FrontierNews.ai

The EU AI Act Is Being Quietly Undermined by Its Own Member States

The European Union's AI Act of 2024 was designed to restrict large-scale AI surveillance in sensitive areas, but member states are finding creative ways to expand surveillance powers anyway, undermining the regulation's core intent. From facial recognition at airports to expanded spyware programs, several EU countries are testing the limits of what the law allows, raising questions about whether Europe's landmark regulation can actually enforce its own rules.

How Are EU Member States Stretching the AI Act's Surveillance Rules?

Since the AI Act took effect, several European governments have pursued expansions of AI surveillance that appear to conflict with the regulation's restrictions. The pattern is striking and widespread across the bloc:

  • Luxembourg's Spyware Expansion: Since 2025, Luxembourg has pursued plans to expand its use of Trojan spyware from state security and terrorist threats to encompass a broader range of crimes, including child exploitation, currency counterfeiting, and human trafficking.
  • Ireland's Encryption Interception: The Irish government is seeking to expand the powers of the police and Defense Forces to intercept conversations on encrypted platforms like WhatsApp and iMessage, as well as other social media platforms.
  • Hungary's Real-Time Facial Recognition: Hungary authorized the police to use real-time facial recognition to identify participants in LGBTQ+ parades in April 2025, a use case that violated the AI Act's protections.

These moves reveal a fundamental tension in European AI governance. While the EU positioned itself as a global leader in AI regulation, member states are treating the AI Act more as a starting point for negotiation than as a binding constraint on surveillance expansion.

What Happens When Member States Break Their Own Rules?

Not all violations go unnoticed. The Czech Republic was forced to end its use of facial recognition at Prague Airport after just six months when it was found to violate the EU AI Act. This case suggests that enforcement mechanisms exist, but they appear reactive rather than preventive. By the time a violation is caught and corrected, the surveillance infrastructure may already be embedded in law enforcement operations.

The broader issue is that national security and public safety arguments create a powerful justification for surveillance expansion. Governments that frame these tools as necessary for combating terrorism, child exploitation, or organized crime face less public and political resistance than they would if they were simply expanding surveillance for its own sake. The AI Act's restrictions on large-scale surveillance in sensitive areas become negotiable when reframed as security imperatives.

Even the European Union itself is exploring AI surveillance technologies that raise similar concerns. The EU is piloting an Automated Border Crossing technology called iBorderCtrl in Greece, Hungary, and Latvia that applies AI lie detectors to immigrants. The system automatically detains immigrants found to be lying for further questioning. Human rights activists and academics have criticized this approach as scientifically weak and potentially discriminatory, yet it continues to be tested and refined.

Why Is Europe's AI Regulation Struggling to Keep Pace?

The core problem appears to be a mismatch between regulatory ambition and enforcement capacity. The EU AI Act represents a genuine attempt to govern AI use in ways that protect privacy, civil rights, and democratic freedoms. However, national governments retain significant autonomy in how they interpret and apply these rules, particularly when they invoke national security or public safety justifications.

This enforcement gap matters because AI surveillance operates at an unprecedented scale and speed. Traditional surveillance required human operators to monitor specific targets; AI-powered systems can monitor millions of people simultaneously, making cost-effective mass surveillance possible in ways it never was before. The EU AI Act was designed to prevent exactly this scenario, but member states are finding ways to pursue it anyway.

The situation reflects a broader pattern in technology regulation. National and international rules have been lagging behind rapid technological innovation. As one observer noted, AI is a neutral tool that can be used for good or bad purposes depending on the decisions of those in power. The application of AI therefore calls for increased scrutiny, accountability, and implementation to safeguard its benefits while preventing it from being hijacked for purposes that undermine democracy and human rights.

For now, the EU AI Act remains the world's most comprehensive AI regulation framework. But its effectiveness depends on whether member states treat it as a binding constraint or as a starting point for negotiation. The pattern of violations and expansions suggests that the latter interpretation is winning out, at least for now.