AI Regulation: The Dilemma Between Protecting and Falling Behind

Governments worldwide are struggling to regulate AI without stifling innovation, with Europe taking the most systematic approach, the US the most volatile, and China the most interventionist. The core challenge lies in deciding which layer of AI—foundation models, applications, training data, or outputs—to regulate, as each has distinct technical and jurisdictional implications.

A standalone article from the series “AI and You” . There are two ways to end up in a bad place with AI regulation: No government in the world has solved this dilemma yet. What exists is a map of very different responses emerging in parallel: Europe with the most systematic approach — and the most criticized — the United States with the most volatile one, China with the most interventionist, and the rest of the world observing and copying fragments of each model. This article doesn’t advocate for any position. It analyzes the options, their real consequences, and what they mean for anyone who works with AI, builds it, or simply uses it. An honest note before we begin: this is a topic I care about, that touches my field of work, so I have tried to be rigorous with every figure and every date, cross-checking against primary sources whenever possible. But I am not a lawyer or a regulator, and it’s reasonable that I may have missed something or interpreted it incorrectly. What follows is general information organized according to personal judgment — it is not legal advice or an authoritative interpretation of any regulation. If you need to make a real compliance decision, consult a professional and verify the cited sources yourself: I take no responsibility for decisions made based on this text. If you find an error, I’d be grateful if you pointed it out so I can correct it. The most important question a legislator would need to answer is harder than it looks: What exactly are you regulating? And it’s hard not only because those who regulate don’t understand the depth of the technology, but because those of us who do understand it are still defining, discovering, and starting over in an apparently endless evolutionary cycle. AI is not a product with a fixed shape. It is, depending on context, a mathematical model, a software service, a decision-making system, or a communication tool. Depending on which layer you put the rule in, the effect is completely different: Layer 1 — The foundation model : regulating the laboratories that train foundational models OpenAI https://openai.com/ , Anthropic https://www.anthropic.com/ , Google https://www.google.com/ / Alphabet https://abc.xyz/ , Mistral https://mistral.ai/ , Alibaba https://www.alibaba.com/ . The impact is high because very few organizations build the most advanced models. The problem: almost all of them are in the US and China; European regulation collides with the sovereignty of another state. Layer 2 — The application : regulating whoever deploys AI in a specific product an insurance company using AI to assess risks, an HR company using it to screen CVs . This is the layer of the EU AI Act https://artificialintelligenceact.eu/ : the legislator regulates the use, not the model. The challenge: the same model can be deployed for uses with very different risk profiles. Layer 3 — Training data : regulating what data can be used to train models, with what consent, and with what right of deletion. The technical problem is real: removing a specific piece of data from an already-trained model is today technically very costly and in some cases impossible without retraining the entire model — the problem the field of machine unlearning is trying to solve, without a satisfactory solution at scale yet. Layer 4 — Outputs : regulating what an AI system can say or do. This is the hardest layer: the system generates its outputs in real time in response to an endless variety of questions that cannot be anticipated. Holding a company responsible for every response its AI gives to any user in any language and context is, in practice, demanding an impossible level of control. Almost all existing regulations mix these four layers without clearly separating which applies in each case. The consequences of that imprecision are the legal bugs that later generate litigation or paralysis. There is a Layer 5 that no regulatory framework names as such, because it is not a technical feature of the AI system but of the commercial contract between the provider and whoever pays for it: quotas, credits, price changes, the gap between what is promised and what is delivered. We add it here as its own category — it is not an official layer of any existing framework, it’s an observation — because, as we will see later, it is where the first real litigation against a frontier AI provider is emerging and likely not the last, since other providers are acting similarly . Layers 1 to 4 are an analytical structure commonly used in the AI policy debate. Layer 5 is an observation original to this article, not a recognized category in regulatory literature. The European Union published the Artificial Intelligence Regulation EU Regulation 2024/1689 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1689 on 12 July 2024 in the Official Journal. It entered into force on 1 August 2024, with a phased implementation https://artificialintelligenceact.eu/implementation-timeline/ : What is coming specifically in August 2026 : Article 50 https://artificialintelligenceact.eu/article/50/ of the regulation imposes transparency obligations