The AI Act Window and the Classification Error: What the May 19 Guidelines Actually Resolve

On 7 May 2026, EU institutions reached political agreement on the Digital Omnibus on AI, moving the enforcement deadline for high-risk AI systems from 2 August 2026 to 2 December 2027. Twelve days later, the European Commission published draft guidelines on the classification of high-risk AI systems, open for consultation until 23 June.

Most coverage focused on the delay. The more consequential document is the one that came after it.

For compliance teams at management companies, TCSPs, and fund administrators, the classification guidelines resolve a question that has been answered incorrectly in most internal AI inventories over the past 18 months. The error is not minor. It changes which systems require conformity assessment, what documentation must be built, and how much of the 16-month extension is actually relevant to the compliance AI in use at these firms.

What the Omnibus Deal Actually Changed

The provisional agreement introduced fixed, separate deadlines for the two main high-risk categories. Annex III systems, the explicit use-case list in the AI Act, now have until 2 December 2027. Annex I systems, AI embedded in products subject to EU product safety legislation, have until 2 August 2028. A smaller deadline applies to transparency obligations for AI-generated content: 2 December 2026.

The agreement also narrows the definition of "safety component" for Annex I purposes. If an AI component merely assists users or optimises performance without creating health or safety risks, it will not trigger high-risk obligations. The Commission gains power to disapply overlapping AI Act requirements via implementing acts where sectoral rules already cover the same ground, a direct response to concerns about regulatory duplication in financial services.

The delay reflects a genuine process failure on the Commission's part. The classification guidelines were originally due 2 February 2026, three months before the August deadline. They were not delivered. More than 110 EU-based businesses lobbied explicitly for a pause, citing the absence of guidance they needed to run conformity assessments in a shrinking grace period. The Omnibus deal acknowledged that firms cannot be held to a deadline that was never supported with adequate regulatory guidance.

The delay is real. So is the problem it exposed: most compliance teams at financial services firms did not know which of their AI systems would have been high-risk under the August deadline in the first place.

The Classification Error

The AI Act's Annex III lists eight use-case categories where AI systems are presumed high-risk. The fifth category covers access to essential private services, and it names three financial services cases: creditworthiness assessment, credit scoring of natural persons, and risk and pricing assessment in life and health insurance.

What Annex III does not include is AML and fraud detection.

Recital 58 of the AI Act states explicitly that AI systems designed to detect fraudulent transactions or assess money laundering risk should not be classified as high-risk under the Act, because the harm they are designed to prevent is directed at third parties rather than the individuals whose data they process. The exemption is written directly into the legislative text and confirmed in the Commission's May 19 guidelines.

This is not an interpretive position. It is the text of the regulation. But it has been misread consistently in internal AI audits and compliance gap assessments, for a straightforward reason: the categories in Annex III are described at a level of abstraction that makes "risk assessment" sound relevant to AML risk assessment, and "scoring" sound relevant to customer risk scoring for compliance purposes. The result has been a pattern of over-classification, where firms treated AML AI as high-risk and built preparation programmes around the wrong obligation set.

The May 19 guidelines provide practical examples across all eight Annex III use-case categories. Their stated function is to clarify the classification methodology and reduce interpretive divergence across member states. For financial services firms that have been working from divergent legal opinions on this point, the guidelines are the first authoritative primary source.

What the Classification Distinction Actually Means

High-risk and non-high-risk AI systems carry entirely different obligation sets under the Act.

High-risk systems, such as credit scoring AI used to assess whether a client qualifies for credit and on what terms, will require conformity assessment before deployment, a quality management system, technical documentation, registration in the EU AI database, and ongoing post-market monitoring with documented evidence. These are significant infrastructure investments. Article 14 of the Act also requires that high-risk systems be designed to allow effective human oversight, with mechanisms for humans to understand the system's outputs, monitor its operations in real time, and override its decisions.

