Three tracks. Two consultation windows. One August 2 cliff.
May 2026 is the month the EU AI Act’s compliance machinery became operational. The Omnibus finalization resolved outstanding definitional questions earlier this month. The Article 50 transparency consultation opened and closes June 3. Now the European Commission has released draft guidelines for classifying AI systems as high-risk under Article 6, opening a public consultation through June 23. Each event is individually reported. Together, they represent something more significant: the Act’s compliance infrastructure is no longer aspirational. It’s running.
This deep-dive addresses the question the daily brief can’t fully answer: what does each of these three tracks actually require, in what sequence, and what happens if an organization misses one while managing another?
What the Omnibus Finalization Settled
The Omnibus process resolved questions that had kept compliance teams in a holding pattern. Definitional scope, the treatment of general-purpose AI models, and adjustments to the conformity assessment framework were all areas of active uncertainty while the Omnibus moved through negotiation. Organizations that were deferring high-risk classification work on the grounds that the regulatory text might shift no longer have that deferral available. The text is settled. The classification guidelines now operating under that settled text are what compliance teams must apply.
Article 6: The Classification Decision That Determines Everything Else
The high-risk classification question isn’t procedural. It’s the gate that determines whether an organization faces conformity assessment obligations, technical documentation requirements, human oversight mandates, and registration in the EU database. Getting it wrong in either direction carries cost.
Article 6 of Regulation (EU) 2024/1689 establishes two classification tracks. Article 6(1) applies to AI systems that function as safety components of products already regulated under EU product safety legislation, the Annex I list, covering machinery, medical devices, vehicles, and aviation equipment among others. If the AI component is a safety component of a regulated product and requires third-party conformity assessment under that product regulation, Article 6(1) high-risk status follows automatically. No further analysis needed.
Article 6(2) is where most of the classification work lives. Annex III of Regulation (EU) 2024/1689 lists eight sensitive domains where AI systems are presumptively high-risk:
1. Biometrics 2. Critical infrastructure management 3. Education and vocational training 4. Employment and workforce management 5. Access to essential private and public services 6. Law enforcement 7. Migration, asylum, and border control management 8. Administration of justice and democratic processes
EU AI Act Classification Framework: Before and After August 2, 2026
Article 6 Compliance Sequence, Pre-August 2 Checklist
- Complete Article 6(1) analysis: does any AI system function as a safety component of an Annex I-regulated product?
- Complete Article 6(2) analysis: does any AI system operate in an Annex III domain?
- For Annex III-domain systems: apply significant-risk assessment per draft guidelines and document the determination
- File consultation comments on classification edge cases by June 23, 2026
- For confirmed high-risk systems: begin conformity assessment and technical documentation
- Revisit pre-Omnibus classification work against settled regulatory text
Annex III listing is a trigger for analysis, not a final determination. The draft guidelines address how to assess whether a system within one of these domains poses a significant risk to health, safety, or fundamental rights, the threshold question under Article 6(2). A system that appears in an Annex III domain but doesn’t pose that significant risk may qualify for an exception. The guidelines provide the framework for making and documenting that determination.
That exception is meaningful. It’s also a trap for organizations that assume it applies without walking through the structured assessment the guidelines require. Undocumented exceptions create enforcement exposure identical to undocumented classification decisions.
The Consultation Window: Who Should Comment and Why
June 23 isn’t just a deadline to note. It’s a strategic decision point.
Comment periods on technical guidelines rarely produce structural reversals. The Commission isn’t going to reclassify biometrics or remove employment from Annex III because stakeholders object. What comment periods can produce: clarification on edge cases, narrowed or broadened exception criteria, adjusted documentation thresholds, and revised guidance on specific system types. For organizations operating in sectors with contested classification boundaries, hiring tools that don’t access biometric data but do inform employment decisions, educational assessment systems that score but don’t place students, the comment period is the most direct mechanism available to influence how those boundaries are drawn.
Legal counsel and compliance teams with specific classification concerns should be filing by June 23. Post-finalization, the guidance is what it is.
The Two-Consultation Overlap: Parallel Tracks, Different Obligations
Organizations managing both the June 3 and June 23 deadlines aren’t managing the same consultation twice. These address different provisions.
The Article 50 consultation covers transparency obligations, the requirements for AI systems that interact with humans (chatbots, emotion recognition, deepfakes) to disclose their AI nature. Article 50 obligations apply to a broader set of systems than Article 6’s high-risk classification framework and sit in a different organizational lane: product disclosure, user experience, terms of service. The overlap in timing is administrative, not substantive.
The failure mode to avoid: treating the June 3 Article 50 deadline as the EU AI Act deadline and closing the file on June 4. The higher-stakes classification work under Article 6 extends to June 23, with the August 2 enforcement date following ten weeks later. Organizations that resource the Article 50 process heavily and don’t sequence the Article 6 work in parallel are accepting a timeline compression that will show up in July.
Who This Affects
Unanswered Questions
- How does the significant-risk exception under Article 6(2) apply to systems that use Annex III-adjacent data without operating within the listed domain?
- What documentation standard does the Commission expect for a negative significant-risk determination, internal memo, external legal opinion, or structured technical assessment?
- Will national market surveillance authorities publish their own Article 6 interpretive guidance before August 2, and how much variation should cross-jurisdictional operators anticipate?
The August 2 Enforcement Backstop
August 2, 2026 is the date the high-risk provisions of the EU AI Act take effect. Per IAPP’s reporting, the Commission had originally targeted February 2026 for releasing the classification guidelines, the delay to mid-May means organizations have roughly ten weeks from guidelines release to enforcement. The Commission’s finalization timeline after the June 23 consultation close hasn’t been announced.
This creates a practical reality: the draft guidelines are, for planning purposes, the operative document. Final text may be more specific in certain areas, but organizations that delay classification work until finalization are building a program under enforcement pressure rather than ahead of it.
Three types of organizations are at elevated exposure on August 2. First: those that haven’t completed an Article 6(2) analysis at all, relying on an assumption that their systems aren’t high-risk without documented assessment. Second: those that correctly identified a potential Annex III classification but assumed an exception applies without applying the significant-risk test the guidelines require. Third: those that completed classification work under pre-Omnibus uncertainty and haven’t revisited it now that the definitional framework is settled.
What to Watch
Two signals matter in the next 90 days. The first is Commission finalization timing. If the final guidelines arrive in late July, organizations will have days, not weeks, to reconcile draft-based work against the final text. Early comment submission, and document-ready classification assessments, reduce that risk. The second is enforcement body positioning. National market surveillance authorities in member states will implement August 2 obligations. Their interpretive guidance and initial enforcement priorities may vary. Organizations operating across multiple EU jurisdictions should be tracking the national-level signals, not just the Commission’s central releases.
TJS Synthesis
The EU AI Act’s compliance sequence is now fully visible. What looked like an extended runway of regulatory evolution has compressed into a concrete stack: settled text, active guidelines, two open consultations, one enforcement date. The organizations that treated 2025 as planning time and 2026 as execution time are in the right posture. Those waiting for finalized guidance to begin classification work are accepting calendar risk, the finalization timeline is unknown, and August 2 isn’t. The real compliance risk in the next 90 days isn’t ignorance of the framework. It’s organizations that understand the framework but have underestimated the documentation, assessment, and conformity preparation work that sits between a classification decision and a defensible compliance posture. That work takes longer than the deadline makes it look.