Artificial intelligence is now a general-purpose technology embedded in productivity tools, consumer services, critical infrastructure and national security. That ubiquity explains why lawmakers worldwide have moved from principles to enforceable rules—albeit with divergent approaches that reflect different legal traditions and policy priorities. This article surveys the European Union’s far-reaching Artificial Intelligence Act and liability reforms, the United States’ executive and state-level patchwork, the UK-led safety diplomacy, China’s content-and-platform-centric regime, and emerging frameworks from the UN, OECD and G7. It weighs the pros and cons of these models for innovation, accountability and civil liberties, and closes with a pragmatic view on which AI risks are most urgent to govern now—and how.
The EU’s Risk-Based AI Act: Ambition, Timelines and Growing Pains
The European Union has enacted the world’s first comprehensive AI law: the Artificial Intelligence Act, published in the EU Official Journal in July 2024 as Regulation (EU) 2024/1689. It defines prohibited practices, sets rigorous obligations for high-risk systems, and introduces transparency duties for general-purpose AI (GPAI) models, with phased application over several years. Early compliance pressure points include risk management, data-quality governance, human oversight, and post-market monitoring, while GPAI developers face documentation, safety testing and model-card-style transparency. The Act’s legal text and consolidated status are accessible on EUR-Lex and specialist trackers, which also outline the staggered entry-into-application dates and interpretative materials evolving through 2025. [1][2]
Implementation remains a moving target: Brussels has worked on guidance for GPAI and a voluntary Code of Practice to help companies operationalise the Act, but timelines have slipped, prompting debate over legal certainty and competitiveness. Reports in mid-2025 indicated the Code might not arrive until late 2025, even as some provisions start to bite in 2025–2026; EU officials insist the core goals—harmonised, risk-based rules and market safety—stand firm. Meanwhile, industry associations and CEOs have urged a pause or simplification, warning of compliance burdens and ambiguity, while legislators caution against diluting safeguards. These dynamics underline the trade-off at the heart of the EU model: strong ex-ante obligations can foster trust and a level playing field, but if poorly sequenced they risk regulatory friction for startups and cross-border developers. [3][4][5]
Europe’s Liability Overhaul: Product Liability Updated, AI Liability Withdrawn
To complement the AI Act, the EU modernised strict-liability rules for defective products. The revised Product Liability Directive—now in force and due to be transposed by December 2026—explicitly brings software and AI-integrated products into scope, expands compensable harms (including data loss/corruption), and eases the burden of proof in some scenarios. This offers victims clearer redress and incentivises secure-by-design software and lifecycle updates. In parallel, however, the Commission withdrew the proposed AI Liability Directive in early 2025 after limited progress and calls for simplification. The result is a stronger general product-liability baseline without a bespoke AI fault-based instrument—leaving member states to fill gaps or rely on existing tort doctrines. For firms, that means aligning AI safety engineering with product-safety expectations and evidence preservation while watching national transpositions closely. [6][7][8][9]
The US: Executive Action, Federal Guidance and a State-Level Mosaic
At the federal level, the White House’s October 2023 Executive Order on AI set a broad policy agenda: safety testing and reporting for frontier systems; privacy and civil-rights protections; standards development with NIST; content provenance; workforce and competition; and international leadership. The EO’s text and accompanying fact sheet remain foundational references for agencies, standard-setters and industry. In March 2024, OMB’s Memorandum M-24-10 operationalised this within government, mandating Chief AI Officers, inventories, impact assessments and guardrails for safety- or rights-impacting uses, effectively making federal procurement and agency use a lever for ecosystem-wide practices. NIST’s AI Risk Management Framework (AI RMF 1.0) provides voluntary, widely adopted scaffolding for mapping, measuring, managing and governing AI risk across lifecycles. Together, these measures amount to a soft-law-plus-procurement regime while Congress deliberates broader statutory proposals. [10][11][12][13][14]
