Let Europeans use AI
AI progress is fast. This makes the EU’s high-risk AI rules unworkable.
Imagine you’re in the spring of 2028. Over the weekend, a math teacher built a simple tool for his students: at the end of each week, they fill out a quiz measuring their understanding of that week’s material. They then receive automatically generated homework fitting their skill level.
Such a tool can be built today—I created a version of it in 20 minutes. To deploy it in Europe, I would first need to work through a thick layer of regulation. As per the AI Act, Annex III, point 3b, such a system would soon1 be considered “high-risk” because it is
“intended to be used to evaluate learning outcomes, including when those outcomes are used to steer the learning process of natural persons in educational [...] institutions [...]”
What obligations would I face? First I’d need to review guidance documents to understand if the system is high-risk (Article 6). If it is, I’d need to create a risk management system (Article 9), implement data governance measures (Article 10), list the system on an EU database (Article 49), and—if I teach at a public school—provide a fundamental rights impact assessment (Article 27). There are further obligations not listed here.
Now, the AI Act contains various exceptions and qualifications (though I doubt they apply, see footnote2). But the process of understanding if something is considered high-risk or not already creates large amounts of work and, depending on how you decide, legal risk.
Given the state of AI today, these rules are already unworkable. Tasks that can take humans hours, take AI a few minutes. Building something far more advanced than the math tool, it took a Polish doctor only one week to create an AI platform that helps patients navigate their condition after leaving the hospital. This too, might be considered high-risk3. The rules’ effects will become worse as AI improves further. As per research by METR, the complexity of tasks that AI can accomplish is rising rapidly, and both AI company CEOs and forecasters are predicting human-level AI systems to come online in only a few years.
Predicting all the future use cases for AI is a hopeless task—it is a bit like asking someone to predict how electricity might be used in 1882, the year when Edison built Pearl Street Station, the world’s first power plant. But this also makes highly detailed, use-case based AI regulation untenable. Once AI is fully integrated into most people’s everyday lives across the entirety of Europe, the AI Act’s high-risk regulations might get triggered thousands of times each week.
The European Union is currently debating how to change the AI Act, as part of a larger simplification law, the “EU Digital Omnibus”. Looking at the Commission’s proposal for how to amend the AI Act, it contains some obvious improvements: In the original law, Article 6(4) would have required individuals to document why they considered a tool non high-risk and register it on an EU database. However, neither of the high-risk categories (Chapter III, Sections 1–2), nor the actual obligations (Articles 9–15) are simplified or removed.
The economics of EU digital regulation
An obvious rejoinder to the above might be that most individuals and many companies who accidentally use AI for “high-risk” use cases will not know about the AI Act (even though they might face fines). At the same time, the member states tasked with enforcing the AI Act’s high-risk regulations might not have the capacity to track and fine each breach of the law.
This points to a more general rule about regulations: they rarely get enforced. Instead they often end up hitting companies that do not generate much sympathy anyway, from American tech firms that provide much of our digital services, to Chinese e-commerce companies that threaten European retailers. Based on the political economy of the day, rules are used selectively.
I’m not particularly sympathetic to Chinese e-commerce firms. But while European companies might not always be affected by EU regulation, the risk of a multi-million or billion Euro fine is still looming in the background. This depresses investment and economic activity. After GDPR passed, the Economist mostly deemed it a fine law, but US investment into EU ventures then dropped substantially, while no such drop was observed for US ventures. Existing businesses too were harmed by the law: for GDPR, compliance costs were substantial, ranging from $1.7 million for SMEs up to $70 million for large companies. Seeing similar costs for the AI Act is plausible.
Europe could grow by applying AI
Many Europeans are already using AI enthusiastically, with many of them using AI about as much as Americans. Company adoption has been slower, for which there are many different reasons4. The high-risk regulations will further hinder adoption.
Realizing the bureaucratic burden their citizens and companies will soon face, governments like Germany or Denmark are lobbying the Commission to simplify the AI Act’s high-risk regulations. Germany’s new Minister for Digital Affairs, Karsten Wildberger5, has asked to delay the most onerous high-risk regulations. Friedrich Merz talks about reducing EU regulatory burdens all the time. But the same Commission which is taking the lead on amending the AI Act has come up with all these rules in the first place. The Commission’s incentives run against its taking ambitious actions to reduce regulatory overhead.
If you review the commission’s most recent simplification draft, it makes no changes on which use cases are considered high-risk, or on the specific obligations those use cases face. The member states themselves aren’t doing much better—the European Council plans to reinstate Article 6(4) (the requirement for individuals and companies to register systems they considered not being high risk).
The European Union’s inaction should concern those who want a stronger Europe, but also everyone who likes the AI Act’s sensible parts. Its rules for “general-purpose AI systems with systemic risks” are worth preserving: they apply only to the most powerful systems and try to reduce CBRN, cyber, and loss of control risks. Taking the positive potential of AI seriously should both make one wary of the Act’s high-risk rules and favor its measures on preventing worst-case risks. But, if European nations can’t apply AI in the first place, they will continue to fall behind other countries, some of which are adversaries. Frustration with regulations like the AI Act will only grow, making it more likely that both its worst and best parts will be cut.
