After three years of drafting and negotiating, the European Parliament voted 523–46 to pass the EU AI Act. Reporters called it historic. Critics called it a blunt instrument aimed at a fast-moving target.
The Act's core premise: AI systems that make consequential decisions about people's lives deserve scrutiny proportional to the risk they create.
The EU AI Act uses a four-tier risk framework. Unacceptable risk systems are banned outright — government social scoring, real-time biometric surveillance in public spaces. High-risk systems in critical domains face full compliance requirements. Limited-risk systems like chatbots need transparency disclosures. Minimal-risk systems have no specific obligations.
The Act applies to any AI deployed in the EU — regardless of where its developer is based. Like GDPR, it operates extraterritorially.
Matching compliance burden to harm potential — the same principle as product safety law. Medical devices face stricter testing than kitchen appliances not because regulators distrust kitchens, but because the consequences of failure differ dramatically.
High-risk systems — AI in hiring, credit, law enforcement, healthcare, education, critical infrastructure — must meet demanding requirements: an ongoing risk management system, data governance standards, full technical documentation, transparency obligations, human oversight design (systems must not circumvent human review), and accuracy and robustness standards. Both providers (who build) and deployers (who use) have distinct obligations. Penalties reach €35 million or 7% of global annual turnover.
A late addition covers general-purpose AI (GPAI) foundation models like GPT-4 and Claude. All GPAI providers must publish training data summaries and usage policies. Models trained above 10^25 FLOPs — the frontier tier — must additionally conduct adversarial testing, report serious incidents, and track energy use. This creates layered liability chains: model provider, application developer, and deployer each have their own obligations — and each depends on the one above for documentation.
Historically, EU regulations shape global standards as companies build one product meeting the strictest requirements rather than jurisdiction-specific variants. The EU AI Act is expected to influence AI governance worldwide.
Choose an AI system (or pick one of these: predictive policing, university admissions, workplace productivity tracker, medical symptom checker, social media feed, credit scoring model).
Classify it under the four risk tiers. Justify with specific harms, affected parties, and decision types.
The hiring manager had used the AI screening tool for six months before anyone asked how it worked. She did not know. The vendor had called it "bias-free." She had trusted that.
Now an employment lawyer was asking whether she had the technical documentation the EU AI Act required her to maintain. She had a contract and a user guide. Under the Act, that was not enough.
(1) Risk Management System — documented and ongoing throughout the system's lifecycle, not a one-time assessment.
(2) Data Governance — training data must be relevant, representative, and examined for discriminatory patterns.
(3) Technical Documentation — sufficient for regulators to assess compliance: design, architecture, training methodology, accuracy metrics.
(4) Transparency — deployers receive documentation on capabilities, limitations, and oversight procedures.
(5) Human Oversight — systems must be designed so humans can understand outputs, intervene, override, or shut down; they must not circumvent oversight.
(6) Accuracy, Robustness, Cybersecurity — accuracy appropriate for the intended purpose, and resilience to attacks.
Before market entry, high-risk systems undergo conformity assessment — self-assessment for most categories, mandatory third-party review for biometric and certain sensitive systems. Approved systems enter an EU registry and receive CE marking. Post-deployment monitoring and incident reporting are also required.
Providers (builders) must ensure design meets requirements and maintain documentation. Deployers (users) must use the system within its intended purpose, implement required human oversight, and monitor performance. Both can face enforcement — a company cannot shift all liability by claiming it only purchased the tool.
Fines reach €35 million or 7% of global annual turnover — whichever is higher. This puts EU AI Act penalties in the same severity range as major GDPR violations.
Choose a specific high-risk scenario: hospital AI triage, bank loan decisions, or court risk-scoring tool.
Go through each of the six high-risk requirements. Assess whether a typical organization currently meets each one — and identify the gap.
The original EU AI Act was designed around specific applications — a hiring tool, a medical system, a credit model — each with a defined purpose and a clear provider.
Then came models that could do almost anything. A single model could power hundreds of applications with different risk profiles. Regulators had to go back to the drawing board.
The Act defines GPAI models as AI trained on broad data, capable of performing a wide range of tasks, designed for integration into downstream applications. The paradigm cases: GPT-4, Claude, Gemini, LLaMA. These models have no fixed purpose — their risk depends entirely on how they are deployed. The original Act framework could not handle them and had to be extended in final negotiations.
All GPAI providers must: maintain technical documentation (training methodology, data sources, compute, capabilities, safety testing); comply with EU copyright law by publishing a sufficiently detailed training data summary; publish a usage policy; and cooperate with downstream providers by sharing the documentation they need to meet their own compliance obligations.
GPAI models trained above 10^25 floating point operations face additional requirements: adversarial testing (red-teaming before deployment and ongoing), serious incident reporting to the European AI Office, cybersecurity measures, and energy consumption reporting. The compute threshold targets frontier models — but critics note training efficiency improvements may make it an unreliable capability proxy over time.
Foundation model provider, application developer, and deployer each have separate obligations — and each depends on the party above for sufficient documentation. GPAI providers effectively become compliance enablers for their entire downstream ecosystem.
Pick a real AI product built on a foundation model: a legal research tool on GPT-4, a customer service bot on Claude, a coding assistant on LLaMA.
Map all three layers: foundation model provider, application developer, deployer. Assign each layer's specific GPAI obligations.
The EU AI Act entered into force. The European AI Office was stood up. National market surveillance authorities were designated.
What followed was implementation progress, industry lobbying, civil liberties advocacy, and genuine uncertainty about how the rules would work in practice.
Two enforcement levels: National Market Surveillance Authorities handle application-level enforcement in their member states — AI hiring tools, medical systems, credit models. They can investigate, order corrective action, and impose fines. The European AI Office — a new body within the European Commission — supervises GPAI and systemic risk models, coordinates national authorities, maintains the GPAI registry, and can fine providers directly.
Requirements phase in over 36 months: prohibited practices at 6 months, GPAI requirements at 12 months, most high-risk requirements at 24 months, some sector-specific high-risk at 36 months. The delays allow standards bodies to develop technical standards and companies to assess their systems.
Civil liberties advocates argue that the law enforcement biometric surveillance exceptions are too broad. Self-assessment for most high-risk systems lets companies grade their own homework. Individual rights to contest automated decisions are inadequate. Prohibited practice definitions have loopholes wide enough for surveillance systems to pass through.
Industry critics counter that compliance costs disadvantage EU startups against US and Chinese competitors. Legal uncertainty discourages investment. Risk classifications may be miscalibrated. Extraterritorial reach creates friction for global product development.
Scope gaps remain. Military and national security AI is explicitly excluded. AI used for personal, non-professional activity is excluded. Research has broad carve-outs. AI that harms through diffuse societal effects rather than discrete decisions — recommendation algorithms shaping information environments — mostly falls outside the high-risk classification.
Choose a stakeholder: civil liberties advocate, EU startup founder, large US tech company, or affected community group subject to algorithmic decisions.
Construct the strongest critique of the EU AI Act from that perspective — what does it fail to address, what does it get wrong, what would you change?