Imagine serving a 5 year prison sentence because your recursive function had over 42 recursions. Sounds ridiculous, right? But it’s not too far from what is currently happening the EU AI Act, the European Unions latest regulation on programming computer software. In an attempt to regulate rising challenges with “Artificial Intelligence”, the EU created a monstrosity that regulates all algorithms, all software, and all programming of such.
Disclaimer: The two fruit slop images in this article were generated with AI, everything else is personally handwritten. I mark AI generated contents, because my readers demand and deserve it, not because the government asked me to. AI slop can be fun, but only if you get to decide to intentionally consume it. Slop should never be promoted, declared or labelled as human work.
Imprisonment for writing a fruit slop app? Luckily that’s just fearmongering (This image is AI generated)
Good government regulation is Clear and Predictable, Outcome-Oriented as well as Enforceable and Practical. If you drive on the motorway and your speed over ground exceeds the displayed speed limit, you’ll face a traffic fine. If you fly your aircraft below minimum altitude, you risk a fine and may even lose your pilot license. Vehicle traffic and aviation regulations are clear, predictable, outcome-oriented, practical and enforceable. You and me, the people, know exactly when we cross the red line into illegal territory. The EU AI Act is the exact opposite of that.
What even is an AI system?
The EU AI Act defines what types of so called “AI systems” are illegal, and what applications of such systems are illegal. It further defines obligations for a variety of such systems. Article 3 of the EU AI Act defines what an “AI system” actually is, and it’s got very little do to with what you think it is.
(1) ‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments; (No 1, Article 3, EU AI Act)
You may now ask “What the heck is even that?”. But fear not, the EU Commission has got you covered in their Commission Guidelines on the definition of an artificial intelligence system established by Regulation (EU) 2024/1689 (AI Act).
The term ‘machine-based’ refers to the fact that AI systems are developed with and run on machines. The term ‘machine’ can be understood to include both the hardware and software components that enable the AI system to function. The hardware components refer to the physical elements of the machine, such as processing units, memory, storage devices, networking units, and input/output interfaces, which provide the infrastructure for computation. The software components encompass computer code, instructions, programs, operating systems, and applications that handle how the hardware processes data and performs tasks. (№ 11, Chapter 1, “Machine-based system”)
The definition of machine-based is essentially referring to any computer software that you and I program every day. But just being machine-based is not sufficient, your software also needs to be “designed to operate with varying levels of autonomy”. Isn’t every software designed to operate with varying levels of autonomy?
Central to the concept of autonomy is ‘human involvement’ and ‘human intervention’ and thus human-machine interaction. At one extreme of possible human-machine interaction are systems which are designed to perform all tasks though manually operated functions. At the other extreme are systems that are capable to operate without any human involvement or intervention, i.e. fully autonomously. (№ 16, Chapter 2, “Autonomy”)
At this point, your random number generating systemd service, available through a Restful API, is an “AI system”. But, we still got the “Adaptiveness” criteria to differentiate AI system from any other “autonomous machine-based system”. The EU Commission clearly clarifies what I means by the term “Adaptiveness” in the EU AI Act.
The third element of the definition in Article 3(1) AI Act is that the system ‘ may exhibit adaptiveness after deployment’. The concepts of autonomy and adaptiveness are two distinct but closely related concepts. They are often discussed together but they represent different dimensions of an AI system’s functionality. Recital 12 AI Act clarifies that ‘adaptiveness’ refers to self-learning capabilities, allowing the behaviour of the system to change while in use. The new behaviour of the adapted system may produce different results from the previous system for the same inputs (№ 22, Chapter 3, “Adaptiveness”)
Adaptiveness means that it allows the system to change its behaviour while in use. I’m pretty sure every programmer has experienced software that changed its behaviour while in use. What else would we need a debugger for? However, the details of adaptiveness don’t even matter since the small word “ may ” is included in the requirement of “Adaptiveness”.
