EU AI Act: how the draft guidelines classify agentic systems as high-risk

What is this?

On 19 May 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act, and opened a targeted stakeholder consultation (reported to run until 23 June 2026). The document is not a technical exploit — it is a regulatory interpretation. But for anyone building or deploying LLM agents in or into the EU, it directly shapes which legal obligations attach to their system, and when.

The guidelines come in three downloadable parts — general principles, classification for regulated products (Annex I), and the stand-alone high-risk use cases (Annex III) — and, per Article 6(5), include practical (non-exhaustive) examples of what should and should not count as high-risk. The most consequential passage for the agent-builder community is how the Commission treats agentic and composite AI systems.

How it works

Article 6 routes a system to “high-risk” through two doors. Article 6(1) covers AI that is a safety component of, or itself is, a product under the EU harmonisation legislation in Annex I that requires third-party conformity assessment. Article 6(2) covers stand-alone systems whose use case falls under an Annex III area — biometrics, education, employment, access to essential public and private services, law enforcement, migration, and the administration of justice, among others.

The draft guidelines clarify how this applies when no single model “is” the system. Their position, as read across the official text and early legal analyses, is that complex systems made up of several interacting AI components — explicitly including agentic AI systems — are assessed holistically. Where multiple components interact and their combined outputs materially influence a decision in a high-risk use case, the whole configuration is treated as one AI system for classification purposes.

The sharp edge is the corollary: even a component that performs only a narrow procedural or preparatory task can be swept into the high-risk regime if, as part of the larger agentic system, it contributes to outputs that materially influence an Annex III decision. This interacts with the Article 6(3) derogations — the carve-outs that let some Annex III systems avoid high-risk status when they perform a narrow procedural task, improve the result of a previously completed human activity, detect decision patterns without replacing human judgment, or carry out a preparatory task. The guidelines signal that these exemptions cannot be used to decompose an agentic workflow into individually “harmless” pieces to engineer your way out of classification.

Why it matters

For teams shipping LLM agents, three practical consequences follow.

First, architecture is now a compliance surface. Splitting a workflow into a planner, a retriever, a tool-caller, and a summarizer does not produce four low-risk sub-systems if their joint output drives a hiring, credit, or eligibility decision. The orchestration is the regulated artifact.

Second, roles blur. In multi-vendor agent stacks, “provider” and “deployer” obligations can attach to parties who assumed they were merely integrating a component. Mapping who owns conformity assessment, logging, human oversight, and documentation across a chain of agents becomes essential.

Third, the clock is real. Annex III high-risk obligations and the Article 73 serious-incident reporting duty apply from 2 August 2026. Article 73 requires providers to report serious incidents to national market surveillance authorities without undue delay and, in any case, within 15 days of awareness (shorter for the most severe categories). A serious incident includes events leading to death or serious harm to health, serious and irreversible disruption of critical infrastructure, or serious breaches of fundamental rights — outcomes an over-permissioned agent can plausibly cause.

Defenses

These are mitigations in the governance sense — concrete steps to reduce legal and operational exposure before August.

• Classify at the system level, not the component level. Document the agent’s end-to-end purpose and ask whether its combined output materially influences an Annex III decision. Treat the orchestration, not just each model, as the unit of analysis.
• Map provider/deployer roles across the chain. For every agent and third-party tool or MCP server, record who is responsible for conformity assessment, technical documentation, logging, and human oversight.
• Do not rely on decomposition to dodge classification. If you intend to invoke an Article 6(3) derogation, document the specific condition and the evidence, and assume regulators will read the workflow holistically.
• Stand up incident detection and reporting now. Build the telemetry and the internal process needed to identify and report a serious incident within Article 73’s 15-day window, including injected-instruction and unauthorized-tool-call events.
• Engage the consultation. The text is still a draft; affected builders can submit feedback through the Commission’s stakeholder consultation before it is finalized.

Status

Item	Detail
Document	Draft Commission guidelines on classification of high-risk AI systems (Article 6)
Published	19 May 2026 (draft, open for consultation)
Legal basis	Article 6(1)/Annex I; Article 6(2)/Annex III; Article 6(3) derogations; Article 6(5) examples
Agentic treatment	Composite/agentic systems assessed holistically; narrow components can be in-scope
Key date	Annex III + Article 73 reporting obligations apply 2 August 2026