EU AI Act: High-Risk Guidelines Make AI Maturity a Board-Level Issue

June 22, 2026
On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under the EU AI Act. The guidelines are intended to help companies, providers, operators, and market surveillance authorities assess whether an AI system qualifies as a high-risk system—and what obligations that entails. Important update to the original news item: The consultation was initially scheduled to end on June 23, 2026, but according to the official EU consultation page, it has been extended by four weeks until July 23, 2026.
Executive Summary
The European Commission’s draft guidelines are more than just a legal technicality. They demonstrate that AI governance in Europe is evolving from an abstract discussion into a verifiable management discipline. In the future, companies will not only need to know whether they are using AI; they will also need to be able to explain for what purposes, with what data, in what risk context, under what human oversight, and with what ongoing monitoring.
Essentially, the EU distinguishes between two categories of high-risk classifications: AI systems that, as safety components or products, fall under specific EU harmonization legislation, and AI systems used in sensitive areas of application as defined in Annex III of the AI Act. These include, for example, employment, education, critical infrastructure, essential private and public services, law enforcement, migration, the judiciary, and democratic processes.
Strategically, this means that AI maturity is no longer merely claimed internally. It is increasingly assessable from the outside through visible structures, competencies, activities, data practices, governance signals, and public communication. An external score is not a definitive judgment. It is a “public-signal score,” an “outside-in maturity estimate,” or a “visible maturity baseline.” The real value is created when companies claim, verify, complete, and purposefully improve this visible assessment.
For CEOs, boards, CIOs, CDOs, and leadership teams, the key question is shifting: It’s no longer “Which AI tools should we use?” but rather “Can we measure, compare, prioritize, and improve our AI maturity over time?”
CorpIn positions itself precisely at this point: as a Swiss platform, an AI maturity benchmark, an index mechanism, and a European standard that companies can use to assess, refine, benchmark, and strategically improve their AI maturity.
What the European Commission Has Published
On May 19, 2026, the European Commission published three draft guideline documents on the classification of high-risk AI systems. They address general principles, the classification of AI systems in connection with regulated products under Annex I, and the classification of AI systems in the sensitive areas of application covered by Annex III. The Commission emphasizes that the examples are not exhaustive and may be updated as needed.
Officially, the guidelines are intended to help providers, operators, and market surveillance authorities determine whether an AI system falls under the high-risk rules. According to the consultation page, the final guidelines are scheduled to be published by the end of 2026. At the same time, the Commission notes that the application of certain high-risk rules has been postponed as part of the AI Omnibus timeline: to December 2027 for standalone high-risk AI systems and to August 2028 for AI systems embedded in regulated products.
The guidelines are not legally binding. Nevertheless, several law firms and experts view them as an important signal because they clarify the most likely interpretive framework of the European Commission and national authorities. Hunton Andrews Kurth points out that the guidelines were originally expected earlier and that the lack of final guidance and technical standards remains a key issue for companies. Bird & Bird describes the draft guidelines as the clearest indication to date of how the Commission and supervisory authorities are likely to assess the “high-risk” issue in practice.
Verified facts, official statements, and external assessments
Verified Facts
The EU AI Act follows a risk-based approach. It distinguishes between different risk levels and sets out comprehensive requirements for high-risk AI systems. These include, among other things, risk management, data and data governance requirements, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, and post-market monitoring.
Under Article 6 of the AI Act, an AI system may be considered high-risk, in particular, if it falls under certain EU harmonization acts as either a safety component or a product and is subject to a third-party conformity assessment, or if it is used in one of the Annex III areas. For Annex III systems, Article 6(3) also provides for exceptions if the system performs only a strictly limited procedural task, enhances a human activity that has already been completed, recognizes patterns without replacing or significantly influencing human judgment, or performs a purely preparatory task. However, the profiling of natural persons remains, in principle, high-risk.
If a provider classifies an Annex III system as “not high-risk,” it must document this assessment before placing the system on the market or putting it into service and must register the system. This is precisely where it becomes clear that “not high-risk” is not an informal gut decision, but rather a governance decision that must be justified.
