A chain of sandwich stores must comply with all manner of laws from food hygiene to allergen labelling. It faces unannounced visits from local authority officers. If it mislabels sandwiches, it risks prosecution. On the other hand, the chain's AI system that screens potential employees' CVs operates under no equivalent regime.
As Professor Stuart Russell OBE put it: "there are more regulations on sandwich shops than there are on AI companies".
This gap is about to narrow. The EU AI Act – the world's first comprehensive AI law – will impose binding obligations on companies that build or deploy AI systems, including high-risk systems. When the AI Act starts to apply (see below), non-compliance with it could result in fines of up to €15 million (about £13 million) or 3% of global annual turnover.
In this article, we explain what the European Commission's recent publications mean for businesses, set out the new timelines for compliance and identify what you should be doing now.
The European Commission has recently published:
- long-awaited draft guidelines on the classification of high-risk AI systems (which are also out for consultation until 23 June 2026: Targeted consultation on the draft guidelines for the classification of high-risk artificial intelligence systems).
- a report on the review of prohibitions and high-risk AI, which examines whether the list of high-risk systems and prohibited systems in the AI Act needs updating.
Put simply, the draft guidelines clarify what is currently caught and provide more detail on what businesses need to know to comply with the AI Act, whereas the report identifies what might be caught by the AI Act in the future.
We set out below what businesses need to be thinking about now.
Push back of the dates when obligations kick in
Under the Commission's AI Digital Omnibus proposal, the application dates for high-risk AI system obligations have been pushed back, although this has yet to be formally written into law:
- 2 December 2027: rules for high-risk AI systems used in designated high-risk areas (employment decisions, credit scoring, law enforcement, and others) will apply from this date.
- 2 August 2028: rules for high-risk AI systems integrated into regulated products (such as lifts, toys, or medical devices) will apply from this date.
These delays give organisations a bit more time to comply. The original timeline would have required compliance by 2 August 2026 for standalone high-risk systems, and the absence of finalised guidance and harmonised standards was making that deadline unrealistic for many businesses.
Even so, organisations developing or deploying AI in these areas should be working towards compliance now. 2 December 2027 is eighteen months away. That sounds generous until you factor in the time required to audit existing AI systems, implement risk management frameworks, prepare technical documentation, and (where needed) undergo conformity assessment.
A reminder of what's high risk
The AI Act classifies AI systems as high risk through two routes.
- Under Article 6(1), if an AI system is a safety component of a product (or is itself a product) covered by EU harmonisation legislation listed in Annex I (such as machinery, medical devices, toys, vehicles) and that product requires third-party conformity assessment.
- Under Article 6(2), if an AI system's intended purpose falls within one of the specific use cases listed across eight areas in Annex III.
These eight areas are:
- biometrics;
- critical infrastructure;
- education and vocational training;
- employment, workers management and access to self-employment;
- access to essential private and public services;
- law enforcement;
- migration and border control; and
- administration of justice and democratic processes.
The list of use cases set out within each area in the AI Act is exhaustive, but not everything in these sectors triggers high-risk classification. For example, Annex III refers to "remote biometric identification systems" but clarifies that this doesn't include "AI systems intended to be used for biometric verification the sole purpose of which is to confirm that a specific natural person is the person he or she claims to be".
Nature of the draft guidelines
The guidelines:
- help providers, deployers and market surveillance authorities determine whether a specific AI system is classified as high-risk under Article 6 of the AI Act;
- set out the Commission's interpretation of certain concepts that are relevant for classification purposes and also contain practical examples of AI systems that should or should not be classified as high-risk;
- provide details on the Article 6(3) exception mechanism, which allows providers to demonstrate that a system listed in Annex III does not pose a significant risk and can therefore avoid high-risk classification. Under Article 6(3), a system won't be treated as high risk where it doesn't pose a significant risk of harm to health, safety, or fundamental rights, provided it meets one of four conditions. However, any system that profiles natural persons is always classified as high risk, regardless of these conditions. The guidelines provide detailed guidance on how to apply this filtering step;
- provide details on what happens once a system is classified as high risk. The guidelines address requirements including: risk management systems; data governance; technical documentation; record-keeping; transparency and information provision to deployers; and human oversight measures; and
- provide details on conformity assessment procedures. The guidelines clarify when a third-party conformity assessment is required versus when self-assessment is sufficient.
What businesses should do now about the draft guidelines
The guidelines aren't final. They're open for consultation until 23 June 2026 and may be revised further before adoption. They're also non-binding: authoritative interpretation of the AI Act ultimately rests with the Court of Justice of the European Union.
That said, these are the most detailed materials the Commission has published on high-risk classification to date, and they signal how regulators are likely to approach enforcement. We'd suggest the following steps:
First, map your AI systems against the classification criteria. Use the guidelines' examples and the Article 6(3) exception mechanism to determine which of your systems are caught. If you operate in any of the eight Annex III areas, assume your systems will face scrutiny.
Second, if you believe a system falls within Annex III but qualifies for the Article 6(3) exception, document that assessment now. Article 6(4) requires providers to document their reasoning before placing the system on the market, and to register the system under Article 49. This isn't a decision you can make retroactively.
Third, start building the compliance infrastructure. High-risk obligations cover risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness and cybersecurity. None of this can be assembled overnight.
Fourth, consider responding to the consultation if you have concerns about how the guidelines interpret the classification rules, particularly where they may capture (or exclude) systems in ways that don't reflect commercial reality. The deadline is 23 June 2026.
What's in the report
The report also highlights areas which are flagged for potential future expansion of the high-risk and prohibited categories. These include:
- AI companions and mental health chatbots;
- AI systems capable of generating non-consensual nude and sexually explicit deepfakes;
- AI systems intended for facilitating scams and financial fraud;
- AI in debt collection and enforcement;
- AI in tenant screening and access to essential services beyond life and health insurance;
- AI in political disinformation via deepfakes; and
- AI in critical infrastructure beyond safety components.
What businesses should do now about the report
The report doesn't change the law today. But it reveals where the Commission sees gaps and where future rulemaking may be heading. If you're developing or deploying AI in any of these flagged areas, consider the report as an early warning.
The practical message is straightforward: don't wait for the final legislative text to start preparing. Professor Russell's sandwich shop may still face more day-to-day regulation than most AI companies. But the gap is closing. And for businesses building or deploying high-risk AI systems, the compliance burden heading their way could well make a food hygiene inspection look simple.
