Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2026

Roger Clarke's 'Regulatory Evaluation of EU AIA'

An Evaluation of the EU Artificial Intelligence Act against
a Normative Framework for Regulatory Regimes

Review Draft of 10 May 2026

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2025-26

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://rogerclarke.com/EC/RRE-AIA.html


Abstract

The Artificial Intelligence Act (AIA) of the European Union has been portrayed as a world-leading regulatory regime that will protect the public against the technological threats inherent in AI, and encourage adoption of beneficial applications. A great deal of analysis has been published since the law was proposed in 2021. This has continued following its passage in 2024, and the coming into force of the first of its provisions in 2025. This contribution evaluates the AIA not as law, but as the underpinnings of a regulatory regime -- or, more specifically, of several separate regimes for different categories of application.

Legal analyses have identified complexities arising from the application of multiple bodies of law in unusual ways. The first contribution of this article is to articulate strangenesses in the key terms and their definitions, which represent barriers to understanding by AI practitioners. A second contribution is examination of the several regulatory regimes the AIA establishes as interventions into complex socio-technical systems, resulting in the identification of a great many ambiguities and exceptions likely to undermine attempts to achieve compliance, to reduce the incidence of negative impacts and implications, and to manage risks.

The work's third contribution is the application of an evaluation framework for regulatory regimes that provides a comprehensive view comprising 16 criteria for an efficacious scheme. The scoresheets provide an indication of the extent to which all of the AIA's regulatory regimes fail against those criteria. The factor-weightings and scores are of course dependent on subjective judgements. On the other hand, the provision of a considerable degree of structure to the assessment of regime performance against defined criteria enables others to refine the analysis, or to conduct their own evaluations against the standard, or against an enhanced or alternative version of the criterion-set. The results of this and subsequent evaluations should assist in the emergence of some future scheme that will be more likely than the AIA to bring order to the current chaos of AI applications.



1. Introduction

In recent years, rapid adoption has been evident of several forms of Artificial Intelligence (AI) that appear to embody both significant benefits and significant threats. In an endeavour to placate widespread public concern about the threats, statutory intervention was developed by the European Commission (EC) in the form of the Artificial Intelligence Act (AIA). This was enacted in 2024, with its provisions coming into effect in a series of steps. The legislation is widely seen as being highly influential in all jurisdictions in which AI is being actively developed and applied, including Australia.

The majority of commentary on the AIA has been positive, or at least hopeful, with relatively few works critically examining the proposal or the political economy of its development, passage and implementation. The present paper is offered as a timely, sceptical, and moderately deep assessment of the AIA, its effectiveness in achieving its claimed purposes, and the political realities that undermine it.

Artificial Intelligence technologies are widely acknowledged to have substantial negative impacts and implications and to carry risks (Blauth et al. 2022). An analysis of the risks inherent in AI generally is in Clarke (2019a), and the potentially harmful attributes of generative AI in particular are examined in Clarke (2025a). Reflecting the extent and seriousness of the threats, widespread concern exists about AI's impacts, and there is demand worldwide for regulatory action (Gillespie et al. 2025). The AIA is claimed to be the first substantive endeavour to regulate applications of AI technologies, and is progressively coming into force between March 2024 and August 2027. The EC seeks to encourage development, deployment and use of Artificial Intelligence, in order to extract economic benefits from it. Many writers see the AIA as being likely to exhibit the 'Brussels Effect' (Bradford 2020), by influencing the practice of AI well beyond the European Union (EU) (Greenleaf 2021, 2024) -- although some conclude differently (e.g. Ebers 2024 pp.18-20).

The AIA has been the subject of a vast amount of analysis since its path towards enactment began in April 2021 (EC 2021). It is large and complex, and contains about 90,000 words in 100 pp. of dense text. The Recital alone contains 34,500 words in 180 numbered paragraphs over 31 pp. This has since been augmented by guidance totalling a further 135 pp. and 60,000 words, relating to only the first provisions that came into effect (EC 2025a), with a second of 36 pp. (EC 2025b) published a mere 18 days before the relevant provisions came into effect. The scale and complexity of the text of the AIA inevitably give rise to a rich diversity of interpretations.

In their endeavours to address a multi-headed and rapidly-changing phenomenon, the AIA's drafters used a number of key terms in novel ways. The phrase 'AI System' occurs 1,080 times, 'risk' qualified in several ways occurs 776 times, 'high-risk' 472 times and 'systemic risk(s)' 80 times. The usages of the key terms, combined with the richness of their contexts of use in the document, present to regulatees as a blizzard of words, and provide researchers and consultants alike with an intellectual banquet on which to feast.

The analysis presented in this article is not legal scholarship, and it has not been performed by a lawyer. The perspective adopted is that of a consultant and researcher in strategic and policy aspects of transformative and disruptive information technologies, and the focus is on law as an instrument of public policy. It reflects insights in the substantial prior literature in the field of technology law, including early analyses such as Edwards (2022), optimistic ones such as Gstrein et al. (2024) and Cancela-Outeda (2024), and particularly critical works in the business-oriented information systems literature such as Vainionpaa et al. (2023) and Woersdoerfer (2024), and in law, such as Veale & Borgesius (2021), Barkane (2022) and Wachter (2024).

The work reported here is intended to complement the many legal analyses of specific aspects of the Act. The focus is on the provisions of the AIA that represent the underpinnings of a regulatory regime. Rather than offering dispassionate, scholarly analysis, the work is motivated by the public policy need for control to be exercised over inherently dangerous and obscure technology. A critique is presented of the likely overall effects of the EU's highly complex scheme, applying a framework for the evaluation of regulatory regimes that is presented in detail in Clarke (2026). The key terms are defined as follows:

Regulation is the process whereby a socio-technical system adapts its structure and processes in order to accommodate disturbances or damage that it undergoes, so that it operates and adapts as an integrated whole

A Regulatory Regime is a set of mechanisms that influence or control the way entities behave within a socio-technical system, and that thereby contribute to the achievement of economic, social and/or environmental policy objectives

A later section outlines important elements of the framework, including the Objects of Regulation, Required Attributes, a 7-layer Model of Regulatory Mechanisms, and archetypal Players and Plays.

The article commences by outlining the AIA, and drawing attention to aspects of it that are of significance to an assessment of its efficacy as a regulatory instrument. The term 'efficacy' refers to a regime's overall quality, encompassing comprehensiveness, effectiveness, efficiency, flexibility and adaptability. Section 3 identifies and describes each of the categories of objects distinguished by the AIA, of which four are subject to separate regulatory regimes of varying intensity. The focus throughout is on the AIA's capacity to deliver regulatory efficacy, not on the law per se. In each case, a wide range of uncertainties and exceptions is noted, and questions also arise in relation to enforcement arrangements. In section 4, a previously-published Regulatory Design and Evaluation Framework is outlined and key elements are identified. Section 5 then applies the evaluation framework to each AIA regulatory regime in turn, enabling subjective scores to be assigned against each of 16 criteria. The score-sheets bring into focus the extent to which the uncertainties and exceptions undermine the efficacy of the AIA's provisions. Conclusions are drawn in section 6.


2. The AI Act

The AIA was prepared during 2021-24 by the European Commission (EC, which comprises over 30,000 public service employees), passed in March 2024 by the EU Parliament (which in a sense represents citizens but is dominated by the EC), and adopted in May 2024 by the Council of the EU (which represents the governments of the member states). The AIA is formally an EU Regulation, 2024/1689, and hence is a law that applies to and within all member states, as part of each member state's law. (EU Directives, on the other hand, set goals for member states to implement). The AIA became EU law on 1 August 2024, with various elements taking effect from 2 February 2025, 2 August 2025, 2 August 2026 and 2 August 2027 (Article 113).

The description in this and the following section draws on the AIA and the EU's high-level summary (EC 2024) and a variety of secondary sources in refereed literatures, which are cited where they are relied upon. The remainder of this section outlines the AIA's purposes and discusses definitional aspects of the key terms it uses. The following section 3 shifts the focus to the regulatory regimes it establishes.


2.1 Objective and Motivations

AIA's objective is declared as follows (AIA, Recital (1), emphases added, and reformatted for clarity):

The purpose of this Regulation is

The driver for the AIA is clearly the stimulation of economic development by supporting AI innovation and promoting its uptake. Control over negative impacts, implications and risks is expressed firstly as a constraint on the economic objective ("while ensuring") and then as an apparently secondary objective ("to protect"). Hence, although the large majority of the provisions relate to protections, the ultimate purpose of those protections is to overcome barriers to adoption of AI technologies. Veale & Borgesius (2021) note the strangeness of this approach (p.98):

"The proposal mixes reduction of trade barriers with broad fundamental rights concerns in a structure unfamiliar to many information lawyers ... [which] brings a range of novelties and tensions" (p.98)

Many regulatory regimes focus on the achievement of public trust (i.e. by whatever means), whereas the AIA contains few mentions of 'trust', but 19 of 'trustworthiness', implying an endeavour to earn public trust rather than relying largely on 'public education', in the sense of public relations and marketing.


2.2 An AI System

The drafters avoided having to define AI, and instead chose as the focal-point systems that they claim have characteristics that together define the features that make 'AI' a suitable matter for the imposition of regulatory measures. The key term is defined as follows (Art. 3(1), emphases added):

An "AI system" is a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments

The argument can be advanced that AI means too many things to too many people and hence skirting around its meaning is an appropriate strategy. On the other hand, AI researchers, developers, vendors and adopters need to understand the AIA's technological scope in order to gauge the extent to which their technology has the attributes that the definition of "AI system" refers to. Achieving a reliable interpretation turns out to be quite challenging. Multiple features are optional, including 'a high level of autonomy' ("varying levels"), 'adaptiveness' ("may exhibit"), 'explicit objectives' ("explicit or implicit") and any particular form(s) of 'output' ("such as"). The remaining, definitional attributes appear to be (i) 'machine-based', (ii) '(some) autonomy', (iii) 'objectives' and (iv) 'inference from input to generate output'.