The use of the term ‘ may ’ in relation to this element of the definition indicates that a system may, but does not necessarily have to, possess adaptiveness or self-learning capabilities after deployment to constitute an AI system. Accordingly, a system’s ability to automatically learn, discover new patterns, or identify relationships in the data beyond what it was initially trained on is a facultative and thus not a decisive condition for determining whether the system qualifies as an AI system. (№ 23, Chapter 3, “Adaptiveness”)
With “varying levels of autonomy” and optional “adaptiveness”, we’re essentially left with a regulation that basically applies to any “machine-based system”. Yes, you read that right. An AI system, by the very definition of the EU Commission, is any piece of software running on a machine, and maybe even your FPGA. By definition, the EU AI Act does not just apply to Large Language Models, Neural Networks or Stable Diffussion, but to any piece of software that is currently out there.
Such a broad definition makes the EU AI Act the world’s first broad regulation on computer programming. Telling you what you are allowed to program, how to document, and how your program is allowed to be used.
/* The world's smallest "AI system" */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h> // Using sleep() to run "autonomously"
int main() {
// Randomizer to give it some "Adaptiveness"
srand(time(NULL));
// Run indefinitely: AI systems don't need human interaction
while (1) {
// To be an "AI system", we need to change over time
time_t t = time(NULL);
struct tm *tm_info = localtime(&t);
/* We "achieve" adaptiveness by showing "Ahoi World"
only after the year 2042 is passed. Remember: by
the definition of the EU AI Act, this wouldn't even
be necessary, but we want to be on the safe side. */
// tm_year represents years since 1900
int current_year = tm_info->tm_year + 1900;
// Determine the number of valid options
// 3 options if year <= 2042, 4 options if year > 2042
int num_options = (current_year > 2042) ? 4 : 3;
// Generate a random index based on the available options
int choice = rand() % num_options;
// Print the corresponding greeting
switch (choice) {
case 0:
printf("Hi World\n");
break;
case 1:
printf("Hello World\n");
break;
case 2:
printf("Hey World\n");
break;
case 3:
printf("Ahoi World\n");
break;
}
// Flush the output buffer to ensure
// it prints immediately on the screen
fflush(stdout);
// Pause for 3600 seconds (1 hour)
// because this code is so agentic
sleep(3600);
}
return 0;
}
The above code is machine-based, it runs autonomously without any human interaction, and it shows a change in behaviour over time. And the best part of it? It runs on any computer, even early PCs from the 1980s.
What you’re not allowed to program
Let’s see what algorithms and software these inventive masterminds in Brussels have left for us to create. The EU AI Act categorizes our creations, and thus our work, into 4 different categories: Minimal Risk, Limited Risk, High Risk and Unacceptable Risk.
Unacceptable Risk — Forbidden!
The EU lists a number of unacceptable risk categories of AI systems. If your software falls into this category, it’s illegal to commercialize and deploy. You can still write it, build it and run it in your lab, as long as you don’t “deploy” it. Deployment means you don’t unleash it to the public, which can be the Internet or the real world.
Article 5, with the title “Prohibited AI Practices”, describes what you are not allowed to program. It goes into very lengthy restrictions of the detection of emotions using biometric data or what isn’t allowed in the context of law enforcement, or prediction of the probability of criminal behaviour.
Article 5 (1)(a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision, thereby causing them to take a decision that they would not have otherwise taken in a manner that causes or is reasonably likely to cause that person, another person or group of persons significant harm; (№ 1a, Article 5)
Article 5 (1)(a) bans any software that coerces you into causing significant harm to yourself or anyone else. Harm can be physical, psychological, financial, or economic. Psychological harm can be mental suffering or anxiety through acoutistic or visual mood manipulation. One could argue that the Angry German Kid, if it weren’t a parody, went through severe suffering. Unreal Tournament, being the root cause of the psychological suffering of that kid, is likely considered to be an “AI system”.
