The EU’s AI Act Has a Trust Problem

The European Union’s AI Act is the most ambitious attempt to regulate artificial intelligence anywhere in the world. It is also, according to a new analysis by three researchers at the Oxford Internet Institute, built on a fundamental confusion. The law aims to make AI “trustworthy.” But its definition of trustworthiness, the authors argue, is dangerously narrow. It equates trustworthiness with something far simpler: the acceptability of risk. If an AI system’s risks are deemed acceptable, the EU says it is trustworthy. That is not how trust works. And the gap between what the law promises and what it can deliver may leave Europeans with algorithms that are technically compliant but genuinely untrustworthy.
The paper, published in Regulation & Governance by Johann Laux, Sandra Wachter, and Brent Mittelstadt, is a systematic narrative review of trust research applied to AI in the public sector. The authors did not run an experiment. They did something more foundational: they asked what the word “trust” actually means in the context of AI, and then checked whether the EU’s regulatory framework matches that meaning. Their answer, bluntly, is no (Laux et al., 2023).
This is not an abstract philosophical quibble. The AI Act will govern everything from hiring algorithms to predictive policing to credit scoring. If its core concept of trust is flawed, the entire regulatory apparatus may produce outcomes that look safe on paper but fail in practice.
What the AI Act Actually Says

The AI Act sorts systems into risk categories. Minimal risk. Limited risk. High risk. Unacceptable risk. The highest tier, unacceptable risk, is banned outright. High risk systems must pass a conformity assessment. They need human oversight, transparency, and technical documentation. The idea is that if you follow these rules, your AI is trustworthy.
Laux, Wachter, and Mittelstadt identify the sleight of hand. The Act does not define trustworthiness as a property of the AI system itself. It defines it as a regulatory outcome. A system is trustworthy if its risks are “acceptable” according to the law. This is a conflation of two very different concepts. Trustworthiness is about whether an entity deserves your trust. Acceptability of risk is about whether a regulator has decided the potential harm is low enough to tolerate. Those are not the same thing (Laux et al., 2023).
The authors trace the problem back to the EU’s own High Level Expert Group on AI, which published Ethics Guidelines for Trustworthy AI in 2019. That document listed seven requirements: human agency, technical robustness, privacy, transparency, diversity, societal well being, and accountability. It was a broad, aspirational framework. The AI Act, when it arrived, operationalized only a subset of these ideals. It focused on the measurable, auditable ones. It left out the messy human dimensions of trust.
The Simple Version of Trust the EU Adopted