It would seem that 'machine' is not intended in its original sense (paraphrasing OED IV.6.b) of 'a device with multiple parts with defined functions, involving mechanical or electrical power in the performance of defined work', but rather a device utilising electrical phenomena for the handling of data, without any requirement that force be applied to any real-world object, i.e. a computer. The following interpretation is therefore suggested as being equivalent to, and more readily understood and applied:

An "AI system", operationally defined, is a computer-based set of interacting processes that has some level of autonomy and some sense of objectives, and that draws inference(s) from input to generate output

A first important consideration is that the notion of 'inference' does not depend on the involvement of a high-level intelligence. All that matters is that input-conditions exist that give rise to an output. The process whereby the output is generated can be expressed in various ways, including algorithmic or process form, or as antecedent-consequent / logical rules. The various generations of software development tool are described in Clarke (1991). Software developed using each of a machine-language, an assembler language, a procedural language, a rule-based expert system, and a purely empirical approach such as artificial neural networks, infers from input to generate output, i.e. each satisfies definitional attribute (iv). Any such item of software can be interpreted as having at least implicit objectives (iii). Each has a delegation to perform its pre-programmed functions and hence operates with a (perhaps low) level of autonomy (ii), and runs in one or more computing devices and is thereby machine-based (i).

The AIA definition of an AI system is therefore not limited to any particular generation of development tool and requires no particular attributes of coding techniques or outcomes that were not already apparent in (at the latest) the very first administrative system (bakery valuations) in November 1951 (Land 2022), which first ran some years prior to the OED recognising the terms 'artificial intelligence' (1955) and 'AI' (1963).

The definition of AI system adopted in the AIA can therefore be argued to fail the test that the Commission set for it, viz.: "the definition should be based on key characteristics of AI systems that distinguish it [sic] from simpler traditional software systems or programming approaches and should not cover systems that are based on the rules defined solely by natural persons to automatically execute operations" (AIA 2024, Recital (12), emphasis added). Ebers (2024) similarly concludes "the AI Act applies not only to machine learning, but also to logic- and knowledge-based approaches (recital 12 AI Act). As a result, even deterministic software systems [may be] subject to the highest requirements" (p.12).

In order to contrast the AIA's definition against past and present understanding among AI practitioners of what the term AI means, the remainder of this section considers two definitions, reflecting the original conception and contemporary usage.

Firstly, the original conception of AI can be reasonably depicted by a paraphrase of McCarthy et al. (1955, p.12, 1st para.):

Artificial Intelligence is accurate simulation on a computer of all aspects of learning and [human] intelligence more generally

AIA's definition of an "AI system" incorporates aspects of computing, autonomy, objectives, inferencing, outputs, decisions, and learning (a related notion to adaptability), but lacks any sense of a simulation of the integral whole implied by the term 'intelligence'.

McCarthy's original conception of AI has come to be referred to as 'artificial general intelligence' (AGI) or 'strong AI', because it is recognised as 'aspirational', or, less charitably, motivational but unachievable. The AGI notion is widely regarded as being inconsistent with AI as it is practised in the 21st century. The large majority of work in the field has long since adopted the approach that human features that contribute to intelligence do not reflect an 'aspiration', but rather are 'inspirational' (Boden 2016, Lieto & Radicioni 2016). An exemplar of this is the metaphorical use of '(artificial) neural networks' to refer to the most common base for the branch of AI called machine learning (AI/ML). The following was proposed in Clarke (2023) as an operational definition of AI as practised during the last three decades. It paraphrases multiple sources, including Albus (1991), Russell & Norvig (2003) and McCarthy (2007):

Intelligence is exhibited by an artefact if it:

  1. evidences (a) perception, and (b) cognition, of relevant aspects of its environment;
  2. has goals; and
  3. formulates actions towards the achievement of those goals;
  4. but also, for some commentators at least, implements those actions

I contend that this interpretation of AI provides a suitable basis for distinguishing the AI systems that pose serious threats from conventional systems that use procedural and rule-based approaches. The AIA's definition of 'AI system', however, is far removed from this interpretation. AIA requires only weak forms of perception and goal-driven formulation of action, no element at all of cognition, and autonomy at most up to the point of decision, not action. The AIA notion is therefore both much narrower than conventional use of the term (as discussed immediately above), and much broader (as discussed earlier in this section).

These significant differences between the AIA notion and the conception common among researchers, developers, vendors and adopters of contemporary AI create a strong likelihood that the provisions of the statute will map poorly to the realities of the relevant artefacts' features. This makes it very likely that the legal requirements will not be comprehensible to the individuals who are intended to comply with them. The fact that there is a great deal of commonality between the AIA's definition and those of the Organisation for Economic Cooperation and Development (OECD 2024, p.4) and the Council of Europe (CoE 2024, p.3) suggests that this incomprehensibility problem may be becoming entrenched.


2.3 General-Purpose AI (GPAI) System

Generative AI (GenAI) burst into public prominence during 2022-23, during the middle part of the gestation and negotiation period for AIA, 2021-24. GenAI is a form of machine-learning (AI/ML) that is oriented not to drawing inferences from data but rather to responding to requests to produce what appears to be new data. The EC felt the need to react swiftly to its brisk adoption, and, despite the fluidity of an immature technology, sought to ensure that a particular aspect of GenAI was addressed by the Act. The AIA defines one key term as (Art.3(66)):

A "general-purpose AI (GPAI) system" means an AI system which is based on a general purpose AI model [GPAI model], that has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems

The AIA defines a further term as (Art.3(63), emphases added):

A "GPAI model" means an AI model, including when trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable to competently perform a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications. This does not cover AI models that are used before release on the market for research, development and prototyping activities

A further term, 'GPAI model with systemic risk' is discussed in section 2.5 below.

The very apparent desire for a 'black-box' / 'technologically neutral' definition has resulted in highly non-specific, even vacuous, expression, which invites an enormous range of interpretations. GenAI artefacts comprise deft combinations of (Clarke 2025a):

The AIA was enacted very early in the maturation process of LLMs, of their combination with other technologies, and of their applications. To address the challenges, the AIA envisages clarifications arising from consultative and advisory bodies. The EU's initial guidance and code have attracted mixed responses from the large corporations that have invested heavily in LLMs. It has been evident from successive EC announcements that industry lobbying has achieved yet more success, culminating in material easing of the AIA's provisions in a further Draft Regulation (EC 2025e). There is considerable doubt as to whether the notion of 'GPAI' can provide the basis for an efficacious regulatory regime.


2.4 Risk

AIA encompasses five categories of "AI systems", four of which are distinguished on the basis of what it refers to as their level of "risk". It specifies regulatory regimes in relation to four of the five categories, exempting from regulation what are referred to in this article as "Minimal risk AI systems".

In the contexts of security, risk assessment and risk management, the term 'risk' is used in a wide variety of ways, referring variously to a general threat, a specific threat, an incident, harm, the likelihood of harm arising from an incident, or the residual likelihood of harm arising taking into account existing safeguards. The EU's cybersecurity agency, ENISA, applies the term 'risk' in a particularly narrow manner, as "a circumstance or event having a potential adverse effect". This is a combination of a generic threat (e.g. lightning) with an instance of a threat (a specific bolt of lightning). Most coherently, risk refers to:

the perceived likelihood of occurrence of harm arising to an asset as a result of a threatening event impinging on a vulnerability (Clarke 2015)

the likelihood that a source of hazard will turn into actual harm (Ebers 2024, p.3)

The US NIST Glossary entry recognises the blurring of the 'likelihood' criterion through some unclear merger with the notion of harm or 'adverse impacts' (NIST 2025):

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence

The EU, rather than treating the degree of harm as an element of analysis, defines risk as (EU 2022, Art 6(9)):

the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident

The AIA adopts a variant of the EU Directive's approach (Art.3(2)):

"Risk" means the combination of the probability of an occurrence of harm and the severity of that harm

It appears likely that the AIA notion of Risk will require a succession of judicial pronouncements before its meaning and application achieve adequate clarity. A critique of the AIA approach to risk assessment is in Novelli, Casolario, et al. (2024).

2.5 Systemic Risk

The definition of one form of the fifth of the five categories addressed by the AIA, GPAI models, uses the novel term "systemic risk". The AIA definition is as follows (Art.3(65), emphases added):

Systemic risk means a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain

Two definitions are then combined, as follows (Art.51-1, emphasis added):

A GPAI model with systemic risk is a GPAI model that either: (a) ... has high impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks; or

(b) [is] based on a decision of the Commission, ex officio or following a qualified alert from the scientific panel, it has capabilities or an impact equivalent to those set out in point (a) having regard to the criteria set out in Annex XIII.

Despite the many warnings that exist about technological specificity in legislation, the EC seeks to operationalise a key expression in terms of the computational power used (Art.51-2), with the threshold measure adaptable by regulatory instrument (Art.51-3, emphasis added):

A general-purpose AI model shall be presumed to have high impact capabilities ... when the cumulative amount of computation used for its training measured in floating point operations is greater than 10^25

The lengthy Recitals section provides further explanation of "systemic risks" (in this case plural, rather than singular or generic). They "include, but are not limited to, any actual or reasonably foreseeable negative effects in relation to major accidents, disruptions of critical sectors and serious consequences to public health and safety; any actual or reasonably foreseeable negative effects on democratic processes, public and economic security; the dissemination of illegal, false, or discriminatory content" (Recital 110), and "a general-purpose AI model should be considered to present systemic risks if it has high-impact capabilities, evaluated on the basis of appropriate technical tools and methodologies, or significant impact on the internal market due to its reach. High-impact capabilities in general-purpose AI models means capabilities that match or exceed the capabilities recorded in the most advanced general-purpose AI models" (Recital 111, emphasis added). The circular nature of the final words of Recital 111 (effectively limiting it to the 'mostest advanced GPAI model(s)') creates challenges to understanding. An endeavour to disentangle the semantic complexities of 'GPAI with systemic risks' is in Bygrave & Schmidt (2025, pp.8-10).

