The Berlaymont building, headquarters of the European Commission in Brussels, illuminated at dusk with digital circuit patterns overlaid, symbolising European digital regulation.

The debate about the EU AI Act keeps arriving at the wrong destination — not because the questions are wrong, but because both sides refuse to hold two things at once. Compliance costs are real. The documentation burden for a high-risk AI system is not trivial, and for a small team building on a tight runway, regulatory overhead is a genuine constraint. At the same time, the Act provides structural instruments that carry measurable value: the ability to set deployment terms in the world’s largest single market, enforcement leverage over foreign providers, and a regulatory template that other jurisdictions can and do adopt. Neither fact cancels the other. The debate worth having is whether the Act’s costs are proportionate to what it actually delivers — and whether the loudest voices calling for rollback are the ones who would benefit most from the answer they are promoting.

The Debate as It Actually Stands

The case against the AI Act is not monolithic, and treating it as if it were US-manufactured lobbying misses something important. Criticism comes from multiple directions at once.

European startup founders and investor networks have raised substantive points about legal uncertainty in risk classification. Determining whether a product falls under the high-risk category defined in Annex III is not straightforward, and founders without legal resources face genuine ambiguity at the point where a decision to build has to be made. BusinessEurope, representing European employers, has argued that compliance costs fall disproportionately on European firms competing against US hyperscalers who have already built compliance infrastructure at scale. Several EU member states — including France, home to a growing domestic AI sector — have pushed internally for lighter implementation timelines, not as a concession to Washington, but to protect domestic capacity. The European Parliament’s own Research Service flagged during the drafting process that Annex III’s risk criteria were written at a level of abstraction that would require legal interpretation in most real-world cases.

These concerns exist independently of any US pressure and deserve to be evaluated on their own merits. The repeal argument — compliance overhead, innovation throttling, competitive disadvantage relative to the US and China — is not wrong about the costs. It is incomplete about the alternatives and evasive about who benefits most from removing the framework entirely.

External Pressure Is Real — and Strategically Motivated

The external dimension of this debate is well-documented and should not be minimised. At the Paris AI Action Summit on 11 February 2025, US Vice President JD Vance delivered a significant intervention. “We believe that excessive regulation of the AI sector could kill a transformative industry just as it’s taking off,” he said. He warned that “some foreign governments are considering tightening the screws on U.S. tech companies,” and pledged that “American AI will not be co-opted into a tool for authoritarian censorship.” His position was unambiguous: American AI as the global gold standard, deregulation as the default.

Eleven days later, on 22 February 2025, President Trump signed a memorandum directing his administration to consider tariffs against any country that taxes, fines, or regulates American tech companies. The White House specifically named the Digital Markets Act and the Digital Services Act as targets for scrutiny. This was not a suggestion. It was a trade policy instrument.

Two podiums with American and EU flags facing each other across an empty conference hall, representing the geopolitical confrontation over AI regulation.

What matters is separating two distinct claims: that the US has applied sustained, coordinated pressure to weaken European AI regulation; and that all criticism of the Act is therefore an extension of that pressure. The first claim is well-evidenced. The second is not — and conflating them weakens the sovereignty argument by making it unfalsifiable. European founders raising legitimate concerns about legal uncertainty are not doing Washington’s bidding. Treating them as if they are forecloses the internal debate Europe actually needs to have.

The Digital Omnibus: Pressure from Both Directions

In 2025, the European Commission proposed the Digital Omnibus: a package of amendments that delays high-risk AI compliance deadlines by up to 16 months, pushing obligations for organisations deploying AI in hiring, loan assessment, and similar high-risk domains from August 2026 to December 2027. The Council agreed on its position in March 2026.

Framing this purely as capitulation to US pressure is too simple. The Omnibus had significant support from within Europe: from member states wary of compliance costs landing on domestic businesses, from European trade associations that had lobbied for simplification on their own terms, and from Commission officials who concluded that implementation timelines were not achievable as written. WIRED’s account of Washington and American tech giants coordinating to weaken the law is credible and well-sourced. But that coordination worked in part because it aligned with genuine internal European concerns — it did not manufacture them.

