AI Regulation: The Dilemma Between Protecting and Falling Behind

Why governments can’t agree, and what that means for you

0 AI Regulation - www.jarroba.com - Gemini.png

A standalone article from the series “AI and You”.

There are two ways to end up in a bad place with AI regulation:

Under-regulation: regulate too early, with rules that don’t understand the technology, and end up exporting the competitive edge to whoever doesn’t have those rules.
Regulatory failure: regulate nothing and discover, too late, that the harms that could have been prevented are already being suffered by millions of people.

No government in the world has solved this dilemma yet. What exists is a map of very different responses emerging in parallel: Europe with the most systematic approach — and the most criticized — the United States with the most volatile one, China with the most interventionist, and the rest of the world observing and copying fragments of each model.

This article doesn’t advocate for any position. It analyzes the options, their real consequences, and what they mean for anyone who works with AI, builds it, or simply uses it.

An honest note before we begin: this is a topic I care about, that touches my field of work, so I have tried to be rigorous with every figure and every date, cross-checking against primary sources whenever possible. But I am not a lawyer or a regulator, and it’s reasonable that I may have missed something or interpreted it incorrectly. What follows is general information organized according to personal judgment — it is not legal advice or an authoritative interpretation of any regulation. If you need to make a real compliance decision, consult a professional and verify the cited sources yourself: I take no responsibility for decisions made based on this text. If you find an error, I’d be grateful if you pointed it out so I can correct it.

1 The AI regulation dilemma - how to get it wrong - www.jarroba.com - Gemini.png

Where regulation can happen

The most important question a legislator would need to answer is harder than it looks: What exactly are you regulating? And it’s hard not only because those who regulate don’t understand the depth of the technology, but because those of us who do understand it are still defining, discovering, and starting over in an apparently endless evolutionary cycle.

AI is not a product with a fixed shape. It is, depending on context, a mathematical model, a software service, a decision-making system, or a communication tool. Depending on which layer you put the rule in, the effect is completely different:

Layer 1 — The foundation model: regulating the laboratories that train foundational models (OpenAI, Anthropic, Google/Alphabet, Mistral, Alibaba). The impact is high because very few organizations build the most advanced models. The problem: almost all of them are in the US and China; European regulation collides with the sovereignty of another state.

Layer 2 — The application: regulating whoever deploys AI in a specific product (an insurance company using AI to assess risks, an HR company using it to screen CVs). This is the layer of the EU AI Act: the legislator regulates the use, not the model. The challenge: the same model can be deployed for uses with very different risk profiles.

Layer 3 — Training data: regulating what data can be used to train models, with what consent, and with what right of deletion. The technical problem is real: removing a specific piece of data from an already-trained model is today technically very costly and in some cases impossible without retraining the entire model — the problem the field of machine unlearning is trying to solve, without a satisfactory solution at scale yet.

Layer 4 — Outputs: regulating what an AI system can say or do. This is the hardest layer: the system generates its outputs in real time in response to an endless variety of questions that cannot be anticipated. Holding a company responsible for every response its AI gives to any user in any language and context is, in practice, demanding an impossible level of control.

Almost all existing regulations mix these four layers without clearly separating which applies in each case. The consequences of that imprecision are the legal bugs that later generate litigation or paralysis.

There is a Layer 5 that no regulatory framework names as such, because it is not a technical feature of the AI system but of the commercial contract between the provider and whoever pays for it: quotas, credits, price changes, the gap between what is promised and what is delivered. We add it here as its own category — it is not an official layer of any existing framework, it’s an observation — because, as we will see later, it is where the first real litigation against a frontier AI provider is emerging (and likely not the last, since other providers are acting similarly).

2 AI policy layers 1 to 4 and the commercial contract layer 5 - www.jarroba.com.png

Layers 1 to 4 are an analytical structure commonly used in the AI policy debate. Layer 5 is an observation original to this article, not a recognized category in regulatory literature.

The EU AI Act: the first major systematic attempt

The European Union published the Artificial Intelligence Regulation (EU Regulation 2024/1689) on 12 July 2024 in the Official Journal. It entered into force on 1 August 2024, with a phased implementation:

2 February 2025: absolute prohibition of the highest-risk uses (state social scoring systems, real-time biometric identification in public spaces with limited exceptions, subliminal manipulation).
2 August 2025: full applicability of rules for general-purpose AI models (GPAI), including GPT-4 and Claude. The GPAI Code of Practice — the Commission’s voluntary tool for demonstrating compliance — was signed in July 2025 by Anthropic, Google, IBM, Microsoft, Mistral, OpenAI, and Cohere, among others; Meta did not sign it, and xAI only subscribed to the safety chapter.
2 December 2027 (originally 2 August 2026): full requirements for high-risk AI systems listed in Annex III (critical infrastructure, employment, education, essential services, law enforcement, migration, justice).
2 August 2028 (originally 2 August 2027): AI systems that are safety components in products already regulated by pre-existing European sectoral legislation (Annex II: medical devices, industrial machinery, civil aviation, vehicles, railways, personal protective equipment). These products face double compliance: the sector that already regulates them, plus the AI Act on top.

What is coming specifically in August 2026: Article 50 of the regulation imposes transparency obligations for four specific scenarios:

Synthetic content: any system generating audio, image, video, or text must label it in a machine-readable and AI-detectable way.
Chatbots and virtual assistants: must warn that the user is interacting with an AI, not a person.
Deepfakes: must disclose their artificial origin without exception save, for authorized police investigation or national security.
Emotional and biometric analysis: any system that analyzes emotions or categorizes by biometric traits must inform users before the interaction.

