EU AI Act Weekly Radar: High-Risk Classification Guidance Meets a Possible Omnibus Reset

The EU AI Act story this week is not just about timing. It is about where companies need to focus now.

On one side, the European Commission has adopted its Article 112 review report and market commentary continues to unpack draft guidance on how to determine whether an AI system is "high-risk". On the other, reported details of the AI Act "Omnibus" agreement suggest that some of the most significant high-risk obligations may be deferred, pending formal adoption and publication.

For legal, product, and compliance teams, the takeaway is fairly clear: even if parts of the timetable move, classification analysis cannot wait.

The biggest timing signal: reported Omnibus changes could delay major high-risk obligations

The most consequential timeline update came from Gibson Dunn, which reported that, pending formal adoption and Official Journal publication, the Omnibus agreement would move:

• Annex III high-risk obligations to 2 December 2027; and
• Annex I product-embedded AI obligations to 2 August 2028.

Gibson Dunn also reports two structural changes with potentially major scoping effects: a mechanism intended to reduce overlap with sectoral safety law, and a broad machinery carve-out (Gibson Dunn, "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes").

If confirmed in final legal text, that would matter enormously for companies building or deploying AI in regulated products, industrial systems, and mixed compliance environments where AI Act duties sit alongside product safety regimes.

But the practical point is not simply, "deadlines moved." It is that the compliance calendar may be turning into a more staggered implementation path, especially for businesses that had been treating all high-risk preparation as a single workstream.

At the same time, the Commission’s high-risk guidance is narrowing the room for casual classification calls

Multiple legal analyses published this week focus on the Commission’s draft guidance on high-risk AI classification. Across those summaries, the central theme is consistent: the guidance is aimed first at classification logic rather than full end-to-end compliance.

Tech Law Blog describes the guidance as concentrating on whether a system falls into high-risk status, broken into general principles plus separate treatment of the Annex I and Annex III routes (Tech Law Blog, "High Risk AI System Guidance Published"). Burges Salmon similarly emphasizes that the draft clarifies the two main pathways to high-risk status under Article 6:

• the Annex I product-safety route; and
• the Annex III use-case route.

Its summary points to concrete examples across biometrics, employment, credit scoring, law enforcement, and justice (Burges Salmon, "EU AI Act: Commission publishes draft guidelines on high-risk AI classification").

That matters because many organizations are still treating "high-risk" as a label that becomes relevant only near launch or procurement. The direction of travel this week suggests the opposite: classification is becoming an early design and governance question.

Article 6 is emerging as the operational pressure point

The most important practical theme in the guidance commentary is not just what counts as high-risk, but how companies should support a conclusion that a system is not high-risk.

Both Tech Law Blog and DWF highlight the significance of the Article 6(3) carve-out for certain Annex III systems. Their readout is that where a provider relies on that exception, it should document its assessment before placing the system on the market and keep records supporting the conclusion that the system should not be treated as high-risk (Tech Law Blog; DWF, "EU AI Act: High-risk guidance and UK impact").

That is a notable governance signal. Even if a company concludes that an Annex III-related use case falls outside high-risk treatment, the burden does not disappear. Instead, it shifts into defensible internal documentation.

For lextrace readers, this is one of the most important developments of the week because it points toward a likely enforcement reality: regulators may eventually ask not only what you classified, but how you reached that classification and when you recorded it.

Intended purpose and system architecture are central to classification

Wilson Sonsini’s analysis adds another layer that product teams should pay close attention to. According to its summary of the draft guidance, the Commission is signaling:

• a broad reading of high-risk classification,
• a strong focus on the system’s intended purpose, and
• in some cases, treatment of combined AI configurations as one system for classification purposes (Wilson Sonsini, "Draft Guidelines Clarify Which AI Systems Are “High-Risk” Under EU AI Act").

That combination has real implications.

First, intended purpose means product claims, deployment context, and internal design rationale may all shape the risk analysis. A company cannot assume that a narrow technical description will control if the actual use context points to an Annex III function.

Second, where several models or components operate together, businesses may not be able to classify them in isolation just because the stack is modular. If the configuration functions as one operational AI system, the classification analysis may need to reflect that integrated reality.

In practice, that raises the importance of architecture mapping, use-case scoping, and documentation discipline at the product level.

