Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

May 25, 2026 · 7 min read

The EU Commission Just Missed Its February Deadline for the High Risk AI Guidelines—Released the Draft on May 19, Three Months Late, With Compliance Now Bumped to December 2027 and August 2028 After 110 European Businesses Lobbied for the Extension

The guidelines were due February 2, 2026, the day before the EU AI Act's first prohibitions took effect. They arrived on May 19. The draft runs through public consultation until June 23. New compliance deadlines—December 2, 2027 for standalone high risk AI systems and August 2, 2028 for high risk systems embedded inside other products—are written into the accompanying Digital Omnibus package that 110 EU businesses asked for in March.

An editorial photograph of a Brussels style government building's facade with a row of EU and member state flags against an overcast sky, representing the European Commission's release of long delayed AI compliance guidance

Key Takeaways

  • The European Commission released its draft high risk AI classification guidelines on May 19, 2026—three months past the February 2 statutory deadline.
  • The guidance covers Article 6 of the EU AI Act in two parts: Article 6(1) for AI systems embedded in products with separate safety regulation (Annex I), and Article 6(2) for stand alone systems used in eight specific deployment areas (Annex III) including biometrics, education, employment, and law enforcement.
  • Public consultation runs through June 23, 2026, after which the Commission will revise the draft before finalizing.
  • The Digital Omnibus package, secured by lobbying from more than 110 EU businesses, pushes compliance to December 2, 2027 for stand alone high risk AI and August 2, 2028 for embedded high risk AI.
  • The Commission's deputy framed the goal as providing "legal certainty for the sector, for the innovators," but the long delay between statute and guidance is the single largest source of uncertainty in the AI Act's rollout to date.

What Was Supposed to Happen by Now?

The EU AI Act, formally adopted in 2024, set a rolling implementation schedule with three early milestones: February 2, 2025 for the prohibition list to take effect, August 2, 2025 for general purpose AI obligations, and August 2, 2026 for the high risk classification rules. The Commission was required to publish guidelines explaining how to classify a system as high risk in time for organizations to prepare. The deadline written into the Act for that guidance was February 2, 2026, six months before the rules themselves applied.

February 2 came and went without the guidance. The Commission cited the volume of stakeholder feedback and the complexity of Article 6 as reasons for the delay. Industry groups responded with a formal letter signed by 110 European businesses arguing that without guidance, the August 2, 2026 enforcement date could not be met and that companies needed both a published guideline and a substantial implementation buffer.

The Commission's answer was the Digital Omnibus package, agreed in principle in May 2026, which moves the substantive enforcement dates for high risk AI to December 2, 2027 (standalone) and August 2, 2028 (embedded). The May 19 guidance is the technical companion to that schedule.

How Does Article 6 Decide What Counts as High Risk?

Article 6 splits high risk classification into two distinct paths. Article 6(1) covers AI systems that act as a safety component of a product, or are themselves a product, where that product is already subject to EU safety regulation listed in Annex I. The Annex I list runs across medical devices, machinery, toys, vehicles, lifts, gas appliances, and roughly twenty other product categories. If an AI system is part of one of those products and must already undergo third party conformity assessment under the existing rule, it counts as high risk under the AI Act.

Article 6(2) covers stand alone AI systems deployed in eight areas listed in Annex III: biometric identification and categorization, critical infrastructure, education and vocational training, employment, access to essential services, law enforcement, migration and border control, and administration of justice and democratic processes. Within each of those areas, only specific listed use cases are high risk. A face recognition system at a national border is in. A face recognition system to unlock a personal phone is out.

The guidance the Commission released on May 19 is essentially a long worked example walkthrough of those two paths. Each Annex III deployment area gets several illustrative examples, with reasoning for whether the system falls inside or outside the high risk perimeter. The examples are not exhaustive, and the guidance says explicitly that subsequent updates will add more.

What Counts as a High Risk Deployment in Practice?

A handful of categories from the guidance, with worked examples that show where the lines land:

  • Employment. CV screening that automatically ranks candidates is high risk. A scheduling assistant that drafts interview invitations is not.
  • Education. AI that determines whether a student passes or fails an exam is high risk. AI used to recommend extracurricular activities is not.
  • Essential services. AI used to score creditworthiness for a loan application is high risk. AI used to recommend a savings product is not.
  • Law enforcement. AI used to assess flight risk in a criminal case is high risk. AI used by a department's internal email triage is not.
  • Biometrics. Live face recognition for identification is high risk in nearly every form. Categorization based on biometric data—age estimation, emotion detection—is high risk when used in covered contexts.

The pattern across the examples is consistent: the question is not whether the system uses AI but whether the AI's output materially affects a person's access to a right, a service, or a freedom. Decision affecting systems are in. Convenience systems are not.

What Does an "In Scope" System Actually Have to Do?

A system classified as high risk has a long obligation list: a risk management process across the lifecycle, training data quality controls, technical documentation kept current, automatic logging, human oversight by design, accuracy and robustness testing, cybersecurity controls, and a quality management system that ties it all together. Providers must register the system in an EU wide database and conduct a conformity assessment before placing it on the market. Deployers—the organizations actually using the system on people—have additional obligations including a fundamental rights impact assessment for certain use cases.

The new compliance dates—December 2, 2027 for standalone systems and August 2, 2028 for embedded systems—give providers and deployers eighteen to twenty four months from the final guidance to meet that obligation set. That is the practical timeline most EU based AI work needs to plan against. Penalties for non compliance run up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious breaches.

The 110 business letter that secured the extension argued the original timeline was simply unworkable—companies could not build the documentation, testing, and oversight machinery without first knowing what would be in scope. That argument carried the day with the Commission, but it has not satisfied civil society groups, who view the extension as a quiet capitulation on the EU's most ambitious regulatory project in a decade.

How Does This Fit the Wider Picture?

The EU is not alone in working through high risk AI classifications. The US state level work, including Colorado's SB 189 AI law that got gutted on May 12 and pushed to January 2027, has tracked a similar pattern: ambitious initial scope, industry pushback, extension or rollback. Canada's similar attempt to legislate around AI generated harm has also slowed.

What sets the EU effort apart is the binding statutory deadlines. Colorado moved its own date by ordinary legislation. The EU had to negotiate an omnibus package to do the same thing. The structural friction inside European law means that once the high risk framework does take effect in late 2027 and 2028, it is harder to undo than the equivalent US state laws have proven to be.

For European companies and the global providers that sell into Europe, the practical answer is to treat the May 19 draft as the working specification for the next eighteen months. The final guidance will shift in detail. The structural categories—Annex I, Annex III, the deployment area examples—are unlikely to change. Building the documentation, testing, and oversight scaffolding against the current draft is the lowest cost way to be ready when the formal deadlines arrive.

For privacy and compliance professionals tracking parallel work, the consent and processing requirements baked into the high risk obligations overlap heavily with GDPR Article 22 (automated decision making) and the upcoming e Evidence regime. The same EU regulatory pipeline that is grinding through AI is also grinding through the e-Evidence implementation deadline and several other linked files. Watching one in isolation misses the larger reshape of European tech regulation that is taking place across all of them.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.