A Code and Guidelines emerged in July 2025 (EC 2025b, 2025c), but they are heavily process-oriented. One of the few instances of articulation of a substantive nature is Appendix 1.4 of the Code, which identifies four categories of "systemic risks: chemical, biological, radiological, and nuclear (CBRN) attacks or accidents ... ; loss of [human] control ... ; large-scale sophisticated cyber-attacks ... ; and harmful manipulation [of] large populations or high-stakes decision-makers through persuasion, deception, or personalised targeting ... " (EC 2025b, p.37).


2.6 Categories of Regulatee

The AIA applies to "AI systems" that fit within criteria relating to the risk of harm arising, and that are unable to invoke an escape clause. The high-level summary (EC 2024) says that the AIA places "the majority of obligations" on "providers (developers)", but with some also applicable to "operators". The categories of the entities on which the AIA imposes obligations are defined as follows (Arts.3(3,4,8)):

A "provider" is a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge

A "deployer" is a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity

An "operator" is a provider, product manufacturer, deployer, authorised representative, importer or distributor

In the software and software-as-a-service sectors, a 'developer' performs functions early in a supply-chain, and a wholesaler, a distributor, a re-seller, or indeed the developer themselves adds value further along that chain and hence is a 'provider' in AIA terms. A 'user organisation' may install and operate the software for their own purposes or may depend on a 'service-provider' to do so, each of which is presumably a 'deployer' under the AIA. Attempts to clarify the meaning do not necessarily achieve their aim, e.g. "Those that intend to place on the market [which, in more common business dialect, appears to encompass developers, re-sellers and service-providers] or put into service [which appears to encompass service-providers and "users (deployers)"]". The subsidiary terms "authorised representative", "importer" and "distributor" (but not "product manufacturer") are defined in conventional manner in Art.3(5)-(7).

The Provider's "intended purpose" is defined. It is distinguished from "reasonably foreseeable misuse", which is defined as use "not in accordance with its intended purpose" (Art.3(12)-(13)). Thereafter, the term "intended purpose" occurs many times throughout the Articles, whereas 'misuse' appears only in Arts.9, 10, 13 and 14.

The occurrences in the summary of "user" appear to encompass firstly organisations, and secondly individuals applying the AI system in a self-employed professional capacity, i.e. as an independent contractor, sole trader or business partner. The term "end-user" (which appears only twice in each of the AIA and the EC's high-level summary) appears to apply to employees and contractors acting on behalf of an organisation, and individuals acting in a personal capacity. Given that there are few occurrences in the Articles of "user-organisation/deployer" and "user/end-user", it appears that the EC intends to impose no obligations on such an entity. This has since been confirmed (EC 2025a, p.6, para. (18)).

There is ample scope for uncertainty to arise about the scope of these definitions, and whether all relevant categories of actor are encompassed. After a "provider" has "developed" a product and "placed it on the market", the product may be transacted through chains of organisations before being "used" by a "deployer" for an "intended purpose" and/or a "misuse", or solely for service-provision to other deployers. Clarity is needed about the obligations of, respectively, each organisation in supply chains or networks, and those "deployers" who make the "AI system" available only to "users" within their own organisation and/or "end-users" within or beyond its boundaries.

The following section describes the regulatory regimes created by the AIA, referring back to the definitional discussions in the present section where appropriate.


3. The Multiple Regulatory Schemes under the AIA

The AIA distinguishes four categories of "AI systems", depending on their level of "Risk". It claims to create distinct regulatory regimes for three of them. See Table 1, and the discussion in sections 3.1-3.3 and 5.1-5.4 below.

Table 1: AI System Risk Levels and Regulatory Schemes

A fifth category, and the fourth that is subject to a regulatory regime, is a "General purpose AI (GPAI) system", as defined in the previous section. This is addressed in sections 3.4 and 5.5. Enforcement aspects are considered in section 3.5.


3.1 The Regulation of Unacceptable-Risk / Prohibited AI Systems

"Unacceptable-Risk / Prohibited AI Systems" are defined in a closed-ended manner (Art.5). The eight items describe applications of "AI systems" rather than the characteristics of the artefact, or the process or technique(s) used to achieve an output or outcome. The Article contains 1,750 words of a moderate degree of complexity, posing challenges for both commentators and implementors.

The eight items are subject to over 20 exclusions, based variously on the intended outcomes; the extent to which harm is caused; the attributes of the users and usees (i.e. those who are indirectly impacted); the data involved; the source of the data; or the organisation performing the function or in which the function is performed. [ PREPRINT ONLY: An adapted extract is in Appendix 1. ]

The scope of exclusions is unclear and may well remain so, but appears to be very broad. For example, to be Prohibited under each of Arts. 5.1(a) deception and 5.1(b) vulnerability exploitation, a very high bar is set, because an AI system must (i) "distort behaviour", and (ii) "cause" (iii) "significant harm". Similarly, Art. 5.1(c) social scoring (the classification of people based on their social behaviour or personality characteristics) only applies where the data is used out of context or people are treated in a "detrimental or unfavourable" manner, and even then not if the biometric dataset was "lawfully acquired" (which would doubtless be claimed to be the case with most declared uses).

Use for Art. 5.1(d) 'predictive policing' is permitted if it (i) "augments" (ii) "human assessment". Art. 5.1(e) "compiling facial recognition databases" is not prohibited if it is "targeted" (i.e. the result of personal surveillance -- Clarke 1988), or "untargeted" (i.e. mass surveillance) provided that it is from any source other than "the internet" (which is not a source but a means of communication with sources) or "CCTV footage". Art. 5.1(f) "inferring emotions" is permitted in most contexts, and even in "workplaces and educational institutions" if "for medical or safety reasons".

In Art. 5.1(g), the "biometric categorisation systems" prohibition only applies to a closed-ended list of what the High-Level Summary (EC 2024) calls 'inferred sensitive attributes', and an exemption is granted for the use of "lawfully acquired biometric datasets". In Art. 5.1(h), "'real-time' remote biometric identification (RBI) in publicly accessible spaces for the purposes of law enforcement" is not prohibited, but rather authorised, for a wide range of law enforcement activities, subject to some requirements in the 1,150 words of Arts. 5.1(h) and 5.2-5.7. In relation to "the processing of biometric data for purposes other than law enforcement", the GDPR Art.9 prohibitions remain in place.

In short, the prohibitions provisions embody a large array of loopholes, and determining thresholds for each criterion will be fraught, contested, take time, and even then remain uncertain. Legal advisors and consultants are obliged to draw opportunities to the attention of their clients, and to assist their clients in the event that they seek to escape the prohibition by utilising any of the exceptions. Neuwirth (2023), considering an early version of the AIA's prohibition provisions, drew attention to both their importance and the enormous challenges involved in defining boundaries and achieving desired regulatory effects. The Article came into effect on 2 February 2025. A very substantial guidance document was published 2 days later, still in draft (EC 2025a). This appears to generally confirm the impression of the exceptions having very broad scope (e.g. PW 2025). It is reasonable to expect that a great many activities will escape from Art.5, and that relatively few 'unacceptable risk' activities will be prevented.


3.2 The Regulation of High-Risk / Regulated AI Systems

Even if an AI system escapes prohibition, it may be a "High-Risk / Regulated AI System". This is also defined in terms of applications of "AI systems" rather than the characteristics of the artefact or the process or technique(s) used to achieve an output or outcome or the AI system's impacts. The included AI system applications fall under two headings [ PREPRINT ONLY: An adapted extract is in Appendix 2 ]:

  1. "[An AI system] intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I" and that "is required to undergo a third-party conformity assessment" under that legislation (Art.6-1). The 11 Regulations and 9 Directives listed in Annex I apply to many categories of artefacts (including machinery, toys, medical devices, appliances and various kinds of vehicles), which are by their nature capable of causing harm and hence subject to obligations relating to safety. It may be that the existing law already applies to AI-based safety components and especially AI-based safety products, and hence it appears that these provisions may be merely confirmatory of extant law;
  2. Eight categories of "areas [of application of] AI systems referred to in Annex III" (Art.6-2). [ PREPRINT ONLY: The 1,150 words of Annex III are paraphrased in Appendix 2. ] The following paragraphs discuss the many categories of exceptions, the combination of which creates enormous scope for apparently-regulated "High-Risk AI systems" to escape from the category entirely, or at least from any pre-deployment obligations.

Four generic exceptions are declared, in relation to "a narrow procedural task", "improv[ing] the result of a previously completed human activity", adjuncts to "a completed human assessment" and "[being] a preparatory task to an assessment" that is relevant to an Annex III use-case (Art.6.3).

In addition to the four generic exceptions, the eight categories defined in Annex III are subject to a dozen exceptions within their detailed descriptions. In some cases, closed-ended lists are used, which are likely to have the effect of excluding unmentioned sub-categories of applications, whether or not that was the intention, and whether or not the list is inconsistent with text elsewhere. Some forms of exception, such as "except when detecting financial fraud", create the possibility of 'laundering' systems by designing that feature in, and inter-twining its use with some other, at best distantly-related feature. Accidental exceptions may arise where a provision is very difficult to comprehend, such as that for 'predictive policing'.

There are four further, substantial and largely uncontrolled exceptions in the second bullet, supplemented by heavy qualification in the fourth bullet, whereby "providers" are authorised to self-assess whether any particular AI system is "high-risk", subject to the uncontrolled proviso "must document such an assessment before placing it on the market or putting it into service". See Art.43.2.

On the other hand, "an AI system referred to in Annex III shall always be considered to be high-risk where the AI system performs profiling of natural persons" (Art.6.3). For this purpose, "profiling" means "profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679", commonly known as the General Data Protection Regulation (GDPR) (Art.3(52)). The GDPR definition is (emphases added):

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

This corresponds to the preparation and use of a model (a 'digital persona') associated with a particular entity or identity (Clarke 1994, 2014):

[A digital persona] is a model of [a particular] individual's public personality based on data and maintained by transactions, and intended for use as a proxy for [that] individual

This is quite different from another longstanding use of the term 'profiling' to refer to the generation and use of an abstract model of the key characteristics of a category of identities, such as a 'drug-mule', or a student who would benefit from a particular form of intervention (Clarke 1993, emphasis added):

[Profiling is] a technique whereby a set of characteristics of a particular class of person is inferred from past experience, and data-holdings are then searched for individuals with a close fit to that set of characteristics

The unequivocal nature of the stipulation that 'all Annex III AI systems that perform profiling are High-Risk' is challenging to interpret. Of the eight categories in Annex III, only '2. Critical infrastructure AI systems' appear unlikely to perform profiling to 'evaluate aspects of a natural person'; whereas it appears that the other seven generally do so. The question arises as to whether the stipulation that they are automatically High-Risk overrides all, some, or even any, of the many exceptions built into the Annex III descriptions.