Official Statements from the European Commission
The Commission presents the guidelines as a practical resource. They are intended to explain how Article 6 of the AI Act can be applied and to use examples to illustrate when AI systems may be considered high-risk under Annex I or Annex III. The final version will be further developed based on the consultation and stakeholder feedback.
The Commission also points out that high-risk AI systems can become relevant in sensitive areas if they have a significant impact on health, safety, or fundamental rights. This logic is central: The AI Act does not simply evaluate “AI” as a technology, but rather the purpose, context, and impact of a specific system.
Assessments by Law Firms and Experts
Several international law firms emphasize that companies should now systematically triage and map their AI use cases. Skadden highlights that the “intended purpose” can be derived not only from contracts but also from technical documentation, product materials, and advertising claims. Similarly, DLA Piper points out that broad product positioning without clear exclusions can increase the risk of being classified as high-risk.
Bird & Bird emphasizes that downstream actors may also become subject to provider obligations if they offer a system under their own name, make significant changes to it, or alter its intended purpose. This is particularly relevant for companies that integrate general-purpose AI systems, external models, or provider platforms into their own processes.
Baker McKenzie describes the draft guidelines as a structured methodology: First, one must determine whether an AI system within the meaning of the AI Act exists at all; next, the intended purpose must be assessed; then, its relevance to Annex I or Annex III must be determined; and finally, possible exemptions under Article 6(3) must be considered.
What the draft guidelines specifically show
The most important message is this: High-Risk AI is not merely a category of tools. It is about purpose, context of use, impact on people, integration into processes, and the ability to govern it.
An HR system that sorts applications, ranks candidates, or significantly influences selection decisions may fall under the high-risk category. A tool that merely coordinates interview appointments or organizes resume information in a database may be assessed differently depending on its specific purpose. The official examples in the AI Act Service Desk documentation clearly illustrate this distinction.
The same applies to critical infrastructure or regulated products. An AI system that performs a safety function in an industrial facility—such as detecting hazards or triggering a shutdown—may be assessed differently than a system that merely optimizes efficiency, maintenance planning, or non-safety-related quality.
For companies, this means that the question is not “Should we use AI?” but rather “Where does AI come into play in decision-making, security, fundamental rights, performance evaluations, access to services, or product features?” That is precisely where strategic relevance begins.
Why This Development Is Strategically Relevant for C-Level Executives
Many companies will initially view the draft guidelines as a compliance issue. That is too narrow a view.
The high-risk classification forces companies to develop a management capability that many do not yet possess: a comprehensive, up-to-date, and decision-relevant understanding of their own AI landscape. Those who do not know which AI systems are in use within the company, what data they use, what decisions they influence, who is responsible for them, and how they are monitored cannot seriously assess whether a system is high-risk or not.
This makes AI maturity a board-level issue. Not because every board needs to understand technical models, but because the board needs to know whether the company can effectively manage its AI investments, AI risks, and AI capabilities.
For C-level executives, this raises a competitive question: Is the company investing in AI activities or in AI maturity? For boards, this raises a governance question: Is there an objective basis for assessing risks, priorities, and progress? For CIOs, this raises an architectural question: Are systems, data, and integrations mature enough to deploy AI securely and at scale? For CDOs, this raises a measurement question: Can data quality, data governance, and AI impact be demonstrated across business units? For leadership teams, this raises a prioritization question: Which AI initiatives create value, which ones only generate risk, and which ones need to be halted, documented, or restarted?
The AI Act thus highlights what many companies are already experiencing: AI chaos is merely a symptom. The real problem is a lack of measurability.
What This Trend Reveals About AI Maturity
AI maturity is not simply the number of AI tools in use. AI maturity is a company’s ability to strategically understand AI, use it responsibly, manage risks, make data actionable, build capabilities, measure progress, and prioritize investments relative to the market.
The EU guidelines reflect precisely this logic. They do not focus on “innovation” as a self-narrative, but rather on purpose, context, documentation, data, human oversight, monitoring, and accountability. These are not purely legal categories. They are indicators of maturity.
