EU AI Act Weekly Radar: High-Risk Classification, Enforcement Capacity, and the Emerging Omnibus Timeline

The EU AI Act implementation picture became more concrete this week, even if some of the most important developments are still only partially settled. Taken together, the latest updates suggest that the market is moving from broad legal interpretation to operational questions: Is a system high-risk under Article 6? Which authority will supervise it in practice? And should teams change their implementation timeline if the reported AI Omnibus changes land as described?

For legal, product, and governance teams, the practical takeaway is that the compliance conversation is narrowing around three fronts:

1. Classification of high-risk systems under Article 6 and Annex III;
2. Institutional enforcement capacity at both EU and national level; and
3. Sequencing and timing, especially for businesses planning around high-risk obligations, sectoral product rules, and possible omnibus reforms.

1) Article 6 remains the gating issue for AI Act compliance

A key development this week was reporting on the European Commission’s draft guidelines on identifying “high-risk” AI systems under Article 6, covered by Gowling WLG. According to that summary, the draft guidance is designed to help providers and deployers work through the two main routes into high-risk classification:

• the Annex I product-related route, and
• the Annex III sensitive-use route.

That matters because high-risk classification is not a marginal interpretive issue. It is the threshold question that determines whether an organisation is dealing with a much heavier compliance package, including governance, documentation, risk management, and oversight obligations. In other words, Article 6 is where many AI Act programmes will either expand significantly or narrow.

The reported significance of the draft guidance is not just that it restates the legal structure. Gowling notes that the examples in the draft appear intended to turn Article 6 and Annex III into more usable implementation tests. For organisations, that is important for at least three reasons.

First, classification is becoming a workflow problem, not just a legal memo problem

Many companies no longer need only a one-time interpretation of whether a system might be high-risk. They need a repeatable internal method for deciding:

• whether they are acting as a provider or deployer in the relevant context;
• whether the system falls into a product regime covered by the Act’s high-risk logic; and
• whether the use case maps to one of the sensitive areas associated with Annex III.

That makes the draft guidance especially relevant for internal intake processes, AI inventories, and model/system classification controls.

Second, the provider/deployer distinction is central to accountability

Gowling’s summary specifically highlights the need for providers and deployers to assess whether a system falls within the relevant Article 6 pathways. That is a useful reminder that AI Act obligations do not attach in the same way to every actor in the chain. For governance teams, this means classification exercises need to be linked to role mapping and contract structure, not treated as a standalone regulatory label.

Third, examples may become de facto implementation anchors

In EU digital regulation, formal legal text often leaves room for later operational interpretation through guidance, supervisory practice, and market standardisation. If the Commission’s draft examples gain traction, they may become highly influential in how compliance teams document borderline decisions, particularly where Annex III scoping is contested or fact-specific.

2) Enforcement is no longer abstract: the Commission is building expert support around the AI Office

If Article 6 answers the question of what is regulated, this week’s enforcement news starts to answer who will help interpret and police it.

In an official update, the European Commission announced that AI Act enforcement is getting independent expert support through the appointment of a 60-member Scientific Panel and an Advisory Forum. According to the Commission, these bodies will support the AI Office and national authorities on issues including:

• general-purpose AI (GPAI);
• systemic risk;
• model classification;
• evaluation methods;
• standardisation; and
• cross-border market surveillance.

This is one of the clearest recent signs that AI Act enforcement architecture is moving into a more operational phase.

Why this matters for GPAI and model governance

The Commission’s description is especially notable because it highlights support on GPAI, systemic risk, and model classification. That suggests the enforcement conversation is not limited to downstream deployers of narrow AI tools. It also reinforces the importance of the AI Office as a focal point for technically informed supervision where frontier and general-purpose capabilities are involved.

For companies following the still-evolving General-Purpose AI Code of Practice debate, this is significant even though this week’s source set does not provide a fresh official update on the Code itself. The Commission’s move indicates that the surrounding enforcement ecosystem is being staffed and structured in ways that should affect future oversight of GPAI obligations, classification questions, and evaluation expectations.

Why this matters for cross-border consistency

The Commission also explicitly points to cross-border market surveillance. That is important because one of the biggest practical concerns under the AI Act has been whether businesses will face fragmented national interpretations, particularly where systems are marketed or deployed across multiple Member States.

A stronger expert layer around the AI Office and national authorities does not eliminate divergence. But it does suggest that the EU is trying to build channels for more coordinated supervisory approaches, especially in technically demanding areas where legal text alone may not resolve disputes.

3) National implementation is getting more concrete

EU-level institutional design matters, but companies are ultimately supervised somewhere. This week, one of the more tangible national implementation signals came from Finland.

According to the Finnish Government, proposed national legislation supplementing the Cyber Resilience Act also addresses supervisory arrangements connected to the AI Act. The government said that market surveillance of high-risk AI systems will be handled by the same authorities that supervise AI Act compliance, identifying sectoral bodies including:

• Traficom,
• the Data Protection Ombudsman, and
• the Financial Supervisory Authority.

This is a useful implementation signal for two reasons.

Sectoral supervision is likely to be the lived reality of AI Act enforcement

For many businesses, especially those operating in regulated markets, compliance will not be experienced as a single “AI regulator” relationship. Instead, it may be filtered through sectoral supervisors with different institutional cultures, technical priorities, and enforcement histories. Finland’s announcement points in that direction.

That matters particularly for high-risk AI systems linked to products or functions already familiar to existing authorities. It suggests organisations should be preparing not only for horizontal AI Act obligations, but also for supervisory engagement shaped by telecoms, data protection, finance, and other sector-specific lenses.