The first draft of the Code of Practice on content labeling was published in December 2025; the final version was published on 10 June 2026, just before the obligation takes effect. On 8 May, the Commission also published a draft interpretive guidelines on the full scope of Article 50: non-binding, but the first official document that specifies which systems fall within scope and what form warnings must take. Systems already deployed before that date have a grace period until 2 December 2026 to comply. This obligation has not been affected by the delay described below.

What already got delayed — not what might get delayed: in November 2025, the European Commission proposed, through the Digital Omnibus package, decoupling the strict compliance dates for high-risk requirements from the actual availability of the support tools companies need. On 7 May 2026, the EU Council and the European Parliament closed the final agreement: the high-risk requirements from Annex III move from August 2026 to December 2027 (16 months’ delay), Annex II safety components move from August 2027 to August 2028 (one year), and the obligation for each member state to have an operational national regulatory sandbox moves from August 2026 to August 2027. The dates in this section already incorporate that agreement; if you see “August 2026” cited as a deadline elsewhere, those sources are likely using the original calendar, which no longer applies.

3 EU AI Act implementation timeline - www.jarroba.com.png

Official calendar in force as of this article (July 2026), already incorporating the May 2026 delay. Between 2028 and 2031, the regulation also sets several purely administrative milestones — periodic Commission reviews every 3–4 years, AI Office evaluation, expiry of delegated powers in 2029 — without new substantive obligations for companies; omitted here for simplicity. Interactive and always-updated timeline at AI Act Explorer.

The penalties under the regulation itself, set in its Article 99, are organized in three tiers: up to €35 million or 7% of global annual turnover (whichever is higher) for the prohibited practices in Article 5; up to €15 million or 3% for other infringements by operators and notified bodies — including the Article 50 transparency obligations, which fall in this middle tier, not the maximum — ; and up to €7.5 million or 1% for providing incorrect or incomplete information to authorities. For SMEs and startups, the lower of the fixed amount and the percentage always applies.

The central mechanism of the EU AI Act is risk classification in four levels:

4 EU AI Act four risk levels schema - www.jarroba.com.png

Simplified diagram of the four EU AI Act risk levels. Source: EU Regulation 2024/1689.

The logic is sound: concentrate regulation where the potential harm is greatest. The problem is that most real-world systems are hard to classify with certainty until they are used in a specific context. Is a contract-drafting AI high risk if the contract involves employment conditions? What if it only suggests drafts that a lawyer always reviews?

Spain and AESIA

Spain was the first country in the European Union to create a body dedicated exclusively to supervising AI (article in Spanish): the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), attached to the Ministry of Economic Affairs and Digital Transformation through the State Secretariat for Digitalization and Artificial Intelligence. Its statute was approved by Royal Decree 729/2023, of 22 August (Spanish Official State Gazette) (published on 2 September 2023).

AESIA acts as the national competent authority for applying the EU AI Act in Spain. Its main functions are supervision, investigation of potential infringements, and coordination with equivalent agencies in other member states.

What remains unresolved is the division of powers with other already-existing bodies: the Spanish Data Protection Agency (AEPD, which remains the authority for everything related to personal data), the Bank of Spain (for financial systems), the Spanish Agency for Medicines (for medical AI), and the National Securities Market Commission (CNMV). The EU AI Act expressly provides that existing sectoral bodies be the supervisory authorities for high-risk systems in their sector. The map of who supervises what began to be defined in more detail in mid-2026, as described below.

That ambiguity began to resolve on 12 June 2026, when the Government presented the draft Organic Act on Artificial Intelligence, the norm that transposes the AI Act into the Spanish legal order with specific authorities, procedures, and penalties. AESIA is established as the market surveillance authority, single point of contact with the European Commission, and manager of the mandatory regulatory sandbox — but the model remains shared: the Directorate General for AI, the AEPD, the General Council of the Judiciary, and sectoral supervisors retain specific powers within their domain.

The national penalty regime adds a fourth tier that the European AI Act does not have:

Very serious infringements for prohibited practices: up to €35 million or 7% of worldwide turnover.
Other very serious infringements: €15 million or 3%; serious infringements: €7.5 million or 1%.
Minor infringements: €500,000 or 0.5% — a category that does not exist as such in the European regulation, added by Spain to sanction minor breaches without going straight to the most severe fines.

The draft also introduces national inventories of AI systems, an AI delegate role in public administrations, and reinforced specific protections against deepfakes. The deadline for reporting serious incidents to AESIA is 72 hours, the same intermediate threshold that NIS2 requires for the detailed notification.

AESIA’s capacity to create regulatory sandboxes is not new — it has been in its founding statute since 2023 (Article 10.1.a) — ; what the European calendar and the Organic Act add is the obligation, with a specific deadline, to have one operational. The agency already has a real use case to show: in June 2026, it closed Spain’s first AI sandbox — and one of the first in Europe — funded with €4.3 million from the Recovery Plan and developed in collaboration with the European Commission’s AI Office. It received 44 applications (18 SMEs, six startups, and one French company) and published the first technical guides for meeting high-risk obligations, filling a gap while European harmonized standards are still being built.

The delay of employment requirements until December 2027 has already prompted the first explicit political response: on 25 June, Deputy Prime Minister and Minister of Labour Yolanda Díaz announced in Oxford her intention to regulate AI in the workplace above European minimums (article in Spanish) — personnel selection, performance evaluation, dismissals, monitoring — without waiting for Community requirements to become mandatory. The proposal does not yet have a concrete regulatory form, but it points to a pattern that other member states might follow: the Digital Omnibus opened the calendar for companies and, at the same time, the space for some countries to fill the gap on their own before 2027.

Beyond the AI Act: NIS2 and DORA

The EU AI Act regulates AI according to the risk of its use. But there are two European frameworks that overlap with it and affect any organization using AI in critical infrastructure or financial services: NIS2 and DORA. Neither is specific to AI — they regulate operational cybersecurity — but they cover exactly the attack vectors described in the previous article on “At Machine Speed: How AI Has Broken the Cybersecurity Balance”.