Eurostat shows that in 2025, approximately 19.95 percent of EU companies with at least ten employees were using AI; among large companies, the figure was 55.03 percent. At the same time, companies that were considering AI but not using it cited a lack of expertise, unclear legal implications, and data protection and data-related concerns as key obstacles.
This highlights a structural gap: Europe does not just have an AI adoption problem. Europe has a problem measuring AI maturity. OECD analyses of European AI policy indicate that monitoring and public reporting of national AI strategies vary widely and that common indicators would improve comparability.
This is precisely where the strategic leverage comes into play: If companies, industries, and countries cannot measure their AI maturity in a comparable way, they are investing blindly. If they can measure it, AI goes from being a buzzword to a controllable competitive factor.
Companies Become Visible to the Outside World
The new regulatory framework comes at a time when companies are, in any case, becoming increasingly subject to external analysis. Today, an organization sends out public signals that allow conclusions to be drawn about its AI maturity:
- Job postings for AI, data, automation, governance, or security
- Publicly visible AI roles in management
- Product communication and AI promises on websites
- Technical documentation, privacy and security notices
- Partnerships with cloud, AI, or data providers
- Patents, open-source activities, and research collaborations
- Media coverage, case studies, and awards
- Governance statements, policies, and responsible AI communications
- Regulatory classifications, certifications, or audit findings
None of these signals, on its own, constitutes a complete assessment. But together, they create a visible baseline of maturity. Companies aren’t evaluated only after they complete an internal assessment; they’re already being categorized today based on their public footprint.
Why Visible AI Maturity Must Become Measurable
A visible AI maturity score is only valuable if it doesn't stop at observation.
Without control, a new risk arises: Companies are evaluated from the outside without actively contributing to the data set, its interpretation, or its improvement. In that case, the market defines the company’s maturity—not the company itself.
That is why visible AI maturity must be translated into a manageable management framework:
- Claim: The company adopts the visible baseline and uses it as a starting point.
- Complete: Internal data, self-assessments, governance structures, and contextual information supplement the public view.
- Benchmark: The company's position is compared with that of peers by industry, size, region, and maturity level.
- Prioritize: Leadership teams identify which gaps are strategically relevant.
- Improve: Investments, skills, data quality, and governance are improved in a targeted way.
- Track: Progress becomes measurable over time and can be presented to the board.
- Evidence: Companies can demonstrate—both internally and externally—that AI maturity is not merely claimed but is actually being developed.
That is the difference between AI activity and AI maturity. Activity generates projects. Maturity generates the ability to manage.
Strategic Implications for Companies
1. AI inventories are becoming a management asset
Companies need an up-to-date overview of AI systems, use cases, providers, data sources, responsibilities, and deployment contexts. Without an AI inventory, it is not possible to conduct a reliable high-risk assessment.
2. Intended Purpose Becomes a Strategic Risk Metric
The official and legal classification shows that the intended purpose of a system can be derived not only from internal contracts but also from documentation, product materials, and public communications. Companies must therefore ensure that Sales, Marketing, Product, Legal, IT, and Governance all convey the same reality.
3. HR, infrastructure, education, finance, and the public sector will be particularly exposed
The Annex III framework applies to areas where AI influences decisions regarding people, access, security, or rights. Companies that use AI in HR, lending, insurance, critical infrastructure, education, public services, or regulated products should conduct a structured classification at an early stage.
4. Data maturity becomes an AI ROI factor
AI ROI does not depend solely on models. It depends on whether data is available, representative, relevant, quality-assured, and subject to governance. The AI Act explicitly makes data governance a component of the high-risk requirements.
5. Governance must evolve from a policy document into an operating system for action
An AI policy alone is not enough. Companies need roles, processes, escalation procedures, oversight mechanisms, monitoring, incident handling, and a clear link to strategic prioritization. The requirements for risk management, human oversight, technical documentation, and post-market monitoring point in this direction.
6. AI investments must be prioritized on a risk-adjusted basis
Not every use case with a strong business case makes strategic sense. Some use cases result in significant governance burdens, regulatory uncertainty, or reputational risk. Leadership teams need an objective basis for decision-making to prioritize AI initiatives based on value, maturity, risk, and feasibility.