Whether or not violent games will be banned is to be decided by the European AI Office and its 125 employees. Lucilla Sioli, an economics PhD graduate from Southampton with 24 years of experience in the European Commission, is currently the director of the European AI office. It’ll be up to her, her team and the respective local authorities to define if an “AI system” is prohibited or not.
(b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation, with the objective, or the effect, of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is reasonably likely to cause that person or another person significant harm; (№ 1b, Article 5)
Let’s do a quick reality check here on how that usually works in the EU. The decision on whether your app gets banned or not isn’t done by a group of experts, but by bureaucrats in a back room. You won’t receive a formal letter asking you to make adjustments. Not even Apple received that, because Brussels isn’t even capable of it.
They’ll simply demand your distributors like Steam, the App Store and the Play Store to take down your app immediately or face million dollar fines. They’ll comply, and chances are you won’t even be told about it at all. One morning, your app will just be vanished from the stores without any warning or explanation. We have countless examples of European authorities unlawfully demanding content removal, with Elon Musk’s claims being just one example.
Once removed, the probability of your app to ever resurface will be near zero. The legal proceedings against the EU AI Office’s and local regulator’s will cost anyone north of $250,000, and likely take years to finish after a ping pong between your local administrative court and the General Court of the European Union in Luxembourg.
High Risk
A high risk “AI system” is any software that is part of the security or safety of a product, uses biometric data, is part of critical infrastructure, part of assessment in the educational system, used in the context of employee management (HR), used for public services, law enforcement, migration, asylum seekers, border protection, the legal system, or “democratic processes” such as elections.
Understandibly, you wouldn’t want your voting machines or the counting to be done by an incapable machine learning model or LLM, but does that really require regulation? The AI Act doesn’t even prohibit it, as long as you do the paperwork.
Process for High Risk AI systems as described by the German Bundesnetzagentur
Anyone who distributes or operates such as software needs to have Risk Management (Article 9), Data Governance (Article 10), Technical Documentation (Article 11), Automatic Logging (Article 12), Transparency and Instructors for Use (Article 13), Human Oversight (Article 14), Robustness, Accuracy, and Cybersecurity (Article 15). In addition to that, the providers, you the developer, must have a Quality Management System (Article 17), undergo a formal Conformity Assessment, and register the app in the EU’s database of high risk AI systems.
At the time of writing, said EU database for High Risk AI systems was not yet operational. It’s scheduled to be launched on December 2nd, 2027. If you’ve written an HR software that qualifies applicants based on their submitted data, you have to register right now. It’s likely that the local authorities will keep it in an Excel sheet or a physical folder until the database in Brussels becomes operational.
General-Purpose AI Models
Besides the risk categories, the EU has decided that there’s a separate “General Purpose” category. Your model is general purpose if your training exceeded 10²⁵ floating point operations (FLOPs). That’s a number with 25 zeros. Alternatively, the “ scientific panel ” or the EU Comission itself can define your software or model as General-Purpose AI. Annex 13 of the EU AI Act defines some criteria to be used for that.
segformer_b3_clothes; a General-Purpose model to detect human body parts?
If a panel, bureaucrat or whoever decides that your software is a General Purpose AI model, then you’ll have to write dozens of pages of forms, documentation, usage instruction, and a policy to comply with copyright under Article 4(3) of Directive (EU) 2019/790. The minimum documentation requirements for General Purpose AI models can be found in Annex 12 of the EU AI Act. Uploading your model to a new site? You better be documenting that, as required by the law.
(d) draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. (№ 1d, Article 53)
The form template, provided by the EU AI Office, requires you to explain all your training data, its sources, when you crawled the data, or from whom you obtained it, how long the training took, how many operations it used and whatnot. Good luck doing that for your small CreateML model that took an hour to train on your MacBook.