NIS2 (EU Directive 2022/2555, transposed in Spain from October 2024) extends the scope of cybersecurity regulation to thousands of entities that were previously uncovered: energy, transport, banking, health, digital infrastructure, and ICT service providers, among others. Its two most direct obligations for organizations deploying AI are: managing supply chain risk — including AI tool providers — and reporting significant incidents within 24 hours (initial warning), 72 hours (detailed report), and one month (final report). Penalties for essential entities reach €10 million or 2% of global annual business volume, whichever is higher; for important entities, €7 million or 1.4%.

DORA (EU Regulation 2022/2554, fully applicable since January 2025) does the equivalent for the financial sector: banks, insurance companies, investment firms, crypto-asset providers, and their critical ICT providers. It adds a specific requirement: periodic operational resilience testing (TLPT, Threat-Led Penetration Testing), which evaluates systems against the same techniques real attackers use. AI systems used in financial operations fall directly within the ICT risk management framework DORA requires.

The connection with the AI Act is practical: a high-risk AI application in the healthcare sector may fall simultaneously under the AI Act (by type of system) and NIS2 (by the sector where it operates). Compliance is not one or the other; it is the intersection of both. For organizations within that scope, AI governance is not a discretionary strategic decision: it is a legal obligation with its own deadlines and penalties.

Beyond the EU: the first binding international AI treaty

While the EU AI Act regulates the European single market, there is a different framework that crosses borders the AI Act does not reach: the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, opened for signature on 5 September 2024 in Vilnius (Lithuania) — hence informally known as the “Vilnius Convention.”

It is, according to the Council of Europe itself, the first legally binding international treaty on AI. The difference in approach from the AI Act is real: where the European regulation is a market norm focused on product safety and commercial risk classification, the Vilnius Convention pursues something different — that the lifecycle of AI systems respects human rights, democracy, and the rule of law — and requires signatory states to conduct impact assessments before deploying systems, guarantee the right to know when interacting with an automated system, and provide judicial challenge routes against biased algorithmic decisions.

What makes this convention distinctive is who signed it on the first day: alongside the European Union and several Council of Europe member states (Andorra, Georgia, Iceland, Moldova, Norway, San Marino), it was also signed by the United Kingdom, Israel, and, notably, the United States — the same country that, as we will see in this article, has no federal AI regulatory framework for the private sector. The apparent contradiction is explained by the scope: the convention focuses mainly on the use of AI by the public sector, with flexibility of adaptation for the private sector. The US can sign a commitment on AI and human rights in public administration without that implying any concession on its position of not regulating the commercial development of models.

The list of signatories has grown since then: Canada and Japan joined on 11 February 2025, as the twelfth and thirteenth signatories. And there is a stronger legal step than signing: ratifying. The European Union ratified the convention on 15 May 2026, during the 135th session of the Committee of Ministers in Chișinău (Moldova). The convention will enter into force when five signatories have ratified it, at least three of them Council of Europe member states — a threshold that, at the time of this article, has not yet been reached. Signing is a declaration of intent; ratification is the step that converts that intent into an internal legal obligation for the signatory.

The problem of holding anyone accountable for the impossible

There is a legitimate criticism worth not dodging: part of current regulation asks companies to be held responsible for things they cannot control.

The clearest cases:

User-generated content: if a platform allows its users to create or modify content with AI, is it responsible for every image, text, or video that any user generates? Reviewing in real time all AI-generated content before it appears on the platform is technically unfeasible at scale.
Real-time harmful responses: if an AI system gives a user a response that turns out to be illegal or harmful in a specific context, who is responsible? The regulator faces a real tension: if it only holds the user responsible, the manufacturer has no incentive to filter. If it only holds the manufacturer responsible, the company has to anticipate thousands of possible use contexts.
Right to be forgotten in training data: the GDPR recognizes the right to have a company delete your personal data. Applied to a model trained with that data, the technical question is whether the data “is” really in the model or whether the model has simply generalized it. The technical answer is ambiguous; the legal one, even more so.
AI in judicial decisions: the most cited case is State v. Loomis (Wisconsin Supreme Court, 2016). Eric Loomis received a six-year prison sentence based partly on the evaluation of the COMPAS software (Correctional Offender Management Profiling for Alternative Sanctions), which classifies recidivism risk. A ProPublica investigation using Florida data showed that the algorithm assigned high-risk scores to Black defendants more frequently than to white defendants in comparable situations. The manufacturer disputed that interpretation. The Wisconsin Supreme Court upheld the use of the algorithm but required that sentences include explicit warnings about its limitations and potential racial bias. The result is a situation where nobody is clearly accountable: not the algorithm’s manufacturer, not the judge who used it, not the state that authorized it.

None of this means regulation is unnecessary. It means that poorly calibrated regulation can generate obligations that incentivize one of two equally bad behaviors: either companies that abandon the regulated market (and then people use them anyway from outside), or companies that generate compliance documentation without anything changing in practice.

The gap nobody regulates: quotas, credits, and AI plan advertising

This is the fifth layer we mentioned at the beginning of the article, the only one of the five that still has no dedicated regulatory framework.

In June 2026, Karl Kahn filed a class action lawsuit against Anthropic before the US District Court for the Northern District of California. The lawsuit alleges false advertising: Anthropic marketed the Claude Max 20x plan ($200/month) as “20 times more usage” than the Pro plan, and the Max 5x ($100/month) as “5 times more usage” — but according to the filing, the Max 20x delivers in practice between 6 and 8 times the Pro usage, and the Max 5x around 3.5 times. The lawsuit also accuses Anthropic of falsely claiming that the Max 20x plan offers a “50% savings.” Kahn reports that a single five-hour programming work session consumed 15% of his weekly limit, making it mathematically impossible to reach the advertised multiplier under sustained use. The lawsuit, represented by attorney Kati Daffan, seeks class certification for all Max 5x and Max 20x subscribers since April 9, 2025, as well as damages, restitution, and injunctive relief.