for four specific scenarios: The first draft of the Code of Practice on content labeling was published in December 2025; the final version was published on 10 June 2026 https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content , just before the obligation takes effect. On 8 May, the Commission also published a draft interpretive guidelines on the full scope of Article 50 https://digital-strategy.ec.europa.eu/en/library/draft-guidelines-implementation-transparency-obligations-certain-ai-systems-under-article-50-ai-act : non-binding, but the first official document that specifies which systems fall within scope and what form warnings must take. Systems already deployed before that date have a grace period until 2 December 2026 to comply. This obligation has not been affected by the delay described below. What already got delayed — not what might get delayed : in November 2025, the European Commission proposed, through the Digital Omnibus package, decoupling the strict compliance dates for high-risk requirements from the actual availability of the support tools companies need. On 7 May 2026, the EU Council and the European Parliament closed the final agreement: the high-risk requirements from Annex III move from August 2026 to December 2027 16 months’ delay , Annex II safety components move from August 2027 to August 2028 one year , and the obligation for each member state to have an operational national regulatory sandbox moves from August 2026 to August 2027. The dates in this section already incorporate that agreement; if you see “August 2026” cited as a deadline elsewhere, those sources are likely using the original calendar, which no longer applies. Official calendar in force as of this article July 2026 , already incorporating the May 2026 delay. Between 2028 and 2031, the regulation also sets several purely administrative milestones — periodic Commission reviews every 3–4 years, AI Office evaluation, expiry of delegated powers in 2029 — without new substantive obligations for companies; omitted here for simplicity. Interactive and always-updated timeline at AI Act Explorer . The penalties under the regulation itself, set in its Article 99 https://artificialintelligenceact.eu/article/99/ , are organized in three tiers: up to €35 million or 7% of global annual turnover whichever is higher for the prohibited practices in Article 5 https://artificialintelligenceact.eu/article/5/ ; up to €15 million or 3% for other infringements by operators and notified bodies — including the Article 50 transparency obligations, which fall in this middle tier, not the maximum — ; and up to €7.5 million or 1% for providing incorrect or incomplete information to authorities. For SMEs and startups, the lower of the fixed amount and the percentage always applies. The central mechanism of the EU AI Act is risk classification in four levels: Simplified diagram of the four EU AI Act risk levels . Source: EU Regulation 2024/1689. The logic is sound: concentrate regulation where the potential harm is greatest. The problem is that most real-world systems are hard to classify with certainty until they are used in a specific context. Is a contract-drafting AI high risk if the contract involves employment conditions? What if it only suggests drafts that a lawyer always reviews? Spain was the first country in the European Union to create a body dedicated exclusively to supervising AI https://www.elespanol.com/quincemil/opinion/tribuna-abierta/20230909/explicando-aesia-agencia-espanola-supervision-inteligencia-artificial/793290670 12.html article in Spanish : the Spanish Agency for the Supervision of Artificial Intelligence AESIA https://aesia.digital.gob.es/es , attached to the Ministry of Economic Affairs and Digital Transformation through the State Secretariat for Digitalization and Artificial Intelligence. Its statute was approved by AESIA acts as the national competent authority for applying the EU AI Act in Spain. Its main functions are supervision, investigation of potential infringements, and coordination with equivalent agencies in other member states. What remains unresolved is the division of powers with other already-existing bodies: the Spanish Data Protection Agency https://www.aepd.es/ AEPD, which remains the authority for everything related to personal data , the Bank of Spain https://www.bde.es/ for financial systems , the Spanish Agency for Medicines https://www.aemps.gob.es/ for medical AI , and the National Securities Market Commission https://www.cnmv.es/ CNMV . The EU AI Act expressly provides that existing sectoral bodies be the supervisory authorities for high-risk systems in their sector. The map of who supervises what began to be defined in more detail in mid-2026, as described below. That ambiguity began to resolve on 12 June 2026, when the Government presented the draft Organic Act on Artificial Intelligence https://www.congreso.es/public oficiales/L15/CONG/BOCG/A/BOCG-15-A-97-1.PDF , the norm that transposes the AI Act into the Spanish legal order with specific authorities, procedures, and penalties. AESIA is established as the market surveillance authority, single point of contact with the European Commission, and manager of the mandatory regulatory sandbox — but the model remains shared: the Directorate General for AI, the AEPD, the General Council of the Judiciary, and sectoral supervisors retain specific powers within their domain. The national penalty regime adds a fourth tier that the European AI Act does not have: The draft also introduces national