Under the previous European Commission, the EU passed a swathe of digital initiatives covering issues from digital competition to online safety, cybersecurity and artificial intelligence (Scott Markus et al., 2024). Many of these laws addressed important, even urgent, issues. But they have coincided with a growing perception within Europe that the quality of its law-making has declined. Influential reports commissioned by EU institutions in 2024, echoing complaints by many businesses, have argued that the bloc’s regulation is too complex, cumbersome and uncertain. Those reports advocate simplification of the EU’s digital laws to help address the bloc’s low levels of innovation in information and communication technology (ICT) and its poor productivity growth (Letta, 2024; Draghi, 2024).
Of these laws, the Artificial Intelligence Act (AI Act) has come under particular criticism. AI is critical to Europe’s future economic growth: the gap in productivity between the EU and the US is largely explained by the latter’s ability to quickly adopt and use new technologies across the economy (Draghi, 2024). While the EU has been able to adopt new technologies to boost the efficiency of its manufacturing sector, productivity growth in the services sector – where the EU-US gap is particularly large (Pittaway, 2024; van Ark, 2003) – has been languid for many years. The US saw a huge productivity boom in services from the ICT revolution of the 1990s, but Europe missed out (Gordon & Sayed, 2020). Since services represent 70% of Europe’s economy, AI has significant potential to help Europe’s economic growth catch up (Meyers & Springford, 2023). Yet only 13.48% of European firms say they are actively using AI (Eurostat, 2025), and concerns about the potential impact of the AI Act on the uptake of AI in Europe have only grown. Tech firms appear to have occasionally slowed or paused their rollouts of AI features in Europe at least in part because of the AI Act.
The AI Act itself tries to achieve a balance: it is intended to “promote the uptake of human-centric and trustworthy artificial intelligence (AI) while ensuring a high level of protection of health, safety, [and] fundamental rights” and is intended to “support innovation” (Regulation (EU) 2024/1689, Recital 1). Yet despite being passed by EU lawmakers just last year, the European Commission has already flagged the possibility of adjusting the AI Act to better promote innovation (Gkritsi & Haeck, 2025) and delaying parts of its implementation. These reform proposals raise questions about the degree of reform required to improve the environment for AI rollout in Europe. Views vary from the Commission’s current stated preference for simplifying reporting and administrative requirements, to concerns that the law needs to be revised to better reflect business-model and technology neutrality given market developments since the law was passed, to calls for a broader reconsideration of the EU regulation’s overarching objectives – including its precautionary approach to risk.
In the meantime, however, the EU must implement the AI Act in a way that respects the principles of better regulation – and is therefore most consistent with supporting innovation and competitiveness. In doing so, since competition and market dynamism seem to be the key driver of technology take-up (Adilbish, 2025), the EU must pay particular attention to ensuring the Act does not impose significant barriers to entry into the AI market or barriers to firms adopting and exploiting AI in Europe. In doing so, the Union should focus on three things: interpreting and applying the law proportionately, providing the right balance of flexibility and predictability, and delivering a truly EU-wide approach.
Proportionality
A fundamental principle of better regulation is proportionality: the burden imposed by a regulation should not exceed what is necessary to achieve that regulation’s policy objectives. The AI Act has three elements that reflect this principle and limit unnecessary burdens.
First, the Act is risk-based. It describes several categories of the AI system, based on the level of risk that the type of system is expected to pose, and imposes stricter requirements (up to and including a prohibition on certain uses of AI; Regulation (EU) 2024/1689, Article 6). Under this categorisation, the majority of AI applications will be treated as low-risk and will face very few substantive obligations. Those obligations are mostly related to transparency rather than obligations that would impose significant barriers to entry for small firms. Compliance requirements which could pose significant barriers to entry will apply only to high-risk applications. The categorisation of risks is admittedly crude – for example, all AI used to evaluate learning outcomes in education must be treated as high-risk (Regulation (EU) 2024/1689, Annex III 3(b)), which could limit the use of AI in contexts where it could have significant social benefits. Nevertheless, high-risk use cases are expected to be a small minority of potential AI applications.
Second, key parts of the AI Act set only broad outcomes that companies deploying or developing AI must comply with, or set standards that involve an inherent level of flexibility, rather than imposing prescriptive requirements. For example, providers of general-purpose AI models that pose systemic risks must “mitigate” those risks, rather than entirely eliminate them, which might prove impossible (Regulation (EU) 2024/1689, Article 55(1)(b)). Providers of high-risk AI systems are also required to manage certain risks – but only those that can be “reasonably mitigated or eliminated” (Regulation (EU) 2024/1689, Article 9(3)). Furthermore, these providers only need to mitigate risks to the point that any residual risks are “judged to be acceptable” (Regulation (EU) 2024/1689, Article 9(5)). Many requirements expressly incorporate the concept of proportionality (Regulation (EU) 2024/1689, Recital 64). This means the law’s requirements can evolve, and can help make the law more technologically neutral (Schnurr, 2025, p. 9). For example, terms like “appropriate” may automatically require AI firms to meet higher standards as these standards become more technologically and commercially viable to achieve.
