EU AI Act: Brussels issues draft guidelines on high-risk AI

The European Commission has published draft guidelines clarifying how companies should handle high-risk artificial intelligence systems under the bloc’s landmark AI Act, marking a crucial step toward the law’s full implementation across member states.

Released this week, the 85-page document aims to help businesses navigate complex compliance requirements before enforcement begins in earnest. The guidelines focus specifically on high-risk AI applications—systems that could pose significant threats to health, safety, or fundamental rights.

What Counts as High-Risk AI

The draft identifies eight specific areas where AI systems face stricter scrutiny. These include biometric identification, critical infrastructure management, educational and vocational training, employment and worker management, access to essential services, law enforcement, migration control, and administration of justice.

But the devil’s in the details. The Commission clarifies that not every AI system touching these areas automatically qualifies as high-risk. Companies must assess whether their specific application genuinely poses substantial risks to individuals’ rights or safety.

That’s where things get tricky for businesses.

Compliance Requirements Take Shape

Organizations deploying high-risk AI systems will need to establish comprehensive risk management frameworks, maintain detailed technical documentation, and implement human oversight mechanisms. The guidelines specify that companies must conduct conformity assessments before bringing systems to market—a process that could involve third-party auditors for certain applications.

Data governance requirements are particularly stringent. Training datasets must be relevant, representative, and free from errors that could lead to discriminatory outcomes. And companies can’t just set it and forget it—they’ll need continuous monitoring once systems go live.

The Commission estimates that compliance costs for high-risk AI providers could range from €10,000 to €400,000 per system, depending on complexity and sector.

Industry Reaction and Timeline

“These guidelines provide much-needed clarity for companies working to align their AI systems with regulatory requirements,” said a Commission spokesperson in a statement accompanying the release. “We’ve worked closely with industry stakeholders to ensure the framework is both protective and practical.”

Yet some technology firms argue the requirements remain too broad. Industry groups have until March 15 to submit feedback on the draft guidelines before the Commission finalizes the text.

The AI Act itself won’t be fully enforceable until mid-2026, though certain provisions—particularly the ban on prohibited AI practices—take effect sooner. Companies are racing to understand obligations that could fundamentally reshape how they develop and deploy artificial intelligence.

So what’s next? The Commission plans to release additional guidelines covering general-purpose AI models and transparency requirements in the coming months. Meanwhile, national regulators across the EU’s 27 member states are establishing the enforcement mechanisms that’ll make these rules stick.