7. Board Reporting Needs AI Maturity Metrics
Boards should not only ask about AI projects, but also about AI maturity scores, benchmark rankings, governance maturity, data quality, high-risk exposure, capabilities, progress, and prioritized actions.
8. External perception becomes a competitive factor
Customers, partners, investors, talent, government agencies, and the media are increasingly able to assess AI maturity based on public signals. Companies that do not actively manage their visible AI maturity leave their positioning up to the market.
CorpIn: Platform, Benchmark, and Index Mechanism for AI Maturity
CorpIn was built specifically for this new reality. CorpIn is a Swiss AI maturity platform that makes AI maturity measurable, comparable, and manageable—at the corporate, industry, and European levels. Its goal is to provide an objective basis for decision-making regarding AI maturity, benchmarking, governance, data readiness, and strategic prioritization.
CorpIn combines two perspectives:
- Outside-in: Visible public indicators that establish an initial baseline for AI maturity.
- Inside-out: Company data, self-assessments, governance information, capabilities, priorities, and context that verify and supplement this baseline.
The result is an AI maturity profile that companies can assess, supplement, benchmark, and improve over time.
This turns an external assessment into a manageable roadmap for progress. And it transforms scattered AI activities into a comparable “AI Maturity Gold Standard.”
European AI Maturity Awards 2026: From Score to Visibility
The 2026 European AI Maturity Awards provide a visible benchmark and an opportunity for recognition for companies that not only claim AI maturity but also demonstrate and improve it. The value lies in the comparison: Which companies succeed in translating AI governance, data maturity, capabilities, strategic prioritization, and implementation into measurable progress?
This presents a clear next step for companies: claiming their own visible baseline, completing their profile, improving their score, and showcasing their progress in a European comparison.
Europe Needs a Common AI Maturity Benchmark
There is a lot of discussion in Europe about regulation, investment, and competitiveness. But without a common benchmark, it remains unclear which companies, industries, and regions are actually maturing.
In the context of the Digital Decade, the EU itself emphasizes that digital transformation is crucial for competitiveness, strategic autonomy, and resilience. At the same time, analyses by the EU and the OECD show that progress, monitoring, and comparability remain structural challenges.
A European AI maturity benchmark provides a common language for this purpose:
- How does a company compare to its peers?
- Which factors drive or hinder AI maturity?
- Where do governance gaps arise?
- Where is data maturity lacking?
- What skills need to be developed?
- Which investments have the highest strategic priority?
- Which industries are growing faster?
- Where do Europe's competitive disadvantages arise?
Without a benchmark, AI remains a collection of individual projects. With a benchmark, AI maturity becomes manageable.
Claim your company
The EU guidelines on high-risk classification provide a good opportunity to stop treating a company’s AI maturity as merely an internal assessment. For companies that can demonstrate progress in AI maturity, 2026 will also bring an opportunity to gain visibility: the European AI Maturity Awards 2026.
Click the following link to access the CorpIn platform: https://www.corpin.ch
FAQ
What Are High-Risk AI Systems Under the EU AI Act?
High-risk AI systems are AI systems that are subject to specific requirements due to their purpose, context of use, or potential impact on health, safety, or fundamental rights. The AI Act covers, in particular, AI systems that are classified as safety components or products under specific EU legal acts, as well as systems in sensitive Annex III areas such as employment, education, critical infrastructure, essential services, law enforcement, migration, the judiciary, and democratic processes.
What did the European Commission publish on May 19, 2026?
The European Commission has published draft guidelines on the classification of high-risk AI systems. The draft guidelines are intended to assist companies, providers, operators, and public authorities in applying Article 6 of the AI Act and include general principles as well as examples related to Annex I and Annex III.
When does the consultation on the draft guidelines end?
Early reports had indicated that the original deadline was June 23, 2026. The European Commission’s official consultation page has since been updated: The deadline has been extended by four weeks to July 23, 2026.
When do the high-risk rules of the EU AI Act apply?