Third, the AI Act gives firms choices when deciding how to translate high-level and flexible objectives into a set of concrete compliance practices. Firms that deploy AI systems can make their own judgements about how to achieve the law’s broad outcomes, or they can follow a harmonised standard developed by European standard-setting organisations (ESOs). Compliance with the harmonised standard allows a firm to enjoy a presumption of compliance with the AI Act itself, mitigating the risk that regulators will investigate and potentially challenge a firm’s own compliance decisions. Harmonised standards are therefore likely to be adopted by much of the AI industry in Europe.
Harmonised standards are a form of co-regulation, because the standard-setting process in which ESOs are involved gives firms a large say in determining how to achieve the outcomes that lawmakers require of them. Because these firms will be aiming to achieve the results in the most effective and cost-effective way, co-regulation can be a powerful tool to ensure proportionality. However, this will require the EU to continue to ensure that ESOs are open to all firms that want to participate – including non-European ones, which are likely to be most affected by many parts of the AI Act given that most of the largest AI models have emerged outside Europe. More recently, the Commission has mooted the possibility of delaying enforcement of the AI Act until suitable standards or specifications are in place.
One cautionary tale about abandoning a genuine co-regulatory process may be drawn from the AI Act’s Code of Practice for providers of general-purpose AI. The plan for such a “Code” is embedded in the AI Act in recognition that harmonised standards are not drawn up quickly, especially in a fast-moving and diverse set of technologies like AI. Instead, the Code is a somewhat novel and temporary co-regulatory tool. Similar to a harmonised standard, the Code will translate principles for responsible AI into concrete practices. It will cover issues like how much information about their AI models providers must disclose, how the providers will identify and mitigate risks, and how to ensure models comply with cybersecurity requirements.
The Code of Practice should in principle have been a proportionate instrument, since it was supposed to be primarily drafted by providers of general-purpose AI models and national regulators and only “approved” by the EU’s AI Office (Regulation (EU) 2024/1689, Articles 56(3), 56(6)). However, in practice the European Commission has given players including civil society significant say in the drafting process, leading to a process where it is unclear that the final Code (unpublished at the time of writing) will serve the role of identifying the most efficient ways to achieve the law’s objectives. Consequently, drafts of the Code have been criticised for being disproportionate for two competing reasons. On the one hand, industry argues that the drafts would impose commercially and technically unrealistic demands on firms, contrary to the flexible and principles-based approach the AI Act was meant to espouse (AI Chamber, 2025). On the other hand, some argue the drafts are so prescriptive that they could lead to a “check-box” approach to compliance, which could encourage firms to focus on avoiding engagement with the overarching policy goals that the Act aims to achieve (Larouche, 2025).
Overall, the AI Act adopts characteristics – such as a risk-based approach, flexible standards and co-regulation – which should allow a balance between the protection of fundamental rights, on the one hand, and what is practical and technically possible, on the other. This model can help ensure proportionality, because the law follows neither an excessively precautionary approach nor the techno-libertarian one currently being pursued in the US. Instead, it demands that firms using AI adopt a “responsible” approach to balancing innovation and risk (Larouche, 2025). To protect this approach, the European Commission, its AI Office and national authorities responsible for implementing and enforcing the law will need to ensure co-regulation and close engagement with industry when finalising the Code of Practice along with the slew of upcoming guidelines and other guidance expected to be published in the coming months.
Balancing flexibility and predictability
Beyond setting a proportionate approach to interpreting the AI Act to begin with, a second requirement for better regulation is that laws are predictable. That is especially true in a sector like AI where the underlying investments – such as the need to secure significant computing power to train and deploy AI models – can be very significant. Since virtually no AI firms are profitable today, investors need to make decisions about how to deploy their capital based on long-term expectations about the potential pay-off (or chance of a pay-off). Encouraging such investment will therefore require investors to have confidence that the regulatory regime is relatively stable and predictable. The AI Act poses a number of challenges in this respect.