The Commission’s Article 112 review report points to where future scope debates may land

Alongside the classification discussions, the Commission adopted its Article 112 review report on whether the AI Act’s prohibitions in Article 5 or the Annex III high-risk use cases need to change (European Commission, "Report on the review of prohibitions and high-risk AI").

According to the Commission summary, the report flags possible gaps around AI used to generate:

• child sexual abuse material, and
• non-consensual intimate content.

At the same time, the report says broader evaluation requires more enforcement experience.

That is significant for two reasons.

First, it shows that even as implementation guidance is still being digested, the Commission is already identifying substantive edge cases and potential regulatory gaps.

Second, it suggests that the AI Act’s scope debates are not over. The current framework may still evolve as regulators gather evidence from actual supervision and market practice.

So while much of this week’s attention is on whether some deadlines move back, the Commission is also signaling that certain harm categories may move up the policy agenda.

Why this week matters for providers, deployers, and in-house teams

Taken together, these updates create a more nuanced picture of the EU AI Act implementation timeline.

1. Delayed obligations do not mean delayed governance

If the reported Omnibus deal is finalized as described, some headline high-risk obligations may arrive later than many teams expected. But that does not reduce the importance of doing the classification groundwork now.

In fact, delayed deadlines can increase the value of getting the scoping decision right early, because organizations may use the extra time to build more targeted compliance plans instead of over-preparing every AI system as if it were automatically high-risk.

2. Article 6 assessments are becoming boardroom-relevant

The commentary this week strongly suggests that Article 6 analysis is not a back-office legal memo issue. It is becoming a core control point for:

• go-to-market decisions,
• product positioning,
• procurement reviews,
• provider-deployer responsibility allocation, and
• later regulatory defensibility.

Where a business relies on an exception to high-risk treatment, contemporaneous records may become just as important as the conclusion itself.

3. Annex I and Annex III remain the classification backbone

Burges Salmon’s summary is useful here because it underscores the continuing importance of the AI Act’s two structural routes into high-risk status: product safety integration under Annex I and use-case designation under Annex III. That distinction remains essential for companies trying to sort out whether they are primarily dealing with a regulated product question, a deployment-context question, or both.

4. SMEs and startups still need triage discipline

Even without new SME-specific measures in this week’s source set, the reporting has clear implications for smaller organizations. Startups often assume that high-risk analysis is only for heavily regulated sectors or late-stage enterprise products. The guidance commentary points the other way: if your tool touches an Annex III use case, classification and evidence capture may need to happen much earlier than expected.

For smaller teams, the efficient approach is not full compliance buildout for every feature. It is a repeatable triage process for intended purpose, Annex mapping, and Article 6 documentation.

A practical reading of the week: fewer excuses for fuzzy classification

This week’s developments can be read as a compromise between more time and less ambiguity.

The Omnibus reporting suggests that legislators may be willing to slow some major compliance milestones, especially where overlap with sectoral regimes or machinery rules creates implementation friction. But the guidance commentary suggests the Commission simultaneously wants market participants to be more rigorous about how they classify systems today.

That is a familiar regulatory pattern: where the broader timetable becomes more flexible, expectations around internal reasoning and documentation often become sharper.

For companies, that means the immediate question is not only, "When do Annex III obligations apply?" It is also:

• What is the system’s intended purpose?
• Does Annex I or Annex III provide the more relevant route?
• Are we relying on an Article 6(3) exception?
• If so, what evidence supports that position?
• Are multiple technical components effectively one AI system for classification purposes?

What to watch next

Based on this week’s developments, the next major signals to watch are:

• whether the reported Omnibus agreement is formally adopted and published in final form, including the delayed dates for Annex III and Annex I obligations;
• whether the Commission’s high-risk classification guidance is finalized with the same emphasis on documented Article 6 reasoning;
• whether the Article 112 review report’s flagged gaps feed into future proposals on prohibited practices or additional high-risk use cases; and
• how national authorities and market actors begin to operationalize classification reviews in advance of full enforcement maturity.

Bottom line

This week’s EU AI Act radar is best understood as a shift from countdown mode to classification mode.

Yes, the reported Omnibus deal could materially change implementation timing for key high-risk obligations. But the bigger compliance message is that organizations should not wait for final deadline certainty before building a serious classification record.

The Commission’s direction, as reflected in this week’s reporting and review materials, points toward a simple principle: under the EU AI Act, being able to explain why a system is or is not high-risk may become one of the most important governance capabilities a business can develop.