The case is neither isolated nor exclusive to Anthropic. Any developer who has followed the transition of GitHub Copilot to usage-based billing in June 2026, or the quota changes of JetBrains AI Assistant in August 2025 — from a generous free tier that seemed inexhaustible to a paid plan where two queries could already consume the entire weekly credit, with AI Pro setting 10 credits per real dollar of token consumption — sees a similar pattern. The real cost of inference is variable and, as the sector itself has acknowledged, hard to predict even for the provider: one of Anthropic’s enterprise customers accumulated $500 million in a single month, according to a consultant’s account reported by Axios, without the company publicly confirming. Against that variability, “unlimited plans” or “fixed multipliers” tend to be adjusted — almost always downward — over time, with little advance notice and fine print almost nobody reads until they hit the limit. I go deeper into this economic dimension — why the real cost of AI diverges from the announced subscription price, and how that separates those who can afford intensive use from those who can’t — in The Real Cost of AI: From the Democratic Promise to the Enterprise Model, a standalone article that approaches the problem from the business angle rather than the regulatory one.

This is technically a consumer protection and advertising problem — not AI safety or risk classification — so none of the frameworks described in this article cover it. The EU AI Act regulates the risk of the system, not the clarity of a subscription plan; NIS2 and DORA regulate operational resilience, not commercial transparency. It is a real regulatory gap and, judging by the first litigation, already active — simply less visible than the debate about deepfakes or algorithmic bias.

The US model: from executive order to deregulation

On 30 October 2023, the Biden administration signed Executive Order 14110, the most ambitious regulatory framework AI had ever had in the US: reporting requirements for large-scale systems, use of the Defense Production Act to demand transparency from labs and federal AI coordination.

On 20 January 2025, the first day of the Trump administration, that executive order was revoked. The new federal policy became, explicitly, unconstrained AI growth as a priority of national defense and economic competitiveness. For much of 2025, regulation was, in practice, left to the states (with California at the vanguard, with its own active legislation).

That delegation to the states didn’t last long: on 11 December 2025, Trump signed a new executive order that reverses course. It creates a litigation group in the Department of Justice (AI Litigation Task Force) to legally challenge state AI laws, conditions federal broadband funds on states suspending the enforcement of rules that conflict with federal policy, and tasks the FTC with justifying the preemption of state laws via unfair practice prohibitions. At the time of this article, the institutional clash between Washington and the states — California on the front line — remains open in the courts, with no firm resolution.

The result is that, in 2026, the US has the largest concentration of AI laboratories in the world, the largest private capital invested in the sector, and virtually no federal supervisory framework for the most powerful deployed models: what exists is not the absence of regulatory movement, but a push to centralize it in the opposite direction from Europe — not to impose safety obligations, but to eliminate the ones states had begun to impose.

The argument in favor: American innovation speed is maintained because there are no regulatory barriers slowing experimentation. The argument against: if harms materialize at scale, there will be no institutional mechanisms to respond in time.

AI as a geopolitical asset: when you get disconnected overnight

On 13 June 2026, America’s “unconstrained growth” policy showed its other face.

Secretary of Commerce Howard Lutnick sent a directive to Anthropic ordering the immediate suspension of access to its most advanced models — Fable 5 and Mythos 5 — for any foreign national, including the company’s own foreign employees. The trigger: another company claimed to have found a jailbreak (a technique to bypass the model’s security restrictions and make it generate content it would normally block) of Fable 5. That was enough to activate export controls on a commercial AI model for the first time in history.

Anthropic, given the technical impossibility of discriminating users by nationality in real time, deactivated the models for all its customers without exception. The company complied with the order but disagreed. In its official statement, “We oppose the finding of a narrow potential jailbreak justifying withdrawing a commercial model deployed to hundreds of millions of people. Perfect resistance to jailbreaks is probably not achievable currently for any provider.”

The episode comes after Anthropic had spent months in tension with the American Department of Defense, which was using its models in active military operations. Dario Amodei, Anthropic’s CEO, had set two red lines that turned the relationship into an open dispute: its models would not be used for mass surveillance of citizens or for managing autonomous weapons without human oversight. The Pentagon went so far as to classify the company as a “supply chain risk” — a category that prevents contracting with the federal administration.

For Europe, the episode was something different: a concrete reminder of what technological dependence means.

Institutional reactions arrived quickly from various countries:

Bruno Retailleau (France): “A nation that depends on others for its technology can be disconnected overnight.”
Al Carns (United Kingdom): “The most advanced model on the planet has been switched off by a foreign government. British researchers were using it.”
European Commission: limited itself to “taking note,” acknowledging that advanced models “raise serious cybersecurity concerns.”

From the American side, market reaction was more measured. Gary Tan, portfolio manager at Allspring Global Investments, summarized the prevailing logic: US frontier models are already “strategic assets, with strictly controlled access,” a dynamic that will probably persist as long as China remains behind in frontier capability. Anthropic, valued at over $900 billion after its Series H in May 2026, was in private conversations with Treasury officials — including Secretary Scott Bessent himself — about the security concerns that motivated the directive.

The argument in favor of the American decision is the same that justifies export controls on advanced semiconductors: technology with dual use — civil and military — must be subject to state oversight. A model that can find decade-old zero-day vulnerabilities in hours — as Mythos does (see the previous article “At Machine Speed: How AI Has Broken the Cybersecurity Balance”) — is not, from an export control perspective, a SaaS product: it is a cyberoffensive tool. Treating it otherwise would be equivalent to not controlling the export of certain dual-use tools in other industries.