Non-high-risk systems, including AML transaction monitoring AI and customer risk scoring AI used solely for AML/CFT purposes within the Recital 58 exemption, carry a much lighter direct obligation set under the Act. Transparency obligations under Article 50 apply in specific circumstances. Voluntary codes of conduct exist. But the conformity assessment process, the Annex III documentation requirements, and the Article 14 human oversight obligations do not apply as mandatory requirements.

For a management company or TCSP whose AI use in compliance is primarily AML-focused, this changes the preparation scope materially. The December 2027 deadline and the conformity assessment process are relevant to credit scoring AI, not to the AML screening or risk-rating tools that dominate most compliance AI deployments at these firms.

The AMLR Floor That Applies Regardless

The classification distinction matters for AI Act preparation. It does not eliminate obligations.

The AMLR, which applies from 10 July 2027, requires that every CDD decision be grounded in documented, auditable reasoning. Whether that decision was made by an analyst, a rules-based system, or a machine learning model is not material to the documentation requirement. The output of any AI-assisted CDD process has to be traceable to the evidence that supported it, the policy it was applied under, and the individual with oversight responsibility who validated or overrode it.

AMLA has been consistent on this. Forvis Mazars, summarising AMLA's emerging supervisory position, paraphrases the principle as: AI tools are not substitutes for human decision-making but rather enablers. The AMLR's accountability structure requires a named human with documented oversight responsibility over AI-assisted decisions. The AI Act exemption for AML AI does not change this. It simply means the firm is building that evidence trail under the AMLR framework rather than also under the AI Act's conformity assessment framework.

For a management company or TCSP using an AI tool for customer risk scoring in the context of CDD, the practical obligation is: document what data the tool used, what output it produced, how that output was reviewed, and what decision was made with human oversight. That documentation is not optional under the AMLR. It is what AMLA's supervisory methodology, and the CSSF and FSC's derivative examination approaches, will examine.

The AI Act exemption removes one layer of obligation. It does not remove the AMLR layer that sits underneath it.

What to Do With the Consultation Window

The May 19 guidelines are open for comment until 23 June. The Commission has not committed to a final publication date or to further consultation rounds after that. The guidelines, once finalised, will be the primary reference for AI Act classification decisions across all member states.

For firms that have already run AI inventories against the pre-Omnibus August deadline, the guidelines are worth a direct comparison to internal assessments. The practical examples in the document illustrate how the Commission expects Article 6(2) and Annex III to be applied across the eight use-case areas. Firms whose assessments concluded that AML or customer risk scoring tools are high-risk under the Act may find the guidelines reduce the scope of what actually requires conformity assessment.

For firms that have not run AI inventories, the guidelines and the December 2027 deadline together define the task: catalogue the AI systems in use across the compliance function, apply the Article 6 classification test using the Commission's examples, and build the obligation set around what results. Credit scoring AI will be in scope. AML screening and risk-rating AI will generally not be, unless the system is used in ways that extend beyond the Recital 58 exemption, for example in creditworthiness-adjacent decisions where AML is only part of the rationale.

The consultation itself is worth engaging with for firms that have views on how the practical examples apply to their specific use cases. The Commission stated that examples "are not to be considered exhaustive and may be updated over time," which means early feedback can shape the final document.

The Position

The 16-month delay is a genuine reprieve. It is not an argument for deferral. The Commission published the classification guidelines within 12 days of the Omnibus agreement. The regulators who extended the deadline simultaneously clarified what firms should be doing with the extra time.

For management companies, TCSPs, and fund administrators in Luxembourg and Mauritius, the practical sequence is specific. Understand whether your AI systems fall inside or outside Annex III scope. Understand that the AML exemption is real but bounded by how the system is actually used. Build the AMLR-required evidence trail around whatever the AI tools produce, regardless of their AI Act classification. The deadline shifted. The obligation to document AI-assisted compliance decisions did not.

The firms that will be ready for December 2027 are not the ones that decided the extension meant they could wait. They are the ones that used the guidelines published on 19 May to answer, correctly, which systems actually require preparation, and started building the infrastructure around those systems now.

If your firm is working through what the Digital Omnibus deal and the May 19 classification guidelines mean for your compliance AI programme, we can help you map the actual scope.