Isomorphic English translation based on the German reference version.

Section 1 – Review Protocol

Object

Regulation (EU) 2024/1689 (EU AI Act) in its structure as a governance architecture: definition of the “AI system,” risk classification, duties and compliance regime, enforcement mechanism, as well as target and protected-interest structure.

Review Standard

The analysis is conducted along Review Architecture v1.0 with five categories: abort capability, cost truthfulness, exit capability, power clarity, and institutional consequences. Decisive is not the political expediency of the regime, but its structural logic of effects.

Methodology

The object is first reconstructed in full. This is followed by explicit application of the review standard. Diagnoses are derived exclusively from this combination. No additional evaluative dimensions are introduced.

Section 2 – Reconstruction of the Object

With the definition of the “AI system,” the EU AI Act constructs a regulatable unit. This definition describes machine-based systems with a degree of autonomy that generate predictions, recommendations, or decisions on the basis of data and thereby influence real or virtual environments. The definition is not a technical specification, but a legal stipulation with an ordering function. Heterogeneous technical architectures are bundled into a unified category.

On this ontological foundation, the Act establishes a four-tier risk classification: unacceptable risk, high risk, limited risk, and minimal or no risk. The classification translates the defined category into graduated intensity of obligations. Unacceptable practices are prohibited; high-risk systems are subject to extensive ex-ante obligations; limited risk triggers transparency requirements; minimal risks remain within the general legal framework.

The obligations architecture is coupled to this classification. In the high-risk area, it includes in particular risk management, data governance requirements, technical documentation, logging, transparency obligations, requirements for human oversight, as well as provisions concerning robustness and safety. Conformity must be demonstrated prior to market access and is, where applicable, reviewed by notified bodies. The central steering unit is not the source code itself, but the documented proof of rule-compliant procedures.

Enforcement occurs on an administrative basis. National supervisory authorities monitor the market and conformity, while coordinating mechanisms at EU level ensure coherent application. Sanctions are an integral part of the architecture. Power structurally emerges through the interpretation of indeterminate legal concepts, through conformity decisions, and through sanctioning authority.

The target structure of the regime is dual in nature: protection of fundamental rights, health, and safety on the one hand, and the safeguarding of a functioning internal market on the other. Risk functions as the mediating category between protection logic and market access. Trust is institutionally produced through classification, transparency, and enforceability.

Section 3 – Diagnosis of Architectural Effects

The application of the review standard proceeds along the five categories of Review Architecture v1.0.

Abort Capability

The ontological stipulation of the “AI system” is structurally stable and can only be changed through a formal legislative procedure. The risk classification permits adjustments to individual application lists, but not revision of its underlying logic. The compliance architecture reviews conformity with defined requirements, not their actual quality of effects. Internal feedback that systematically reviews the adequacy of its own underlying assumptions is not provided for. The regime is adaptable in detail, but not self-reflexive in its structure. Abort capability is therefore limited.

Cost Truthfulness

Regulatory burdens primarily arise in system development, documentation, and conformity procedures. Risks are typified through system and application categories, while internal organizational decision architectures and power structures are not independently reviewed. Since relevant risk genesis frequently emerges contextually, a partial asymmetry arises between burden distribution and risk structure. Cost truthfulness is thereby partially decoupled.

Exit Capability

Binding to the regime occurs through access to the EU market. A formal exit is possible through market withdrawal or renunciation of specific application areas. For economically relevant actors, however, the EU market is structurally significant, such that exit becomes factually cost-intensive. The architecture permits evasive movements, but generates adaptation pressure and exerts market-structuring effects. Exit capability is formally present, but economically asymmetrical.

Power Clarity

Responsibility is formally distributed along the value chain. Providers initially classify systems themselves; supervisory authorities monitor, interpret, and sanction. Indeterminate legal concepts require interpretation. Effective steering power concentrates where interpretive authority and sanctioning competence converge. The power structure is formally decentralized, but interpretively centered in its practical effect.

Institutional Consequences

The regime generates durable administrative and compliance structures. Conformity becomes a prerequisite for market access; regulatory requirements integrate into system design and organizational processes. Fixed costs exert relatively stronger effects on smaller actors and favor consolidation tendencies in the high-risk area. At the same time, a political expectation structure of regulatory control emerges. Institutional consequences are highly effective and sensitive to densification.

Section 3a – Architectural Review

The regulatory architecture establishes several structural control axes:

Definition Power

With the legal stipulation of the “AI system,” a regulatable unit is ontologically fixed. Heterogeneous technical architectures are bundled into a normative category.

Classification Power

Risk classification determines the intensity of obligations and market access. Assignment to a risk category functions as the primary steering mechanism.

Conformity Power

Market access is tied to documented procedures, evidentiary obligations, and, where applicable, external review. Steering occurs through reviewability, not through direct system control.

Interpretive Power

Indeterminate legal concepts require interpretation. Effective steering power concentrates where interpretive authority is institutionally anchored.

Sanctioning Power

Administrative enforcement powers secure the binding force of the architecture.