The argument against is Anthropic’s, but it has broader implications: if the criterion for restriction is that any model can be jailbroken in some way, that criterion is applicable to any frontier model, indefinitely. The line between “national security” and “competitive advantage” begins to blur.

What the case makes clear is that frontier models are no longer just technology products. They are, for the American administration, strategic assets subject to export controls — exactly like cutting-edge chips. Europe, without its own labs at that frontier level, is left in a position of dependence that the EU AI Act, designed to regulate use, does not resolve.

Four days after that directive, on 17 June 2026, Dario Amodei traveled to Évian-les-Bains (France) for the G7 meeting and, together with Demis Hassabis (CEO of Google DeepMind) and Sam Altman (CEO of OpenAI), proposed to G7 leaders the creation of a US-led international AI coalition: common standards for safe development, coordination in access to frontier models, and chip trade restrictions that exclude China. Canadian Prime Minister Mark Carney was the first to express support. No binding commitment emerged. The resulting picture is hard to ignore: the same executives whose most advanced models — and whose government — had just treated them as national security assets are the ones asking that government to lead an international cooperation framework. The absence of domestic regulation and the aspiration to global leadership prove, for the American administration, to be compatible positions.

The case remains open: on 18 June, a bipartisan group of House Representatives sent a formal letter to Lutnick demanding the legal basis for the controls before 26 June — the legislators question whether EAR § 744.22, a rule designed for physical goods, actually covers access to an inference API. Anthropic has submitted to the Department of Commerce a proposal to lift the block, and both parties are working toward an agreement to restore the models. At the time of this article, Fable 5 and Mythos 5 remain suspended.

6 The global map of AI regulation - Regulatory framework tussle - www.jarroba.com - Gemini.png

The China model: regulation as a control instrument

China has, paradoxically, more AI regulation than the US in some dimensions. The Measures for the Management of Generative Artificial Intelligence Services (July 2023) require providers to ensure their models do not generate content that “subverts state power” or “damages the image of the state,” with mandatory registration obligations prior to public deployment.

The difference from the European model is not just political: it is structural. In Europe, regulation seeks to protect the person from power (companies, administrations). In China, regulation seeks to protect the state from disinformation and political instability. The citizen does not appear as a rights-bearing subject in the same sense.

What matters for understanding the global landscape: China has no problem deploying AI at massive scale in surveillance, facial recognition, and social scoring systems — the very uses the EU AI Act prohibits categorically. The argument that “if Europe regulates, China wins” has an answer: China and Europe are not building the same kind of AI for the same kind of society.

Beyond the triangle: other regulatory models in play

Talking about AI regulation as if only three actors existed — Europe, the US, and China — means staying with the most visible part of the map. In 2025 and 2026, significant frameworks have emerged in Asia and Latin America that are beginning to configure a more diverse landscape. The difference between them is not just technical: it reflects three distinct philosophies of why and for what purpose regulation exists.

The first, rights-based: AI must demonstrate it is safe before being deployed. The EU is the most developed example, but not the only one. South Korea approved in 2025 its AI Basic Act (Framework Act on the Development of Artificial Intelligence and Establishment of Trust), which entered into force on 22 January 2026 as the first comprehensive AI regulatory framework in Asia-Pacific: it requires transparency and labeling for high-impact generative AI, but without absolute prohibitions and with noticeably more moderate financial penalties than the European ones. An attempt to protect rights without raising market entry costs for companies like Samsung or Naver.

The second, innovation-first: regulation should not slow experimentation; the bet is on voluntary guidelines and best-practice frameworks, letting the market and real incidents calibrate the limits. Singapore published at the World Economic Forum in January 2026 the first global governance framework specifically for agentic AI, developed by IMDA: it is not binding, but for the first time defines how to design controls for systems that not only generate text but execute autonomous actions — the type of risk the EU AI Act had not anticipated in sufficient detail. Japan operates along the same lines with the Hiroshima Process, the multilateral AI cooperation framework established through the G7, based on soft law (voluntary guidelines and commitments without legally binding force, unlike regulations that can be sanctioned). The third, state-directed, is already described in the China section.

A separate case that illustrates that regulation can die before it’s born: Canada spent three years debating the Artificial Intelligence and Data Act (AIDA). On 6 January 2025, the dissolution of Parliament following Justin Trudeau’s resignation killed the bill without a final vote. By mid-2026, Canada remains the only G7 country without a binding federal AI framework, with regulation fragmented across voluntary provincial initiatives.

Jurisdiction	Philosophy	Character	Most distinctive feature
European Union	Rights-based	Binding	Risk classification; up to €35M or 7% of global annual turnover
South Korea	Rights-based	Binding	No absolute prohibitions; in force since January 2026
Singapore	Innovation-first	Voluntary	First global framework for agentic AI
Japan	Innovation-first	Voluntary	Soft law via G7 (Hiroshima Process)
USA	Contested	No federal framework	Active clash between Washington and the states
China	State-directed	Binding	Content regulation; political stability
Canada	No framework	—	AIDA died in 2025; no active federal alternative

The three philosophies (Rights-Based / Innovation-First / State-Directed) are an analytical taxonomy commonly used in the AI policy debate; they do not correspond to any official classification.

Competitiveness: a trap or an exaggeration?

The most-used argument against European regulation is that it slows competitiveness. It has a true part and an exaggerated part.

The true part: regulatory compliance has a real cost. The documentation, auditing, risk assessment, and registration requirements for high-risk systems under the EU AI Act are not trivial. For a ten-person startup without a legal team, they can be a barrier to entry.