For those "AI systems" for which an escape-route does not exist, providers are subject to requirements defined in Arts.8-39, which amount to 12,000 words. AIA Chapter III (High-Risk AI Systems) Section 2 (Requirements for high-risk AI systems) is written in a manner that creates interpretation challenges from regulatory and compliance perspectives. It comprises eight Articles, commencing with an introduction (Art.8), followed by substantive requirements in relation to a Risk management system (Art.9), Data and data governance (Art.10), Technical documentation (Art.11), Record-keeping (Art.12), Transparency and provision of information to deployers (Art.13), Human oversight (Art.14), and Accuracy, robustness and cyber-security (Art.15). Art.8.1 declares that "High-risk AI systems shall comply with the requirements laid down in this Section", but the clause uses the passive voice, there appears to be no universal statement that all compliance responsibilities rest with providers, and there are only incidental mentions of "provider" in Arts. 9-10 and 13-15, and none at all in Arts.11 and 12.

To developers, providers, service-providers and deployers of such AI systems, it is something of a mystery as to whether any party has to actually do anything.

Art.13 re Transparency and provision of information to deployers is indicative of how what seem at first to be requirements melt away to nothingness. Providers of high-risk AI systems are nominally required to deliver 'transparency'. However, the relevant clauses are qualified out of existence by omitting any requirement of the AI system to explain the rationale underlying any inference it draws, decision it makes, or action it performs (emphases added):

3. The instructions for use shall contain at least the following information:

(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including: ...

(iv) where applicable, the technical capabilities and characteristics of the high-risk AI system to provide information that is relevant to explain its output; ...

(vii) where applicable, information to enable deployers to interpret the output of the high-risk AI system and use it appropriately

The associated Art.86 (Right to explanation of individual decision-making) similarly avoids delivering any such right. The active words are "the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken" (Art.86-1, emphases added). Neither the 'role' nor the 'main elements' represents an explanation of the rationale. Despite the emptiness of the requirement, the Article also incorporates a string of exceptions, some unclear and extensible.

The complete absence of a right of access to the underlying rationale is reaffirmed by the absence from the 1160 words of Art.26 (Obligations of deployers of high-risk AI systems) of any requirement to explain inferences, decisions and actions to individuals adversely affected by them. See also Varosanec (2022).

The Recitals contain fine words ("The deployer should also inform the natural persons about their right to an explanation provided under this Regulation" in Recital 93, and "Affected persons should have the right to obtain an explanation where a deployer's decision is based mainly upon the output from certain high-risk AI systems" in Recital 171, emphases added). As in many other places, the fine words in the Recitals are a facade, because they are not expressed and articulated in the statute itself.

The notion of accountability by regulatees for their behaviour is a fundamental element of any regulatory scheme. Accountability exists only if a set of requirements is satisfied (Clarke 2019a, pp.428-429, Novelli, Taddeo, et al. 2024). A reviewer of an inference drawn, a decision made or an action taken by an entity needs to be able to assess the reasonableness of the entity's behaviour. Where the behaviour is unreasonable, some form of corrective or compensatory measure is necessary. The reviewer needs to be able to audit the process used by the entity, whether through observation, replication, inspection of records, or demand for and consideration of testimony. At the heart of the review is the requirement that the reviewer have access to a humanly-understandable explanation of the rationale underlying the inference, decision or action.

If the inference, decision or action derives from a process that is obscure, or that cannot be assessed against criteria, or that depends on ephemeral data or data-states that cannot be rediscovered or regenerated, no rationale can be provided. In that case, the reviewer is left with the choice of relieving the entity of accountability, or applying the 'strict liability' principle and determining in the claimant's favour.

Various categories of AI systems, including those using generative AI and recent forms of data analytics, apply 'artificial neural network' or other techniques that are purely empirical, and whose behaviour cannot be usefully modelled by decision-trees, rules, or other expressions of rational processes. Moreover, many such AI systems continually adapt their internal data-states. Those ephemeral data-states are generally not capable of being reconstructed. For these multiple reasons, those categories of AI system cannot generate explanations, and hence are incompatible with the notion of accountability.

Despite some efforts invested into the idea of Explainable AI (XAI), it has produced little of value and remains aspirational. I contend that it is untenable for a society to abandon accountability principles merely because doing so serves the interests of providers of dangerous technology, no matter how beguiling the claims about its potential benefits.

Section 3 (Obligations of providers and deployers of high-risk AI systems and other parties) is, on the other hand, a little clearer. Art.16's title refers to "Obligations of providers". Providers have obligations under all of Arts.16-25. Deployers may have obligations arising from Art.20, and do in the case of Art.25 (where, rather confusingly, a deployer is "considered to be a 'provider'"), Art.26 (which is headed "Obligations of deployers of high-risk AI systems", but whose regulatory effect is unclear) and Art.27. There are also various procedural obligations under Articles 28-39. [ PREPRINT ONLY: Appendix 3 summarises the obligations arising from Arts.8-39. ]

The "High-Risk / Regulated AI Systems" provisions under Annex III come into effect on 2 August 2026, and those under Annex I on 2 August 2027. Longer deadlines are set for "AI systems that have been already placed on the market / put into service before the AI Act entered into force". The fog surrounding these provisions may be a little less thick by the time they come into force. Alternatively, they may be retracted, or further weakened.

Successive deferrals and adjustments have occurred. Industry lobbying resulted, in November 2025, in an EC Proposal for a further 65-page Regulation 2025/0359 (EC 2025e), which would "address several implementation challenges identified through consultations". See also EP (2025). In relation to high-risk AI systems, providers were to be permitted to process special categories of personal data for bias detection and correction, subject to some conditions, and the implementation timeline of data governance obligations for high-risk AI systems is to be further eased. A further Media Release in May 2026 referred to postponements to late 2027 and 2028, and to further exemptions (EC 2026b).


3.3 The Regulation of Limited-Risk AI Systems

Art.50 is headed "Transparency obligations for providers and deployers of certain AI systems" (emphasis added). The AIA uses the terms 'non-high risk' and 'not high-risk'. The high-level summary uses the term 'Limited-Risk AI Systems', and that is adopted here. There are five categories, expressed in four sub-paras. of Art.50. A careful analysis of these 'non-high risk' types of AI system is presented in Bygrave & Schmidt (2025, pp.2-11).

The first category is "AI systems intended to interact directly with natural persons" (Art.50-1). Examples used in the EC's high-level summary are "chatbots" and "deepfakes" (which is a pejorative term for synthetic media creations that are designed to appear real, do so, and are or may be intended to deceive observers into thinking they are real). However, the sole obligation arising is on "providers" of "AI systems intended to interact directly with natural persons", and the obligation is merely that "the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious ..." (emphases added). On the other hand, the high-level summary states that the obligation is intended to apply to "deployers": "developers and deployers must ensure that end-users are aware that they are interacting with AI (chatbots and deepfakes)" (EC 2024).

Even outside law enforcement, however, the 'obligations' fade away to nothingness. The assessment of the meaning of "AI system" in section 2.2 concluded that the term is not limited to any particular generation of development tool and requires no particular attributes of coding techniques or outcomes. Hence any computer-based system is "obviously" an 'AI system'. Notices such as 'You are using an AI system' are therefore redundant, and the provision can be safely ignored. The sole obligation relating to this category of 'limited risk' activity is valueless, purely nominal and, to sceptical observers, a sham.

In any case, Wachter argues (2024, p.683-684) that:

"Transparency alone is insufficient to address these issues ... given the well-established harms that such systems may cause. For example, in the past, chatbots have advised users to take their own lives, given dieting tips to people battling eating disorders, and produced reputation-damaging outputs (e.g., false sexual assault charges against innocent people)."

The second category is "AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content" (Art.50-2). However, the sole obligation is on "providers", to "ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated" (emphasis added). In addition, four exceptions exist. One is "an assistive function for standard editing", which appears to create an opportunity for avoidance that is very easily exploited. Another is "AI systems" "authorised by law to detect, prevent, investigate or prosecute criminal offences". Detection and prevention activities are not limited to law enforcement agencies, so this loophole is generally available.

The third category is "an emotion recognition system or a biometric categorisation system" (Art.50-3). The sole obligation in this case is on "deployers", to "inform the natural persons exposed thereto of the operation of the system". This is presumably a requirement to inform them that the system is in operation, rather than to inform them how it works. A (potentially large) exception exists for "AI systems used for biometric categorisation and emotion recognition, which are permitted by law to detect, prevent or investigate criminal offences". This appears to grant permission not only to law enforcement agencies, but to all organisations, at least in relation to the detection and prevention of crime. If so, the feature is not a protection, but rather an authorisation, and hence a substantial contribution to the burgeoning surveillance society (Clarke 2022).

The fourth category is "an AI system that generates or manipulates image, audio or video content constituting a deep fake" (Art.50-4). The obligation is again on "deployers", but only to "disclose that the content has been artificially generated or manipulated" (emphasis added). The raft of exceptions include where "authorised by law" as expressed in a preceding paragraph, where "the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme", and "where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content".

The fifth category is "an AI system that generates or manipulates text ..." (Art.50-4) for other than a law enforcement purpose, whose "deployers ... shall disclose that the text has been artificially generated or manipulated" (emphasis added). However, this does not apply if the system's output has "undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility". This exception, applicable to both the fourth and fifth categories, invites such organisations as may be nominally subject to the provision to circumvent it. In addition to all deployers being authorised to generate and manipulate text, if it is done, by any entity, for "a law enforcement process", the entity is absolved even of the minimalist transparency requirement.