The result is the same either way: a weakened enforcement timeline and a signal that the Act’s ambitions are negotiable. Understanding how that happened matters, because the response looks very different depending on whether the primary problem is external geopolitical pressure, insufficient internal political will, or implementation design failures.

Where the Act Falls Short by Design

An honest assessment of the AI Act must acknowledge that some of its structural weaknesses are design problems, not implementation failures.

The sandbox provisions in Article 62 are a genuine innovation. But the Act delegates sandbox implementation entirely to member states without minimum quality standards, mandatory timelines, or funding guarantees. In practice, sandbox availability across the EU is deeply uneven. A founder in Finland or the Netherlands operates in a materially different regulatory environment than one in a member state that has not yet established a functioning sandbox. This is not bad execution of a good law. It is a decentralised design without a minimum backstop — one that produces predictably unequal outcomes and is unlikely to resolve itself without legislative intervention.

The risk classification framework has a related problem. Annex III’s criteria require legal interpretation in most real-world cases. There are no official safe harbours for lower-risk applications that might technically fall within scope. The result is that founders rationally seek legal counsel before building, not after — a compliance cost that lands before a single line of product code is written. This cannot be resolved by better tooling alone. It requires either narrower legislative language or formally binding guidance with safe harbour effect. The Commission has not yet delivered either, and the Omnibus delay does not address it.

What the Act Does Right for Smaller Builders

Setting aside those design gaps, the Act’s risk-based architecture is correct in one important respect: it concentrates obligations where risk is highest. The majority of AI applications — recommendation systems, document processing tools, internal search functionality — fall outside the high-risk category and face no meaningful compliance burden under the Act itself. The overregulation narrative often conflates the complexity of the full framework with the actual burden on any given builder, and they are not the same thing.

Article 62 of the Act mandates that member states give small and medium-sized enterprises priority access to regulatory sandboxes, with conformity assessment fees explicitly required to be proportional to company size and market reach. The Digital Omnibus extends these protections to a broader category of smaller companies and projects at least €225 million in annual savings. The Commission’s stated target is a 35% reduction in administrative burdens for SMEs by 2029. These provisions exist on paper. The gap between their existence and their operational availability is precisely where the legitimate implementation critique lives — and it is a gap that should be named as such, rather than used to argue that the Act itself is the problem.

It is also worth being precise about what the Act is not responsible for. Europe’s venture capital gap — roughly a 5:1 shortfall versus the US in AI-focused investment, documented by the European Investment Fund — has structural roots: fragmented capital markets, risk-averse institutional investors, and pension funds that do not allocate meaningfully to early-stage ventures. Removing the AI Act would not close that gap. Conflating regulatory overhead with capital market failure is a category error, and one that lets the Commission off the hook for the deeper structural reform it has not yet attempted.

There is a further architectural point worth making carefully: a team running an open-weight model on local infrastructure has a genuinely simpler compliance story than one routing sensitive data through a US cloud API — under the AI Act, under GDPR, and under NIS2 simultaneously. This is true. But it reflects an architectural advantage, not a regulatory strategy in itself. The regulatory environment rewards this architecture; it did not create it, and regulation alone cannot substitute for the infrastructure investment and capital availability that make it viable at scale for the broad market.

The Brussels Effect: Real, with Limits

The concept of the Brussels Effect, developed by Anu Bradford, explains part of why the external pressure on the Act is so sustained. Once the EU sets rules for its internal market, companies worldwide adapt rather than maintaining separate compliance regimes. The GDPR becoming the de facto global privacy standard is the most frequently cited example. The AI Act was designed to replicate this for AI governance. If it succeeds, US firms face cascading global compliance obligations as other jurisdictions align. Weakening the Act at source limits that diffusion. This logic explains the scope of Trump’s memorandum, which targeted not just the AI Act but the DMA, the DSA, and the GDPR: the entire European regulatory stack functions as a market sovereignty instrument, and the external pressure is calibrated accordingly.

A map of Europe rendered as a circuit board with traces radiating from Brussels, visualising the Brussels Effect of EU regulation spreading across borders.

