AI Act High-Risk Classification Just Got 148 Pages of Guidelines
Last month Parliament and Council bought you 16 extra months on AI Act high-risk. Now the Commission has published the 148-page draft guidelines explaining what “high-risk” actually means under Article 6. They’re not legally binding. In practice, they’ll be the document your regulator reaches for when deciding whether your system needs full Chapter III treatment. If you deploy AI in HR, credit scoring, or biometrics, you have until 23 June to read the draft and tell the Commission where they got it wrong.
What Changed in May
The Commission finally classified high-risk AI. In 148 pages.
The draft guidelines landed 19 May, three and a half months late. Three documents, two classification routes, and the closest thing to a user manual the AI Act will ever produce. The most consequential section is the Article 6(3) filter: your system might sit in an Annex III category but escape full Chapter III obligations if it poses “no significant risk.” That one filter could save you months of compliance work or cost you millions in fines (up to €15M or 3% of global turnover).
HR tools, credit scoring, biometrics, access to services and profiling all appear to be uses where general vendor assurances won’t cut it. If your solution “isn’t high-risk,” you need a verifiable, documented justification for that claim. Not a vendor’s word. A file you can hand to a regulator. The consultation closes 23 June. The guidelines are 148 pages whether you’re Germany or Malta.
CNIL fined IQVIA €5M for health data warehouses without multi-factor authentication.
The decision, published 28 May, targeted two IQVIA databases: LRX covering roughly 14,000 pharmacies, and EMR covering thousands of doctors. No MFA on a system processing millions of patient records. Pharmacy software kept transmitting customer data even after patients opted out. CNIL gave IQVIA six months to fix the issues, with a €10,000 daily penalty after that.
This is GDPR enforcement moving from paper to operational reality. With sensitive data, showing policies, permissions and contracts won’t be enough. Your DPA will ask whether MFA exists, whether logs are reviewed, whether individuals are properly informed, and whether an objection in the system actually stops processing. IQVIA failed on all four.
Finland became the first EU country to pass national CRA legislation.
The Finnish government adopted the law on 28 May, giving Traficom centralised authority over market surveillance and sanctions for products with digital elements. Most member states haven’t even published a draft yet. Finland already has notified bodies starting 11 June and vulnerability reporting obligations from 11 September.
Coming Up in June
11 June: CRA notified bodies framework begins. If your member state hasn’t designated conformity assessment bodies, third-party testing for important and critical digital products stalls. That bottleneck is your problem, not the regulator’s.
23 June: AI Act high-risk classification guidelines consultation closes. This is your window to push back on the Article 6(3) filter or flag where the classification doesn’t fit your product.
RegDossier
Making EU compliance almost enjoyable. Almost.