AI Policy at the EU Level: Charting a Balanced Path for Innovation and Protection

The EU landscape for Artificial Intelligence (AI) legislation is evolving rapidly as member states and regulators work to stay competitive while safeguarding citizens. The AI Act (Regulation (EU) 2024/1689) marks a quick response to the meteoric rise of AI-based tools, signalling the EU’s willingness to throw its weight behind AI regulation and address associated risks. Even so, policy analysts and member states are calling for more action on AI.

The much-discussed Draghi Report (compiled by the former Prime Minister of Italy and President of the European Central Bank) speaks to the risks of being left behind in the scramble to develop AI tools and recommends a new EU Cloud and AI Development Act. The Commission, under the continued leadership of Ursula von der Lyon, has signalled its intention to make tech competitiveness a priority by creating a Commissioner for Tech Sovereignty, Security and Democracy post and giving it the Executive Vice-President designation. This post is left in good hands with Henna Virkkunen (EPP), who, as a seasoned Finnish lawmaker and MEP, dealt with Tech files for close to a decade. In her confirmation hearing this week (Tuesday, November 12th), she supported these initiatives, promising to make Europe the “AI Continent.” While promising to draft new acts, she also cautioned, stating, “An act is not the answer to everything.”

As Euratek is a civil society organisation dedicated to promoting the safe and ethical use of AI across academic, societal, and business sectors, we welcome the European Union's ambitious regulatory actions aimed at creating a robust, ethical, and transparent framework for artificial intelligence. We also know more can be done to improve EU competitiveness and encourage innovation in this sector. In the following post, we examine how the current regulations (the EU GDPR and the new EU AI Act) affect AI development, what the Draghi report recommends, and conclude with our proposals to encourage responsible and safe AI development.

The Current Legislation Landscape

At the present moment, there exist close to half a dozen Directives and Regulations that either directly or indirectly affect AI companies and AI development. Before looking at the new AI Act, it’s worth looking at what is already covered in the Digital Services Act (DSA), Digital Markets Act (DMA), Cybersecurity Act, Platform-to-Business (P2B) Regulation, and the much-lauded General Data Protection Regulation (GDPR) as it relates to AI development.

The DSA introduces requirements for algorithmic transparency content moderation, holds online platforms accountable, and ensures that AI-powered recommendation systems do not amplify misinformation or harmful content. At the same time, it risks superficial compliance as it does not explicitly provide guidance on how platforms should disclose their algorithms. In this case, Virkkunen’s experience in tech legislation and her hearing provide reassurance that the EU will not be toothless in applying the act to protect Europeans from the negative impacts of rapid AI development.

The DMA targets large online platforms, or "gatekeepers,” to prevent anti-competitive practices, such as data monopolisation. Promoting a more open data ecosystem benefits smaller businesses and researchers. This regulation is crucial in developing diverse and unbiased AI systems, as it offers fairer access to vital data.

The Cybersecurity Act creates a certification system for ICT products, including AI applications, to enhance Cybersecurity across the EU. This regulation ensures that AI systems, especially those integrated into critical infrastructure, meet a high-security standard. Its flaw comes from the voluntary nature of certification. While the AI Act deals with part of this flaw, it should still be explicit that “high-risk” AI applications require mandatory cybersecurity certifications.

The P2B Regulation promotes transparency in ranking algorithms, specifically helping businesses understand how their content is prioritised. The same flaw emerges that AI is not specifically mentioned, and the regulation could be strengthened by requiring that specific factors and potential biases that affect rankings and can disadvantage businesses are disclosed.

Lastly, the GDPR is becoming again increasingly important regarding AI development. The regulation sets a global standard for data privacy, giving individuals control over their data and limiting how organisations can use this information (creating the ever-present cookie disclosure boxes on websites). These provisions on automated decision-making are consistent with safe and responsible AI use, as they provide a framework for consent and transparency. But as further highlighted in the Draghi report, the GDPR can present itself as a regulatory hurdle for AI development. The focus on data protection can, in some cases, restrict the availability of data necessary for AI training, which is critical for innovation. For example, it can inhibit data sharing for academic research and limit the development of socially beneficial AI applications. The regulatory uncertainty emanating from the interplay of the unequal GDPR implementation across Member States in combination with domestic Member State regulations and supranational ones such as the AI Act disincentivises companies to develop and deploy AI systems in the EU.

The AI Act

No discussion of AI in the EU is complete without a discussion of the much-lauded AI Act, which is the first-ever legal framework on AI worldwide. The act ensures AI systems respect fundamental rights, safety, and ethical principles and addresses the risks of very powerful and impactful AI models. It introduces a risk-based approach to AI regulation, establishing classifications from high-risk to low-risk AI systems. This approach allows for targeted regulations where they are most needed, protecting citizens and consumers from harmful AI applications while minimising unnecessary restrictions on low-risk technologies.