According to the current official timeline, certain high-risk rules are set to apply to standalone AI systems starting in December 2027 and to AI systems embedded in regulated products starting in August 2028.
What obligations arise in connection with high-risk AI?
Key obligations include risk management, data governance, technical documentation, transparency, human oversight, monitoring, accuracy, robustness, cybersecurity, and post-market monitoring. Depending on their role, providers, operators, and other stakeholders may have different obligations.
Why is this relevant for CEOs and boards?
Because high-risk AI is not just a legal classification, but a matter of corporate governance. Companies need to know which AI systems are in use, what decisions they influence, what data they use, who is responsible, and how risks are monitored. Without an AI maturity baseline, the board lacks an objective basis for decision-making.
Why is an internal AI assessment no longer sufficient?
An internal assessment only reveals what a company itself reports. However, AI maturity is increasingly becoming apparent through public signals as well: job descriptions, product communications, partnerships, governance statements, technical activities, research, patents, and public AI initiatives. That is why a combination of an “outside-in” public-signal score and “inside-out” verification is needed.
What is a public-signal score?
A public-signal score is an external assessment of AI maturity based on publicly visible signals. It is not a definitive judgment, but rather a visible maturity baseline. Companies can adopt this baseline, review it, supplement it, and improve it in targeted ways.
What does "AI Maturity" mean?
AI Maturity describes a company's level of maturity in working with AI. This includes, among other things, strategy, data foundation, technical infrastructure, governance, security, capabilities, culture, responsibilities, a focus on ROI, and the ability to manage AI initiatives in a measurable way.
How exactly does CorpIn help companies?
CorpIn enables companies to visualize and declare their AI maturity, supplement it with internal information, benchmark it against peers, and improve it over time. The platform helps leadership teams strategically prioritize AI investments, governance, data quality, capabilities, and transformation initiatives.
Is CorpIn a compliance tool for the EU AI Act?
CorpIn is not legal advice, nor is it merely a compliance tool. CorpIn establishes a strategic AI maturity baseline that helps companies measure and compare their AI maturity, governance, data capabilities, and priorities more objectively. For detailed legal questions regarding the AI Act, companies should also seek specialized legal counsel.
What are the 2026 European AI Maturity Awards?
The 2026 European AI Maturity Awards are intended to serve as a benchmark and a platform for visibility for companies that are establishing, refining, and measurably improving their AI maturity. The focus is on demonstrable progress in maturity.
Sources Used
- European Commission: Draft Commission Guidelines on the Classification of High-Risk AI Systems, published on May 19, 2026.
- European Commission: Targeted consultation on the Commission's guidelines for the classification of high-risk AI systems under the EU AI Act.
- European Commission: Overview of the AI Act and Implementation Timeline.
- EU AI Act Service Desk: Article 6 – Classification Rules for High-Risk AI Systems.
- EU AI Act Service Desk: General Principles for High-Risk Classification.
- EU AI Act Service Desk: Regulated products and safety components.
- EU AI Act Service Desk: Sensitive Annex III areas.
- EU AI Act Service Desk: Horizontal issues and the Article 6(3) filter.
- EU AI Act Service Desk: Examples related to employment, recruitment, and worker management.
- EU AI Act Service Desk: Risk Management, Data Governance, Technical Documentation, Human Oversight, Deployer Obligations, and Post-Market Monitoring.
- Hunton Andrews Kurth: EU Commission Publishes Draft Guidelines on High-Risk AI Systems.
- Bird & Bird: Initial analysis of the European Commission’s draft guidelines on high-risk AI systems.
- Skadden: Draft Guidelines for the EU AI Act and Implications for High-Risk Classification.
- Baker McKenzie: Guidance on High-Risk AI Classification Under the EU AI Act.
- DLA Piper: European Commission’s Draft Guidelines on the Classification of High-Risk AI Systems.
- Eurostat: Use of Artificial Intelligence in Enterprises, 2025.
- European Commission: State of the Digital Decade 2025.
- OECD / European Commission: Review and Monitoring Considerations for the Coordinated Plan on Artificial Intelligence.