inventories of AI systems, an AI delegate role in public administrations, and reinforced specific protections against deepfakes. The deadline for reporting serious incidents to AESIA is 72 hours, the same intermediate threshold that NIS2 https://eur-lex.europa.eu/eli/dir/2022/2555 requires for the detailed notification. AESIA’s capacity to create regulatory sandboxes is not new — it has been in its founding statute since 2023 Article 10.1.a https://www.boe.es/buscar/act.php?id=BOE-A-2023-18911 — ; what the European calendar and the Organic Act add is the obligation, with a specific deadline, to have one operational. The agency already has a real use case to show: in June 2026, it closed Spain’s first AI sandbox — and one of the first in Europe — funded with €4.3 million from the Recovery Plan and developed in collaboration with the European Commission’s AI Office. It received 44 applications 18 SMEs, six startups, and one French company and published the first technical guides for meeting high-risk obligations, filling a gap while European harmonized standards are still being built. The delay of employment requirements until December 2027 has already prompted the first explicit political response: on 25 June, Deputy Prime Minister and Minister of Labour Yolanda Díaz announced in Oxford her intention to regulate AI in the workplace above European minimums https://www.lamoncloa.gob.es/serviciosdeprensa/notasprensa/trabajo14/Paginas/2026/210626-regulacion-ia-algoritmos.aspx?qfr=2 article in Spanish — personnel selection, performance evaluation, dismissals, monitoring — without waiting for Community requirements to become mandatory. The proposal does not yet have a concrete regulatory form, but it points to a pattern that other member states might follow: the Digital Omnibus opened the calendar for companies and, at the same time, the space for some countries to fill the gap on their own before 2027. The EU AI Act https://artificialintelligenceact.eu/ regulates AI according to the risk of its use. But there are two European frameworks that overlap with it and affect any organization using AI in critical infrastructure or financial services: NIS2 and DORA. Neither is specific to AI — they regulate operational cybersecurity — but they cover exactly the attack vectors described in the previous article on “At Machine Speed: How AI Has Broken the Cybersecurity Balance” https://jarroba.com/en/at-machine-speed-how-ai-has-broken-the-cybersecurity-balance/ . NIS2 https://eur-lex.europa.eu/eli/dir/2022/2555 EU Directive 2022/2555, transposed in Spain from October 2024 extends the scope of cybersecurity regulation to thousands of entities that were previously uncovered: energy, transport, banking, health, digital infrastructure, and ICT service providers, among others. Its two most direct obligations for organizations deploying AI are: managing supply chain risk — including AI tool providers — and reporting significant incidents within 24 hours initial warning , 72 hours detailed report , and one month final report . Penalties for essential entities reach €10 million or 2% of global annual business volume, whichever is higher; for important entities, €7 million or 1.4%. DORA https://www.eiopa.europa.eu/digital-operational-resilience-act-dora en EU Regulation 2022/2554, fully applicable since January 2025 does the equivalent for the financial sector: banks, insurance companies, investment firms, crypto-asset providers, and their critical ICT providers. It adds a specific requirement: periodic operational resilience testing TLPT, The connection with the AI Act is practical: a high-risk AI application in the healthcare sector may fall simultaneously under the AI Act by type of system and NIS2 by the sector where it operates . Compliance is not one or the other; it is the intersection of both. For organizations within that scope, AI governance is not a discretionary strategic decision: it is a legal obligation with its own deadlines and penalties. While the EU AI Act regulates the European single market, there is a different framework that crosses borders the AI Act does not reach: the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52024PC0264 , opened for signature on 5 September 2024 in Vilnius Lithuania — hence informally known as the “Vilnius Convention.” It is, according to the Council of Europe itself, the first legally binding international treaty on AI. The difference in approach from the AI Act is real: where the European regulation is a market norm focused on product safety and commercial risk classification, the Vilnius Convention pursues something different — that the lifecycle of AI systems respects human rights, democracy, and the rule of law — and requires signatory states to conduct impact assessments before deploying systems, guarantee the right to know when interacting with an automated system, and provide judicial challenge routes against biased algorithmic decisions. What makes this convention distinctive is who signed it on the first day: alongside the European Union and several Council of Europe member states Andorra, Georgia, Iceland, Moldova, Norway, San Marino , it was also signed by the United Kingdom , Israel , and, notably, the United States — the same country that, as we will see in this article, has no federal AI regulatory framework for the private sector. The apparent contradiction is explained by the scope: the convention focuses mainly on the use of AI by the public sector, with flexibility of adaptation for the private sector. The US can sign a