Brief № 034 · Regulation
The non-high-risk AI file SMEs now need
The Commission's draft Article 6 guidelines turn a small AI Act exception into a documentation job for SME providers.
On this page
The smallest AI Act exception is turning into a file that many SME providers do not yet have. If a system sits in an Annex III area but is claimed not to be high-risk, the useful question is no longer “can we argue this later?” It is “where is the dated assessment?”
On 19 May 2026, the Commission published draft guidelines on the classification of high-risk AI systems. The page says the guidelines are meant to support providers, deployers and market surveillance authorities in applying Art. 6. That makes them practical even before the final version: they show the questions a company will be expected to answer.
The exception is narrow
Art. 6(2) says AI systems referred to in Annex III are high-risk. Art. 6(3) then creates the narrow exit: an Annex III system is not considered high-risk where it does not pose a significant risk of harm to health, safety or fundamental rights, including because it does not materially influence the outcome of decision-making.
The article lists four routes into that exception. The system may perform a narrow procedural task, improve the result of a previously completed human activity, detect decision-making patterns or deviations without replacing proper human review, or perform a preparatory task for an Annex III assessment.
That sounds generous until the last line is read. If the system performs profiling of natural persons, the derogation is not available. A workflow tool that only formats a document may be one thing. A system that ranks applicants, scores workers, sorts borrowers or profiles customers is another.
Make the file before the sale
The timing matters. Art. 6(4) says a provider who considers an Annex III system not high-risk must document the assessment before the system is placed on the market or put into service. The provider must also be ready to provide the documentation to national competent authorities on request.
For an SME supplier, that makes the classification file a pre-sale artefact, not a lawyer’s memo after a customer asks. It does not need to be theatrical. It does need to be precise enough that a buyer, auditor or authority can understand the claim.
| File line | What to record |
|---|---|
| Annex III category checked | The sensitive area that triggered the classification question |
| System function | What the AI output actually does in the workflow |
| Human decision point | Who decides, when, and with what ability to disagree |
| Exception route | Procedural, improvement, pattern-detection or preparatory task |
| Profiling check | Whether natural persons are profiled, and why not |
| Evidence | Screens, logs, product text, workflow notes and source URLs |
| Owner and date | Who approved the assessment before release |
Source: Regulation (EU) 2024/1689, Article 6; European Commission draft high-risk classification guidelines. Last verified 2026-06-30.
The lazy version is a two-page record attached to the product file. The dangerous version is a sales slide saying “not high-risk” with no route through the article.
Deployers should ask anyway
The provider carries the Art. 6(4) documentation duty when it claims the derogation. That does not make the deployer passive. An SME buying a tool near employment, education, credit, essential services, law enforcement, migration or democratic-process categories should ask for the supplier’s classification reasoning.
The question is not hostile. It is basic procurement hygiene. If the vendor says the system only performs a preparatory task, the buyer should know which human step remains decisive. If the vendor says it merely improves a previous human activity, the buyer should see what activity was completed first. If the vendor says it detects patterns without influencing the assessment, the workflow should prove that claim.
The file also helps when the answer is “we are the deployer, not the provider.” A deployer still needs to understand whether a tool is high-risk, what instructions it receives, and whether internal use could change the role analysis.
The useful next step
The draft guidelines do not remove uncertainty. They make uncertainty easier to sort. For each AI system near an Annex III use case, write one page that answers three questions: what category could make it high-risk, which Art. 6(3) route is being relied on, and what evidence shows the system does not materially influence the decision.
If the page cannot be written, the system may not be ready for the exception. If it can be written, keep it with the supplier file before the contract, the release note or the customer questionnaire turns the same issue into a scramble.
Frequently asked questions
Does every Annex III AI system become high-risk?
Not necessarily. Article 6(3) creates a narrow derogation for systems that do not pose a significant risk of harm and do not materially influence decision-making, but profiling keeps the system high-risk.
Who needs the non-high-risk file?
The provider that claims the Article 6(3) derogation needs it before the system is placed on the market or put into service. Deployers should still ask suppliers for the reasoning.
Are the May 2026 guidelines final?
No. The Commission page identifies them as draft guidelines for stakeholder feedback, but they are already a useful map of the classification questions SMEs should document.
Sources
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
- Official Draft Commission guidelines on the classification of high-risk AI systems European Commission, Shaping Europe's digital future accessed
- Official Guidelines for providers and deployers of AI high-risk systems European Commission, Shaping Europe's digital future accessed
- Official Article 6: Classification rules for high-risk AI systems AI Act Service Desk accessed
Image credit: Photo: person holding documents on a table - Kampus Production, Pexels
Eleanor Whitcombe covers EU AI regulation for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).