The researchers conducted a narrative systematic literature review of trust research in AI and the public sector. They looked at studies on institutional trust, algorithmic trust, and public sector AI deployments. What they found is that trust is not a binary switch. It is not something you can engineer by ticking boxes.
Trust has at least three components, the literature shows: competence, reliability, and benevolence. Competence means the AI can do what it claims to do. Reliability means it does it consistently. Benevolence means it acts in your interest, not just in the interest of the system operator. The EU’s framework focuses almost entirely on competence and reliability. It checks whether the algorithm works as specified. It barely touches benevolence. Does the AI have your back? Is it designed with your welfare in mind, or is it optimized for efficiency, profit, or bureaucratic convenience? The Act does not ask that question (Laux et al., 2023).
This matters because public sector AI is different from commercial AI. A credit scoring algorithm used by a bank is a commercial product. A predictive policing algorithm used by the state is an exercise of power. Citizens do not choose to interact with it. They are subject to it. Trust in that context is not about voluntary adoption. It is about legitimacy. The AI Act, by conflating trustworthiness with risk acceptability, treats citizens as passive risk managers rather than active participants in a relationship of trust.
The Conflation That Undermines Everything
The core argument of Laux, Wachter, and Mittelstadt is that the EU has collapsed a multidimensional concept into a single regulatory dimension. Trustworthiness becomes synonymous with compliance. If a system passes the conformity assessment, it is labeled trustworthy. This creates a dangerous feedback loop. Regulators certify systems as trustworthy. Citizens see those systems deployed and experience their effects. If the effects are negative, citizens lose trust. But the regulatory label says the system is trustworthy. So who is wrong? The citizen, or the law?
The authors point to a body of research showing that trust is built through experience, not certification. People trust algorithms when they see them work, when they understand their limitations, and when they believe the operator has their interests at heart. The AI Act provides none of that. It provides a stamp of approval. That stamp may actually reduce trust if it is perceived as a rubber stamp (Laux et al., 2023).
The paper also notes that the EU’s approach assumes a rational actor model of trust. Citizens are expected to evaluate risk information and calibrate their trust accordingly. But decades of behavioral science show that trust is emotional, social, and contextual. It is influenced by media coverage, personal experience, and cultural attitudes. The AI Act treats trust as a cognitive calculation. It is not.
The Methodology: How They Got There
Laux, Wachter, and Mittelstadt did not conduct a controlled experiment. They performed a narrative systematic literature review. That means they searched for and analyzed existing studies on trust and AI in the public sector, identified key themes and variables, and then mapped those findings onto the AI Act’s framework. The review covered studies on institutional trust, algorithmic fairness, transparency, and public sector AI deployments.
The authors developed a prescriptive set of variables for evaluating trust research. They looked for studies that measured trust as a dependent variable, that distinguished between trust in the algorithm and trust in the institution operating it, and that examined the relationship between risk perception and trust. They then used these variables to assess whether the existing trust literature supports the EU’s regulatory approach.
The answer was mixed. Some studies found that transparency and explainability increase trust. Others found the opposite: too much information about how an algorithm works can reduce trust, especially if the algorithm is complex or its logic is unsettling. Some studies found that people trust algorithms more than humans in some domains and less in others. The takeaway is that trust is not a simple function of any single factor. It is a product of context, history, and relationship (Laux et al., 2023).
What the Research Does Not Prove
This paper does not argue that the AI Act is useless. It argues that the Act’s definition of trustworthiness is incomplete. The Act may still reduce harm. It may still increase transparency. It may still force companies to document their algorithms. All of that is valuable. But it is not the same as making AI trustworthy.
The paper also does not claim that the EU should abandon risk based regulation. Risk assessment is a legitimate tool. The problem is that the EU presents risk acceptability as a sufficient condition for trustworthiness. It is not. A system can have acceptable risks and still be untrustworthy. An algorithm that is 95 percent accurate at predicting recidivism might be deemed low risk by a regulator. But if it systematically misclassifies people from a particular neighborhood, those people will not trust it. Their distrust is rational. The regulatory stamp does not erase it.
The authors also do not provide a simple alternative. They do not say “replace risk assessment with community oversight” or “require algorithmic audits by citizen panels.” They identify the gap. They do not fill it. That is honest. The paper is a diagnosis, not a prescription.
The Public Sector Is Where This Bites
The AI Act applies to both private and public sector uses. But the implications are most acute for public sector AI. When a government deploys an algorithm for welfare eligibility, child protection, or predictive policing, the stakes are different. Citizens cannot opt out. The algorithm wields coercive power. Trust in that context is not about consumer satisfaction. It is about democratic legitimacy.
Laux, Wachter, and Mittelstadt review studies on public sector AI deployments in Europe and elsewhere. They find that trust in algorithmic decision making is lower than trust in human decision making for high stakes decisions. People want a human in the loop. They want the ability to appeal. They want to know that someone is accountable. The AI Act mandates some of these things. It requires human oversight for high risk systems. But the researchers argue that the Act’s definition of human oversight is too thin. It treats the human as a backup, not as a decision maker with genuine authority. The human is there to override the algorithm in exceptional cases. That is not the same as having the algorithm support human judgment (Laux et al., 2023).
The paper also highlights a paradox. The EU wants to build trust by regulating risk. But regulation itself can erode trust if it is perceived as a substitute for genuine accountability. If citizens see a regulatory stamp and then experience a harmful algorithmic decision, they may conclude that the system is rigged. The stamp becomes evidence of capture, not safety.
The Deeper Problem: Trustworthiness vs. Acceptability
The title of the paper uses the word “conflation.” That is the key. The EU has taken two concepts that are related but distinct and treated them as identical. Trustworthiness is a property of the trustee. It is about whether the trustee has the qualities that warrant trust. Acceptability of risk is a judgment by a third party. It is about whether the potential harm is low enough to allow the system to operate. These are different judgments made by different actors with different criteria.
The authors trace this conflation to a broader trend in AI governance. Regulators around the world are struggling to define trustworthiness in a way that is measurable and enforceable. The EU chose a measurable path. It defined trustworthiness as compliance with a set of requirements. That is administratively convenient. But it is conceptually shallow. A system can comply with every requirement and still be untrustworthy. It can be transparent but biased. It can be accurate but unaccountable. It can be robust but deployed in a context where it should not be used at all (Laux et al., 2023).
The paper does not name names, but the implication is clear. The EU’s approach mirrors the logic of “trust but verify.” The problem is that verification becomes a substitute for trust. If you can verify everything, you do not need trust. But you cannot verify everything. AI systems are complex. Their behavior changes over time. Their interactions with social systems produce emergent effects. Verification is always incomplete. That is why trust matters. It fills the gap between what can be verified and what must be assumed.
What This Actually Means
- The AI Act’s definition of trustworthiness is a regulatory shortcut. It equates trustworthiness with compliance to a risk based checklist. That is not how trust works in practice. Trust requires a relationship, not a certificate. If you are building or deploying AI under the Act, do not assume that passing the conformity assessment makes your system trustworthy. It makes it legally permissible. Those are different things.
- For public sector AI, the gap is dangerous. Citizens who are subject to algorithmic decisions need more than a regulatory stamp. They need meaningful human oversight, genuine avenues for appeal, and evidence that the system serves their interests, not just administrative efficiency. The Act provides some of this, but not enough. If you work in government, build trust through ongoing engagement, not just compliance.
- Transparency is not a panacea. The Act requires explainability for high risk systems. But research shows that transparency can backfire. If you explain a complex algorithm in technical terms, you may confuse people. If you explain it in simple terms, you may oversimplify. The authors recommend testing explanations with real users before deploying them. Do not assume that more information means more trust.
- Trust is built over time, not at the point of deployment. The Act focuses on pre market assessment. It checks whether a system is safe before it goes live. But trust is dynamic. It changes as people interact with the system. The Act has weak provisions for post market monitoring. That is a gap. If you are a regulator, push for stronger ongoing evaluation. If you are a developer, build feedback loops that allow you to detect and correct trust failures after deployment.
- The biggest risk is that the Act creates a false sense of security. If citizens and regulators alike assume that an AI Act compliant system is trustworthy, they may lower their guard. They may stop asking critical questions. They may defer to the stamp. That is exactly when things go wrong. The paper is a warning: do not confuse regulatory approval with earned trust. They are not the same. They may never be the same.
References
- [1] Johann Laux, Sandra Wachter, Brent Mittelstadt (2023). Trustworthy artificial intelligence and the European Union AI act: On the conflation of trustworthiness and acceptability of risk. Regulation & Governance.