commitment on AI and human rights in public administration without that implying any concession on its position of not regulating the commercial development of models. The list of signatories has grown since then: Canada and Japan joined on 11 February 2025, as the twelfth and thirteenth signatories. And there is a stronger legal step than signing: ratifying . The European Union ratified the convention on 15 May 2026, during the 135th session of the Committee of Ministers in Chișinău Moldova https://www.coe.int/en/web/cm/cm-135-session . The convention will enter into force when five signatories have ratified it, at least three of them Council of Europe member states — a threshold that, at the time of this article, has not yet been reached. Signing is a declaration of intent; ratification is the step that converts that intent into an internal legal obligation for the signatory. There is a legitimate criticism worth not dodging: part of current regulation asks companies to be held responsible for things they cannot control . The clearest cases: None of this means regulation is unnecessary. It means that poorly calibrated regulation can generate obligations that incentivize one of two equally bad behaviors: either companies that abandon the regulated market and then people use them anyway from outside , or companies that generate compliance documentation without anything changing in practice. This is the fifth layer we mentioned at the beginning of the article, the only one of the five that still has no dedicated regulatory framework. In June 2026, Karl Kahn filed a class action lawsuit against Anthropic https://www.engadget.com/2194626/anthropic-hit-with-lawsuit-over-its-claude-max-usage-limits/ before the US District Court for the Northern District of California. The lawsuit alleges false advertising: Anthropic marketed the Claude Max 20x plan $200/month as “20 times more usage” than the Pro plan, and the Max 5x $100/month as “5 times more usage” — but according to the filing, the Max 20x delivers in practice between 6 and 8 times the Pro usage, and the Max 5x around 3.5 times. The lawsuit also accuses Anthropic of falsely claiming that the Max 20x plan offers a “50% savings.” Kahn reports that a single five-hour programming work session consumed 15% of his weekly limit, making it mathematically impossible to reach the advertised multiplier under sustained use. The lawsuit, represented by attorney Kati Daffan, seeks class certification for all Max 5x and Max 20x subscribers since April 9, 2025, as well as damages, restitution, and injunctive relief. The case is neither isolated nor exclusive to Anthropic. Any developer who has followed the transition of GitHub Copilot to usage-based billing in June 2026, or the quota changes of JetBrains AI Assistant in August 2025 — from a generous free tier that seemed inexhaustible to a paid plan where two queries could already consume the entire weekly credit, with AI Pro setting 10 credits per real dollar of token consumption — sees a similar pattern. The real cost of inference is variable and, as the sector itself has acknowledged, hard to predict even for the provider: one of Anthropic’s enterprise customers accumulated $500 million in a single month https://www.fastcompany.com/91550884/claude-ai-costs-climb-company-spent-half-a-billion-dollars-in-a-single-month-report , according to a consultant’s account reported by Axios, without the company publicly confirming. Against that variability, “unlimited plans” or “fixed multipliers” tend to be adjusted — almost always downward — over time, with little advance notice and fine print almost nobody reads until they hit the limit. I go deeper into this economic dimension — why the real cost of AI diverges from the announced subscription price, and how that separates those who can afford intensive use from those who can’t — in The Real Cost of AI: From the Democratic Promise to the Enterprise Model https://jarroba.com/en/ai-regulation-the-dilemma-between-protecting-and-falling-behind/URL PENDING ENGLISH , a standalone article that approaches the problem from the business angle rather than the regulatory one. This is technically a consumer protection and advertising problem — not AI safety or risk classification — so none of the frameworks described in this article cover it. The EU AI Act regulates the risk of the system, not the clarity of a subscription plan; NIS2 and DORA regulate operational resilience, not commercial transparency. It is a real regulatory gap and, judging by the first litigation, already active — simply less visible than the debate about deepfakes or algorithmic bias. On 30 October 2023, the Biden administration signed Executive Order 14110 https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence , the most ambitious regulatory framework AI had ever had in the US: reporting requirements for large-scale systems, use of the Defense Production Act to demand transparency from labs and federal AI coordination. On 20 January 2025, the first day of the Trump administration, that executive order was revoked. The new federal policy became, explicitly, unconstrained AI growth as a priority of national defense and economic competitiveness. For much of 2025, regulation was, in practice, left to the states with California at the vanguard, with its own active legislation . That delegation to the states didn’t last long: on 11 December 2025, Trump signed a new executive order https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/ that reverses course. It creates a litigation