The AIA envisages that the EC will "encourage and facilitate the drawing up of codes of conduct", in two cases "to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content" (Arts.50-7, 56), and in another case "including related governance mechanisms, intended to foster the voluntary application to AI systems, other than high-risk AI systems, of some or all of the requirements set out in Chapter III, Section 2" (Art.95). Because of the substantial absence of unavoidable obligations, the AIA represents no threat to organisations' use of AI systems, and hence creates no motivation to pay any more than lip-service to such codes of conduct, and no incentive to voluntarily implement safeguards. The self-regulatory aspect of the 'limited risk' regime appears to be even more vacuous than the rest of the provisions.


3.4 The Regulation of GPAI Models

During the 3-year period during which the AIA was negotiated through the EU's process-bound, administrative processes, and legislative structures, Generative AI (OICT 2023, WIPO 2024, Clarke 2025a) burst on the scene, being "adopted more rapidly than both [PCs and the Internet]" (Bick et al. 2024). The EC responded to this innovation by adding provisions relating to "General purpose AI (GPAI) systems" and "GPAI models".

Obligations similar to those for Limited-Risk AI Systems are imposed on providers of "general-purpose AI systems, generating synthetic audio, image, video or text content" (Art.50-2). The obligation is to "ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated" (emphasis added). Four exceptions exist, including "an assistive function for standard editing" (which appears to create an opportunity for avoidance), and "[AI systems] authorised by law to detect, prevent, investigate or prosecute criminal offences". It does not appear that any obligations are placed on "deployers" of "GPAI systems", nor on "end-users" of them.

Obligations are also placed on "GPAI model providers" generally, and to a lesser extent on their "authorised representative[s]" in the EU (Arts.53-54, Annexes XI-XIII), to:

These are not unduly onerous, and are in any case a cost of doing business. Some providers will presumably express the required documentation very carefully, so as to be seen to have achieved compliance while minimising the publication of information that may compromise what the provider perceives to be competitive advantage.

Entities that are "providers of GPAI models with systemic risks", as discussed in section 2.5, and as determined by the EC under Art.51, are subject to additional obligations (Art.55), to:

These are also, at least to some extent, appropriate business practices, and requirements of good organisational governance and of insurers. They are also for the most part internal matters subject to only limited external disclosure. Further, it is envisaged that compliance will be facilitated by Codes of Practice and in due course a European standard (Arts.55-2, 56), voted on by governments. On the other hand, Wachter (2024, p.690-691, 692) notes that

... standards bodies ... CEN and CENELEC do not have direct democratic legitimacy ... this lack of democratic legitimacy is even more worrying due to the far-reaching legal, ethical, political, and economic consequences of the widespread deployment of AI. Standards bodies will be tasked with creating frameworks that interpret the AIA

Providers are not only heavily involved in writing the harmonized standards to which they must adhere but also tasked with assessing whether they comply with those standards. This approach creates a major legal loophole

The GPAI models provisions came into effect on 2 August 2025. Longer deadlines are set for AI systems and GPAI models that have been already placed on the market / put into service before the AI Act entered into force. See also Art.113. On 18 July 2025, the Commission published a 36-page guidance document (EC 2025b). This was a mere 15 days before the provisions were due to come into force. This was followed in September 2025 by an FAQ page that attempted to clarify some of the murk (EC 2025e).

The AIA envisages that the EC will "encourage and facilitate the drawing up of codes of conduct, including related governance mechanisms, intended to foster the voluntary application to AI systems, other than high-risk AI systems, of some or all of the requirements", and para.2 envisages that these relate to "deployers" as well as "providers" (Art.95). The very large corporations that operate 'tech platforms' have been strenuously resisting governments' endeavours to impose formal regulation to protect the public (e.g. Kroet 2025). For deployers as for providers, the efficacy of these voluntary measures as a regulatory mechanism is in great doubt.


3.5 Enforcement Measures under the AIA

In Laux (2023), six principles for the design of oversight mechanisms for AI are proposed:

  1. Justification sufficient to deliver legitimacy,
  2. Periodical review of compliance,
  3. Collective decisions to address corruptibility of individuals,
  4. Distributed institutional competence / separation of powers,
  5. Justiciability and Accountability, and
  6. Transparency.

The governance structures and processes created by the AIA deliver on some of those principles, but fall seriously short on others, very importantly (5) Justiciability and Accountability, and (6) Transparency. As was noted in s.3.2 above, the AIA abandons accountability entirely, by denying individuals, and reviewers, a right of access to the rationale underlying inferences, decisions and actions that harm their interests. Transparent explanations are a fundamental requirement for accountability, and without them a court cannot determine the matter and hence the requirement for justiciability also fails.

The AIA's Enforcement, Remedies and Penalties (Arts.74-101) are complex, with provisions extending across about 9,000 words. Even positive reviews anticipate diversity and uncertainty among interpretations and implementations (e.g. Gstrein et al. 2024, pp.13-16). Generally, such enforcement powers as exist are to be the responsibility of each member-nation's 'market surveillance authority'. These powers are exercised primarily under an existing EU Regulation (EU 2019). The responsibilities in relation to some matters are exercised by "National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights" (Art.77). Arts. 85-86 also place some limited capability in the hands of beneficiaries of regulation (Wachter 2024, p.693).

The Article 86 right, however, is constructively misrepresented in the heading of the Article as "Right to explanation ...". It does not create a right to understand the rationale. The law merely creates "the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken" (emphases added). This limits the right to knowledge of where in the process AI was used, and the highlights (only) of what was done that harmed the victim's interests. There are many aspects of the claims in the Recitals that are not borne out by a careful reading of the Articles; but the misrepresentation of the effect of this Article is simply blatant.

In the specific case of GPAI models, providers are subject to some measures that are the responsibility of an EU-level AI Office (Art.65). The following statement about their "governance" appears in the high-level summary:

How will the AI Act be implemented?

This overlooks the roles to be played by many other actors, in particular the European Artificial Intelligence Board, at least one but probably multiple national regulatory agencies in every country, perhaps including both existing and new agencies, plus data protection agencies at both national and EU levels. Coordination and inter-operation may prove challenging. See in particular Recitals 156-179 and Articles 65-96.

The AI Office has been established, and by early 2026 had over 100 staff (EC 2026a). It appears that the Regulation and Compliance Unit may be swamped by the Office's many other functions, and no regulatory processes or actions were yet evident.

The argument is put by Wachter (2024, p.699, emphasis added) that:

Very limited obligations apply to providers and deployers of GPAI systems ... Governance of GPAI providers overwhelmingly and problematically relies on transparency mechanisms. While it is essential that providers of GPAI models and systems make certain information and documentation available, this is only the first step in adequate governance.

The outlines provided above have identified large numbers of weaknesses in the AIA's provisions, in the institutional arrangements, and in the enforceability of the various measures. The origins of some of these weaknesses arise from the EU's complex governance structures and processes, and the framing of AI regulation within the existing market supervision arrangements (Veale & Borgesius 2021, p.112, emphasis added):

... the Draft AI Act ... has severe weaknesses. It is stitched together from 1980s product safety regulation, fundamental rights protection, surveillance and consumer protection law ... these pieces and their interaction may leave the instrument making little sense and impact. The prohibitions range through the fantastical, the legitimising, and the ambiguous ... Counterintuitively, the Draft AI Act may contribute to deregulation more than it raises the regulatory bar.

The final version of AIA is of even less value than the earlier drafts would have been. Wachter (2024, p.672) argues that:

... the strong lobbying efforts of big tech companies and member states were unfortunately able to water down much of the AIA. An overreliance on self-regulation, self-certification, weak oversight and investigatory mechanisms, and far-reaching exceptions for both the public and private sectors are the product of this lobbying

Following industry lobbying, the limited protections afforded by AIA were further weakened in November 2025. The EC announced in the context of its 'Digital Omnibus on AI' that (1) high-risk AI systems providers will be permitted to process special categories of personal data for bias detection and correction, (2) the implementation timeline of data governance obligations for high-risk AI systems will be eased, (3) the obligation on providers and deployers of AI systems to ensure AI literacy of their staff will be withdrawn, and (4) providers and deployers will be offered "more flexibility in the post-market monitoring" (EC 2025e).

The remainder of this article reports on an evaluation of the several regulatory regimes established by the AIA, utilising the understanding of it outlined above. The following section first explains the framework used to conduct the evaluation.


4. The Evaluation Framework

The perspective that the author brings to this matter is that of an information systems professional and researcher much of whose consultancy career has had as its focus strategic and policy aspects of transformative and disruptive information technologies. This has involved assessment of regulatory regimes applicable to many technologies and their applications, as diverse as data matching, drones, wearable cameras, 'big data' analytics, and electronic markets of many kinds, including those delivered by tech platforms as diverse as Airbnb 'homestay' letting and Uber ride-sharing. From this work, conducted over a 30-year period, a framework has been progressively developed, which is consolidated in a companion paper, Clarke (2026). Table 2 provides an overview of the elements of the Regulatory Design and Evaluation Framework, supported by brief descriptions below.

Table 2: Overview of the Regulatory Design and Evaluation Framework

References in this Table are to the companion paper, Clarke (2026)

A regulatory regime can be applied to various categories of objects. In the case of the AIA, the primary focus is artefacts that embody what the AIA refers to as AI technology ("an AI system"), but the regulatory measures apply differentially depending on the particular purposes they are applied to and the risk-level to which the Act assigns them, and the obligations arising from the regulatory regime are assigned to particular enterprise-categories (primarily "providers", but to some extent also "deployers").

The purpose of the Framework is to support the evaluation of the efficacy of regulatory regimes generally. Statutory, code and/or case law is likely to at least influence the process of exercising control over behaviour, and in many cases there will be a substantial body of relevant formal law. The focus of the evaluation framework is not the law, however, but the efficacy of the regulatory regime as a whole, including, rather than specifically, the law. The term 'efficacy' is used as an overall term to encompass all of the desirable elements, including effectiveness, efficiency, flexibility and adaptability.

