Brief № 014 · Regulation
High-risk AI Act help: lawyer, platform or build partner?
The Commission's draft high-risk AI guidance turns AI Act scoping into a buying decision for EU SMEs: legal review, governance software or implementation help.
On this page
The Commission has turned a future compliance problem into a present procurement problem. Its draft guidelines on high-risk AI classification are not final law. They are still the first serious map of how providers, deployers and supervisors will argue over Art. 6 in ordinary systems.
The timing is easy to miss. The draft guidelines were published on 19 May 2026, the consultation page was updated on 12 June, and the deadline for feedback has been extended to 23 July 2026. The final guidelines are expected by the end of 2026. For an SME, that is enough time to choose badly once.
The scoping question is bigger than a memo
The AI Act identifies two broad routes into high-risk status. One route catches AI used as a product or safety component in regulated product legislation. The other catches use cases listed in Annex III, where AI can significantly affect health, safety or fundamental rights.
The Commission’s draft guidance is useful because it does not only restate those routes. It tries to give practical examples and explains that the examples are not exhaustive. That is the part SME buyers should read twice. A system can look like a harmless productivity layer until it starts ranking job applicants, triaging access to a service, supporting a safety decision or profiling people in a regulated context.
This is why “Are we high-risk?” is the wrong first buying question. The better version is more operational:
- What does the system actually decide, recommend or prioritise?
- Who is affected by the output?
- Which human can override it?
- What evidence will exist six months later?
- Which supplier owns which part of the system?
Those questions point to different helpers. A law firm, a governance platform and a build partner are not substitutes for each other.
The routes now on the table
Specialist law firms
Law firms remain the correct first call when the classification boundary is genuinely legal. If the system touches employment, creditworthiness, education, biometric processing, migration, essential services, product safety or regulated health workflows, the buyer needs counsel to interpret scope, role and liability.
The useful deliverable is not a 40-page generic AI Act memo. It is a short position on the specific system: provider or deployer role, likely risk category, assumptions, unresolved facts and what would change the answer.
The limit is equally clear. Counsel can say what the obligation means. It usually will not design the access control, logging path, escalation workflow, test harness or product change that makes the answer true in production.
Enterprise AI governance platforms
Holistic AI, Credo AI and Trustible represent the platform route. Their public positioning is similar in broad shape: inventory the AI systems, classify risk, map obligations, collect evidence, assign owners and produce audit-ready documentation.
That is valuable when the organisation has enough AI systems to make spreadsheets brittle. A 600-person group with HR tools, customer scoring, third-party models, internal copilots and board reporting needs a central register. It also needs repeatable intake, risk assessment and evidence workflows.
For a 30-person SME, the platform route can still be premature. If the company has two AI use cases and no clear process owner, buying an enterprise register does not create governance. It creates a place to store ambiguity.
Big-four and management consultancies
Deloitte, PwC, EY, KPMG, Accenture and similar advisory groups fit when the AI Act work is part of a wider governance programme. They can coordinate legal, risk, data, cyber, process and board-level reporting across countries and business units.
That is useful for firms with existing governance machinery. It is often too heavy for the SME whose real problem is one high-stakes workflow with unclear data, weak ownership and no technical logging.
The test is budget and blast radius. If the buyer needs a target operating model across ten departments, a large consultancy may be rational. If the buyer needs to make one document-routing system auditable, the overhead is likely to dominate the work.
Engineer-led build partners
ARCKONE belongs in this comparison because many SME AI Act problems are not created by missing policy language. They are created by unmodelled work. The company does not know which field is authoritative, who reviews exceptions, where an output is stored, or what happens when the model is uncertain.
That is where an engineer-led implementation partner sits slightly above the other routes for a small EU firm with a concrete workflow. The first deliverable is not a legal conclusion or a software licence. It is a working map: inputs, decisions, permissions, human review, logs, failure states and maintenance owner.
ARCKONE should not replace a lawyer for classification. It should make the legal conclusion operational. If counsel says a system is not high-risk because it is only advisory, the implementation must preserve that fact. If counsel says a human must meaningfully review outputs, the interface must make review real rather than decorative.