First, the law provides a significant amount of flexibility to its enforcers: understandably, perhaps, since it regulates a technology that is developing rapidly. In part, that flexibility arises because (as noted above) the Act’s standards are inherently flexible and so the requirements imposed on AI firms will evolve as the technology advances. That type of flexibility can be relatively predictable. But the law also hands significant power to the Commission to impose significant new requirements on firms involved in rolling out AI. For example, the Commission may determine that new AI uses should be treated as “high-risk”, and therefore subject to additional regulatory requirements (Regulation (EU) 2024/1689, Articles 7, 97). The Commission may also change the rules about which types of general-purpose AI models pose “systemic risks” and therefore need more onerous safety safeguards (Regulation (EU) 2024/1689, Article 51(1)(b)). The law is relatively unclear even on some basic definitions, such as which firms are considered to be “providing” general-purpose AI models (European Commission, 2025). And there has been a perceived risk that secondary documents, like the Code of Practice, which were meant to interpret the AI Act, may in fact be used to expand or add to the law’s requirements (Martens, 2025).
Public authorities responsible for implementing the law will have to work out how to use the inherent flexibility of the law in ways that protect the law’s objectives without introducing unnecessary unpredictability for investors. Most regulatory regimes involve an element of flexibility and adaptability, and so this dilemma is hardly new. However, the risk of undermining investment certainty is likely to be biggest in nascent sectors where technology is changing quickly or where there is a lot of technical and commercial experimentation, and where market entry involves significant cost and risk. Both of those factors are present in the AI sector. Investors may spend significant amounts of money to design an AI product on the expectation that it would not be considered high-risk, only to see the Commission impose unexpected obligations on that product, potentially destroying the business case for the investment. That implies public authorities ought to prioritise regulatory stability and be cautious about using its powers to expand the scope of the law, at least at this stage. The EU and public authorities could do this by issuing guidelines providing more clarity about whether and how it might change the scope of the law for companies that want to develop or use AI in Europe.
A second problem is that the Act is not technologically neutral in every respect. The Commission’s original proposal focused on a risk-based approach to deploying AI systems, assuming a value chain that divided responsibilities between providers of AI systems (or models), and deployers, importers and distributors of these systems (Larouche, 2025, pp. 9-11). In trilogues, law-makers insisted on the final Act including a specific regime dealing with general-purpose AI models – influenced heavily by the just-announced released of ChatGPT. This new regime creates conceptual complexity in the Act, with unanswered questions about the correct allocation of responsibilities across the AI value chain. It has also led to the law including presumptions about how the AI value chain works, which may not always prove realistic in practice and have been challenged by emerging models like DeepSeek. For example, the law seems to assume that general-purpose AI models will serve as inputs for specific AI applications, and that significant responsibility could be put onto the providers of these models. In practice however, today, many general-purpose AI models are learning from each other – such as by models using other models’ outputs as their own training data (Martens, 2025) – meaning in practice a model provider may not be in a position to provide the assurances the AI Act requires, particularly where open-source AI models are involved since these are subject to fewer regulatory obligations in some cases. It is unclear whether the law is particularly well designed for this market development. In the absence of substantive changes to the AI Act, guidance from public authorities could help provide assurances to firms bringing AI products to market that genuine “best efforts” attempts at compliance will suffice. The Commission’s decision not to proceed with a proposed AI liability directive is unfortunate since – despite the risk that the law would ultimately have introduced even more complexity into the regulatory regime for AI – it could also have provided more certainty to players across the value chain about their respective responsibilities.
Institutional convergence
One way in which EU regulation could support growth is if it genuinely promoted a single market across Europe: allowing innovative firms to quickly scale across member states without changing their business models or compliance practices. One of the most important criticisms of the GDPR is that it failed to deliver this in practice, with many divergent interpretations across and sometimes within EU member states (Meyers, 2024, p. 13).
Currently, the AI Act risks repeating this experience. While the law is generally principles-based rather than prescriptive, it is consequently vulnerable to different interpretations – making it essential that all public authorities that interpret and enforce the law adopt a consistent approach. In practice, however, enforcement of the regulation falls to a complex network of different authorities (Larouche, 2025, pp. 12-16). The AI Office in the European Commission is enforcing the law’s provisions for general-purpose AI models (Regulation (EU) 2024/1689, Article 64). Each EU member state will also have one or more notifying authorities, which will play a role in the conformity assessment process for AI systems, and market surveillance authorities, which will enforce the law for AI systems already on the market (Regulation (EU) 2024/1689, Articles 28-39, 88-94). A range of other institutions, like the AI Board, advisory forum and scientific panel have advisory or co-ordinating roles (e.g. Regulation (EU) 2024/1689, Articles 65-66). This complex network risks inconsistency across two dimensions.
First, different member states are nominating different types of bodies to carry out the same responsibilities under the AI Act. This risks divergent interpretations. An authority whose primary responsibility is data protection, for example, and a product safety authority may interpret the AI Act’s principles very differently.