The EU’s form template for General-Purpose AI models
Reality check: How likely is it that someone from Brussels, working Monday to Thursday from 10am to 4pm and Fridays from 10am to 1pm, comes knocking on your door? Highly unlikely. Bureaucrats don’t work proactively, they only move when being asked to. If you don’t want any bureaucrat in Brussels or in your local government to ever bother about your AI usage, don’t make it arrive on their desks.
The biggest risk at the moment is possible anticipatory obedience by platforms like HuggingFace. It could likely be that there’ll be more checkboxes and forms to fill for users from the European Union, when they upload models. If that happens, European users will do what they always do and enter rough estimates to ensure they meet the “compliant” criteria. Being compliant, for a bureaucrat, doesn’t mean you’re doing what is asked of you, but that it’s just confirmed in writing that you do.
Fine-tuning, distillation and local learning
The GPAI regulation treats fine-tuned and distilled models, including LoRAs, the same way as their trainer models. If the parent model does not have a “system risk”, the obligations only apply to the fine-tuned training data (“Modification-specific obligations”).
The threshold for fine-tuned models is 1/3 of the parent model’s FLOPs, which is 1/3 of 10²³ FLOPs for all GPAI models and 1/3 of 10²⁵ FLOPs for GPAI models with “systemic risk”. Alternatively, someone in Brussels or within your local regulator can decide that your model is GPAI. You’re essentially dead when that happens. Death by paperwork.
A CoreML model for content categorization, distilled from Google Gemini, that is exempt
Open Source models are “exempt” from all the documentation requirements to the AI office or national authorities, but still need to provide the training data summary publicly and meet the copyright policy requirements. If you want to have your Open Source model exempt, it also needs to have commercial use included in the license. If you charge extra for commercial use, your model is not exempt.
Limited Risk: Less risk, more fun?!
Congratulations, you’re boring, which is a good thing. Whatever you do with your computer, always remember that you’re Limited Risk. There are no reporting obligations in that category, so you want to be in it. Anyone who does not fall into the prior categories is in here. In this category, you only have Transparency obligations, with a wide range of exceptions that can totally nullify these obligations.
Human interaction: “Hi, this is AI!”
Article 50 № 1 requires you to inform real humans when they interact with an AI system. This is kind of funny, considering the vage nature of what an AI system is. The intention is obviously to inform people whether they are talking to a human or a machine. If you don’t really feel like doing that, then Article 50 № 4 has got you covered.
This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences or where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content. (Article 50 № 4)
The article clearly exempts the labelling when human review or editorial control is in place. Look closely, there’s an “ or ” in there. A teeny tiny loophole. But why is it in there? The answer is: European publishing corporations and legacy media outlets, which heavily rely on it.
Automatically imported news contents from dpa; often generated with LLMs
Automatic content generation in legacy media has been a reality for years. That’s why you’re often reading the same “slop” in every paper. If you do a quick search on the text contents, you’ll find that hundreds of sites all use the same slop. Some of them may even rewrite these stories with an LLM, again. Media companies often don’t even know who wrote their articles or where they’re actually coming from. Do you think that the EU would barr them from doing so? They’re pretty well connected with policy makers.
“Deployers relying on this editorial exception are expected to maintain documented procedures evidencing human oversight, raising the bar for informal or ad hoc review processes.” — Herbert Smith Freehills Kramer LLP
Which bureaucrat do you think will be becoming to your muffy office to do an ad hoc review of your editorial control? No one. In the unlikely event, which is more unlikely than you being visited by extraterrestrials, what do you think they expect of you? A button, a form, a log file? What even is editorial control? What type of almighty bureaucrat is going to do a technical and organizational audit of an editorial control process? It’s not going to happen. The worst that’ll happen is you filling in a form in which you confirm that you have some form of editorial control and oversight.
Labels and watermarks
The EU AI Act requires developers to label generated images and text, and include a machine-readable watermark. Unless it’s an “ assistive function ” to your users’ writing or image editing process. Where does that assistive function end you may ask. It ends where the AI system “substantially alters the input data or its semantics”. Whatever that means is up to the AI office and your local regulators to decide, or not.
