On 19 May 2026, the European Commission opened a targeted consultation on the draft guidelines for classifying high-risk AI systems under Annex III of the AI Act. It closes on 23 June. That is thirty days to fix something the guidelines currently get wrong — and that no one in the public debate has named precisely.
The guidelines do not distinguish between two fundamentally different categories of AI system.
The first category is a deterministic workflow – a sequence of actions fixed in code before deployment, auditable at design time, whose behaviour under all anticipated conditions can be specified in advance.
The second is what researchers call an ‘agentic system’. Rather than following a sequence of predetermined steps, it generates the steps it will take at execution time: an intervention plan that did not exist before the system encountered the specific case.
The distinction matters because it determines whether human oversight is structurally possible. In a deterministic workflow, you can embed oversight in the sequence — because the sequence is known. In an agentic system, the sequence does not exist before execution. Oversight cannot be designed into something that has not yet been generated. It must instead be anchored to the risk profile of each class of action — its irreversibility, its impact on rights — not to a predetermined flow.
A classification framework that does not operationalise this distinction cannot correctly identify the risk profile of the most consequential systems currently in deployment. It will misclassify in both directions: treating deterministic workflow systems as agentic when they are not, and failing to flag agentic systems as high-risk when they are.
The gap is not hypothetical.
In 2021 and 2022, Spain’s intelligence service CNI identified two infections of the President of the Government’s device by Pegasus, a commercial spyware system developed by NSO Group.
Pegasus is agentic in the precise sense above: once deployed, it generates and executes an intervention sequence — initial exploit, privilege escalation, persistent access — in real time, in response to the specific characteristics of the target device. The entry vector — the technical mechanism by which it gained initial access — was never forensically identified.
The Audiencia Nacional, Spain’s national high court, provisionally closed (archived) the investigation in 2023. Without an identifiable responsible actor, no prosecution was possible.
Four years later, Pegasus has not been classified as high-risk under any European regulatory framework, because the criterion that would require that classification does not exist.
The argument is not about who infected whom. It is about why no European institution had the instruments to intervene, and why that remains true today for any system with the same architectural profile.
Lack of political will?
The targeted consultation offers a specific remedy that does not require new legislation or treaty amendment.
Article 7 of the AI Act empowers the commission to adopt a delegated act adding use cases to Annex III where two conditions are met: the systems are intended for use in one of the areas Annex III already lists, and they pose a risk of harm to health and safety, or an adverse impact on fundamental rights, equivalent to or greater than that of the high-risk systems already listed there. Where the existing classification criteria cannot capture such a risk, that is the mechanism for closing the gap.
Both conditions are met by agentic systems that generate and execute intervention sequences on third-party infrastructure at runtime. The commission can act within the current legislative cycle.
Two further steps would make that action enforceable.
First, the commission’s standardisation mandate could be expanded to create a common technical standard that clearly distinguishes between AI systems that independently make or shape decisions and software tools that simply follow predefined workflows. This would mirror the approach used in medical device rules, which distinguish between software that only displays information and software that actively influences clinical decisions.
Secondly, a formal coordination protocol between the commission’s Directorate-General for Communications Networks, Content and Technology (DG CONNECT), its Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), and the EU Agency for Cybersecurity (ENISA) would address the structural gap that left no European authority with jurisdiction to intervene when Pegasus operated against the device of a member state’s head of government.
None of this requires the political will of an unusual order. It requires a decision, within existing mandates, to operationalise a distinction that the draft guidelines themselves implicitly acknowledge — but do not make enforceable.
The consultation closes on 23 June. The window is open. The question is whether anyone with standing to act will use it.
A formal submission on the criterion described in this article was made to DG CONNECT on 22 May 2026 as part of the targeted consultation.