The mechanisms are ordered into a hierarchical model of seven layers, with formal law (featuring 'government' and 'compliance') making up the top two, self-regulation (using the catchwords 'governance', 'safeguards' and 'mitigation') the middle three, and systemic governance (comprising infrastructural and natural regulatory features) the foundational two. Three generic entities are distinguished: Regulators, Regulatees and Beneficiaries, with a more detailed model of the players involved presented in Clarke (2025b, Figure 3).

An Evaluation Template is provided, which reflects the set of 16 criteria in Clarke (2026, Table 2). The evaluation process involves assessing the particular regulatory regime's delivery against each of the criteria, assigning two scores: one a simple ternary indicator 'Yes, Some, No', and the other a subjective score on the scale 0-5 for 6 Process factors and 0-7 for 10 Product and Outcome factors, giving an overall score out of 100. Any endeavour to deliver an objective score would be, by its nature, futile. Rather, the contribution of the framework is to provide structure to the assessment of regime performance against defined criteria. Assessors can refine the analysis, or conduct their own evaluations against the criteria, or against an enhanced or alternative version of the criterion-set. The scoring process is a means of encouraging assessors to focus on the criteria and the extent to which the particular regime does and does not satisfy them, and then to generate an indicative, but inevitably contestable, overall score.


5. Conclusions from the Evaluation of the AIA Regulatory Regimes

An Annex to this article applies the Framework and scoring sheets to the AIA's several regulatory regimes. That evaluation reaches the following conclusions:

  1. The provisions relating to the first of the AIA regimes, concerned with Unacceptable Risk and hence "Prohibited AI Systems", would be reasonably expected to be the strongest of the AI regimes. Instead, the cluster of criteria associated with Process achieved the barest of Passes, and those associated with Product and Outcomes were each scored well below Pass-level. Even allowing for the assessment having been conducted as part of a critique, it is difficult to see how this could be regarded as an efficacious regulatory regime;
  2. The second of the AIA regimes is concerned with High-Risk / Regulated AI Systems. The many existing member-state regimes regulating safety products were not evaluated. The eight categories that are directly subject to the AIA fared even worse than the first regime. Process scored similarly, at a bare Pass, and Product and Outcomes yet lower, because of the wide array of designed-in loopholes, and the strong incentive to use them that arises from complex and in part incoherent expressions and the consequent high compliance costs and uncertainties. Of especial concern is the absence of any obligations on deployers of high-risk AI systems to provide explanations for inferences, decisions and actions unfavourable to people's interests, and of any obligations on providers to enable deployers to do so. Accordingly, the overall grade assigned was a Very Bad Fail;
  3. The third of the AIA regimes is concerned with Limited-Risk AI Systems. It imposes very limited, transparency-only obligations on providers and deployers of five categories of AI systems. All three clusters of criteria were scored at dismally low levels, giving an overall grade of a Very Low Fail. It is so inadequate that it can barely be regarded as a regulatory regime;
  4. The remaining 'catch-all' category is referred to as Minimal-Risk AI Systems. Because of the richness of exemptions and exceptions built into the Regulation, this will encompass the vast majority of applications. Most appear to be subject to no obligations at all, and the remainder have trivial transparency obligations, and without any safeguards, mitigation measures, enforcement, or avenues for recourse in the event of harm being done;
  5. The fourth AIA regime, concerned with GPAI models, is a very preliminary, 'watch and be prepared to act further' approach. It was found that it does not reach a sufficient level of meaningfulness to justify review as a regulatory regime.


6. Conclusions

The purpose of the work reported in this article was declared as examination of the AIA as the underpinnings of a regulatory regime, assessment of it by means of a separately-published framework for the evaluation of regulatory regimes, and the delivery of a comprehensive view of the AIA's efficacy. The particulars of the assessment are subject to a great many qualifications. I contend, however, that the method (developed over decades, applied many times, and published separately) provides a workable basis for assessment, and is sufficiently explicit to support critique, and to facilitate adaptation by others.

The literature evidences a wide range of views on the many facets of the EC's work. Seen through the lens of the selected evaluation framework, the rosiness pales, the uncertainties and ambiguities pile up, the obligations are exposed as being very limited, the avoidability of obligations through the exploitation of the vast numbers of exceptions becomes very apparent, and the credibility of claims of ease of understanding, application and compliance, and of enforceability, appears to be very low.

A cynical view would be that the EC's objectives of economic progress and the stimulation of innovation entirely dominate its concern for the interests of individuals. The 'Ethics Guidelines for Trustworthy AI' of its Expert Group (EC 2019) were seen as being inconsistent with economic progress. Rather than conducting a program to operationalise those Guidelines, a very different approach to design was adopted, with protections treated not as objectives but as undesirable constraints that required careful manipulation in order to become enablers. The EC was vindicated in that national governments demanded an even weaker scheme, and the European Parliament capitulated, and abandoned its attempts to strengthen the provisions, and that both the EC and the Parliament acceded to the demands of self-interested corporations active in the development and deployment of AI that innovation should not be fettered by protections for the interests of those negatively impacted by that innovation.

A key issue identified in this analysis is the need for individuals and organisations subject to it to be able to discover what provisions of the AIA apply to their work and to their products and services, to understand those provisions, and to relate them to the development and deployment of their products and services. The key terms used in the AIA, viz. 'AI System', 'GPAI', 'risk' and 'systemic risk', verge on incomprehensibility. The circumstances and nature of such obligations as the AIA imposes, and their allocation to actors in the value-chain, are also highly unclear. There is accordingly a very low likelihood of behavioural adjustments by developers and deployers that will deliver public protections.

A systematic literature review of business-oriented literature, reported in Vainionpoaa et al. (2023), identified many concerns about negative impacts of the AIA on innovation, summarised as being premature regulation, excessive scope, ambiguous expression, unclear requirements, incompatibility with existing regulatory regimes, and onerous compliance obligations. On the contrary, the findings of the analysis in the present paper suggest that compliance obligations will be readily avoided by the large majority of providers and deployers of AI systems. The negative impacts are far more likely to arise from time and effort expended in order to understand and exploit the loopholes, and from the failure of the EU and its member-nations to exercise control over harmful impacts, leading to public distrust, thereby creating the risk of public backlash, and of non-adoption and even abandonment of technologies which, with appropriate care, have benefits to offer.

The analysis presented above suggests that, contrary to the hopeful tone of many authors, the dysfunctionality of the AIA as a regulatory instrument is deeply embedded in terminology and definitions, and in structures, processes and convoluted expressions. Attempts to adapt individual elements of the regimes in order to deliver effective protections would be piecemeal and pointless. The more appropriate approach is to treat the AIA as a promotional tool for dangerous technologies, with bureaucratic camouflage obscuring its ineffectiveness.

A recent worldwide survey of AI sentiment concluded that "There is a strong public mandate for AI regulation, with 70% believing regulation is necessary. However, only 43% believe current laws are adequate. The analysis in this paper suggests that even such a high level of optimism was unwarranted. People expect international laws (76%), national government regulation (69%), and co-regulation with industry (71%)" (Gillespie et al. 2025, p.5). So the question needs to be addressed about what can be done about the situation.

An approach is available, whereby a far better balance between macro-economic and human interests could be achieved, and reasonable protections against harmful impacts and implications could be devised that constrain business and government only to the extent justifiable. By adopting this approach, the risks of non-adoption, backlash, luddite behaviour by disaffected publics, and negative return on AI investment could all be greatly reduced.

"Co-Regulation ... refers to a regulatory model in which [all] stakeholders have significant input to a set of requirements, and even draft them, but do so within a statutory context that exercises control over the process, and makes the requirements enforceable (Hepburn 2006). A useful term to distinguish such instruments from mere industry codes is 'Statutory Codes'. Elements [of] Formal Regulation are essential, to establish generic legal protections. ... Co-regulation can also be the most effective approach in dealing with the ravages of specific technologies, particularly during a technology's early years of dynamism and opacity" (Clarke 2021). A fuller description of co-regulation, in that case with its focus on Internet privacy, is in Clarke (1999). A specific proposal for a co-regulatory approach to AI is in Clarke (2019). See also Varosanec (2022).

The AIA embodies some of the trappings of a co-regulatory scheme, but falls far short of fulfilling the requirements expressed in Table 5 of Clarke (2026). In particular, the objectives have a strong focus on industry economics, with broader economic and social interests relegated to constraints; and the power-balance among participants in code processes is very heavily weighted in favour of providers, and of private and public sector user organisations.

It has been argued that an element of the co-regulatory approach is embedded in the AIA, in the form of codes of practice, and that it would be beneficial for that code mechanism to be further developed. In Bygrave & Schmidt (2025, p.1, pp.12-25), an important distinction is drawn between codes of practice under Arts. 56, plus 53-4 and 55, and (voluntary) codes of conduct under Art.95:

... codes of practice may be regarded as instruments of meta-regulation that are truly embedded in the Act, whereas codes of conduct are simply instruments for potential meta-regulation. As such, codes of practice will likely play a much more crucial role under the Act than will codes of conduct.

This author's contention in this article is, on the other hand, that the evidence demonstrates that the AIA cannot, and will not, deliver the necessary protections for human interests. The failure to address public expectations undermines achievement of the EC's declared objectives: The AIA cannot assure investors, business and government of public acceptance of AI systems. Commentary on the AIA needs to mature beyond the early excitement about the possibility of effective structures, processes, obligations, enforcement, and hence public confidence and successful AI investments. The AIA needs to be seen in the cold, hard light of day, and its inherent inadequacies and impending failure recognised and factored into discussions about a constructive way ahead.

A far more appropriate solution may be found by shifting the focus away from both AI in general and GPAI in particular. The AIA is premised on the assumption that the appropriate subject of the regulatory regime is a technology. Many have expressed serious doubts about the appropriateness of putting particular technologies at the heart of regulatory regimes, e.g. Bennett Moses (2017). Other categories of subjects include an industry-sector or -segment, a practice, an impact, an outcome and a profession (Clarke 2026). The AIA's definition, when stripped of unhelpful verbiage, has its focus on "a machine-based system that ... infers ... how to generate ... decisions that can influence physical or virtual environments". Bello Villarino et al. (2025) argue that the focus should be both narrowed and broadened to "[any] system that generate[s] decisions that can influence physical or virtual environments", or in those authors' terms, all automated decision-making systems.