The exaggerated part: the European market has nearly 450 million consumers. No serious company that wants to sell in Europe can ignore its regulation. The EU AI Act does not prohibit deploying AI in Europe; it requires meeting certain requirements before doing so in the highest-risk cases. And compliance certification can, in markets where users care about privacy and security, become a real competitive advantage over those without it.

The more concrete problem is not that the EU AI Act kills innovation. It’s that it creates uncertainty for years while jurisprudence is being built. Companies don’t know exactly what risk level their system has until someone evaluates it, and that uncertainty is, by itself, costly.

What the competitiveness argument usually omits is that Europe has not bet exclusively on regulation either. The starting point is demanding: the EU represents only 9% of the global chip market (article in Spanish) — far from the 20% target for 2030 — and has a structural dependence on non-European cybersecurity providers. From that position, in February 2025 the European Commission launched the InvestAI initiative with a goal of mobilizing €200 billion for AI development, of which €20 billion are specifically earmarked for building five AI gigafactories — industrial-scale computing facilities with around 100,000 cutting-edge chips — that are due to be operational between 2027 and 2028. Regulating and betting industrially are not contradictory strategies; the real debate is whether the pace of one slows the pace of the other.

Who wants less regulation, and why

The competitiveness argument is not always neutral. In 2026, OpenAI published a manifesto — Industrial Policy for the Intelligence Age — with redistributive ambitions unusual for a technology company: a Public Wealth Fund financed by AI returns, a 32-hour workweek without salary loss, social safety nets that activate automatically if technological unemployment exceeds certain thresholds, and a shift of the tax burden from wages to capital. Sam Altman himself framed it as necessary “at the scale of the New Deal.”

The document openly acknowledges the risk motivating its own proposals: that “economic gains concentrate in a small number of companies” like OpenAI itself. What the manifesto does not highlight is the other side of the coin. As AI researcher Eryk Salvaggio (University of Cambridge) documented in Tech Policy Press, OpenAI actively lobbied to weaken parts of the EU AI Act that would have increased oversight of high-risk systems, and opposed — including pressure for a veto after its passage in the state legislature — California’s SB 1047 bill, which proposed risk management requirements similar to those Altman himself had requested before the US Congress months earlier.

The contradiction doesn’t invalidate the content of the proposals: a public wealth fund or a shorter working week may be good ideas regardless of who proposes them. But it does illustrate a structural pattern: companies that most benefit from a regulatory gap rarely actively ask for it to be filled while that gap benefits them, and reserve their regulatory enthusiasm for areas — like fiscal redistribution, which doesn’t compromise their technical competitive advantage — where regulation would fall on society as a whole, not on themselves.

Maturity levels: when to regulate what?

One of the approaches that generates most consensus in the AI policy debate is that regulation should scale with the capability of the system and the risk of the specific use, not be applied equally to a spam classifier and a system deciding who receives a mortgage.

The EU AI Act attempts this with its risk classification. The practical result is imperfect: the boundary between “high risk” and “limited risk” in intermediate cases is not obvious. But the logic is correct and is probably the model other blocs will adopt.

What evidence from other regulated sectors suggests:

Regulate the outcome, not the method: what matters is whether the AI system discriminates in credit decisions, not how it is built internally. Outcome-oriented regulation is more adaptable as technology changes.
Regulatory sandboxes: controlled spaces where a company can test a new system under supervision before deploying it at scale. Reduces risk without blocking experimentation. Spain already closed its own in finance and, as described above, also one specifically for AI managed by AESIA.
Mandatory periodic review: any regulation on AI written today should have a mandatory review date in three years, because the technology will have changed more than in a normal decade.

What to Take Away

AI regulation is not a debate between those who want to protect and those who want to innovate. It’s a debate about how to protect without creating obligations nobody can meet, and how to innovate without externalizing the cost of risk onto those least equipped to absorb it.

The EU AI Act is the most developed framework that exists today, with its real imperfections: classification criteria that will generate litigation for years, some requirements impossible to meet at scale for small companies, and an institutional learning curve for the supervisory bodies that is still in its early years.

The alternative is not “no regulation.” It is, in any case, a bet that the expected harm is lower than the compliance cost. That bet may be correct in some contexts, but has not yet been validated.

And there is a layer that doesn’t even enter the deeper debate because it seems minor until it affects you: the fine print of what you pay to use the tool. One of the first lawsuits against a frontier AI provider was not about algorithmic bias or a deepfake; it was about a usage quota that did not match what was advertised. The serious regulation that is coming will have to cover that ground, too, much less glamorous than national security, but equally tangible for whoever pays the monthly bill.

What AI regulation cannot do is resolve by decree the underlying technical problem: that nobody knows exactly what a large model does inside itself. Until that changes, human oversight — imperfect as it is — remains the only available mechanism for detecting when something goes wrong.

