Key Takeaways
- The conversation around the EU AI Act focuses heavily on what the law prohibits, but far less on what it permits.
- Although the AI Act is often presented as a single set of rules for everyone, businesses face far stricter oversight than governments and law enforcement agencies in several key areas.
- Understanding what the AI Act allows as well as the grey areas it leaves unresolved is essential for anyone trying to understand the real regulatory landscape.
- Business data could become part of wider surveillance ecosystems in ways many organisations don’t anticipate.
- The AI Act is shaping not just how organisations use AI but also the broader environment in which AI, data, surveillance, and public accountability will evolve across Europe.
If you run a company that develops, uses, or sells AI systems in Europe, you’ve probably spent the last year hearing the same message on repeat: get compliant or face fines up to 7% of your global turnover (that top tier applies only to the most serious violations, like using prohibited AI systems; for most other breaches, the maximum is 3% of global turnover).
Currently, the conversation around the EU AI Act is loud, urgent, and almost entirely focused on restrictions: what’s banned, what counts as “high-risk”, what documentation you need, what the deadlines are.
That framing isn’t wrong. After all, the Act does impose real obligations, and the penalties are serious. The problem is that it’s dangerously incomplete because it systematically ignores the other half of the law, the one that doesn’t restrict but allows. And what it allows may ultimately prove more consequential for businesses and individuals alike than anything on the prohibited list.
But perhaps an even bigger problem is the assumption that the law applies the same level of scrutiny to everyone involved when, in reality, it clearly doesn’t. And that’s exactly why decision-makers should pay attention to the three issues below.
1. The Regulatory Asymmetry: One Law, Two Standards
The EU AI Act presents itself as a unified framework designed to create trustworthy AI across Europe. But when you look more closely, the idea of equal standards starts to fall apart pretty quickly.
For businesses, the requirements are extensive and very real. If your company uses AI to screen job applicants, assess creditworthiness, manage critical infrastructure, or influence access to essential services, there’s a good chance it falls into the “high-risk” category under the Act. That means mandatory risk assessments, human oversight requirements, technical documentation, conformity assessments, and registration in a public EU database.
And none of that comes cheap. Depending on the types of AI systems involved, compliance costs could range from tens of thousands of euros for smaller businesses to several million euros for large enterprises building full AI governance and monitoring frameworks.
For governments and law enforcement, however, the picture looks very different. The AI Act technically prohibits real-time facial recognition in public spaces, which sounds strict at first. But it also includes exceptions so broad that critics argue they leave the door wide open for expanded surveillance.
Not only can governments use facial recognition systems to search for missing persons, prevent terrorist attacks, and investigate serious crimes — though each use is supposed to require prior judicial authorisation and target a specifically identified individual — but EU member states are also allowed to approve these uses through their own national laws. Moreover, anything classified as national security is completely exempt from the AI Act, regardless of whether the surveillance is carried out directly by the government or by a private company working on its behalf.
Statewatch, which analysed the law in detail, put it quite bluntly: the AI Act “establishes conditions for increased development and use of security AI systems” while making sure those systems remain subject to “extremely limited accountability, oversight and transparency measures.” This didn’t happen accidentally. Governments, along with law enforcement lobbying bodies like Europol, played an active role in shaping these provisions during negotiations.
The conclusion? After years of negotiations and political compromises, the Act quietly carved out broad exceptions for state actors. And those exceptions aren’t just abstract legal possibilities buried somewhere in regulatory footnotes. Real-time facial recognition in public spaces, mass biometric identification systems, and AI-powered surveillance tools operating with limited transparency and accountability are already becoming operational realities. Yet despite their significance, they remain largely absent from the conversation surrounding the AI Act.
2. The Compliance Trap: What Businesses Aren't Being Told
The compliance industry that has grown around the EU AI Act is overwhelmingly focused on what businesses can’t do, with teams cataloguing AI systems, classifying risk tiers, drafting technical documentation, and preparing for enforcement deadlines. This work is necessary, but it’s not sufficient.
The deeper issue is that compliance frameworks built around the Act’s prohibitions can give business leaders a false sense of having understood the regulatory landscape. In reality, most of them haven’t, and that’s because the AI Act isn’t just defined by what it restricts. As mentioned above, it’s also shaped by what it quietly permits as well as the grey areas it leaves unresolved.