With Congress divided, states are advancing comprehensive and sectoral rules. Colorado’s landmark SB 205 (the Colorado AI Act) creates duties of care for developers and deployers of “high-risk” systems to prevent algorithmic discrimination, with transparency, risk-management and incident-reporting obligations and an effective date in 2026. In parallel, California’s privacy regulator finalised 2025 regulations under the CCPA/CPRA introducing mandated risk assessments, annual cybersecurity audits for significant-risk processing, and new rights to access and opt out of Automated Decisionmaking Technology (ADMT), with staged effective dates into 2026–2027. The upshot is a mosaic: anti-discrimination risk controls and consumer rights converging with privacy audits and assessments—potentially a de facto baseline for US companies absent federal AI legislation. [15][16][17][18]
UK-Led Diplomacy: From Bletchley to Seoul—and a Council of Europe Treaty
The UK convened the 2023 AI Safety Summit, yielding the Bletchley Declaration—an intergovernmental statement recognising frontier risks and calling for safety science and international cooperation. A 2024 follow-on summit in Seoul produced the Seoul Declaration and a Statement of Intent to build shared safety-science infrastructure. These diplomatic tracks align with the Council of Europe’s Framework Convention on AI, the first binding international treaty on AI and human rights, democracy and rule of law, opened for signature in September 2024 and subsequently signed by major jurisdictions in 2024–2025. The EU authorised signature on the Union’s behalf, signalling an intent to mesh internal regulation with international norms. While not prescriptive on technical controls, these instruments aim to institutionalise shared baselines—rights impact assessments, redress, transparency—and to spur cooperative research on safety evaluation of advanced models. [19][20][21][22][23]
China’s Activity-Based Controls: Content, Provenance and Platform Responsibility
China’s approach centres on content integrity, platform controls and model governance. The 2022 Deep Synthesis Provisions require watermarking and provenance tools for synthetic media, notice to users, and mitigation of misuse; the 2023 Interim Measures for Generative AI Services impose data-quality, security, bias and content-moderation duties on generative services offered to the public in China, while narrowing scope compared with earlier drafts. Compliance advisories and translations clarify how providers must register services, manage training data legality, and align outputs with lawful/ethical norms. These rules—alongside broader data, cybersecurity and platform regulations—translate into enforceable, service-level obligations that foreground online content risks and platform accountability. [24][25][26][27][28]
UN, OECD and G7: Soft-Law Consensus and Developer Codes
Multilateral norms are consolidating. In March 2024, the UN General Assembly adopted a non-binding resolution on safe, secure and trustworthy AI that emphasises human rights, privacy and risk mitigation; a late-2024 UNGA resolution also addressed AI in the military domain. The OECD AI Principles—adopted in 2019 and now a widely referenced intergovernmental standard—remain the touchstone for rights-respecting, trustworthy AI across policy domains. The G7’s Hiroshima Process published voluntary Guiding Principles and a Code of Conduct for organisations developing advanced AI systems, encouraging safety testing, transparency, and post-deployment monitoring. While these are not enforceable, they shape national guidelines and corporate governance, and increasingly align with risk-management frameworks such as NIST’s AI RMF. [29][30][31][32][33]
Privacy and Automated Decision-Making Rights: GDPR, UK GDPR and CPRA
Since 2018, the GDPR has given individuals a qualified right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to safeguards—and the UK GDPR reproduces this structure, reinforced by detailed regulator guidance on DPIAs and transparency. In the US, California’s 2025 CPRA rulemaking built out specific rights to access and opt out of ADMT and requires risk assessments for certain processing, while expanding cybersecurity audit obligations—an evolution that, combined with the Colorado AI Act, moves US practice closer to EU-style risk-assessment foundations. Companies building decisioning systems should therefore expect end-user notices, logic explanations, recourse and DPIAs to be table-stakes in many markets. [34][35][36][17]
India: Privacy First, AI Rules Emerging
India enacted the Digital Personal Data Protection (DPDP) Act in 2023, now accompanied by draft and advisory materials. In 2024–2025, the government advanced the IndiaAI Mission and convened expert groups on AI governance, signalling activity-based regulation to start, with broader frameworks to follow. Draft amendments to the IT Rules in October 2025 propose labelling synthetic media (including deepfakes) and stricter platform due diligence. In the near term, India’s AI governance is coalescing around privacy, platform integrity and electoral protections while broader AI-specific duties are scoped. Providers operating in India should monitor DPDP rulemaking, platform advisories and intermediary obligations. [37][38][39][40]
Canada: AIDA’s Setback—and What Fills the Gap