Appendix 1: Unacceptable / Prohibited AI Systems Categories and Exemptions

Adapted extract from EC (2024), re Art.5, emphases added. See section 3.1 in this article

The following types of AI system are "Prohibited" according to the AI Act.

  1. deploying subliminal, manipulative, or deceptive techniques [a] to distort behaviour and [b] impair informed decision-making [and] [c] causing significant harm (Art.5.1(a))
  2. exploiting vulnerabilities [a] related to age, disability, or socio-economic circumstances [and] [b] to distort behaviour, [and] [c] causing significant harm (Art.5.1(b))
  3. biometric categorisation systems (Art.3(40)) [a] inferring sensitive attributes (race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation), except [b] labelling or filtering of lawfully acquired biometric datasets [and except] [c] when law enforcement categorises biometric data (Art.5.1(g))
  4. social scoring, i.e., evaluating or classifying individuals or groups [a] based on social behaviour or personal traits, [and] [b] causing detrimental or unfavourable treatment of those people (which appears to be a loose interpretation of Art.5.1(c))
  5. assessing the risk of an individual committing criminal offenses, i.e. predictive policing, [a] solely based on profiling or personality traits, except when [b] used to augment human assessments based on objective, verifiable facts directly linked to criminal activity (Art.5.1(d))
  6. compiling facial recognition databases [a] by untargeted scraping of facial images [and] [b] from the internet or CCTV footage (Art.5.1(e))
  7. inferring emotions [a] in workplaces or educational institutions, except for [b] medical or safety reasons (Art.5.1(f))
  8. 'real-time' remote biometric identification (RBI) (Art.3(42)) [a] in publicly accessible spaces [and] [b] for law enforcement (Art.5.1(h)):

Appendix 2: High-Risk / Regulated AI System Categories and Exemptions

Adapted extract from EC (2024), re Art.6, emphases added. See section 3.2 in this article

High risk AI systems are those:

There are 11 Regulations and 9 Directives relating to machinery, toys, lifts, medical devices, and artefacts used in transportation (Annex I).

The eight Use Cases are (Annex III):

  1. Non-banned biometrics: Remote biometric identification systems (Art.3(41)), excluding biometric verification that confirm a person is who they claim to be. Biometric categorisation systems inferring sensitive or protected attributes or characteristics. Emotion recognition systems (Art.3(38)).
  2. Critical infrastructure: Safety components in the management and operation of critical digital infrastructure, road traffic and the supply of water, gas, heating and electricity.
  3. Education and vocational training: AI systems determining access, admission or assignment to educational and vocational training institutions at all levels. Evaluating learning outcomes, including those used to steer the student's learning process. Assessing the appropriate level of education for an individual. Monitoring and detecting prohibited student behaviour during tests.
  4. Employment, workers management and access to self-employment: AI systems used for recruitment or selection, particularly targeted job ads, analysing and filtering applications, and evaluating candidates. Promotion and termination of contracts, allocating tasks based on personality traits or characteristics and behaviour, and monitoring and evaluating performance.
  5. Access to and enjoyment of essential public and private services: AI systems used by public authorities for assessing eligibility to benefits and services, including their allocation, reduction, revocation, or recovery. Evaluating creditworthiness, except when detecting financial fraud. Evaluating and classifying emergency calls, including dispatch prioritising of police, firefighters, medical aid and urgent patient triage services. Risk assessments and pricing in health and life insurance.
  6. Law enforcement: AI systems used to assess an individual's risk of becoming a crime victim. Polygraphs. Evaluating evidence reliability during criminal investigations or prosecutions. Assessing an individual's risk of offending or re-offending not solely based on profiling (Art.3(52): "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements") or assessing personality traits or past criminal behaviour. Profiling during criminal detections, investigations or prosecutions.
  7. Migration, asylum and border control management: Polygraphs. Assessments of irregular migration or health risks. Examination of applications for asylum, visa and residence permits, and associated complaints related to eligibility. Detecting, recognising or identifying individuals, except verifying travel documents.
  8. Administration of justice and democratic processes: AI systems used in researching and interpreting facts and applying the law to concrete facts or used in alternative dispute resolution. Influencing elections and referenda outcomes or voting behaviour, excluding outputs that do not directly interact with people, like tools used to organise, optimise and structure political campaigns.

Appendix 3: Requirements of Actors in Relation to High-Risk AI Systems

Adapted extracts from AIA Arts.8-27. See section 3.2 in this article

Requirements of Providers

Requirements of Multiple Actors


Reference List

AIA (2024) Regulation (EU) 2024/1689, European Union, August 2024, at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

Albus J.S. (1991) 'Outline for a theory of intelligence' IEEE Trans Syst, Man Cybern 21, 3 (1991) 473-509, at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.410.9719&rep=rep1&type=pdf

APA (2004) 'The Truth About Lie Detectors (aka Polygraph Tests)' American Psychological Association, August 2004, at https://www.apa.org/topics/cognitive-neuroscience/polygraph

Barkane I. (2022) 'Questioning the EU proposal for an Artificial Intelligence Act: The need for prohibitions and a stricter approach to biometric surveillance' Information Polity 27 (2022) 147-162, at https://journals.sagepub.com/doi/pdf/10.3233/IP-211524

Bello Villarino J.M., Weatherall K., Carney T., Sinclair A. & Wilcock S. (2025) 'Are We Regulating the Right Digital Systems? Testing Emerging Artificial Intelligence Frameworks Against Real-World Public Sector Systems' UNSW L J 48,4 (December 2025) 1165-1195, at https://www.unsw.edu.au/content/dam/pdfs/law/unsw-law-journal/2020-2029/2025/48(4)-article2-Bello-y-Villarino-et-al.pdf

Bennett Moses L.K. (2017) 'Regulating in the Face of Socio-Technical Change', in Brownsword R., Yeung K. & Scotford E. (eds.), Oxford Handbook of the Law and Regulation of Technology, Oxford University Press, at https://global.oup.com/academic/product/the-oxford-handbook-of-law-regulation-and-technology-9780199680832?cc=au&lang=en&#

Bick A., Blandin A. & Deming D.J. (2024) 'The Rapid Adoption of Generative AI' [US] National Bureau of Economic Research, Working Paper 32966, September 2024, at https://static1.squarespace.com/static/60832ecef615231cedd30911/t/66f0c3fbabdc0a173e1e697e/1727054844024/BBD_GenAI_NBER_Sept2024.pdf

Blauth T.F., Gstrein O.J. & Zwitter A. (2022) 'Artificial Intelligence Crime: An Overview of Malicious Use and Abuse of AI' IEEE Access 10 (2022) 77110-77122, at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9831441

Boden M. (2016) 'AI: Its Nature and Future' Oxford University Press, 2016

Bradford A. (2020) 'The Brussels Effect: How the European Union Rules the World' Oxford University Press, 2020

Bygrave L.A. & Schmidt R. (2025) 'Regulating Non-High-Risk AI Systems under the EU's Artificial Intelligence Act, with Special Focus on the Role of Soft Law' University of Oslo Faculty of Law Legal Studies Research Paper Series No. 2024-10, 29 January 2025, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4997886

Cancela-Outeda C. (2024) 'The EU's AI act: A framework for collaborative governance' Internet of Things 27 (October 2024) 101291, at https://www.investigo.biblioteca.uvigo.es/xmlui/bitstream/handle/11093/7442/2024_cancela_eu_ai.pdf

Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, PrePrint at http://rogerclarke.com/DV/CACM88.html

Clarke R. (1991) 'A Contingency Approach to the Application Software Generations' Database 22,3 (Summer 1991) 23-34, PrePrint at http://www.rogerclarke.com/SOS/SwareGenns.html

Clarke R. (1993) 'Profiling: A Hidden Challenge to the Regulation of Data Surveillance' Journal of Law and Information Science 4,2 (December 1993), PrePrint at http://rogerclarke.com/DV/PaperProfiling.html

Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994) 77-92, PrePrint at http://rogerclarke.com/DV/DigPersona.html

Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention' Commun. ACM 42, 2 (February 1999) 60-67, PrePrint at http://www.rogerclarke.com/DV/CACM99.html

Clarke R. (2014) 'Promise Unfulfilled: The Digital Persona Concept, Two Decades Later' Information Technology & People 27, 2 (Jun 2014) 182 - 207, PrePrint at http://rogerclarke.com/ID/DP12.html

Clarke R. (2015) 'The Prospects of Easier Security for SMEs and Consumers' Computer Law & Security Review 31, 4 (August 2015) 538-552, PrePrint at http://www.rogerclarke.com/EC/SSACS.html

Clarke R. (2019a) 'Why the World Wants Controls over Artificial Intelligence' Computer Law & Security Review 35, 4 (2019) 423-433, PrePrint at http://www.rogerclarke.com/EC/AII.html

Clarke R. (2019b) 'Regulatory Alternatives for AI' Computer Law & Security Review 35, 4 (2019) 398-409, PrePrint at http://www.rogerclarke.com/EC/AIR.html

Clarke R. (2021) 'A Comprehensive Framework for Regulatory Regimes as a Basis for Effective Privacy Protection' Proc. 14th Computers, Privacy and Data Protection Conference, Brussels, 27-29 January 2021, PrePrint at http://rogerclarke.com/DV/RMPP.html

Clarke R. (2022) 'Responsible Application of Artificial Intelligence to Surveillance: What Prospects?' Information Polity 27, 2 (Jun 2022) 175-191, PrePrint at http://rogerclarke.com/DV/AIP-S.html

Clarke R. (2023) 'The Re-Conception of AI: Beyond Artificial, and Beyond Intelligence' IEEE Transactions on Technology & Society 4,1 (March 2023) 24-33, PrePrint at http://rogerclarke.com/EC/AITS.html

Clarke R. (2025) 'Principles for the Responsible Application of Generative AI' Computer Law & Security Review 60 (April 2026) 106231, at http://rogerclarke.com/EC/RGAI-C.html