Those grey areas aren’t merely theoretical. The Center for Democracy and Technology (CDT) warned that law enforcement agencies could potentially bypass restrictions on real-time biometric identification simply by invoking national security purposes. That’s the kind of loophole that critics argue could easily expand into mass surveillance under the banner of national security while still being framed as perfectly legitimate.
Another significant grey area involves the relationship between law enforcement and national security. On paper, the distinction looks straightforward: law enforcement activities, such as policing and criminal investigations, fall within the Act’s scope and are subject to restrictions, while national security is largely exempt because EU treaties leave those decisions to individual member states.
In practice, however, the line between the two is often blurry. The same AI tool, the same data, or even the same agency can serve both purposes at once, for instance when intelligence gathering feeds into criminal investigations. Yet the Act offers very little guidance on how such cases should be handled. Instead, it pushes that responsibility onto member states, which are already interpreting the rules in very different ways. This creates a patchwork of standards across the EU rather than a coherent, unified framework.
That’s where the real compliance trap starts to appear. While businesses are spending enormous amounts of money making sure their AI systems are explainable, auditable, rights-respecting, and properly documented, state AI systems operating around the same people may be subject to nowhere near the same level of transparency or accountability. So much for equal standards.
The results can already be seen. AlgorithmWatch identified at least 11 EU member states operating police facial recognition systems in 2024, before many of the Act’s prohibited practices had even come into force. But the controversies didn’t stop once those rules kicked in. In March 2025, after the AI Act’s restrictions on real-time facial recognition had already started applying, Hungary passed legislation authorising police to use real-time facial recognition to identify participants at Pride events, raising serious legal and civil liberties concerns.
The Czech Republic had also been running facial recognition systems at Prague Airport for years. Even after the Act’s biometric provisions began taking effect in February 2025, the system reportedly continued operating for another six months before police finally shut it down in August 2025 following regulatory scrutiny.
These aren’t isolated incidents or obscure edge cases. Taken together, they point to something much bigger, revealing how governments are actively testing how far the law can be stretched and how flexible these “exceptions” really are once they move from paper into practice.
For business leaders, there are a few important takeaways here:
- First, the regulatory environment surrounding the AI Act is far less clear and consistent than we’ve been led to believe. Enforcement varies between member states, and several countries missed deadlines for appointing the authorities responsible for overseeing the law in the first place. This isn’t exactly reassuring for the organisations trying to navigate compliance with precision.
- Second, understanding not just what the Act prohibits but also what it allows gives businesses a more accurate picture of the operating environment their employees and customers are actually living in.
- Third, and most importantly, genuine commitment to responsible AI goes beyond simply satisfying the minimum legal requirements. If your organisation cares about employee rights and customer trust, those values are relevant not only to how you use AI but also to how you respond to the broader context the Act is creating.
3. The Hidden Liability: Your Data in a Surveillance Ecosystem
Most companies operating in Europe already know they’re dealing with an increasingly complicated maze of data regulations. With everything coming out of Brussels, organisations are working harder than ever to ensure customer and employee data is collected, stored, protected, and documented in accordance with the law.
But there’s another important point that often gets overlooked: the AI Act doesn’t exist in isolation. It sits alongside the GDPR, the Data Act, and a broader European data governance framework that increasingly shapes how data held by businesses can be accessed and used by public authorities. Within this ecosystem, governments already have mechanisms for accessing certain categories of business data under specific conditions.
An example of this approach appears in the Digital Omnibus, the first set of amendments to the AI Act agreed in May 2026, which replaced the previous “exceptional need” threshold with a “public emergencies” standard for certain forms of government-to-business data access. While regulators described this as a narrowing of the rules, what qualifies as a “public emergency” could end up being interpreted quite broadly in practice.
At the same time, civil society groups have repeatedly shown how commercial datasets can end up feeding surveillance systems. The Databroker Files investigation, for example, found that data collected through ordinary commercial activities can eventually make its way into government surveillance ecosystems.
And that creates a category of liability many decision-makers aren’t thinking about at all. A company or organisation may collect location data, purchasing behaviour, or even biometric information for perfectly legitimate reasons, only to discover later that the same data has flowed into state surveillance systems through legal or technical channels it never anticipated or authorised. The striking part is that the legal and technical infrastructure enabling these kinds of data flows is already being built in real time through the AI Act’s exemptions, the Digital Omnibus, and national laws.