group in the Department of Justice AI Litigation Task Force to legally challenge state AI laws, conditions federal broadband funds on states suspending the enforcement of rules that conflict with federal policy, and tasks the FTC with justifying the preemption of state laws via unfair practice prohibitions. At the time of this article, the institutional clash between Washington and the states — California on the front line — remains open in the courts, with no firm resolution. The result is that, in 2026, the US has the largest concentration of AI laboratories in the world, the largest private capital invested in the sector, and virtually no federal supervisory framework for the most powerful deployed models: what exists is not the absence of regulatory movement, but a push to centralize it in the opposite direction from Europe — not to impose safety obligations, but to eliminate the ones states had begun to impose. The argument in favor: American innovation speed is maintained because there are no regulatory barriers slowing experimentation. The argument against: if harms materialize at scale, there will be no institutional mechanisms to respond in time. On 13 June 2026, America’s “unconstrained growth” policy showed its other face https://time.com/article/2026/06/13/anthropic-fable-mythos-ban-US-security/ . Secretary of Commerce Howard Lutnick sent a directive to Anthropic ordering the immediate suspension of access to its most advanced models — Fable 5 and Mythos 5 — for any foreign national, including the company’s own foreign employees. The trigger: another company claimed to have found a jailbreak a technique to bypass the model’s security restrictions and make it generate content it would normally block of Fable 5. That was enough to activate export controls on a commercial AI model for the first time in history. Anthropic, given the technical impossibility of discriminating users by nationality in real time, deactivated the models for all its customers without exception. The company complied with the order but disagreed. In its official statement, “We oppose the finding of a narrow potential jailbreak justifying withdrawing a commercial model deployed to hundreds of millions of people. Perfect resistance to jailbreaks is probably not achievable currently for any provider.” The episode comes after Anthropic had spent months in tension with the American Department of Defense https://abcnews.com/Politics/anthropic-latest-pentagon-contract-bar-ai-autonomous-weapons/story?id=130558898 , which was using its models in active military operations. Dario Amodei, Anthropic’s CEO, had set two red lines that turned the relationship into an open dispute: its models would not be used for mass surveillance of citizens or for managing autonomous weapons without human oversight. The Pentagon went so far as to classify the company as a “supply chain risk” — a category that prevents contracting with the federal administration. For Europe, the episode was something different: a concrete reminder of what technological dependence means . Institutional reactions arrived quickly from various countries: From the American side, market reaction was more measured. Gary Tan, portfolio manager at Allspring Global Investments, summarized the prevailing logic: US frontier models are already “strategic assets, with strictly controlled access,” a dynamic that will probably persist as long as China remains behind in frontier capability. Anthropic, valued at over $900 billion after its Series H in May 2026 https://www.anthropic.com/news/series-h , was in private conversations with Treasury officials — including Secretary Scott Bessent himself — about the security concerns that motivated the directive. The argument in favor of the American decision is the same that justifies export controls on advanced semiconductors: technology with dual use — civil and military — must be subject to state oversight. A model that can find decade-old zero-day vulnerabilities in hours — as Mythos does see the previous article “At Machine Speed: How AI Has Broken the Cybersecurity Balance” https://jarroba.com/en/at-machine-speed-how-ai-has-broken-the-cybersecurity-balance/ — is not, from an export control perspective, a SaaS product: it is a cyberoffensive tool. Treating it otherwise would be equivalent to not controlling the export of certain dual-use tools in other industries. The argument against is Anthropic’s, but it has broader implications: if the criterion for restriction is that any model can be jailbroken in some way, that criterion is applicable to any frontier model, indefinitely. The line between “national security” and “competitive advantage” begins to blur. What the case makes clear is that frontier models are no longer just technology products. They are, for the American administration, strategic assets subject to export controls — exactly like cutting-edge chips. Europe, without its own labs at that frontier level, is left in a position of dependence that the EU AI Act, designed to regulate use , does not resolve. Four days after that directive, on 17 June 2026, Dario Amodei traveled to Évian-les-Bains France for the G7 meeting and, together with Demis Hassabis CEO of Google DeepMind and Sam Altman CEO of OpenAI , proposed to G7 leaders the creation of a US-led international AI coalition : common standards for safe development, coordination in access to frontier models, and chip trade restrictions that exclude China. Canadian Prime Minister Mark Carney was the first to express support. No binding