The fairness dilemma in the EU AI Act:

Why AI fairness will always be a matter of conflicting objectives

1. The countdown is on

The countdown is ticking inexorably: on 2 August 2026, key requirements of the EU AI Act will come into force and become binding for numerous stakeholders. What for many companies long sounded like an abstract regulation from Brussels is now becoming an operational reality. Anyone who develops, markets or deploys AI systems in Europe will in future have to meet extensive compliance, risk and governance requirements, the likes of which we have previously encountered mainly in heavily regulated sectors such as finance or healthcare.

However, if, like us, you have been developing and operating machine learning systems in regulated environments for years, many of the fundamental principles of the AI Act will not be new to you. Issues such as traceability, model risks, human oversight and reproducible training processes are already part of our day-to-day work.

For me personally, ethics has always been a central guiding principle in my work. Driven by this deep conviction, I discussed the implications of this development and the resulting strategic steps in depth as early as 2025, together with the Supervisory Board of KENBUN IT AG. We were already aware at that time that AI governance is not a downstream compliance process, but a central component of modern software architecture.

With a view to the deadlines in August 2026, which are now inexorably drawing nearer, I have taken another close look at the Regulation over the past few weeks. Within this framework, the EU sets out a series of non-binding ethical principles intended to serve as a foundation. These seven principles include:

  • Human agency and human oversight
  • Technical robustness and safety
  • Privacy and data governance
  • Transparency
  • Diversity, non-discrimination and fairness
  • Social and environmental well-being
  • Accountability

During my renewed in-depth analysis, one term in particular from this list emerged as arguably the greatest regulatory and technical sticking point: the concept of ‘fairness’. Whilst values such as transparency or IT security allow for clear technical standards, fairness remains, at its core, an extremely vague concept.

For several years now, I have been supporting financial institutions and other organisations in the implementation and operation of AI-powered systems. In doing so, I have observed time and again that the greatest challenges rarely arise from the algorithms themselves. The question of how we can document decisions in a traceable manner, control risks and clearly define responsibilities is usually far more complex. It is precisely at this point that regulatory requirements come up against mathematical limits. And these limits are crucial to understanding what you can actually achieve within your organisation under the AI Act.

 

2. What does the law require? The challenge of fair data foundations

A closer look at the EU AI Act reveals that the regulation defines the concept of fairness primarily in terms of avoiding discriminatory effects. A key reference point for developers and operators is found in Article 10, which sets out the requirements for data and data governance.

For designated high-risk AI systems – such as those used in human resources, credit decisions or critical infrastructure – the legislator requires that the datasets used be subject to appropriate governance processes. We must examine them for potential biases that could lead to discrimination prohibited under European law. Furthermore, the AI Act requires that training, validation and test data must be relevant, representative and, as far as possible, error-free and complete.

From a regulatory perspective, this objective is entirely understandable. Nobody wants an AI system to disadvantage job applicants because historical data reflects societal imbalances. From a machine learning perspective, however, a more challenging question arises: what does fairness actually mean in concrete terms – and can it be defined unambiguously in mathematical terms? In my day-to-day practice, I see significant conflicts of interest here.

 

SCHUFA Case Study: When Regulation Meets Core Processes

I recently observed just how profoundly these requirements are already transforming the economy today, using SCHUFA as an example. Following landmark rulings by the European Court of Justice (ECJ) on automated decision-making under the GDPR, Germany’s best-known credit reference agency was forced to fundamentally overhaul its scoring system. This shows that regulatory pressure is not a theoretical threat for the future, but is already changing real business models today.

However, the question remains as to whether the new system will also withstand the forthcoming requirements of the EU AI Act. As creditworthiness assessment systems are classified as high-risk applications under that legislation, the issue of algorithmic ‘fairness’ takes centre stage. SCHUFA thus finds itself facing a Herculean task, one that many financial institutions and companies will be confronted with in the coming months. This is because the attempt to make a scoring model – which has evolved over time – ‘completely non-discriminatory’ by decree often fails in practice, not because of a lack of will on the part of those involved, but because of the inexorable laws of statistics.

3. The mathematical reality: Why fairness cannot be unambiguously defined

When we examine the mathematical foundations of machine learning, we quickly encounter a central problem: fairness is not a uniform mathematical concept. There are several established fairness criteria that reflect different notions of justice – and which, under certain conditions, we cannot satisfy mathematically at the same time.

Jon Kleinberg and his co-authors at Cornell University made an important contribution to this understanding in their paper “Inherent Trade-Offs in the Fair Determination of Risk Scores”. They demonstrated mathematically that it is impossible to satisfy certain fairness criteria simultaneously when baseline rates differ between population groups.

In ML practice, three established core metrics usually come into conflict with one another:

  1. Predictive parity (calibration): The predictive power of a risk score should be identical for all groups. For example, if a score predicts a probability of occurrence of 80 per cent, this probability should carry the same significance regardless of group membership. 
  2. Equalised Odds (equality of error rates): The rates of false positives and false negatives must be comparable across different groups. 
  3. Demographic Parity: Positive decisions made by the system must occur with the same frequency across different groups.

However, as soon as groups differ in relevant statistical characteristics, these requirements come into irreconcilable conflict with one another. Optimising in favour of one fairness metric then necessarily means, mathematically speaking, that other fairness criteria are met to a lesser extent.

To illustrate these mathematical trade-offs clearly, I have prepared an interactive simulation below. It shows a classic credit scoring model for two groups (A and B) with statistically different historical baseline rates and makes the inexorable mathematical interactions directly visible:

Credit Scoring Fairness Simulator

This model simulates two population groups with different historical baseline rates (credit scores). Adjust the threshold to see how the approval rates (demographic parity) change.

[Interactive simulation: approval rate for Group A (historically higher rate) and for Group B (historically lower rate)]
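The trade-off between the three criteria can also be reproduced without the interactive widget. The following is an added example, not code from the original page or its simulator: the two groups, their score buckets and all function names are constructed assumptions, with scores that are calibrated by construction and base rates that differ between the groups.

```python
# Constructed sample data: score bucket -> number of applicants.
# Calibrated by construction: of the applicants with score s, a fraction s repays.
GROUPS = {
    "A": {0.2: 300, 0.5: 200, 0.8: 500},  # historically higher rate
    "B": {0.2: 500, 0.5: 300, 0.8: 200},  # historically lower rate
}

def metrics(buckets, threshold):
    """Expected rates when every applicant with score >= threshold is approved."""
    total = sum(buckets.values())
    good = sum(s * n for s, n in buckets.items())        # expected repayers
    bad = total - good
    approved = sum(n for s, n in buckets.items() if s >= threshold)
    tp = sum(s * n for s, n in buckets.items() if s >= threshold)
    fp = approved - tp
    return {
        "base_rate": good / total,
        "approval_rate": approved / total,  # compared by demographic parity
        "tpr": tp / good,                   # tpr and fpr are compared by equalised odds
        "fpr": fp / bad,
        "ppv": tp / approved if approved else float("nan"),
    }

def gaps(thresholds):
    """Absolute difference between group A and B per metric, for per-group thresholds."""
    m = {g: metrics(GROUPS[g], thresholds[g]) for g in GROUPS}
    return {k: abs(m["A"][k] - m["B"][k])
            for k in ("approval_rate", "tpr", "fpr", "ppv")}

def parity_thresholds(tolerance=1e-9):
    """All per-group threshold pairs that equalise the approval rates."""
    cuts = sorted({s for b in GROUPS.values() for s in b})
    return [{"A": ta, "B": tb} for ta in cuts for tb in cuts
            if gaps({"A": ta, "B": tb})["approval_rate"] <= tolerance]

if __name__ == "__main__":
    # One shared threshold: calibrated scores, but unequal approval and error rates.
    print("shared 0.5:", gaps({"A": 0.5, "B": 0.5}))
    # Group-specific thresholds: approval rates match, the other gaps remain.
    for t in parity_thresholds():
        print("demographic parity at", t, "->", gaps(t))
```

With a shared threshold of 0.5 the approval rates differ by 20 percentage points; moving group A to a threshold of 0.8 equalises them, but the same score of 0.5 is then approved in one group and rejected in the other, and the error-rate gaps do not close.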

4. Country Focus: Different Approaches in Germany and France

 

This issue is a key focus for me and my team, and not just from a regulatory perspective. As a company that has been supporting financial institutions and other organisations in several countries for years in the development, implementation and operation of AI systems – including in the field of fraud detection – we regularly see how differently requirements are interpreted in various markets. Through our activities in Germany and a growing presence in France, I have observed interesting differences in approach.


Germany: Focus on governance and traceability

In Germany, structured processes, risk management and traceable documentation are particularly emphasised. Institutions such as the Federal Network Agency (BNetzA) and the Federal Office for Information Security (BSI) help to create an environment that is strongly focused on compliance and traceability. This poses a considerable challenge, particularly for small and medium-sized enterprises. In addition to legal issues, they must also document statistical and technical decisions in a traceable manner – often with limited staff resources.

France: Focus on innovation and practical testing

In the public debate, France places greater emphasis on combining regulation with the promotion of innovation. Supported by national AI initiatives and companies such as Mistral AI, there is intense discussion on how Europe can build technological sovereignty without unnecessarily restricting innovation potential. The French data protection authority, the CNIL, began early on to support companies through guidelines, recommendations and sandbox initiatives. Such regulatory test environments enable organisations to trial new AI applications under controlled conditions and address regulatory issues at an early stage.

Both approaches ultimately pursue the same goal: to promote trustworthy AI systems. However, there is a noticeable difference in the emphasis placed on the various measures.

5. Findings and actions: How companies should respond

In my projects, I regularly observe that we can rarely resolve fairness issues through technical optimisation alone. Particularly in fraud prevention or other high-risk application areas, there is no configuration that guarantees maximum accuracy, minimal error rates and absolute fairness all at the same time.

Companies should use the time remaining until the relevant AI Act requirements come into full effect to establish robust governance structures.

In my experience, four areas of action in particular have proven effective:

  • Develop realistic expectations regarding fairness: Abandon the notion of a completely neutral AI. This goal is unattainable, both technically and organisationally. Our primary aim should not be the theoretical elimination of every conceivable bias, but rather a conscious, transparent approach to the mathematical risks and conflicting objectives.

  •  Establish interdisciplinary decision-making structures: Questions of fairness cannot be answered by code alone. Lawyers, data scientists, compliance officers and business departments must work together to define which fairness criteria take the highest priority in a specific application context.

  •  View documentation as a strategic tool for providing evidence: This transforms documentation from a tedious chore into a protective shield. If you can provide a comprehensive account of which data was used, which risks were identified and why certain model decisions were made, this will significantly strengthen your position vis-à-vis regulatory authorities.

  •  Use human-in-the-loop approaches where risks are high: Particularly in high-risk applications, AI should not make decisions in isolation. Human review and final decision-making remain an indispensable part of responsible systems.

6. The Often Overlooked Advantage: Regulation as a Competitive Asset 

In many discussions, the EU AI Act is primarily viewed as a regulatory burden. From our practical experience, however, this perspective only tells part of the story.

One of our teams is currently supporting a company in Thailand with the secure introduction of agentic AI solutions. What has surprised us positively is the extent to which existing and emerging regulatory frameworks in Thailand are aligned with European principles. This applies both to data protection requirements under Thailand’s Personal Data Protection Act (PDPA) and to the country’s evolving approach to AI governance, which is being shaped by organisations such as the Electronic Transactions Development Agency (ETDA).

Naturally, there are important legal and regulatory differences between jurisdictions. However, from a technical and organisational perspective, the similarities are often greater than many organisations expect. Our experience in this project has shown that companies which have already internalised the principles of the GDPR and the EU AI Act frequently possess a significant head start when operating in other regulatory environments.

Processes for governance, risk assessment, documentation, human oversight and auditability can often be adapted with relatively limited effort. In practice, this means that investments made today to comply with European regulations may deliver benefits far beyond the European market.

For this reason, I believe it is a mistake to view the EU AI Act solely through the lens of compliance costs. Organisations that build robust and trustworthy AI governance frameworks today are not only preparing themselves for European regulation; they are also strengthening their ability to deploy AI solutions internationally in a responsible and scalable manner.

7. Outlook: What comes after 2026?

August 2026 marks not an end point, but an important milestone on the path towards a long-term European AI regulatory framework. Further requirements will come into force in the following years. These include additional obligations for providers of general-purpose AI models in 2027, as well as the gradual integration of the AI Act’s requirements into existing sectoral regulations by 2028.

The EU AI Act pursues the legitimate aim of making the use of AI systems more transparent, secure and trustworthy. However, implementing these requirements demands more than simply grappling with legal texts. Anyone wishing to develop and operate AI systems responsibly must understand that fairness is not a clearly defined mathematical state. Rather, it involves a series of conflicting objectives that we must consciously assess, document and manage.

This is precisely where the real challenge of modern AI governance lies: not in the pursuit of perfect fairness, but in dealing with these inevitable conflicts between objectives in a transparent and accountable manner.

How is your organisation preparing for the requirements of the EU AI Act? Join the discussion with us or contact the team of experts at KENBUN IT AG for a professional exchange on AI governance, compliance and responsible AI systems.

8. Sources and further reading

EU regulation

  • Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act)
    https://eur-lex.europa.eu/eli/reg/2024/1689/oj

Academic papers on fairness in machine learning

  • Kleinberg, J., Mullainathan, S., Raghavan, M. (2016): Inherent Trade-Offs in the Fair Determination of Risk Scores. https://arxiv.org/abs/1609.05807
  • Kearns, M., Roth, A. (2019): The Ethical Algorithm: The Science of Socially Aware Algorithm Design.

Interactive demonstrations

  • Google PAIR Explorables: Attacking Discrimination with Smarter Machine Learning. https://pair.withgoogle.com/explorables/attacking-discrimination-in-ml/

Michael Scheuner, Co-Founder, AI Engineer

KENBUN IT AG
Haid-und-Neu-Straße 7
76131 Karlsruhe
+49 721 781 503 02
office@kenbun.de
