APREX · EST. 2026
The European Commission's draft guidelines for classifying high-risk AI systems are setting the tone for one of the most demanding regulatory processes European business has faced in the technology sector. For Norwegian companies that develop or deploy AI falling under the EU AI Act, this is material that demands urgent attention.
What is "high-risk" — and why is it so difficult to determine?
At the heart of the guidelines is the question of when an AI system actually qualifies as high-risk. According to the review of the consultation process, as referenced by Arthur Cox LLP, this is far from straightforward in practice. The "intended purpose" of the system is central to the assessment, and this depends heavily on the specific context of use.
One particularly important point is that if several AI systems form part of a larger combined solution, the entire configuration is treated as a single high-risk system. This means that a potential workaround — splitting systems to avoid classification — has now been explicitly closed off.
Other ambiguities flagged by the industry include what actually qualifies as "sufficient human oversight", what performance thresholds apply, and whether accuracy requirements must be met equally across different user groups.
The entire configuration is treated as a single high-risk system — a potential workaround has now been explicitly closed off.
Pilot audits: Seven in ten systems fail
The figures from early pilot audits are sobering. According to the research source, audits conducted under the AI Act's pilot controls found that 71 percent of the high-risk AI systems evaluated lacked adequate documentation or risk controls. That is a high figure, suggesting that many organisations are still nowhere near compliance.
Timeline: Deadlines Norwegian companies must note
A heavy implementation burden lies ahead
The industry points out that moving from legal understanding to practical compliance is an enormous operational challenge. Requirements for detailed technical documentation and traceability throughout the entire AI system lifecycle — from design through to post-market monitoring — clash with the fast, iterative way in which AI is typically developed.
Compliance work is expected to drive up operating costs, extend time to market, and potentially raise prices for law-abiding AI solutions. The industry has called for at least twelve months to implement technical standards, but the deadline appears to leave far less time than that.
Intense pressure from European industry
In July 2025, more than 45 prominent European companies — including Airbus, ASML, Lufthansa, Mercedes-Benz and Siemens Energy — joined forces to urge the EU to pause the most stringent requirements for at least two years. Their reasoning cited persistent uncertainty, regulatory overload and fears of weakened competitiveness. The European Commission has so far not granted any general delay, according to Arthur Cox LLP's review.
The industry also warns of overlap with existing legislation such as the GDPR and the Digital Services Act (DSA), particularly in relation to generative AI. In the healthcare sector, stakeholders fear that conflicting requirements from medical device regulation could delay the rollout of AI-based medical solutions.
What Norwegian companies should do now
With 2 August 2026 as the first critical deadline, the window for action is narrow. Companies that develop or deploy AI in areas such as biometrics, employment, credit, education, critical infrastructure or healthcare should immediately assess whether their systems qualify as high-risk under the regulation.
Concrete steps include establishing risk management systems covering the full AI lifecycle, ensuring technical documentation and traceability, and putting in place procedures for human oversight and incident reporting. The fines for non-compliance are substantial — meaning the cost of waiting may prove far higher than the cost of acting now.