commitment emerged. The resulting picture is hard to ignore: the same executives whose most advanced models — and whose government — had just treated them as national security assets are the ones asking that government to lead an international cooperation framework. The absence of domestic regulation and the aspiration to global leadership prove, for the American administration, to be compatible positions. The case remains open: on 18 June, a bipartisan group of House Representatives sent a formal letter to Lutnick https://www.washingtonpost.com/technology/2026/06/18/house-members-want-answers-export-controls-placed-anthropic-fable/ demanding the legal basis for the controls before 26 June — the legislators question whether EAR § 744.22, a rule designed for physical goods, actually covers access to an inference API. Anthropic has submitted to the Department of Commerce a proposal to lift the block https://www.aol.com/articles/anthropic-floats-proposal-commerce-secretary-180806000.html , and both parties are working toward an agreement https://www.theglobeandmail.com/business/article-anthropic-trump-officials-deal-restore-fable-5-mythos-5/ to restore the models. At the time of this article, Fable 5 and Mythos 5 remain suspended. China has, paradoxically, more AI regulation than the US in some dimensions. The Measures for the Management of Generative Artificial Intelligence Services https://digichina.stanford.edu/work/translation-measures-for-the-management-of-generative-artificial-intelligence-services-draft-for-comment-april-2023/ July 2023 require providers to ensure their models do not generate content that “subverts state power” or “damages the image of the state,” with mandatory registration obligations prior to public deployment. The difference from the European model is not just political: it is structural. In Europe, regulation seeks to protect the person from power companies, administrations . In China, regulation seeks to protect the state from disinformation and political instability. The citizen does not appear as a rights-bearing subject in the same sense. What matters for understanding the global landscape: China has no problem deploying AI at massive scale in surveillance, facial recognition, and social scoring systems — the very uses the EU AI Act prohibits categorically. The argument that “if Europe regulates, China wins” has an answer: China and Europe are not building the same kind of AI for the same kind of society. The first, rights-based : AI must demonstrate it is safe before being deployed. The EU is the most developed example, but not the only one. South Korea approved in 2025 its AI Basic Act https://aibasicact.kr/ The second, innovation-first : regulation should not slow experimentation; the bet is on voluntary guidelines and best-practice frameworks, letting the market and real incidents calibrate the limits. Singapore published at the World Economic Forum in January 2026 the first global governance framework specifically for agentic AI https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2026/new-model-ai-governance-framework-for-agentic-ai , developed by IMDA: it is not binding, but for the first time defines how to design controls for systems that not only generate text but execute autonomous actions — the type of risk the EU AI Act had not anticipated in sufficient detail. Japan operates along the same lines with the Hiroshima Process, the multilateral AI cooperation framework established through the G7, based on soft law voluntary guidelines and commitments without legally binding force, unlike regulations that can be sanctioned . The third, state-directed , is already described in the China section. A separate case that illustrates that regulation can die before it’s born: Canada spent three years debating the Artificial Intelligence and Data Act https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act AIDA . On 6 January 2025, the dissolution of Parliament following Justin Trudeau’s resignation killed the bill without a final vote. By mid-2026, Canada remains the only G7 country without a binding federal AI framework, with regulation fragmented across voluntary provincial initiatives. The three philosophies Rights-Based / Innovation-First / State-Directed are an analytical taxonomy commonly used in the AI policy debate; they do not correspond to any official classification. The most-used argument against European regulation is that it slows competitiveness. It has a true part and an exaggerated part. The true part : regulatory compliance has a real cost. The documentation, auditing, risk assessment, and registration requirements for high-risk systems under the EU AI Act are not trivial. For a ten-person startup without a legal team, they can be a barrier to entry. The exaggerated part : the European market has nearly 450 million consumers. No serious company that wants to sell in Europe can ignore its regulation. The EU AI Act does not prohibit deploying AI in Europe; it requires meeting certain requirements before doing so in the highest-risk cases. And compliance certification can, in markets where users care about privacy and security, become a real competitive advantage over those without it. The more concrete problem is not that the EU AI Act kills innovation. It’s that it creates uncertainty for years while jurisprudence is being built. Companies don’t know exactly what risk level their system has until someone evaluates it, and that uncertainty is, by itself, costly. What the competitiveness argument usually omits is