The AI Act’s high-risk regulations sit at an awkward place in the discourse. AI safety advocates don’t talk about their harm, as they possibly fear any change to them will also introduce changes to GPAI rules. Traditional industry groups dislike them somewhat, but their opposition isn’t strong enough, both because they do not yet grasp the profound economic impact AI might soon have, and because some of them worked to have their sectors not be considered high-risk. The Commission drafted the original AI Act and its recent draft amendment, putting them at an advantage in understanding the law’s complicated rules vis-a-vis the EU Parliament and the Council.
The potential damage of fumbling AI adoption from the very beginning should focus people’s minds. Instead of covering all of Europe with fuzzy, hard-to-understand rules, it seems much more straightforward for European governments and their citizens to experiment with AI, observe the effects, and then, if need be, intervene at a national level in cases where the harms outweigh the benefits. Experimentation across Europe will also make it more obvious which rules are sensible, and which aren’t, whereas decreeing the same guidelines across the continent will only allow us to compare ourselves with the United States or China. Prior European rules have already reduced innovation and growth across most of Europe, which we were only able to realize after years and years of lower rates of innovation compared to less regulated, faster-growing countries like the United States or Switzerland.
I believe that both those in favor of making the AI transition go well, and those in favor of European growth (and the many people who hold both priorities) could help reduce the harm of the AI Act’s high-risk regulations. The many groups that advocate for keeping GPAI should keep doing so, but they can increase their credibility with non-safety actors by advocating for easing and removing the AI Act’s many other unworkable sections. Meanwhile, the growing ranks of those who want to see Europe prosper should simply put more focus on the AI Act’s worst components. AI could be crucial for advancing European growth and security. Squandering this opportunity from the start would be a painful oversight.
The regulations come online on August 2nd 2026, though this date might change based on ongoing negotiations.
Does the AI Act even apply here? I’m not a lawyer, so take this with low confidence. Aside from the use case areas that deem something high-risk vs not, there are further rules on what is in scope vs. not. For its scope, the tool isn’t placed on the market, because the teacher isn’t making it available in the course of a commercial activity (Article 3(9)–(10)). However, the teacher is “putting into service” an AI system (Article 3(11)), which brings it into scope (Article 2(1)). None of the exemptions help our teacher: the tool isn’t for research (Article 2(6)) or pre-market testing (Article 2(8)). The teacher is using it at work, so it’s not for use as a “purely personal non-professional activity” (Article 2(10)). I hope this footnote makes it clear that the AI Act creates massive amounts of legal uncertainty about the legality of a large number of AI applications.
What other use cases might soon fall under the AI Act’s high-risk obligations? Maybe an electrician with a small team wants to build an AI tool that suggests which employee to allocate to which service calls, based on employees’ availability and skills. That’s high-risk as per Annex III, 4b. Or, a small water utility develops a system that tracks pipe pressure and predicts future water usage, adjusting valve settings to prevent pipe bursts—high-risk as per Annex III, 2.
A former CEO who wears an Oura ring and listens to Lex Fridman’s podcast. Not yet Dwarkesh, but pretty good for a German minister. His full title is “Bundesminister für Digitales und Staatsmodernisierung”.
The high risk categories read like a list of successful lobbying groups to me, each of which managed to get AI effectively outlawed for their domain (thus protecting their jobs for some time).
I this assume changing them would entail fighting with the same lobbying groups which put them there in the first place.
(Small note: wouldn't your tool, at least as presented, fall outside of the AI act since it was created with AI -though deniably- but doesn't actively use any AI in it's operation?)
____On the risk of downplaying the example you listed:____
I think what’s missing is an alternative. We shouldn’t copy the classic American way of waiting till the harms and externalities play out until something is done. I think it’s foolish to “just let tech work it out.” You present your teaching tool as a benign example, but I think it’s anything but. I could be missing something but i don’t think it precludes you using your invention yourself or for your children, but the risks associated with using it at scale and thereby shifting the way children interact with education and the world around them does merit careful consideration. if you are unsure of those risks, I have a quick 7-10min video by a software developer who has been working in the area since the 80s-he explained it really well.
____Clarifying the issue at hand:____
what is also not clear is how burdensome following the articles you stated are. it could be that its work but its simple, or it could be a mountain of documents. like i think each of the individual steps are actually reasonable and people should follow them, but maybe it is more complicated than appears at face values, and could be implemented in a way that is over engineered.
____On how iterative governance trumps no governance:____
you astutely point out how technology changes and regulation can’t foresee the future and then, in the blog post, point out how that the EU is already looking to update the regulation. I think you are actually highlighting what the EU is doing right, approaching governance as an iterative process adapting to the moment. We should be starting with something, and going from there. laws and regulations should be living breathing documents, not a task to complete and never revisit again. Now, is the EU prices perfect, likely not, but as i read it these are good indications.
____On AI risks:____
I also think that there the post points out how we can’t predict AI in the future, but when mentioning risks it only mentions CBRN, cyber, and loss of control. Of these 3, only 1 (cyber) is here and now. The others are predictions not yet realized. The risks not mentioned that are here and now, are AIs ability to amplify mis and dis information that can divide and degrade society, the use of AI for coercion, the use of AI for generating CSAM, other human rights violations, impacts on development and learning, impacts on the workforce, ability to inform and enable self harm, ability to inform and enable harm to others (e.g. school shootings), etc. The CBRN risk is largely fantastical, uncharacterized, and largely rooted in information leaks from classified to unclassified spheres that could be rooted out pre-training or via post-training methods.