There’s also a trust problem hiding underneath all of this. Individuals who realise that data shared with a company or organisation could ultimately contribute to government surveillance systems may start making very different decisions about who they trust with their information. The AI Act’s law enforcement exceptions make that even murkier, especially because governments are allowed, in some cases, to avoid informing individuals they were subjected to AI-based identification. The irony, of course, is that while businesses are being told transparency is essential, parts of the surveillance ecosystem surrounding them are becoming more opaque by design.
But then there’s a longer-term issue to consider. During the negotiations over the AI Act, the European Digital Rights (EDRi) organisation repeatedly warned that even limited exceptions for biometric mass surveillance could eventually open the floodgates to broader surveillance practices. That warning wasn’t relevant only for policymakers but also for businesses and government agencies, especially because the exceptions written into the Act today are unlikely to remain static.
And there are good reasons to take that warning seriously, not least because law enforcement groups pushed aggressively for the current carve-outs, and there’s little reason to believe those efforts will stop here. In other words, the current exemptions are probably not the final destination.
The takeaway? The organisations paying attention to where this trajectory may lead will be in a much better position to adapt their data practices, employee and supplier relationships, and customer communication strategies before the environment shifts even further.
Understanding the World the AI Act Is Building
Raising concerns about the AI Act’s exemptions isn’t an argument against compliance. The obligations placed on businesses are legitimate and, in many cases, long overdue. Besides, responsible AI governance is good practice whether regulators demand it or not.
However, the bigger point is that compliance alone doesn’t tell the full story. An organisation that understands the AI Act only through the lens of bans, risk categories, and fines is still working from a very incomplete picture of what the law actually does. Because the Act doesn’t just restrict, and it doesn’t just permit. It also empowers governments and law enforcement agencies by giving them room to use AI in ways that would have been politically unthinkable in Europe not that long ago. That creates asymmetries between public and private accountability, changing the environment that businesses, organisations, and individuals have to navigate, whether they realise it yet or not.
Ultimately, the companies that get ahead of this best will probably be the ones asking not only, “Are we compliant?” but also, “What kind of environment is this law creating?”, “What does that environment mean for our organisation, employees, and customers?”, and “How do we respond before the rules, expectations, and surveillance capabilities expand even further?” Because in the end, compliance isn’t a box-ticking exercise we can rush through; compliance is a slow and deliberate process that starts with understanding the law for what it actually says, not just for the parts that dominate the headlines.
Nevertheless, the EU AI Act is genuinely historic. It’s the world’s first comprehensive AI regulation, and it will likely shape the development of the technology for generations to come. But the part of the Act most business leaders focus on — the one about bans, obligations, and penalties — is only half the story. The other half, the part about what Europe ultimately decided to allow, is where some of the most important decisions are being made. And yet that part is still barely discussed, even in specialised professional circles.
Extra sources and further reading
- The EU’s AI Act: A framework for collaborative governance – ScienceDirect
  https://www.sciencedirect.com/science/article/pii/S2542660524002324
  This peer-reviewed review article analyses the EU AI Act as a collaborative governance framework, examining how different institutions and stakeholders are expected to coordinate the regulation, enforcement, and oversight of AI across the EU.
- The AI Act Isn’t Enough: Closing the Dangerous Loopholes That Enable Rights Violations – European Digital Rights (EDRi)
  https://edri.org/our-work/the-ai-act-isnt-enough-closing-the-dangerous-loopholes-that-enable-rights-violations/
  This article discusses the risks created by broad national security and law enforcement exemptions, including concerns around biometric surveillance, transparency, and democratic accountability.
- Navigating Data Governance Risks: Facial Recognition in Law Enforcement Under EU Legislation – Internet Policy Review
  https://policyreview.info/articles/analysis/data-governance-risks-facial-recognition
  This paper explores the legal, technical, and governance risks surrounding facial recognition in law enforcement, with particular attention to data protection, public security, and the AI Act’s regulatory framework.
- Parliament’s Negotiating Position on the Artificial Intelligence Act – European Parliamentary Research Service (EPRS)
  https://www.europarl.europa.eu/RegData/etudes/ATAG/2023/747926/EPRS_ATA%282023%29747926_EN.pdf
  This research paper presents a concise overview of the AI Act’s negotiations, key provisions, law-enforcement exceptions, and the political debates that shaped the final regulation.