Second, a member state may nominate different authorities to implement the AI Act for different economic sectors. In many scenarios, a sector-specific approach may make good sense: in sectors where there are already market surveillance authorities (for example, for financial services), the Act presumes the existing member state authority should also have the responsibility to enforce the AI Act (Larouche, 2025, p. 35). Integrating AI supervision with existing product safety requirements should make life easier for companies that want to use AI. However, it also poses challenges in how to ensure legal certainty for innovative new uses of AI that might involve multiple sectoral authorities. It also risks “turf wars” between different sectoral regulators and risks putting sectoral regulations in charge of AI regulation when they lack the necessary expertise (Meyers, 2024).
While there are mechanisms to ensure consistency built into the AI Act, such as an AI Board to bring together national regulatory authorities (Regulation (EU) 2024/1689, Articles 65-66), experience with the GDPR shows that these can take a significant period of time before delivering consistency, and these mechanisms cannot always keep up with divergence at a national level, especially in sectors where technology and use cases are evolving quickly. To avoid making life difficult for companies trying to roll out a service across the bloc, EU member states and the Commission will need to work together to ensure a consistent approach to allocating the AI Act’s responsibilities and to how allocated supervisors make decisions. This may require that the EU’s new AI Office takes a much more assertive role in setting guidelines and proactively ensuring consistency before divergences between different countries’ approaches emerge.
Conclusion
The EU is more focused than ever on improving its capacity for innovation – both to boost its digital sovereignty in a world where its biggest trading partner is no longer a reliable ally, and to address Europe’s lack of technology take-up, which is an ongoing constraint on productivity growth.
Currently, there is much debate about whether the EU’s predilection for regulation is inherently anti-regulation. At best, EU-level regulation can reduce barriers to cross-border business by avoiding a fragmented and inconsistent set of national laws among EU member states, while providing legal certainty. And factors other than regulation seem to play a much bigger role in the EU’s meagre economic growth than its regulatory standards (Bradford, 2024).
However, for the AI Act to contribute to innovation in Europe, it must be implemented in ways that reflect good regulatory practice – in particular by providing a proportionate, predictable and consistent single set of rules across the EU. Reforms of the AI Act offer a chance to make the law more proportionate, for example, by reducing reporting requirements. But the real burden of the law is likely to be its substantive demands on AI firms, and these do not seem to be up for debate. That means the EU needs to focus squarely on implementing the law in ways that deliver proportionality, certainty and consistency.
References
Adilbish, O. (2025, February 24). Europe’s productivity weakness: Firm-level roots and remedies. VoxEU.
AI Chamber. (2025, April 3). AI Chamber Issues New Open Letter Warning Against Overregulation in EU AI Code.
Bradford, A. (2024). The false choice between digital regulation and innovation. Northwestern University Law Review, 119(2), 377.
Draghi, M. (2024). The future of European competitiveness. European Commission.
European Commission. (2022, February 2). An EU strategy on standardisation – Setting global standards in support of a resilient, green and digital EU single market (COM(2022)31).
European Commission. (2025, April 22). Commission seeks input to clarify rules for general-purpose AI models [Press release].
Eurostat. (2025, January). Use of artificial intelligence in enterprises.
Gkritsi, E., & Haeck, P. (2025, May 13). EU Commission opens door for ‘targeted changes’ to AI Act. Politico.
Gordon, R., & Sayed, H. (2020). Transatlantic technologies: The role of ICT in the evolution of US and European productivity growth. National Bureau of Economic Research.
Larouche, P. (2025). Legal framework for an effective implementation of the AI Act. Centre on Regulation in Europe.
Letta, E. (2024). Much more than a market. Council of the EU.
Martens, B. (2025, March). How DeepSeek has changed artificial intelligence and what it means for Europe (Policy Brief 12/25). Bruegel.
Martens, B. (2025, March 25). A planned code of practice would reinforce the EU’s artificial intelligence copyright problem. Bruegel.
Meyers, Z. (2024, February). Helping Europe’s digital economy take off: An agenda for the next Commission. Centre for European Reform.
Meyers, Z. (2024). Implementing the AI Act: The Commission’s first big test for better regulation. Centre for European Reform.
Meyers, Z., & Springford, J. (2023, September 14). How Europe can make the most of AI. Centre for European Reform.
Pittaway. (2024). What should the UK learn from ‘Bidenomics’?. CEPR.
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending certain Union legislative acts (Artificial Intelligence Act). Official Journal of the European Union.
Schnurr, D. (2025, February). Effective implementation of requirements for high-risk AI systems under the AI Act: Transparency and appropriate accuracy. Centre on Regulation in Europe.
Scott Marcus, J., Sekut, K., & Zenner, K. (2024, June 6). A dataset on EU legislation for the digital world. Bruegel.
van Ark, B., et al. (2003). ICT and productivity in Europe and the United States: Where do the differences come from? The Conference Board.