It also tries to make use of the Brussels Effect by de facto externalising the law for all AI systems worldwide. Unfortunately, this is where EU lawmakers may have been too confident and instead put the EU at a disadvantage. The lack of clarity on some AI categories leads to inconsistent interpretation and enforcement, especially when looking at the interplay of the regulation with existing rules mentioned previously. Looking at the example of California-based Apple, due to the unclear regulatory environment, it was hesitant to launch the new “Apple Intelligence” feature in EU countries at launch, meaning EU citizens are at a productivity disadvantage relative to other countries. Effectively, EU Apple devices cost the same but do less. For smaller organisations and startups, the Act may impose high compliance costs, potentially stifling innovation among emerging AI developers while giving larger, more established, and crucially, foreign companies a leg up on European competitors.

Ultimately, due to its novelty and vagueness, much is still left up to interpretation, which for the moment can assuage some reservations as Virkkunen is its chief enforcer. But its long-term effects, as highlighted in the Draghi Report, are still unknown.

What does the Draghi Report have to say?

In his famous and presently controversial report, commissioned to evaluate fears that Europe is falling behind the US and China, the ex-ECB president Mario Draghi lays out how to make Europe more competitive. The Report highlights the importance of closing the innovation gap between the US and China, strengthening security, and reducing dependence on non-European suppliers for critical raw materials and technology imports. As technology is key in improving the productivity of nations and GDPs, no discussion of competitiveness is complete without noting AI, which research has shown massively improves the productivity of workers.

The report identifies three barriers that hinder Europe from competing with other markets. Notably, all the previous concerns with AI regulations fall cleanly into one or more of these key barriers. The report underscores Europe's lack of focus, noting the absence of clear priorities and coordinated actions; regulatory burdens that stifle innovation—particularly for small and medium-sized enterprises (SMEs); and a fragmented Single Market that weakens competitiveness, pushing high-growth companies abroad.

As previously mentioned, the interplay of the AI Act and the GDPR and the regulatory burdens it creates are highlighted in the report:

“While the ambitions of the EU’s GDPR and AI Act are commendable, their complexity and risk of overlaps and inconsistencies can undermine developments in the field of AI by EU industry actors. The differences among Member States in the implementation and enforcement of the GDPR…as well as overlaps and areas of potential inconsistency with the provisions of the AI Act, create the risk of European companies being excluded from early AI innovations because of uncertainty of regulatory frameworks.”

The Report also criticises over-regulation, specifically pointing to high estimated GDPR compliance costs, which it claims have resulted in "decreased data storage by 26% and data processing by 15%" among EU companies compared to their US counterparts.

Draghi’s solution is thus to simplify and harmonise rules (particularly the GDPR), removing their regulatory overlaps with the AI Act. Draghi’s second big proposal is a New EU Cloud and AI Development Act, the development of which will be left to Virkkunen and which she has stated she is interested in perusing. This act would strengthen Europe's capabilities in High-Performance Computing (where it excels in the academic sphere but has not made the jump successfully to the private sector), AI, and quantum technologies and prioritise initiatives for private sector involvement and funding. Key recommendations focus on encouraging EU competitiveness, regulatory harmonisation, and increased support for SMEs.

Suggestions in the Report include: 

• Expand computational resources for AI model training and establish an EU framework for 'computing capital' for SMEs.

• Prioritise AI applications in key EU industrial sectors and encourage company involvement.

• Harmonise national AI sandbox regimes and simplify GDPR implementation across the EU.

• Implement unified cloud service policies, including data residency standards, security for sensitive data, and a Single Market 'passporting' regime.

• Defining a single EU-wide policy and data residency requirements for public administrations' cloud services (requiring as a minimum EU sovereign control of key elements for security and encryption, standardising tenders and facilitating/promoting collaboration between EU companies to scale up commercially and support consolidation in the EU, subject to certain exceptions including defence, home affairs and justice).

Conclusion and Takeaways

The EU has taken commendable strides with the AI Act, creating a regulatory framework for AI systems and their development. Still, significant challenges remain in ensuring these regulations do not unintentionally stifle innovation and economic growth, or more generally, “competitiveness.” The Draghi Report brings to attention the crucial need for a harmonised set of policies to avoid regulatory overlap and remove entry barriers for AI businesses in Europe.

Euratek highlights the following concerns and policy proposals:

1. Reduce Regulatory Complexity: Address overlaps between the AI Act and GDPR to minimise compliance burdens, especially for SMEs.

2. Promote Data Access for Social Good: promote (secure) access to critical companies' data for non-profit research and support the development of AI applications with positive social impact.

3. Strengthen AI Infrastructure: Encourage EU-based cloud solutions with secure data residency and support computational resources dedicated to AI training.

By addressing these areas, the EU can course a balanced path that protects its citizens while enabling innovative AI development across Europe, promoting its long-term competitiveness.