Verified sources

EU Regulation 2024/1689 of the European Parliament and of the Council, of 13 June 2024. Published in the Official Journal of the EU on 12 July 2024. Entry into force: 1 August 2024. eur-lex.europa.eu
Royal Decree 729/2023, of 22 August, approving the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA). Published in the BOE on 2 September 2023. Attachment confirmed to the Ministry of Economic Affairs and Digital Transformation (Art. 1.1); supervisory and sanctioning functions (Art. 10.1.k) and creation of regulatory sandboxes (Art. 10.1.a) from its original wording; no explicit coordination mechanism with the AEPD, Bank of Spain, CNMV, or AEMPS. (Spanish Official State Gazette) boe.es
Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence), Biden administration, 30 October 2023. Revoked on 20 January 2025 by Executive Order 14148 of the Trump administration. federalregister.gov
Executive Order “Ensuring a National Policy Framework for Artificial Intelligence”, Trump administration, 11 December 2025. Creates the AI Litigation Task Force in the Department of Justice to challenge state AI laws and conditions federal broadband funds on their suspension. whitehouse.gov — legal analysis confirming scope and mechanisms: Gibson Dunn, DLA Piper
Measures for the Management of Generative Artificial Intelligence Services (China). Promulgated by the Cyberspace Administration of China (CAC), in force since 15 August 2023. cac.gov.cn — English translation: DigiChina (Stanford)
AESIA — institutional site: aesia.gob.es
Anthropic — Official statement on the government directive to suspend Fable 5 and Mythos 5 (13 June 2026). Anthropic’s public position on the export control executive action includes the argument on proportionality in the restriction and plans to restore access. anthropic.com
Anthropic — Series H: $65 billion at a post-money valuation of $965 billion (28 May 2026). Last private round before the planned IPO; positioned Anthropic as the highest-valued AI startup. anthropic.com
Directive (EU) 2022/2555 (NIS2), of 14 December 2022, on measures for a high common level of cybersecurity. Transposition deadline: 17 October 2024. eur-lex.europa.eu
Regulation (EU) 2022/2554 (DORA), of 14 December 2022, on digital operational resilience for the financial sector. Full application: 17 January 2025. eur-lex.europa.eu
Karl Kahn v. Anthropic PBC — class action filed 14 June 2026 before the US District Court for the Northern District of California. Alleges false advertising in Claude Max 5x and Max 20x plans. Key data verified via specialist coverage: Max 20x delivers 6–8x Pro usage (not the advertised 20x), Max 5x delivers ~3.5x (not 5x); class period from 9 April 2025; legal representation by Kati Daffan (Vaca Daffan LLP). Engadget · PYMNTS
Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (Vilnius Convention). Opened for signature 5 September 2024. First-day signatories verified: Andorra, Georgia, Iceland, Moldova, Norway, San Marino, United Kingdom, Israel, United States, and the European Union; Canada and Japan joined on 11 February 2025. Entry into force: five ratifications, at least three from Council of Europe member states. coe.int
EU Council Decision Proposal on the signing of the Vilnius Convention (CELEX:52024PC0264) and ratification by the European Union (15 May 2026, 135th session of the Committee of Ministers, Chișinău). eur-lex.europa.eu · coe.int
European Commission — Digital Omnibus proposal and agreement (proposal: 19 November 2025; provisional Council-Parliament agreement: 7 May 2026). Delays Annex III high-risk requirements from August 2026 to December 2027 (16 months), Annex II from August 2027 to August 2028 (one year), and the national regulatory sandbox obligation from August 2026 to August 2027. Gibson Dunn · Hogan Lovells
AI Act Service Desk and Single Information Platform — European Commission. Official portal for AI Act technical implementation, including the compliance timeline and Codes of Practice (synthetic content labeling, Article 50). ai-act-service-desk.ec.europa.eu
GPAI Code of Practice (General-Purpose AI Code of Practice). Voluntary tool of the European Commission for GPAI model providers to demonstrate compliance with the transparency, copyright, and safety obligations of EU Regulation 2024/1689 (Chapter V). Published July 2025; main signatories: Anthropic, Google, IBM, Microsoft, Mistral, OpenAI, and Cohere. Meta did not sign; xAI only subscribed to the safety chapter. code-of-practice.ai
European Commission — Draft Article 50 transparency guidelines (8 May 2026). First official Commission document specifying the scope of Art. 50 obligations: which systems fall within scope, what form user warnings must take, and how to distinguish exempt uses. Non-binding; complements the Code of Practice (technical guidance) with interpretation on scope and application. Public consultation closed 3 June 2026. digital-strategy.ec.europa.eu
EU Regulation 2024/1689 — Article 99 (Penalties). Defines the three penalty tiers: €35M/7% (prohibited practices, Art. 5), €15M/3% (other infringements incl. Art. 50 transparency), €7.5M/1% (incorrect information to authorities). artificialintelligenceact.eu
Draft Organic Act on Artificial Intelligence (Spain), presented 12 June 2026. Transposes the AI Act at the national level: division of powers between AESIA, Directorate General for AI, AEPD, General Council of the Judiciary, and sectoral supervisors; penalty regime with four tiers (including a minor infringement category, €500,000/0.5%, not present as such in the European regulation); national AI system inventories; AI delegates in public administrations. Economist & Jurist (article in Spanish)
South Korea — Framework Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act). Enacted in 2025, in force from 22 January 2026. First comprehensive AI regulatory framework in Asia-Pacific: requires transparency and labeling for high-impact generative AI; no absolute prohibitions. Library of Congress · aibasicact.kr
Singapore — Model AI Governance Framework for Agentic AI (IMDA). Published 22 January 2026 at the World Economic Forum. First global framework specifically for agentic AI; voluntary; proposes layered technical controls (deterministic policy barrier, semantic layer, signed audit logs). imda.gov.sg
Canada — death of the Artificial Intelligence and Data Act (AIDA). Bill C-27 (which contained AIDA) lapsed on 6 January 2025 when Parliament was dissolved following Justin Trudeau’s resignation. By mid-2026, the only G7 country will be without a binding federal AI framework. Montreal AI Ethics Institute
Spain’s first AI sandbox closed in June 2026. Managed by the Ministry for Digital Transformation with the European Commission’s AI Office; €4.3M funding from the Recovery Plan; 44 applications (18 SMEs, 6 startups, 1 French company); first technical compliance guides for high-risk obligations published. Zona Movilidad (article in Spanish)
State v. Loomis, 371 Wis.2d 235 (Wisconsin Supreme Court, 2016). Reference case on the use of recidivism prediction algorithms (COMPAS) in criminal sentencing; the Court upheld its use but required explicit warnings about its limitations and potential racial bias. Justia
InvestAI initiative — European Commission (February 2025). Goal: mobilize €200 billion for AI in Europe, with €20 billion dedicated to five AI gigafactories (~100,000 cutting-edge chips per facility). Management via EuroHPC JU; official call expected July 2026. European Commission — AI Continent · EuroHPC JU — AI Gigafactories
G7 2026 — meeting with AI lab CEOs (17 June 2026, Évian-les-Bains, France). Sam Altman (OpenAI), Dario Amodei (Anthropic), and Demis Hassabis (Google DeepMind) presented G7 leaders with proposals for a US-led AI coalition: common standards, coordination in frontier model access, and chip restrictions excluding China. Mark Carney (Canada) expressed support; no binding commitments emerged. The Next Web · CNBC · Semafor