Canada’s bid for comprehensive federal AI legislation—AIDA, embedded in Bill C-27—stalled with the January 2025 prorogation of Parliament, leaving the bill to die on the order paper. Analysts expect a re-introduction or alternative approach after elections, while provincial initiatives and federal guidance continue to shape practice. In the interim, Canada relies on privacy law (federal and provincial), sectoral regulators, and voluntary codes to steer AI governance. For multinational firms, this increases the importance of internal, harmonised risk-management frameworks rather than jurisdiction-specific minimums. [41][42][43]
Key Debates: Accountability, Privacy, Open Models and National Competitiveness
Accountability. The EU prioritises ex-ante conformity assessments, quality management and human oversight, backed by market-surveillance enforcement. The US emphasises voluntary standards, safety evaluations and government procurement levers. China foregrounds service-level responsibility and content governance. Pros: clearer duties, better documentation and redress. Cons: regulatory complexity for SMEs, uneven global alignment, and forum shopping. [1][13][25]
Privacy and data governance. GDPR/UK GDPR offer mature rights (Art 22, DPIAs); California’s 2025 rules extend ADMT rights and audits; India’s DPDP consolidates a national privacy baseline. Pros: risk mitigation for individuals, trust. Cons: cross-regime fragmentation raises compliance costs and data transfer complexities. [34][36][17][37]
Open vs controlled AI models. G7 and OECD guidance encourages safety and transparency without hard bans on open models; the EU AI Act applies obligations proportionate to systemic risk and use context; China imposes content-integrity controls regardless of openness. Pros: open models boost research and competition; cons: misuse risks, provenance and security challenges. [33][31][1][24]
National competitiveness. The EU contends that harmonised guardrails unlock trust and market access; critics warn of chilling effects and regulatory uncertainty as guidance lags. The US leans on standards and procurement to avoid stifling innovation; states are testing targeted rules. China’s tighter platform controls coexist with rapid deployment. The policy question is sequencing: guardrails first (EU), or innovation stimulus plus standards (US), or content/platform controls (China). [44][3][45]
Pros and Cons of Existing and Proposed Regulations (continued)
Pros. Clearer allocation of responsibility across the AI lifecycle (provider, deployer) improves diligence and post-market monitoring (EU) and reduces ambiguity for victims by modernising product liability for software and AI components. Safety-testing expectations for frontier systems and government-procurement guardrails (US) can raise practice without waiting for sweeping federal statutes. Content provenance and watermarking requirements (China’s deep-synthesis rules; G7/OECD guidance) directly target deepfakes and election integrity.
Cons. Compliance complexity and uncertain timelines (as guidance for the EU AI Act rolls out in phases) risk deterring SMEs and research labs; uneven US state rules could yield fragmentation and forum shopping until Congress acts; content-centric controls (China) raise speech and competition concerns; and the withdrawal of a bespoke EU AI liability directive leaves potential redress gaps for non-defect harms (e.g., pure economic loss) unless Member States legislate. On balance, a layered model—baseline privacy and safety duties, targeted controls for clearly high-risk uses, and modernised liability—appears most sustainable. [1][6][14][24][33]
Innovation Effects and the “Sequencing” Question
A central policy dilemma is sequencing: do governments ship guardrails first (EU’s ex-ante conformity and GPAI transparency), or stimulate innovation while steering with voluntary standards and public-sector procurement (US), or prioritise platform/content governance with registration and provenance (China)? Evidence in 2025 shows pushback against rushed implementation in Europe—lobby groups and coalitions of major firms have urged a pause to certain AI Act provisions until guidance and codes of practice land—while the Commission has reiterated that legal deadlines are binding. In the US, comprehensive federal legislation remains unlikely in the near term; a House proposal to pre-empt state AI laws via a 10-year moratorium triggered bipartisan resistance and was struck in the Senate, leaving states free to regulate. These dynamics suggest that, in the short run, innovation effects will be shaped less by “big-bang” statutes and more by a tapestry of standards (NIST AI RMF), procurement controls (OMB M-24-10), privacy-led audits (California CPPA), and international soft law (G7/OECD/UN) that converge on good-practice baselines without freezing experimentation. [44][3][45][18][12][14][29]
What Should Be Controlled First: A Pragmatic Priority List
1) Synthetic media provenance and election integrity.
Require interoperable provenance, watermarking or disclosure for AI-generated political content, with rapid-response takedown and penalties for coordinated deception. This aligns with China’s deep-synthesis duties (not their censorship) and the G7/OECD guidance; several democracies are converging on provenance for campaign periods.