Clarke R. (2026) 'Regulatory Regimes for Disruptive IT: A Framework for Their Design and Evaluation' Computer Law & Security Review 60 (April 2026) 106231, PrePrint at http://rogerclarke.com/EC/FRR.html

CoE (2024) 'Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law' Council of Europe, 5 September 2024, at https://rm.coe.int/1680afae3c

Ebers M. (2024) 'Truly Risk-based Regulation of Artificial Intelligence: How to Implement the EU's AI Act' European Journal of Risk Regulation (November 2024) 1-20, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4870387

EC (2021) 'Proposal for a Regulation on a European approach for Artificial Intelligence' European Commission, 21 April 2021, at https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=75788

EC (2024) 'High-level summary of the AI Act' European Union, 27 February 2024, at https://artificialintelligenceact.eu/high-level-summary/

EC (2025a) 'Commission Guidelines on prohibited artificial intelligence practices established by Regulation (EU) 2024/1689 (AI Act)' European Commission, Draft of 4 February 2025, at https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act

EC (2025b) 'The General-Purpose AI Code of Practice' European Commission, 10 July 2025, at https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai

EC (2025c) 'Guidelines on the scope of the obligations for general-purpose AI models established by Regulation (EU) 2024/1689 (AI Act)' European Commission, Draft of 18 July 2025, at https://digital-strategy.ec.europa.eu/en/library/guidelines-scope-obligations-providers-general-purpose-ai-models-under-ai-act

EC (2025d) 'General-Purpose AI Models in the AI Act - Questions & Answers' European Commission, Brussels, 9 September 2025, at https://digital-strategy.ec.europa.eu/en/faqs/general-purpose-ai-models-ai-act-questions-answers

EC (2025e) 'Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI)' Draft Regulation 2025/0359, European Commission, Brussels, 19 November 2025, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52025PC0836

EC (2026a) 'European AI Office' European Commission, 14 January 2026, at https://digital-strategy.ec.europa.eu/en/policies/ai-office

EC (2026b) 'EU agrees to simplify AI rules to boost innovation and ban 'nudification' apps to protect citizens' European Commission, 7 May 2026, at https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1024

Edwards L. (2022) 'The EU AI Act: a summary of its significance and scope' Ada Lovelace Institute, April 2022, at https://www.adalovelaceinstitute.org/wp-content/uploads/2022/04/Expert-explainer-The-EU-AI-Act-11-April-2022.pdf

EP (2025) 'Legislative Train Schedule: Digital omnibus on AI' European Parliament, Brussels, 14 December 2025, at https://www.europarl.europa.eu/legislative-train/theme-a-new-plan-for-europe-s-sustainable-prosperity-and-competitiveness/file-digital-omnibus-on-ai

EU (2019) 'Regulation (EU) 2019/1020 on market surveillance and compliance of products' European Parliament and Council, 20 June 2019, at https://eur-lex.europa.eu/eli/reg/2019/1020/oj/eng

EU (2022) 'Directive 2022/2555 on Cybersecurity' European Parliament and Council, 14 December 2022, at https://eur-lex.europa.eu/eli/dir/2022/2555

Gillespie N., Lockey S., Ward T., Macdade A. & Hassed G. (2025) 'Trust, attitudes and use of artificial intelligence: A global study' The University of Melbourne and KPMG, 29 April 2025, DOI 10.26188/28822919, at https://kpmg.com/au/en/home/insights/2025/04/trust-in-ai-global-insights-2025.html

Greenleaf G. (2021) 'The 'Brussels effect' of the EU's 'AI Act' on data privacy outside Europe' Privacy Laws & Business 1 (2021) 3-7, at https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=3898904

Greenleaf G. (2024) 'EU AI Act: The second most important data privacy law' Privacy Laws & Business, June 2024, at https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=4913686

Gstrein O.J., Haleem N. & Zwitter A. (2024) 'General-purpose AI regulation and the European Union AI Act' Internet Policy Review 13,3 (2024) 1-26, at https://policyreview.info/pdf/policyreview-2024-3-1790.pdf

Hepburn G. (2006) 'Alternatives To Traditional Regulation' OECD Regulatory Policy Division, undated, apparently of 2006, at http://www.oecd.org/gov/regulatory-policy/42245468.pdf

Karanikolas N., Manga E., Samaridi N., Tousidou E. & Vassilakopoulos N. (2023) 'Large Language Models versus Natural Language Understanding and Generation' Proc. PCI, 24-26 November 2023, Lamia, Greece, pp.278-290, at https://dl.acm.org/doi/pdf/10.1145/3635059.3635104

Kroet C. (2025) 'Meta rebuffs EU's AI Code of Practice' Euro News, 18 July 2025, at https://www.euronews.com/next/2025/07/18/meta-rebuffs-eus-ai-code-of-practice

Land F. (2012) 'Remembering LEO' in A. Tatnall (ed.) 'Reflections on the History of Computing: Preserving Memories and Sharing Stories', AICT-387, Springer, 2012, pp.22-42, at https://inria.hal.science/hal-01526811/document

Laux J. (2023) 'Institutionalised distrust and human oversight of artificial intelligence: towards a democratic design of AI governance under the European Union AI Act' AI & Society 39 (2024) 2853-2866, at https://link.springer.com/content/pdf/10.1007/s00146-023-01777-z.pdf

Lieto A. & Radicioni D.P. (2016) 'From Human to Artificial Cognition and Back: New Perspectives on Cognitively Inspired AI Systems' Cognitive Systems Research 39 (September 2016) 1-3, at https://philpapers.org/archive/LIEFHT.pdf

McCarthy J. (2007) 'What is artificial intelligence?' Department of Computer Science, Stanford University, 2007, at http://www-formal.stanford.edu/jmc/whatisai/node1.html

McCarthy J., Minsky M.L., Rochester N. & Shannon C.E. (1955) 'A Proposal for the Dartmouth Summer Research Project on Artificial Intelligence' Reprinted in AI Magazine 27, 4 (2006), at https://www.aaai.org/ojs/index.php/aimagazine/article/viewFile/1904/1802

Neuwirth R. J. (2023) 'Prohibited artificial intelligence practices in the proposed EU artificial intelligence act (AIA)' Computer Law & Security Review 48 (2023) 105798

NIST (2025) 'NIST Glossary' Computer Security Resource Center, National Institute of Standards and Technology, accessed 25 March 2025, at https://csrc.nist.gov/glossary/term/risk

Novelli C., Casolari F., Rotolo A., Taddeo M. & Floridi L. (2024) 'AI Risk Assessment: A Scenario-Based, Proportional Methodology for the AI Act' Digital Society 3,13 (2024) 1-29, at https://link.springer.com/content/pdf/10.1007/s44206-024-00095-1.pdf

Novelli C., Taddeo M. & Floridi L. (2024) 'Accountability in artificial intelligence: what it is and how it works' AI & Society 39 (2024) 1871-1882, at https://link.springer.com/content/pdf/10.1007/s00146-023-01635-y.pdf

OECD (2024) 'OECD Explanatory Memorandum on the Updated OECD Definition of an AI System' OECD Artificial Intelligence Paper No.8, Organization for Economic Cooperation and Development, March 2024, at https://www.oecd.org/content/dam/oecd/en/publications/reports/2024/03/explanatory-memorandum-on-the-updated-oecd-definition-of-an-ai-system_3c815e51/623da898-en.pdf

OICT (2023) 'Generative AI Primer' UN Office of Information and Communications Technology, 29 Aug 2023, at https://unite.un.org/sites/unite.un.org/files/generative_ai_primer.pdf

PW (2025) 'European Commission Publishes Guidance on Prohibited AI Practices Under the EU AI Act' Paul, Weiss, 25 February 2025, at https://www.paulweiss.com/practices/litigation/artificial-intelligence/publications/european-commission-publishes-guidance-on-prohibited-ai-practices-under-the-eu-ai-act?id=56629

Russell S.J. & Norvig P. (2003) 'Artificial intelligence: a modern approach' 2nd edition, Prentice Hall, 2003, 3rd ed. 2009, 4th ed. 2020

Vainionpaa F., Vayrynen K., Lanamaki A. & Bhandari A. (2023) 'A Review of Challenges and Critiques of the European Artificial Intelligence Act (AIA)' Proc. Int'l Conf. Infor. Syst., 2023, 14, at https://oulurepo.oulu.fi/bitstream/handle/10024/47651/nbnfioulu-202402061598.pdf

Varosanec I. (2022) 'On the path to the future: mapping the notion of transparency in the EU regulatory framework for AI' International Review of Law, Computers and Technology 36,2 (2022) 95-117, at https://www.tandfonline.com/doi/pdf/10.1080/13600869.2022.2060471

Veale M. & Borgesius F.Z. (2021) 'Demystifying the Draft EU Artificial Intelligence Act' Computer Law Review International 22,4 (2021) 97-112, at https://arxiv.org/pdf/2107.03721

Wachter S. (2024) 'Limitations and Loopholes in the EU AI Act and AI Liability Directives: What This Means for the European Union, the United States, and Beyond' Yale Journal of Law & Technology 26,3 (2024) 671-718, at https://yjolt.org/sites/default/files/wachter_26yalejltech671.pdf

WIPO (2024) 'Patent Landscape Report: Generative Artificial Intelligence' World Intellectual Property Organization, 2024, at https://www.wipo.int/web-publications/patent-landscape-report-generative-artificial-intelligence-genai/en/index.html

Woersdoerfer M. (2024) 'Mitigating the adverse effects of AI with the European Union's artificial intelligence act: Hype or hope?' Global Business and Organizational Excellence 43,3 (January 2024) 106-126, at https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=4630087


Acknowledgements

The analysis and arguments in this article have benefited greatly from feedback received from colleagues, and from the helpful comments of the reviewers and editor.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professorial Fellow associated with UNSW Law & Justice, and a Visiting Professor in Computing in the College of Systems & Society at the Australian National University.



Created: 24 March 2025 - Last Amended: 10 May 2026 by Roger Clarke