Gaming is mostly exempt anyway, so your Meshy.ai game characters and objects don’t need specific labelling in your Unity or Unreal Engine game. This not just applies to gaming, but to any artistic, creative, satirical, or fictional works. You are only required to the “ disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work ”. A simple footnote somewhere in your game’s launch screen will probably be totally sufficient. You don’t want to hamper the enjoyment of your work, don’t you?
Creative bureaucrats: the EU Commission’s proposed labels for AI (page 36; last page)
The EU Commission wouldn’t be as fun as they are if they wouldn’t have the self confidence to spend millions on designing a standardized “AI Label”. Some obedient people may be thankful that their Brussels overlords have created them a nice circle with two letters in it, but anyone else will likely just ignore that creative odyssey of self expression. The creation of an AI label is surely one of the most pressing challenges of today’s EU.
Large organizations in the European Union will follow their legal teams, invest millions and badge a label on whatever their legal team says. It’s been like that with GDPR, and it’ll be exactly the same with the AI Act. The cookie banners didn’t appear because the regulation specifically demanded them (spoiler it didn’t and doesn’t), but because corporate legal teams said “This should be fine” and called it a day. Everyone else just followed.
Video Restore and the Open Source Python code for fitting new clothes onto someone, as well as all my other apps and code publications are just a Low Risk Assistive Function. Trust me, bro. If everyone slaps an “AI Label” onto everything, then the label is becoming just as worthless as the cookie banners have. Expect a ton of AI labels to appear on random websites by August 2026. They will first confuse consumers, and then make them avoid businesses that carry too many of them.
Government wants you to understand that AI images are dangerous.
Just like the cookie banner, the AI label will likely cost the European economies hundreds of millions in GDP. Confuse consumers with awkward labels, watch revenues and taxes decline, make surprised Pikachu face. The winners will likely be those who avoid the label as much as possible. Would you seriously buy a pair of shoes that have “Generated with AI” labelled on their images? At least the fast food chains won’t have to badge their burger images, because they’re using expensive professional human food photographers to create their fake burger images. That probably summarizes the absurdity of the labelling.
Conclusion
A lot of the the regulations of the EU AI Act are already rolled out to local law. August 2nd, 2026 will be the deadline after which the transparency requirements with labelling and watermarks become mandatory. The Unacceptable Risk and General-Purpose AI (GPAI) regulations are effective for over a year already, with little to no noticable change in anything.
“Life is a tragedy in close-up and a comedy in long shot.” — Rowan Atkinson
The tragedy is millions of tax payer Euros wasted on forms, processes and AI labels that no one actually uses, and the Sword of Damocles hanging over every business, especially software developers, in the European Union. The tragedy is businesses trying to be compliant to something you can hardly comply with, while others try to leech off them, selling courses, tools, consulting and whatnot. The AI Act costs time and resources that businesses desperately need to remain competitive in global markets.
The form template for General-Purpose AI isn’t even a form. You’d have to print it.
It’s a comedy in longshot when you think about the meetings in which bureaucrats discuss finetuning the latest AI label designs. Who even made up the 10²³ FLOPs limit for GPAI? Is 1992’s Wolfenstein 3D an AI system causing severe psychological harm? Generated images need to be labelled, but when I photograph hamburgers made of cardboard it’s okay?
Talking about comedy, the “ Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 (1)(d) of Regulation (EU) 2024/1689 (AI Act) ”, which is a comical name already, isn’t even available for download as a form. You’d have to print it and fill it out with pen and paper, or kindly ask for the Microsoft Word version which the EU Commission provides. You’ve got to love the EU’s “Digitalization”.
Financial threats to indie developers
The fines are 7% or up to €35 million for a violation of the EU AI Act, which are easily several thousand Euros even for a small indie developer. It only takes a single bureaucrat on a vendetta to bankcrupt a small business. Someone just needs to declare your software an “Unacceptable Risk AI System”, and it’ll be deplatformed everywhere. You won’t be able to do anything against it.