that Europe has not bet exclusively on regulation either. The starting point is demanding: the EU represents only 9% of the global chip market https://www.eldiario.es/tecnologia/ue-representa-9-mercado-global-chips-ciberseguridad-depende-proveedores-no-europeos 1 13310749.html article in Spanish — far from the 20% target for 2030 — and has a structural dependence on non-European cybersecurity providers. From that position, in February 2025 the European Commission launched the InvestAI https://commission.europa.eu/topics/competitiveness/ai-continent en initiative with a goal of mobilizing €200 billion for AI development, of which €20 billion are specifically earmarked for building five AI gigafactories — industrial-scale computing facilities with around 100,000 cutting-edge chips — that are due to be operational between 2027 and 2028. Regulating and betting industrially are not contradictory strategies; the real debate is whether the pace of one slows the pace of the other. The competitiveness argument is not always neutral. In 2026, OpenAI published a manifesto — Industrial Policy for the Intelligence Age https://cdn.openai.com/pdf/561e7512-253e-424b-9734-ef4098440601/Industrial%20Policy%20for%20the%20Intelligence%20Age.pdf — with redistributive ambitions unusual for a technology company: a Public Wealth Fund financed by AI returns, a 32-hour workweek without salary loss, social safety nets that activate automatically if technological unemployment exceeds certain thresholds, and a shift of the tax burden from wages to capital. Sam Altman himself framed it as necessary “at the scale of the New Deal.” The document openly acknowledges the risk motivating its own proposals: that “economic gains concentrate in a small number of companies” like OpenAI itself. What the manifesto does not highlight is the other side of the coin. As AI researcher Eryk Salvaggio University of Cambridge documented in Tech Policy Press , OpenAI actively lobbied to weaken parts of the EU AI Act that would have increased oversight of high-risk systems, and opposed — including pressure for a veto after its passage in the state legislature — California’s SB 1047 bill, which proposed risk management requirements similar to those Altman himself had requested before the US Congress months earlier. The contradiction doesn’t invalidate the content of the proposals: a public wealth fund or a shorter working week may be good ideas regardless of who proposes them. But it does illustrate a structural pattern: companies that most benefit from a regulatory gap rarely actively ask for it to be filled while that gap benefits them, and reserve their regulatory enthusiasm for areas — like fiscal redistribution, which doesn’t compromise their technical competitive advantage — where regulation would fall on society as a whole, not on themselves. One of the approaches that generates most consensus in the AI policy debate is that regulation should scale with the capability of the system and the risk of the specific use , not be applied equally to a spam classifier and a system deciding who receives a mortgage. The EU AI Act attempts this with its risk classification. The practical result is imperfect: the boundary between “high risk” and “limited risk” in intermediate cases is not obvious. But the logic is correct and is probably the model other blocs will adopt. What evidence from other regulated sectors suggests: AI regulation is not a debate between those who want to protect and those who want to innovate. It’s a debate about how to protect without creating obligations nobody can meet, and how to innovate without externalizing the cost of risk onto those least equipped to absorb it. The EU AI Act is the most developed framework that exists today, with its real imperfections: classification criteria that will generate litigation for years, some requirements impossible to meet at scale for small companies, and an institutional learning curve for the supervisory bodies that is still in its early years. The alternative is not “no regulation.” It is, in any case, a bet that the expected harm is lower than the compliance cost. That bet may be correct in some contexts, but has not yet been validated. And there is a layer that doesn’t even enter the deeper debate because it seems minor until it affects you: the fine print of what you pay to use the tool. One of the first lawsuits against a frontier AI provider was not about algorithmic bias or a deepfake; it was about a usage quota that did not match what was advertised. The serious regulation that is coming will have to cover that ground, too, much less glamorous than national security, but equally tangible for whoever pays the monthly bill. What AI regulation cannot do is resolve by decree the underlying technical problem: that nobody knows exactly what a large model does inside itself. Until that changes, human oversight — imperfect as it is — remains the only available mechanism for detecting when something goes wrong. ← Previous article: At Machine Speed: AI Has Broken the Cybersecurity Balance https://jarroba.com/en/at-machine-speed-how-ai-has-broken-the-cybersecurity-balance/ · Originally published at https://jarroba.com on June 27, 2026. AI Regulation: The Dilemma Between Protecting and Falling Behind https://pub.towardsai.net/ai-regulation-the-dilemma-between-protecting-and-falling-behind-bc54cb3d6b66 was originally published in Towards AI https://pub.towardsai.net on Medium, where people are continuing the conversation by highlighting and responding to this story.