APREX · EST. 2026
On May 19, 2026, the European Commission presented a detailed draft of guidelines to help developers and users of artificial intelligence determine whether their systems are classified as high-risk under the AI Act. The document is over 130 pages long and contains practical examples, according to the Digital Watch Observatory.
Public consultation is open until June 23, 2026, and all stakeholders — including Norwegian companies and research communities — can submit input.
What is considered high-risk?
The AI Act defines high-risk systems as artificial intelligence used in sectors with a high potential for harm to individuals or society. This includes, among others:
- Recruitment and personnel management
- Biometric identification
- Critical infrastructure
- Education and training
- Migration and border control
The regulation imposes strict requirements on such systems — including documentation, risk management, data quality, and conformity assessments.
Loopholes closed — disclaimers are not enough
One of the most important points in the new draft is that the European Commission makes it clear that providers cannot avoid high-risk classification through broad disclaimers or generic contractual clauses. The assessment will instead take into account all available information about the system's intended use — including marketing materials, user manuals, and terms of use.
Broad disclaimers in contracts are no longer enough to avoid high-risk classification — the EU looks at the entirety of how a system is marketed and actually used.
In addition, the draft states that if several AI systems are part of one larger overall system, the entire configuration will be considered a single high-risk system. This means that individual modules that would otherwise be exempt lose this exemption status if the overall system affects critical decisions.
Claims of human control are also carefully considered: it is not sufficient to say that a human is involved. According to the guidelines, the exception only applies if the AI system performs narrow procedural tasks, or improves an already completed human activity without significantly influencing the outcome.
Industry criticizes the breadth
Despite the guidance being intended to clarify, the industry has long argued that the definition of high-risk itself is too broad. More than 110 EU-based companies lobbied for a two-year pause in enforcement, citing a lack of adequate guidance and standards.
Legal experts from the law firm Clifford Chance have warned that the broad definition could capture simpler software systems that do not pose any real risk of serious harm. The insurance sector, for its part, has complained that a wide range of the industry's AI solutions are automatically categorized as high-risk without a concrete risk assessment, according to research material.
Small companies and startups are particularly concerned about the overall compliance cost. The requirements for documentation and conformity assessment are described by some actors as neither technically feasible nor proportionate.
Extended deadlines give Norwegian actors time
Pressure from the industry — particularly from Germany and a number of industry organizations — has already resulted in extended enforcement deadlines. For high-risk AI in sectors such as employment, biometrics, critical infrastructure, education, and migration, the deadline has been pushed to December 2, 2027. For AI integrated into physical products such as robotics and industrial machinery, the rules apply from August 2, 2028.
This means that Norwegian companies and research communities developing or using AI systems in these categories have approximately 18 months to ensure compliance — provided that the final regulations are not further changed.
Norway is expected to implement the AI Act through the EEA agreement, although the formal incorporation process is still ongoing.
What happens next?
The consultation deadline for the current draft is June 23, 2026. After that, the European Commission will process the input and publish a final version of the guidance. Stakeholders who wish to influence the final content should submit their input by the deadline.
For Norwegian businesses that have already started work on AI Act compliance, it is recommended to carefully review the draft — especially the rules on composite systems and the stricter requirements for interpreting intended purpose.