The European Commission published its long-awaited draft guidelines on “high-risk” AI system classification under the EU AI Act on 19 May. They were due in February. Publication was delayed to incorporate stakeholder feedback — which tells you something about how contested this area was before the ink was even dry.

The guidelines are non-binding. That matters less than it sounds, because market surveillance authorities in each member state will use them as their interpretative reference. And the Court of Justice of the EU ultimately gets the final word — but that takes years. In the meantime, companies need to make compliance decisions now.

The Multi-Purpose AI Problem

The question everyone wanted answered: are general-purpose AI systems like ChatGPT, Microsoft Copilot, or Harvey automatically high-risk because they could be used in high-risk ways?

The Commission’s answer is nuanced but not reassuring for providers. A multi-purpose AI system is not automatically high-risk — but it depends heavily on how the provider presents it. If your terms of service, marketing, product positioning, and technical documentation collectively present the system as “broadly applicable across a generality of contexts” without consistently limiting high-risk applications, the system will be deemed to have a high-risk intended purpose.

This is the paragraph that will keep legal teams up at night: “merely asserting (for example in the terms of service) that high-risk uses are excluded is insufficient to avoid the system from being considered high-risk, where the provider’s overall presentation, examples, or product positioning effectively provides for or promotes such uses.”

In other words: you can’t disclaim your way out of high-risk classification. If your marketing says “use it for HR recruitment, legal research, and public sector decisions” — all Annex III categories — inserting a clause saying “but not for high-risk uses” won’t save you. Your documentation has to be “clearly, concretely, and coherently” consistent across every surface.

The Financial Services Layer

For the financial sector, the guidelines add further precision. Creditworthiness assessment and credit scoring are distinct — and both are potentially high-risk. The Commission clarified that “essential private services” include bank accounts, mortgages, and loans, but not the acquisition of stocks and securities or premium credit cards. The fraud detection exception is narrow: fraud detection must be the main purpose of the AI system, and it does not extend to AML/CFT checks.

This sounds granular, but it’s practically important. Financial institutions have been operating sophisticated algorithmic systems for years under existing regulatory frameworks. The AI Act doesn’t replace those frameworks — it layers on top of them. The interaction between the AI Act and existing financial regulation (Capital Requirements Regulation, Solvency II) is going to be a compliance headache for every institution deploying AI in credit decisions.

What Companies Should Do Now

The consultation closes on 23 July 2026. If you’re a provider of general-purpose AI, this is the moment to submit substantive feedback — particularly on paragraph 12 of the general principles section. Once these guidelines are finalised, the interpretation they enshrine will be embedded in how national authorities approach classification decisions.

For businesses deploying AI in high-risk use cases — particularly in HR, financial services, or public sector decision-making — now is the time to audit your vendor agreements. The draft guidelines make clear that the entity deploying the AI (not just the provider) may bear obligations under Article 25 if the deployment qualifies as high-risk. Your terms of service won’t protect you if your usage pattern looks like a high-risk application.

The Bigger Picture

The AI Act’s high-risk classification is the linchpin of the entire regulatory structure. High-risk systems face the Act’s most demanding requirements: transparency obligations, human oversight mandates, conformity assessments, and registration in the EU database. Get the classification wrong — either by over-classifying and taking on unnecessary compliance burden, or by under-classifying and leaving yourself exposed — and the entire compliance programme is built on the wrong foundation.

These draft guidelines are the Commission’s attempt to give companies a map through that terrain. Whether the map is accurate won’t be clear until cases start reaching the courts. But for now, every AI provider operating in the EU should treat them as the working interpretation of the law.

The consultation closes July 23rd. That’s not much time.