Opinion pieces

Artificial intelligence: definition and use cases — European Parliament Research Service. Background report (non-binding) on the state of AI regulation globally. europarl.europa.eu
Explaining AESIA — El Español (Quincemil), 9 September 2023. Source of the claim that AESIA is the first state AI supervisory agency in the European Union; neither AESIA nor the BOE makes that superlative claim about themselves in their founding texts. elespanol.com (article in Spanish)
Anthropic suspends access to its most advanced artificial intelligence models due to the US veto on foreigners — Jesús Sérvulo González, El País, 13 June 2026. Coverage of the Fable 5/Mythos 5 case, with context on the Anthropic-Pentagon tension and sector implications. elpais.com (article in Spanish)
The global ban on Anthropic’s AI alarms Silicon Valley — Bloomberg / Perfil, June 2026. Reaction of the American financial sector (Gary Tan, Allspring Global Investments) and confirmation of Anthropic’s conversations with the Department of the Treasury. perfil.com (article in Spanish)
OpenAI wants to create a public fund to manage the wealth generated by ChatGPT — Business Insider España, 2026. Coverage of OpenAI’s Industrial Policy for the Intelligence Age manifesto. businessinsider.es (article in Spanish)
The Doublespeak in OpenAI’s ‘Industrial Policy for the Intelligence Age’ — Eryk Salvaggio, Tech Policy Press. Critical analysis of the coherence between OpenAI’s redistributive manifesto and its lobbying record against the EU AI Act and California’s SB 1047 bill. More analytically rigorous than general press coverage, the author is an AI researcher at the University of Cambridge. techpolicy.press
The Real Cost of AI: From the Democratic Promise to the Enterprise Model — Ramón, jarroba.com. Own article on the divergence between the advertised price and the real cost of AI, with concrete cases from GitHub Copilot, JetBrains, and Anthropic. Goes deeper from the business angle on the same phenomenon that article addresses from the regulatory angle.
Wake-up call: Europe reacts to Anthropic halting access to Fable 5 and Mythos 5 — Euronews, 13 June 2026. European institutional reactions and debate on technological sovereignty. euronews.com
Anthropic Pulls Its Most Powerful AI Models After U.S. Bars Foreign Access — Time, 13 June 2026. time.com
Scoop: Trump admin blocks foreign access to Anthropic’s most powerful AI — Axios, 12 June 2026. axios.com
Brussels delays to July the submission of AI gigafactory candidacies — El Mundo, 17 June 2026. Detailed coverage of the candidacy process (76 proposals from 16 states), the Spanish Tarragona consortium (Santander, ACS, Telefónica, SEPI Digital), and the expected investment of ~€4 billion. elmundo.es (article in Spanish)
The EU represents 9% of the global chip market: cybersecurity depends on non-European providers — El Diario, June 2026. European Commission data on the technology gap: EU at 9% of global chip market (20% target for 2030), structural dependence in cybersecurity and IT talent shortage. Direct context for the InvestAI rationale. eldiario.es (article in Spanish)
AI demands that the law always stay one step ahead — Interview with Pablo Sánchez Molina (prof. Constitutional Law, University of Málaga), Diario Sur, 16 June 2026. Legal perspective on black boxes, algorithmic bias in judicial decisions (Loomis case), power concentration in large corporations, and European regulation. diariosur.es (article in Spanish)
Anthropic and Google DeepMind directors call at G7 for a US-led AI coalition — Sergio Delgado, Estrategias de Inversión, 18 June 2026. Chronicle of the private G7 meeting with a dozen tech leaders: Amodei and Hassabis’s proposal for an international coalition with the US at the helm, common standards, and chip restrictions. estrategiasdeinversion.com (article in Spanish)
One company spent half a billion dollars on Claude in a single month — Fast Company / Axios, 2026. Account from a consultant (company not publicly confirmed): enterprise customer without usage limits on licenses accumulates $500M in one month in API calls to Claude. Context for the real costs of mass AI adoption. fastcompany.com
House members want answers on export controls placed on Anthropic’s Fable — Washington Post, 18 June 2026. Bipartisan letter from four Representatives to Lutnick questioning the legal basis of export controls (EAR § 744.22) applied to Fable 5 and Mythos 5 API access. washingtonpost.com
Anthropic floats proposal to Commerce Secretary Lutnick to end US ban of Fable and Mythos — Bloomberg/AOL · Trump officials working toward deal to restore Fable 5 and Mythos 5 — Globe and Mail, June 2026. Details of Anthropic’s proposal and negotiations with the Trump administration to restore model access. aol.com · theglobeandmail.com
Yolanda Díaz defends the regulation of AI and algorithms in the labor market and labor relations — La Moncloa, 25 June 2026. Statements in Oxford: intention to regulate workplace AI in Spain above EU AI Act minimums, without waiting for the 2027 European deadline. lamoncloa.gob.es (article in Spanish)

← Previous article: At Machine Speed: AI Has Broken the Cybersecurity Balance · Back to the index: Series overview