European Commission Launches Consultation on High-Risk AI Amidst 78% Compliance Gap
Guidelines published on May 19 aim to unlock companies stalled by classification uncertainty. The market is estimated to reach up to €38 billion in compliance by 2030, with initial costs of up to US$15 million for large corporations.
The European Commission yesterday (19) launched a public consultation regarding the guidelines for classifying high-risk artificial intelligence systems outlined in the AI Act. The document, structured around general principles and two sections dedicated to specific categories, seeks to provide predictability for companies still uncertain about which of their products fall under the stringent regulations. Comments will be accepted for the next 35 days, with a deadline on June 23, and the final version will incorporate contributions prior to its final publication.
The timing is significant given the adoption landscape. A survey published in April revealed that 78% of organisations have yet to take concrete steps towards compliance with the AI Act, and the anticipated costs partially explain this paralysis. Large companies with revenue exceeding €1 billion are expected to invest between US$8 million and US$15 million initially for compliance with high-risk systems. Medium-sized enterprises face projections of US$2 million to US$5 million in initial costs, alongside annual maintenance costs ranging from US$500,000 to US$2 million. Small and medium-sized businesses may incur initial costs between US$500,000 and US$2 million, with compliance assessments per system varying from €5,000 to €50,000 each. An estimate published by Arturs Prieditis on Medium projects the total market for high-risk AI compliance in Europe to be between €17 billion and €38 billion by 2030.
Under the AI Act, systems are classified as high-risk when they pose threats to health, safety, or fundamental rights. This broad formulation has generated interpretative divergence in legal advice among multinational companies, particularly in cases of AI applied to hiring, credit granting, education, critical infrastructure, and justice. The Commission adds practical examples to reduce ambiguity during classification, although the document does not define numerical criteria for risk factors. Fines for non-compliance can reach €35 million or 7% of global turnover, making late or erroneous classification a material financial risk.
Providers, Deployers, and the Burden of Self-Assessment
The consultation is open to a broad list of respondents: providers and deployers of AI systems, businesses, public authorities, academia, research institutes, and citizens. The focus on the term deployer is intentional. Unlike previous regulations that placed the primary burden on the manufacturer, the AI Act redistributes obligations throughout the chain, and companies that merely implement a third-party AI system, such as a bank adopting a credit scoring solution from a vendor, may find themselves classified as high-risk even without having developed the model. The practical consequence is that a financial institution's compliance department may be required to document an impact assessment on fundamental rights for a model whose technical documentation is under NDA with the vendor.
The immediate regulatory landscape adds another layer. On May 7, the European Council and Parliament reached a political agreement on amendments to the AI Act that extend compliance deadlines for high-risk systems, a move widely read as a concession to the industry. The guidelines now opened for consultation act as a bridge between this relaxation and practical application: by detailing how to classify, the Commission reduces the risk of late or incorrect classification by companies that were waiting for clarity to initiate internal compliance processes.
Inventory Before the Final Version
Submissions can be made through the AI Act Single Information Platform. For CIOs and DPOs operating in the European Union, the 35-day window should be used both for formal submission of comments and for internal review of the inventory of AI systems in production. The strategic question is where to allocate budget. Reactive compliance, in which a company only acts after being notified by the authority, is a route contraindicated by the scale of potential fines. Proactive compliance requires a multidisciplinary team with overlap between legal, data, and security, a scarce profile in the European job market. Instead of waiting for the final version of the guidelines in July, the technical reading recommends starting now on the inventory, isolating use cases for scoring, triaging, and automated decision-making that repeatedly appear in the examples in the consultation document.