What the New Commission Guidelines for High-Risk AI Mean for Your Governance

Zahed Ashkara, AI Compliance & Governance Advisor
6 minute read | AI Governance | May 20, 2026

The Guidelines Everyone Was Waiting For

On 19 May 2026 the European Commission published 148 pages of draft guidelines for the classification of high-risk AI systems under Article 6 of the AI Act[1]. Consultation runs until 23 June 2026, but the direction is already clear. For boards and compliance leaders, this is the interpretive document the market has been waiting for since the AI Act entered into force.

The legal deep-dive lives on aiactblog.nl for those who want the detail[3]. In this article we focus on the three governance implications you should weigh now, and on the steps that belong on the executive table this week.

Implication 1: Vendor Due Diligence Gets Sharper

Until now, AI vendors could rely on general compliance claims. "Our system is AI Act compliant" was often enough for the procurement conversation. That time has passed.

The Commission clarifies that high-risk classification must be substantiated per system, with explicit reference to the relevant Annex III use case and, if applicable, the Article 6(3) filter condition[2]. A vendor that cannot demonstrate this in the contract effectively transfers the reclassification risk to you as the deployer.

In practice this means your procurement, contract and risk functions need to ask questions like:

  • Which Annex III use case does the system fall under, or why does it fall fully outside?
  • If the Article 6(3) filter is invoked, which of the four conditions applies and how is it substantiated?
  • Is profiling performed within the meaning of GDPR Article 4(4)? If yes, is the vendor aware that the filter then automatically falls away?
  • How is anti-circumvention addressed in modular or agentic architectures?
  • What is the filter status as registered in the EU database?

Vendors that don't have clear answers to these questions aren't ready for 2 August 2027.

Implication 2: Your Internal AI Portfolio Needs a Fresh Review

Many organisations have made a first AI inventory over the past two years, often with a simple three-way split: non-AI, limited risk, high risk. The new guidelines make clear that this level of granularity is no longer sufficient.

For each high-risk classified system you must be able to demonstrate:

  • Which specific Annex III use case applies
  • Which filter consideration (if any) was made
  • What documentation supports the classification
  • Who within the organisation is responsible for monitoring and re-assessing the classification when the system changes

For each of the eight Annex III domains, domain-specific examples and pitfalls apply. Virtually every modern HR system is in scope of domain 4. Banks and insurers need to pay particular attention to domain 5 because of the interaction with CRR and Solvency II. Public institutions face a mandatory FRIA under Article 27. An overview per domain with use cases[4] helps to make the first scan.

Implication 3: Governance Is No Longer a Project, It's a Process

The Commission makes clear that classification is not a one-off decision. Upon change in intended purpose, actual use, or architecture of a system, the provider must repeat the assessment. For deployers this means that your AI register, vendor monitoring and model lifecycle management must be linked.

In practice we see three maturity levels:

Level 1: ad hoc. A spreadsheet with a first inventory. Possibly updated after a major vendor swap, not through process design. Much of the European market still sits here.

Level 2: documented. An AI register as a formal document, ownership assigned, periodic review (annually). Meets the letter of compliance but not yet the spirit of the new guidelines.

Level 3: embedded. AI classification linked to procurement gates, change management, security gates and risk reporting. Changes to an AI system automatically trigger a reclassification flow.

For most organisations the step from level 1 or 2 to level 3 is no longer optional. It is the implicit expectation that emerges from the Commission guidelines.

What You Can Do This Week

Four concrete steps, in order:

Step 1: pull your AI vendor list. Compile within two weeks an up-to-date list of all AI systems the organisation buys or deploys, including AI functionality that SaaS vendors have added in updates.

Step 2: send a vendor questionnaire. Ask your major AI vendors in writing for their Article 6 analysis. Whoever does not provide a substantive answer within four weeks goes on the risk watchlist.

Step 3: lay your internal classification next to the Commission guidelines. For every owned or contracted AI system that touches one of the eight Annex III domains, re-assess classification against the new interpretation.

Step 4: secure AI literacy among decision-makers. Buyers, line managers, risk and compliance officers need to understand what they are assessing in vendor conversations and classification debates. Article 4 AI literacy is the legal basis for this; LearnWize offers sector tracks to operationalise it.

Test directly? Use the Annex III Classifier 2026 on aiactblog.nl: 9 steps, built-in Article 6(3) filter check, personal email report.

How Embed AI Helps

We conduct AI governance scans for mid-size and large organisations that want to test their AI portfolio against the current EU AI Act interpretation, including the new Commission guidelines.

The scan consists of three parts:

  • AI inventory and classification: per AI system, mapping which Annex III use case may apply, whether the Article 6(3) filter is relevant, and what documentation exists
  • Vendor due diligence assessment: review of your major AI vendors on their Article 6 analysis and classification rationale
  • Governance reporting: board report with risk overview, prioritisation and concrete action points for the next twelve months

Schedule a no-commitment conversation about the AI governance scan or read the deep-dive on aiactblog.nl[3] for the legal detail.

The Commission guidelines are still in draft, but the substantive direction is clear. Those who move governance to level 3 now do so on their own schedule. Those who wait until 2 August 2027 do so under time pressure and with less control.

Sources

[1] European Commission (2026). Draft Commission guidelines on the classification of high-risk AI systems. Shaping Europe's digital future.
[2] European Union (2024). AI Act, Regulation (EU) 2024/1689, Article 6 and Annex III. European Parliament and Council.
[3] Responsible AI Platform (2026). Deep-dive: Commission guidelines on high-risk AI. aiactblog.nl.
[4] Responsible AI Platform (2026). Overview of the eight Annex III domains. aiactblog.nl.