Why the EU's AI Act Is Both the Best and Worst Thing That Could Have Happened

Regulating the Unregulatable

The EU passed the most comprehensive AI regulation in history — and it might do more harm than good, for reasons nobody talks about

When the European Parliament voted to pass the AI Act in March 2024, MEPs gave each other a standing ovation. They had reason to feel proud. The legislation — years in the making, running to hundreds of pages — was the first comprehensive attempt by any major jurisdiction to regulate artificial intelligence across the board. Nothing like it existed. The United States had executive orders and voluntary commitments. China had sector-specific rules. Europe had a law.

That law is now being implemented. The prohibited practices provisions took effect in February 2025. The requirements for high-risk AI systems are coming into force in stages through 2026. Compliance departments at companies operating in Europe are learning a new vocabulary: conformity assessments, notified bodies, technical documentation requirements, post-market monitoring. The machinery of European regulation is grinding into motion.

And here is the uncomfortable truth: the AI Act is simultaneously one of the most important pieces of technology legislation ever passed, and a regulation that may systematically disadvantage the region it is supposed to protect. Both statements are true. The contradiction is the story.

Start with what the Act actually does, because much commentary treats it as a vague gesture toward responsible AI rather than a specific legal instrument. The Act uses a risk-tiered approach. Certain AI applications are prohibited outright: real-time biometric surveillance in public spaces by law enforcement (with narrow exceptions), social scoring systems of the kind deployed by the Chinese government, AI that manipulates people through subliminal techniques, and systems that exploit vulnerabilities of specific groups. These prohibitions are essentially uncontroversial — few serious people argue that Europe should permit mass facial recognition surveillance in public squares.

The more consequential tier is “high-risk” AI. Systems in this category — including AI used in hiring, credit scoring, educational assessment, law enforcement, migration, and critical infrastructure — face substantial requirements. They must undergo conformity assessments, maintain detailed technical documentation, ensure human oversight mechanisms, and register in an EU database before deployment. Providers of foundation models, the large general-purpose systems that underpin much of modern AI, face their own obligations: transparency about training data, capability evaluations, and cybersecurity measures.

The genuine importance of this framework is hard to overstate. For decades, technology companies have operated in a regulatory vacuum that allowed them to deploy systems affecting millions of people with essentially no accountability structure. Hiring algorithms trained on biased historical data systematically disadvantaged certain groups. Credit-scoring systems made consequential decisions about people’s lives with no meaningful right to explanation. Facial recognition software was deployed by private companies with error rates that varied dramatically by skin color, and nobody was required to disclose this, test for it systematically, or fix it before deployment.

The AI Act changes this calculus. When a company knows that its hiring AI must undergo a conformity assessment, maintain documentation, and submit to potential audit, it has incentives to actually test that system for bias rather than hope nobody notices. The mere existence of legal liability concentrated minds in ways that voluntary guidelines and ethical charters — of which there were many, to essentially no effect — never did. Brussels has a well-documented history of setting global regulatory standards through the “Brussels effect”: companies operating globally find it easier to meet the strictest standard everywhere than to maintain different products for different jurisdictions. GDPR reshaped privacy practices worldwide. The AI Act may do the same.

This is genuinely valuable. The alternative was not a world of responsible, self-regulating AI companies — it was the world we actually lived in before the Act passed, where companies deployed systems affecting millions of people with no external accountability whatsoever.

And yet. The costs of this framework are not distributed equally, and the distributional effects are precisely where the Act’s problems become most acute.

Consider compliance burden. A large American or Chinese AI company deploying systems in Europe faces compliance costs that are, relative to total revenue, manageable. Google spending €50 million on European AI compliance is annoying; it is not existential. A European startup building a hiring AI tool for mid-size companies faces the same compliance requirements with a fraction of the resources. Conformity assessments require third-party auditors who don’t yet exist in large numbers. Technical documentation requirements demand legal and engineering expertise that small teams don’t have. The regulatory cost functions as a floor — anyone below a certain scale cannot afford to operate in the relevant categories.

