The European Union’s new AI Act is a piece of product regulation. That is its core. It does not grant individual rights. It places duties on the people who make and deploy AI systems in a professional setting. This distinction is worth sitting with for a moment.
The law, which entered into force on August 1, 2024, does not give a citizen the right to sue an AI company directly. It does not create a private cause of action. Instead, it tells the provider of a high-risk AI system, “You must run a conformity assessment. You must meet security and transparency standards. If you do not, the regulator will act.” The individual is a beneficiary of that enforcement, not a plaintiff.
This is a deliberate choice. The Act exempts AI used for military, national security, and research purposes. It also exempts non-professional use. The focus is on commercial and institutional deployment. The logic is straightforward: regulate the product at the point of supply, not at the point of harm. It is the same logic that governs toasters and car brakes. You do not sue a toaster manufacturer because you burned your bagel; the product should not have been unsafe in the first place.
The risk classification system is the mechanism. Four levels: unacceptable, high, limited, and minimal. An additional category exists for general-purpose AI. Unacceptable risk applications are banned outright. That is a hard line. For high-risk applications, the obligations are stringent. They must undergo conformity assessments. They must be transparent about capabilities and limitations. Limited-risk applications face lighter rules, mostly around transparency. Minimal-risk applications face no obligations at all.
This is not a one-size-fits-all approach. It is a ladder. The higher the potential for harm, the more hoops the provider must jump through. The Act’s provisions will come into operation gradually over the next 6 to 36 months. That phased implementation gives industry time to adjust. It also gives regulators time to build capacity.
Some critics will say the Act does not go far enough. No individual rights. No private enforcement. But the Act’s drafters were not aiming for a bill of rights. They were aiming for a regulatory framework that could keep pace with a fast-moving technology. A product regulation approach is easier to update than a rights-based framework. It is also easier to enforce across 27 member states with different legal traditions.
The Act covers most AI systems across a wide range of sectors. That is a broad net. But the exemptions are significant. Military and national security AI are out. Research AI is out. Non-professional use is out. The Act is concerned with AI that is put into the world by businesses and public bodies to do work. That is where the risk of systemic harm lies.
The transparency obligations for limited-risk applications are worth noting. Providers must be open about what their systems can and cannot do. This is not a heavy lift, but it is a meaningful one. It forces companies to articulate the boundaries of their technology. That alone could reduce overclaiming and mis-selling.
The Act is now law. The clock is ticking on implementation. Providers of high-risk systems will need to start their conformity assessments soon. The phased rollout means some obligations will bite before others. But the direction is clear. Europe has chosen to regulate AI as a product, not as a right. That choice will shape how the technology develops in the EU for years to come.