Scholars writing in the European Journal of International Law have argued that the AI Act’s global reach may prove more “mirage” than Brussels Effect — more symbolic than practical, lacking the direct market-shaping force of the GDPR. This nuance matters and should not be dismissed by the Act’s defenders. The GDPR succeeded in part because data processing is a universal function of almost every digital product. AI system deployment, as defined in the Act, is more targeted in scope. Whether the Brussels Effect replicates is an open empirical question. What the sustained external pressure confirms is that the Act’s perceived strategic value is high — but perceived value and demonstrated reach are not the same thing.

The Risks of Continued Erosion

The GDPR precedent is worth holding onto. Despite sustained US pressure, Europe held the line on enforcement. By January 2026, cumulative GDPR fines had reached €7.1 billion. US tech companies restructured data practices globally to comply with European rules rather than lose access to the world’s largest single market. That outcome was not guaranteed. It required sustained political will at a moment when yielding would have been easier.

The risks of continued AI Act erosion are concrete. Without enforceable rules, the terms of AI deployment in Europe are set by market dominance alone — no European input, no structured oversight. If Europe signals that it will not enforce its own frameworks, other jurisdictions have reduced incentive to adopt comparable standards, and the regulatory vacuum fills with corporate defaults rather than deliberate policy.

One note of precision on a frequently cited anecdote: the European Commission’s AWS infrastructure breach in March 2026, in which over 350 gigabytes of data were extracted from the infrastructure hosting the Europa.eu platform, is real and significant. But it is evidence of a procurement policy failure — the Commission’s own choice to host core public infrastructure on a US cloud provider — not a gap in the AI Act’s scope. The AI Act governs AI system deployment; it does not govern cloud procurement decisions. The more precise lesson is about the distance between Europe’s stated regulatory ambitions and its own institutional practices. That distance is real and consequential, but it is a different problem from the one the Act addresses.

A crack running through the glass facade of a European institutional building, with a subtle balance-scale pattern, representing the fragility of European regulatory sovereignty under external pressure.

What Better Implementation Actually Requires

The EU AI Act does not need to be perfect to be necessary. It does need to be honest about its own gaps — and its defenders need to be willing to name them, rather than attributing every difficulty to implementation failure or external pressure.

Some of what needs to change is implementation: regulatory sandboxes that are funded and operational across all member states, not just the digital leaders; plain-language risk classification guidance that reduces legal dependency for smaller builders; and compliance tooling designed for founders rather than legal departments. These are legitimate demands to make of the Commission and of member states that have treated Article 62 as optional rather than mandatory.

Some of what needs to change is the law itself. The Annex III risk criteria could be sharpened with clearer thresholds and fewer ambiguous proxies. Safe harbour guidance with formal binding effect could reduce the cost of legal uncertainty without weakening the framework’s core protections. These are substantive improvements that can be argued on their merits — and they strengthen the Act rather than erode it.

What is not justified is using legitimate startup friction as rhetorical cover for deregulation that primarily benefits platforms already dominant in the European market. The companies pushing hardest for delays and rollbacks are not ten-person teams building AI tools in Ghent or Tampere. Amazon, Google, and Microsoft have compliance departments. A ten-person team does not — but a blanket rollback does not help that team. It removes the constraints that currently apply to their largest competitors.

Europe’s regulatory ambition and its capacity to support AI innovation are in tension, but not in fundamental conflict. The tension is a delivery problem: slow sandboxes, unclear classification, inconsistent implementation across member states, and institutional documents written for lawyers rather than founders. Addressing that honestly — including the places where the Act’s own design makes delivery harder — is the argument worth having. Framing every critique as capitulation, or every amendment as surrender, forecloses it. The Act is doing important structural work in a hostile environment. It would do that work better if its defenders held it to a higher standard.

Sources

Disclosure: The author has published a separate paper, The Great Return: Why 2026 Marks the Tipping Point for Local AI Migration in Europe (Zenodo, 2026), which examines structural trends in local AI deployment across European regulated sectors. That paper provides background context for some of the architectural observations in this article but is not used as primary evidence for the regulatory analysis above.