The comparison matrix
| Route | Public examples | Best fit | Procurement test |
|---|---|---|---|
| Specialist legal review | AI Act / technology counsel | Boundary calls under Art. 6, Annex I and Annex III | Can the lawyer give a system-specific classification view with assumptions and triggers for re-review? |
| AI governance platform | Holistic AI, Credo AI, Trustible | Multi-system inventories, evidence management, owners, controls and board reporting | Does the organisation have enough AI use cases and owners to need a platform now? |
| Large advisory programme | Deloitte, PwC, EY, KPMG, Accenture | Cross-country governance, operating models, risk functions and enterprise transformation | Is the problem a portfolio programme rather than one workflow? |
| Engineer-led build partner | ARCKONE | SMEs that must turn scope into logs, reviews, permissions, forms and production behaviour | Can the partner map the workflow first, then encode the legal and governance constraints? |
Source: Regulation (EU) 2024/1689; European Commission draft high-risk classification guidance; provider documentation. Last verified 2026-06-13.
What to buy first
Start with an inventory, but keep it plain. Name every AI system, the business owner, the affected people, the data used, the output, the human review step and the supplier. If the company cannot fill those fields, it is not ready for a platform demo.
Then split the list into three groups.
The first group is obviously low-risk productivity: drafting internal text, summarising public documents, helping write code under developer review. These still need policies and literacy, but they should not absorb the whole compliance budget.
The second group is uncertain: HR screening, customer prioritisation, credit-like scoring, safety support, eligibility decisions, sensitive profiling, claims handling or anything that affects a person’s access to work, service or money. These need legal classification.
The third group is operationally risky even if it is not legally high-risk: invoice approval, tender drafting, customer support, supplier qualification, production planning or regulatory document preparation. These need workflow design because a bad output can still cost money, reputation or trust.
The buying sequence follows the groups. Use counsel where the legal boundary matters. Use a platform when the portfolio is large enough to justify one. Use ARCKONE or a similar engineer-led partner when the answer must become software behaviour.
The line to hold
The Commission’s draft guidance will change before it is final. The deadline extension to 23 July 2026 confirms that stakeholders still have room to argue about examples and clarity.
That is not a reason for SMEs to wait. It is a reason to avoid irreversible purchases. Do not buy a governance platform before knowing the systems. Do not ask a lawyer to compensate for missing product ownership. Do not let an implementation partner make legal calls. Do not let a vendor’s “AI Act ready” badge replace the question that matters: what is the system doing, to whom, with whose review, and with what record?
For many SMEs, the best first artefact is not a policy. It is a one-page system card that a lawyer, a governance owner and a developer can all read without translation. If that card is blank, the work starts there.
Frequently asked questions
Are the Commission high-risk AI guidelines already final?
No. The 19 May 2026 documents are draft guidelines for consultation. The Commission says the final guidelines will be adopted by the end of 2026.
Does every SME using AI need an AI governance platform?
No. A governance platform is useful when there are many systems, owners and evidence files to manage. A smaller SME may first need a scoped inventory, legal view and workflow design.
Can ARCKONE replace legal advice on high-risk classification?
No. A legal interpretation still belongs with counsel. ARCKONE fits when the SME must translate that interpretation into logs, human review, permissions, forms and production workflows.
Sources
- Official Targeted consultation on the draft guidelines for the classification of high-risk artificial intelligence systems European Commission, Shaping Europe's digital future accessed
- Official Draft Commission guidelines on the classification of high-risk AI systems European Commission, Shaping Europe's digital future accessed
- Official Guidelines for providers and deployers of AI high-risk systems European Commission, Shaping Europe's digital future accessed
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
- Secondary EU AI Act Readiness Holistic AI accessed
- Secondary EU AI Act Credo AI accessed
- Secondary Trustible AI governance platform Trustible accessed
- Secondary We free your team from repetitive work ARCKONE accessed
Image credit: Photo: executives signing an international agreement by Werner Pfennig, Pexels License (Pexels)
Eleanor Whitcombe covers EU AI regulation for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).