This effect is not hypothetical. The GDPR precedent is instructive and sobering. When GDPR took effect in 2018, its champions argued it would create a level playing field and force American tech giants to respect European privacy values. What happened instead was more complicated. Large American platforms — Google, Meta, Amazon — hired compliance teams, built data processing agreements into their standard contracts, and continued operating. European startups in the data economy were devastated. A 2020 study found that GDPR had reduced venture capital investment in European tech companies relative to pre-GDPR trends, and had led to market concentration as smaller players couldn’t afford compliance. The regulation that was supposed to protect European citizens from Big Tech ended up, in the data economy, strengthening Big Tech’s competitive position.

The AI Act risks reproducing this dynamic at larger scale. The compliance threshold does not apply uniformly to all AI; it applies specifically to high-risk categories. But many of the most commercially interesting AI applications — hiring, credit, healthcare, education — sit precisely in those high-risk categories. European startups attempting to build in exactly these domains face compliance costs that create competitive disadvantages relative to non-European competitors who can develop and iterate freely before potentially entering the European market later, already mature and well-funded.

The extraterritorial dimension compounds the problem. The Act applies to providers placing AI systems on the EU market regardless of where those providers are located — a provision modeled on GDPR’s extraterritorial scope. This means that a company based in Austin or Bangalore building a hiring AI used by even one European company is technically subject to the Act’s high-risk requirements. In practice, enforcement against non-European companies is difficult. European companies face full domestic enforcement. The result is regulatory asymmetry: European developers operate under rules their foreign competitors can more easily evade.

This creates incentives for what economists call regulatory arbitrage. A European AI founder facing a compliance-heavy regulatory environment and a relatively shallow pool of AI-focused venture capital has a straightforward calculation to make. Incorporating in the UK — which has taken a deliberately lighter-touch approach to AI regulation — or the United States removes the regulatory burden while preserving access to European markets (at the cost of some compliance at the point of sale, rather than development). Several European AI founders have already made this calculation. The trend is not yet a flood, but the direction is legible.

The innovator’s dilemma for European AI takes a specific form. The AI Act is particularly burdensome for development-stage iteration. The requirements for high-risk AI systems assume a relatively stable, defined system that can be documented, assessed, and monitored. Real AI development involves rapid iteration, frequent model updates, and pivots between use cases. Requiring a conformity assessment every time a high-risk model is substantially modified creates friction that does not affect research but does affect the development phase — precisely the phase where European companies are most fragile relative to their better-funded American competitors.

None of this means the AI Act was wrong to pass. The question of whether to regulate consequential AI systems is not seriously debatable; the only real debate is how. The Act’s prohibitions on the most harmful applications are clearly correct. Its requirement that high-risk systems maintain documentation and human oversight addresses genuine problems with accountability-free AI deployment. The foundation model transparency requirements are a reasonable first attempt to manage risks from the most powerful systems.

The more tractable critique is about implementation design rather than regulatory intent. A more effective regime might have staged compliance requirements tied explicitly to company size — imposing full conformity assessment requirements only on companies above certain revenue or deployment thresholds, with lighter-touch certification for startups. It might have created a European AI regulatory sandbox, a structured environment where companies could develop and test high-risk AI under regulatory supervision without triggering full compliance requirements, graduating to full compliance at scale. It might have focused initial enforcement on the largest deployments — the systems affecting the most people — rather than applying the same requirements uniformly to a startup’s beta product and Google’s enterprise offering.

These are not radical suggestions. They are the kind of proportionality mechanisms that sophisticated regulatory design normally incorporates. The AI Act’s architects, to their credit, included some proportionality language. Whether it is sufficient will be visible in the data over the next few years: whether European AI investment grows or contracts relative to global trends, whether European founders continue to relocate, whether the high-risk categories become effectively monopolized by large incumbents.

The standing ovation in the European Parliament was warranted. So is the anxiety in European AI startup offices. History rarely produces regulations that get everything right in the first version. What matters now is whether European policymakers are watching the right metrics and willing to adjust when evidence accumulates — or whether, as has sometimes happened before, they will defend the architecture of a regulation long after the data has indicated its costs.

The Brussels effect is real. The question is whether, this time, the standard Europe exports to the world is one that serves innovation as well as accountability.