After several months of delays, the European Commission published this week the draft guidelines for classifying high-risk AI systems under the AI Act, as covered by IAPP. Public consultation is open until June 23, 2026, and the compliance deadline was pushed to December 2, 2027 for standalone systems and August 2, 2028 for embedded ones. More than 110 European companies had requested a two-year pause; the Digital Omnibus postponement is partial. If your SaaS touches any feature the EU considers "high risk", this is the moment to read the draft and adjust your policies before it becomes mandatory.

The two categories of high risk (and why the difference matters)

The AI Act distinguishes two ways to qualify a system as high risk:

Article 6(1): product safety

AI systems integrated into products already subject to conformity assessment (toys, medical devices, elevators, vehicles). If your SaaS doesn't touch regulated physical products, this category probably doesn't affect you directly.

Article 6(2): eight specific areas

AI systems used in eight defined domains: biometrics, critical infrastructure security, education, employment and HR management, access to essential private and public services, law enforcement, migration, and justice administration. Many B2B SaaS products that don't see themselves as "high risk" technically fall here.

Typical cases where a B2B SaaS may fall into high risk (and not know it)

Feature type | Article 6(2) area | Why it qualifies
---|---|---
Automated CV filters | Employment and HR | Decision affecting access to employment
Credit scoring or delinquency prediction | Access to essential services | Determines access to financial products
Facial recognition in security SaaS | Biometrics | Remote biometric identification
AI-powered academic evaluation systems | Education | Impacts admissions or evaluation
Employee behavior analysis | Employment and HR | Monitoring affecting working conditions

If your SaaS fits any of these, compliance requires specific documentation, a fundamental rights impact assessment (FRIA), EU registration, and transparency obligations that must be reflected in your Privacy Policy and Terms of Service.

In the Privacy Policy

  • Dedicated section on automated processing and the right to explanation under GDPR Article 22
  • Specific system description: what data it consumes, what outputs it produces, how it was trained
  • Information on the risk assessment performed (FRIA), even if only as a public summary
  • Procedure for the user to request human review of any decision

In the Terms of Service

  • Use limitation clause (the user must not use the SaaS for purposes not contemplated in the assessment)
  • Responsibility for training data when the client provides datasets
  • Notification protocol for technical incidents related to the model

In operational documentation

  • Technical record of the system per AI Act specifications
  • Log of periodic assessments and their results
  • Documented bias mitigation plan

The AI Act overlaps with GDPR but doesn't replace it. If your system processes personal data and is high risk, you must comply with BOTH frameworks. The new obligations are additive; they do not replace existing ones.

The realistic schedule

  1. June 2026: public consultation on the draft closes. If you have technical feedback, this is the moment to submit it formally.
  2. Q4 2026: finalized guidelines (estimate; the Commission did not commit to a date).
  3. December 2027: obligations enter into force for standalone high-risk systems.
  4. August 2028: obligations enter into force for AI systems embedded in regulated products.

Although it seems far away, FRIA documentation and legal policy adjustments take months to do well. Starting now with a reviewable draft is much cheaper than scrambling in 2027.

What to do in your SaaS in the next 60 days

  1. Audit your AI features against the 8 areas of Article 6(2). Document which fall in and which don't.
  2. For those that fall in: open a FRIA draft, even if incomplete. The structure already matters.
  3. Update your Privacy Policy with the automated processing section if you don't have one yet.
  4. Review your Terms of Service to include acceptable use clauses for AI features.
  5. If you publish policy updates, keep a version log: in 2027-2028 any audit will ask for the history.

The draft guidelines are "long-awaited" but arrive with a postponed timeline and a real possibility of changes after the public consultation. The practical reading: plan as if they were mandatory in December 2027, but keep the details flexible until Q4 2026 (a synthesis of IAPP's analysis).

Conclusion

The high-risk guidelines draft closes a gap that had been making B2B SaaS with AI features uncomfortable for months. The dates were pushed back, but the obligations didn't disappear. The difference between arriving in 2027 with policies ready and arriving improvising is several months of technical-legal work worth starting this quarter.

If you want to centralize the generation of Privacy Policy, Terms of Service, and AUP with AI sections per jurisdiction (GDPR, CCPA, LGPD, PIPL) and version history for future audits, Termerly is free and covers the operational base from day one.