks based on previous performance metrics (e.g., assigning work shifts to individuals who historically have the highest punctuality). However, decisions must “reach a threshold of significance” so, for example, decisions on the “allocation of office space and … lunch time” are not high-risk under the AI Act. |
| Critical infrastructure: AI systems are high-risk if intended for use as a “safety component” of critical infrastructure, including digital infrastructure, road traffic management or supply of water, gas, heating or electricity. |
The concept of “critical infrastructure” in the AI Act should be interpreted as referring to the essential services of entities that have been designated as critical under the EU’s Critical Entities Resilience Directive. |
| Credit checks: AI systems are high-risk if intended for use to determine “access to and enjoyment of essential private services and essential public services” through “evaluat[ing] the creditworthiness” of a natural person. |
“Essential services” are services “necessary for people to fully participate in society or to improve their standard of living,” such as housing, electricity, water, telecommunications, transport, and basic financial services such as bank accounts and mortgages. Not all financial services are essential. For example, stock trading and premium credit cards are not “essential” financial services. |
What Companies Should Consider Now
- The Guidelines set out the Commission’s approach to interpreting the AI Act’s scope, and are likely to influence national AI Act regulators’ interpretations and enforcement priorities. Companies should consider updating their approach to triaging and risk-assessing AI use-cases, as well as any previously conducted risk assessments, to reflect the Guidelines.
- The Guidelines emphasise that whether an AI system triggers AI Act obligations depends on its intended use, which may be identified based on a wide range of materials including promotional materials and technical documentation. Companies should consider reviewing existing materials prepared by marketing and technical teams, and setting out guardrails for the preparation of future materials, to avoid marketing or technical documents inadvertently bringing AI systems into scope of the AI Act’s high-risk AI obligations.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.