Development of business closures in Germany since 2020
The AI Act fines create a threat with uncertainty for small and medium software businesses in Europe. An uncertainty which cripples a region that is desperately in need of economic growth.
Future outlook
There’s light at the end of the tunnel, at least in Germany. The EU’s AI office will only work with global companies like Apple, Google, Amazon etc. Anyone else inside the EU will likely deal directly with their national authority, which is the BNetzA in Germany for me. Since I live in Bonn, where the agency resides, it’s a 5 kilometer or 10 minute drive to their office. It’s fair to say that the BNetzA in Germany isn’t overly keen on dealing with small and medium software businesses, or issuing a €100 fine to a random Helmut for not labelling his AI fruit slop properly.
Regulators aren’t going to hunt down unlabelled fruit slop (This image is totally generated by AI)
The EU AI Act is Not Clear and Not Predictable, and it’s highly uncertain at what stage what software system falls into what category. It’s also not Outcome-Oriented, as the EU regulator’s desired end result is very vague. Enforcement of the AI Act is next to impossible. How do authorities know if an image was generated with Generative AI or carefully crafted by hand for hours in Blender, or even physically with cardboard? They don’t, and they don’t even want to get themselves into it. It’s almost entirely unenforceable.
oecd.org
OECD GUIDING PRINCIPLES
FOR REGULATORY QUALITY AND PERFORMANCEEstablish principles of “good regulation”, drawing on the 1995 OECD
Recommendation on Improving the Quality of Government Regulation.
Good regulation should: (i) serve clearly identified policy goals, and be
effective in achieving those goals; (ii) have a sound legal and empirical basis; (iii) produce benefits that justify costs, considering the distribution of effects across society and taking economic, environmental and social effects into account; (iv) minimise costs and market distortions; (v) promote innovation through market incentives and goal-based approaches; (vi) be clear, simple, and practical for users; (vii) be consistent with other regulations and policies; and (viii) be compatible as far as possible with competition, trade and investment-facilitating principles at domestic and international levels.
The EU AI Act is a poor regulation by the standards of the OECD, of which 22 European Union states are a member of. The policy goals aren’t precisely clear, and the effectiveness questionable through the various exemptions (i). It creates severe cost and market distortions (v) requiring companies to set up comprehensive training, rules and procedures. It’s nowhere near of being clear, simple and practical for users (vi). U.S. businesses refusing to release AI features to the EU, in fear of hefty fines, is evidence for the EU AI Act not being compatible with competition on an international level (viii).
It’s absolute bonkers to think that anyone could effectively apply such a broad scale regulation on computer programming, let alone enforce it. The EU AI Act may very likely go down as one of the poorest regulations ever made. Anything it tries to achieve is already achieved by various other laws and regulations. It’s restrictions are largely redundant with existing rules (e.g., deepfakes regulated under § 22 KunstUrhG in Germany). The further you look at the EU AI Act, the more it may seem to feel like a performative theatrical act of virtue signalling.
I wish one could say this won’t affect us Europeans and we won’t notice it, but the absence of iPhone Screen Mirroring on my Mac for years to this date tells me otherwise.
Fellow Europeans, don’t be demoralized by it. Keep innovating!
Thank you for reading. Jan
All my articles are handicraft, handwritten by me. By reading and sharing my articles, you support my work and you support real human authorship.
I’m a software business owner from Germany, worked in various CTO roles, an active programmer in C++, Go, Swift and passionate technology enthusiast. My programming career started at a young age and I later acquired a professional institutional education in software engineering. My journey on Medium started out as note taking and documenting my projects. Over time, it became more and more popular with you, my beloved readers. Not because I am someone special, but because people crave for thoroughly researched technical articles. Following me, clapping and subscribing is one step forward in keeping technical writing and its community alive.