The CRA and AI Act should be read together in product governance planning

The Finnish update also matters because it sits at the intersection of the Cyber Resilience Act and the AI Act. Even without overreading the national proposal, the message is clear: businesses building smart devices, software-enabled products, or regulated digital systems should avoid treating EU digital product laws as separate workstreams.

From a governance perspective, classification, cybersecurity, market surveillance, technical documentation, and authority engagement are increasingly converging. Teams that keep CRA and AI Act implementation entirely siloed may create unnecessary friction later.

4) The reported AI Omnibus deal could reshape timing and overlap for high-risk systems

The biggest potential roadmap change this week comes from a secondary summary of the reported AI Omnibus outcome.

In a client update, DLA Piper says EU bodies have reached a provisional agreement on the AI Omnibus package. According to that summary, the deal would include:

• delayed high-risk deadlines;
• reduced overlap with sectoral product laws;
• new bans; and
• practical implications for organisations with extra-territorial exposure to the AI Act.

Because this source is a law firm summary describing a provisional agreement, the immediate significance is directional rather than definitive. Still, if the account is accurate, the implications are substantial.

A possible reset for implementation sequencing

A delay to high-risk deadlines could materially affect how organisations prioritise compliance resources. Companies that have been racing to operationalise high-risk controls may decide to rebalance effort across:

• AI inventory and scoping,
• prohibited-practice assessment,
• GPAI-related monitoring,
• product-law alignment, and
• documentation readiness.

But a potential delay should not be mistaken for a reason to pause classification work. If anything, this week’s Article 6 guidance story suggests the opposite: organisations still need to know whether they are in scope before they can sensibly respond to any revised timeline.

Reduced overlap with sectoral product laws would be commercially significant

The possibility of reduced overlap is especially important for businesses whose AI systems sit inside regulated products or product compliance frameworks. One of the recurring concerns around the AI Act has been duplication or unclear interaction with existing product-law obligations. If the Omnibus package genuinely reduces overlap, that could simplify compliance architecture for a meaningful class of high-risk systems.

Extra-territorial exposure remains a live issue

DLA Piper also highlights the implications for organisations with extra-territorial exposure. That is a reminder that the AI Act is not only an EU-incorporated-company issue. Businesses placing systems on the EU market, or otherwise falling within the Act’s scope, still need a defensible view of role, product exposure, use case, and jurisdictional reach.

5) What these updates mean when read together

The most important value in this week’s developments is not any single announcement. It is the way they fit together.

The EU is moving from legal text to operating system

The Article 6 draft guidance story points toward more granular interpretive support on high-risk classification. The Commission’s enforcement announcement shows the EU building the expert infrastructure needed to supervise complex technical questions. Finland’s update illustrates how national enforcement may work in sectoral practice. And the Omnibus reporting suggests that the legislative timetable and scope architecture may still be refined while implementation continues.

That combination is typical of a regulatory regime entering its operational phase: classification guidance, supervisory bodies, national authority allocation, and timeline recalibration all begin to move at once.

High-risk AI remains the central organising concept

Even with GPAI and systemic-risk discussions growing in importance, high-risk classification still appears to be the core organising problem for many organisations. That is because so many downstream obligations, market surveillance expectations, and product-law interactions depend on whether Article 6 is triggered.

Enforcement capacity is becoming a strategic variable

The Commission’s new Scientific Panel and Advisory Forum signal that enforcement quality may increasingly depend on access to technical expertise, not just legal interpretation. Companies should expect a more informed supervisory environment over time, especially where model classification, evaluation methods, or systemic-risk claims are involved.

6) Practical implications for providers, deployers, and compliance leads

Based on this week’s developments, organisations should be thinking in terms of decision readiness, not just legal awareness.

For providers

Providers should ensure they have a documented approach for determining whether systems fall within Article 6 pathways, especially where products, components, or sensitive-use cases may bring Annex I or Annex III into play. They should also monitor how any Omnibus timing changes interact with existing product compliance obligations and market-entry plans.

For deployers

Deployers should not assume high-risk status is solely a provider-side issue. Gowling’s summary of the draft guidelines indicates that deployers also need to assess whether a system falls within the relevant classification logic. In practice, this means procurement, implementation, and governance teams should be aligned on use case, context, and role allocation.

For SMEs and startups

Smaller organisations may welcome any delay in high-risk deadlines if the reported Omnibus terms are confirmed. But this week’s updates also suggest that basic governance maturity still matters: a credible AI inventory, role mapping, use-case analysis, and product-law awareness are increasingly necessary just to understand where the business stands.

For cross-functional AI governance teams

This is a good moment to bring legal, product, compliance, security, and public policy teams into the same planning cycle. The Finnish update in particular shows why AI Act readiness cannot be separated cleanly from broader digital product regulation and national supervisory structures.

Bottom line

This week’s EU AI Act radar does not deliver a single headline rule change. Instead, it shows the regulation becoming more real.

The key developments are cumulative:

• reported draft guidance is sharpening how organisations think about Article 6 high-risk classification;
• the European Commission is building enforcement support through a new Scientific Panel and Advisory Forum;
• national implementation is becoming more concrete, with Finland indicating how high-risk AI market surveillance may be allocated among sectoral authorities; and
• the reported AI Omnibus provisional agreement may yet alter timing and overlap for high-risk obligations.

For lextrace readers, the practical message is straightforward: do not wait for every political and legal detail to settle before improving your classification, governance, and supervisory-mapping processes. Even if the timeline shifts, the direction of travel is clear. The AI Act is moving from theory to administration, and organisations that understand their high-risk exposure early will be better positioned for whatever final implementation path emerges.