Guidelines support providers with ‘high-risk’ AI self-assessments

Wesley Horion of Pinsent Masons was commenting after the European Commission published much-anticipated draft guidelines on ‘high-risk’ AI.

The ‘high-risk’ AI regime is one of the most significant features of the EU AI Act with cross-sector relevance. Broadly, it imposes obligations on providers, deployers, importers and distributors of high-risk AI systems around matters such as risk management, data quality, transparency, human oversight and accuracy, as well as registration, quality management, monitoring, record-keeping, and incident reporting. Pinsent Masons has developed its own guide to help businesses understand what constitutes a ‘high-risk’ AI system.

Currently, the rules on high-risk AI systems are due to come into effect on 2 August 2026, though proposals to delay implementation are well-advanced in the EU legislative process. It is expected that ‘Annex III’ AI systems, covering employment, education, and health insurance, now face a compliance deadline of 2 December 2027, while obligations relating to AI embedded in physical products such medical devices or industrial machinery will be delayed until August 2028. The planned delay is designed to provide more time for EU policymakers to formulate standards, tools and guidelines to help businesses meet their obligations under the new regime. The Commission’s publication of draft new guidelines is therefore a significant step in that regard.

“The Commission’s draft guidelines can be framed as a living repository of practice-oriented examples, designed to operationalise the high-risk AI regime under the EU AI Act,” said Horion. “The breadth of the examples, combined with the explicit indication that the list will be continuously updated over time, underscores the Commission’s intention to provide a dynamic interpretative layer rather than a static rulebook. This evolving catalogue is complemented by institutional support mechanisms, including the AI Service Desk and engagement with market surveillance authorities. This ‘guided compliance’ model means remaining ambiguities are expected to be resolved through dialogue rather than classification before the systems are placed on the market.”

“At the core of the guidelines lies a clear reaffirmation of the central role of the provider. Providers are expected to define, and crucially document, all intended and ‘reasonably foreseeable’ uses of the AI system in the technical documentation for those systems, which forms the foundation of the high-risk classification exercise. This elevates the scoping of use cases from a formal requirement to a substantive legal responsibility, as the way in which a system is described will directly determine its regulatory status. In practice, this places a premium on careful product design and documentation across technical and commercial materials,” he said.

The guidelines also make clear that self-assessment by the provider is the foundation of the classification regime. According to Horion, this is not a loophole, but a deliberate regulatory design choice aimed at reducing administrative burdens and avoiding systematic reliance on third-party conformity assessment for classification purposes. However, he said this “significantly raises the stakes for providers”.

“This is because classification decisions have downstream implications for the potential applicability of high-risk obligations and may extend along the value chain – including scenarios where other actors assume provider responsibilities through modification or rebranding,” Horion said. “The result is a system that combines flexibility with accountability, requiring providers to exercise sound and traceable legal judgment.”

Horion said that one of the more practically relevant clarifications contained in the draft guidelines concerns AI systems embedded in complex or modular architectures.

“The Commission makes clear that where multiple components jointly influence a decision, they must be assessed as a single overarching system for the purposes of high-risk classification,” Horion said. “This is a particularly helpful signal in the context of increasingly prevalent agentic and orchestrated AI systems, where functionality is distributed across modules interacting with each other. The guidance effectively closes potential avenues for fragmentation or artificial segmentation, reinforcing that classification must reflect the actual functional configuration and combined impact of the system as deployed.”

The Commission’s draft guidelines are open to public consultation until 23 June.