Brief IA

High-Risk AI: Brussels Unveils Its List and Loopholes

⚖️ Regulation & Ethics·Tom Levy·

High-Risk AI: Brussels Unveils Its List and Loopholes

High-Risk AI: Brussels Unveils Its List and Loopholes
Key Takeaways
1The European Commission published its guidelines on high-risk AI on May 19, with a delay of 107 days.
2Eight sensitive areas, including education and credit, are targeted, impacting many sectors in France.
3A system can escape the classification of high risk if it meets three specific conditions.
💡Why it mattersCompanies need to adjust their compliance strategies in light of these new guidelines, despite a postponement of deadlines.
Le brief IA que lisent les pros

Le brief IA que les pros lisent chaque soir

Les 7 actus IA du jour, décryptées en 5 min. Gratuit.

Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.

Choisis ton rythme

Gratuit · Pas de spam · Désabonnement en 1 clic

📄
Full Analysis

The European Commission published its long-awaited guidelines on the classification of high-risk artificial intelligence (AI) systems on May 19. This crucial document for businesses was released 107 days later than the initial legal deadline. The context of this publication is marked by the Omnibus agreement, which postponed legal obligations by sixteen months, making the timing of this release particularly delicate.

According to Article 6 of the AI Act, the Commission was required to provide a precise list of AI systems considered "high-risk." Initially scheduled for February 2, 2026, this list was finally made public on May 19, accompanied by an open consultation until June 23. The document is divided into three downloadable sections on the AI Act's single information platform, offering for the first time an official interpretation from the Commission regarding systems subject to the strictest obligations of the European regulation.

Eight Areas Under Surveillance

The guidelines identify two main categories of high-risk systems. The first concerns AIs integrated into products already regulated by European safety legislation, such as medical devices, toys, industrial machines, and elevators.

The second category targets eight sensitive areas, listed in Annex III, which affect a wide audience:

  • Remote biometric identification
  • Management of critical infrastructures (electricity, water, gas, road traffic)
  • Education
  • Employment and personnel management
  • Access to essential services (credit, insurance, social benefits)
  • Law enforcement
  • Border control
  • Administration of justice

In France, these areas concern numerous sectors of the digital economy. Automated CV sorting, bank credit scoring, algorithm-driven insurance pricing, and automated grading in higher education are common practices. With over 1,100 startups operating in these fields, the French AI ecosystem is the largest in continental Europe by volume, according to France Digitale.

A Loophole for Certain Systems

Article 6(3) of the AI Act proposes a loophole for certain systems listed in Annex III. To avoid being classified as high-risk, a system must meet three conditions: perform a narrow procedural task, not profile individuals, and not pose a significant risk to health, safety, or fundamental rights. For example, a tool that extracts keywords from a CV without ranking candidates could be exempted. The guidelines provide practical examples to delineate this boundary, which legal experts and DPOs have been awaiting for months.

An Adjusted Timeline

The timeline for obligations has been modified by the Omnibus agreement of May 7, postponing the application of rules for autonomous systems in Annex III to December 2, 2027, and for those integrated into regulated products to August 2, 2028. This delay offers businesses additional time to comply with the new requirements. The Omnibus is still awaiting formal adoption by the Parliament and the Council, expected before August 2, when the original obligations would apply without it.

In France, the CNIL has been designated as the reference authority for the application of the AI Act, following the vote on the digital aspect of the DDADUE bill in February 2026. The concrete oversight architecture, which monitors what, how, and with what means, is still under construction. Although the guidelines are not binding, they provide a valuable framework for companies that must now adjust their compliance investments.

Brief IA — L'actualité IA en français

L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.