Market Access Control

Access to the EU internal market functions as a structural lever through which adaptation pressure is generated.

Steerability Diagnostics

The underlying logic of the regime is legally fixed and can only be altered through renewed legislation. Adjustments primarily concern application lists and concretizations, but not the risk-based core architecture. Internal institutional self-revision of the defined entity (“AI system”) or of the risk category is not provided for. Feedback occurs through enforcement, market surveillance, and political revision, not through system-internal learning mechanisms. The architecture is adaptable in detail, but not self-reflexive in its underlying structure.

Normative Pre-Structuring

The concept of risk functions as the central mediating category between protected interests and market access. Risk is typified as a system-related or application-related property. The ontologization of the “AI system” as the primary regulatory unit prioritizes technical artifacts over organizational or relational constellations. This establishes an epistemic order in which risk is treated primarily as a property of a system rather than as an emergent relation.

Architecture vs. Implementation

The present analysis exclusively concerns the normative architecture of the legal act. Enforcement practice, political application, or factual enforcement quality are not objects of the review.

System Constants

The following durable stipulations arise from the structure:

• stabilization of the category “AI system” as a regulatable unit
• risk-based core logic as the primary structure
• ex-ante compliance as the dominant steering mechanism
• documentation-centered reviewability
• administrative enforcement through market surveillance
• market access as a structural lever

These constants remain in force as long as the underlying architecture of the legal act is not legislatively revised.

Section 4 – Structural Fracture Points

Three structural fracture points emerge from the intersection of the five review categories.

System-Centeredness and Contextual Genesis of Risk

The regime primarily addresses risks through system definition and application categories. Relevant risk genesis, however, frequently arises in internal organizational decision architectures, incentive structures, and power constellations. The architecture stabilizes the category “AI system” without independently reviewing contextual relations. This results in limited abort capability, partial cost decoupling, and institutional densification under continued context dependence.

Procedural Review and Effectiveness Review

The compliance architecture measures adherence to defined requirements, not their actual effectiveness. Documentation, quality management, and conformity procedures secure formal reviewability, but no systematic feedback concerning real risk reduction. Formal safety may therefore remain decoupled from material effects.

Formal Decentralization and Interpretive Centrality

Responsibility is distributed in role-bound form, but indeterminate concepts and classification decisions require interpretation. Steering power factually concentrates where interpretive authority and sanctioning competence converge. The architecture appears decentralized, yet generates interpretive centrality.

Section 5 – Structural Dependencies of Effectiveness

The material effectiveness of the EU AI Act is tied to specific structural dependencies:

Context Sensitivity

Material effectiveness presupposes factual consideration of deployment and organizational contexts, although the primary address remains system-centered. Without context integration, risk addressing remains categorical.

Interpretive Coherence

The interpretation of indeterminate concepts and risk assignments has a stabilizing effect insofar as it occurs consistently. Divergent interpretation may generate fragmentation or regulatory densification.

Effectiveness Proximity of Compliance

The effectiveness of the compliance architecture depends on the extent to which documented procedures correspond to real risk reduction. Without material feedback, safety remains formal.

Institutional Proportionality

A durable decoupling between regulatory burden and actual risk intensity structurally leads to market shifts or relative burden asymmetry.

Densification Dynamics

Subsequent adjustments may generate cumulative densification of obligations where no structural limiting logic is embedded.

Section 6 – Structural Limits

The EU AI Act is effective as an administrative ordering regime within its established architecture, yet exhibits structural limits in reach.

Contextual power and organizational risks are not primarily addressed. The architecture regulates system categories and procedural requirements, but not institutional decision logics or incentive structures. Risks emerging from relational power constellations lie outside the primary logic of the regime.

The steering architecture is ex-ante and documentation-centered. Continuous, systematic measurement of the real quality of effects of adaptive systems is not provided for. Dynamic or emergent effects are indirectly captured through market surveillance or political revision.

The ontological stipulation of the “AI system” forms a stable starting unit. Structural revision of this category is possible only through renewed legislation. Internal redefinition of the regulated entity is not embedded.

The architecture does not extend into constellations in which risk primarily emerges within organizational and power architectures or dynamically develops beyond documented conformity.

Section 7 – Institutional Judgment of Sustainability

The EU AI Act constitutes an administratively coherent regulatory architecture whose sustainability lies in the categorical definition of the “AI system,” the risk-based classification, and the procedure-based logic of conformity. Steering effects emerge through classification, documented reviewability, and sanction-backed enforcement.

The architecture is system-centered in design. Its structural reach extends primarily to system-related and application-related risks that can be addressed through ex-ante obligations and conformity procedures.

In constellations in which risk primarily emerges from organizational, decision, or power architectures, or dynamically develops beyond documented conformity, the sustainability of the regime is structurally limited.

The institutional judgment is therefore as follows:

The architecture is sustainable as an administrative market and ordering regime within its established categorical logic; its reach ends where risk is not systemically typifiable, but relationally or emergently organized.