2) High-risk uses with rights or safety impact.
Enforce DPIAs/AIAs, human-in-the-loop and post-market monitoring where decisions are legally or similarly significant (credit, employment, health, policing), as in GDPR/UK-GDPR Article 22 guidance and California’s ADMT rules.
3) Frontier model safety reporting.
For models meeting defined capability thresholds, mandate pre-deployment evaluation, red-teaming and incident reporting to independent bodies—initially via procurement conditions and voluntary codes (NIST RMF; G7 Code), moving toward statutory duties if risks increase.
4) Critical-infrastructure and public-sector deployments.
Apply certification and resilience standards for AI used in energy, transport, finance and emergency response; the Council of Europe treaty and UN resolution reinforce rights-respecting baselines.
5) Accountability and traceability.
Require system-level documentation (intended purpose, data governance, evaluation results), secure-by-design software and evidence retention to support liability regimes (EU PLD). Prioritising these five areas addresses the most acute externalities while keeping space for low-risk innovation. [33][31][34][17][14][22][30][6]
Compliance Playbook for Organisations
Across jurisdictions, a practical playbook is emerging. Map systems and uses; classify risk; perform DPIAs/AIAs; implement data-quality and bias controls; build human-oversight and model-evaluation checkpoints; log and preserve evidence; set up incident-reporting and post-market monitoring; and align governance to a recognised framework (e.g., NIST AI RMF). For US-exposed firms, track state privacy/ADMT rules and Colorado’s high-risk duties; for EU-exposed firms, stage AI Act readiness ahead of phased application; for China-exposed firms, register qualifying services, implement provenance and content controls; for India, align with DPDP data duties and deepfake labelling proposals. Public bodies should lead by example via procurement guardrails and open reporting on AI assessments, as OMB M-24-10 requires in the US federal family. [13][15][1][25][17][12][37]
Our View: Regulate the Externalities, Not the Hype
The most credible near-term path is to regulate clear externalities—identity deception, safety-critical uses, discriminatory decision-making, and critical-infrastructure risks—while letting low-risk experimentation run. The EU’s AI Act sets a durable template but must land timely guidance and practicable GPAI duties to avoid chilling smaller innovators. The US should continue to ratchet standards-based governance via procurement and sector regulators while Congress builds consensus on privacy and ADMT rights. China’s content-integrity approach will remain influential for provenance, though its speech controls are neither exportable nor rights-compatible in many democracies. Multilateral soft law (UN/OECD/G7; Council of Europe treaty) provides a floor, not a ceiling. Above all, the priority is capability-agnostic controls tied to impact: the same evaluation, provenance and oversight expectations should scale with system capability and use context, not with brand or geography. [1][31][33][30][22]
Summary
AI regulation has moved from principle to practice. The EU is operationalising a comprehensive, risk-based statute while modernising liability; the US is knitting together standards, procurement and state rules; the UK is steering safety diplomacy; China is enforcing platform-centric content controls; India, Canada and others are iterating privacy-first baselines. The policy challenge is to land enforceable, interoperable guardrails that address actual harms without freezing beneficial innovation. Short-term priorities are synthetic-media provenance, high-risk decision safeguards, frontier model evaluation and critical-infrastructure controls, backed by accountability and modernised liability. Success will be measured not by the boldness of rhetoric but by the steadiness of implementation.
Sources:
[1] EU Official Journal — Artificial Intelligence Act (Regulation (EU) 2024/1689) — link
[2] AI Act tracker (informational) — link
[3] Reuters explainer — EU AI Act timing and “pause” debate — link
[4] Financial Times reporting — EU AI Act implementation path — link
[5] Financial Times analysis — Industry concerns about EU AI rules — link
[6] European Commission — New Product Liability Directive (transposition by 9 Dec 2026) — link
[7] Latham & Watkins client note — New EU PLD in force — link
[8] Bird & Bird — Proposed EU AI Liability Directive withdrawn — link
[9] European Parliament “Legislative Train” — AI Liability Directive status — link
[10] White House — Executive Order on Safe, Secure and Trustworthy AI (Oct 2023) — link
[11] White House Fact Sheet — EO on AI — link
[12] OMB Memorandum M-24-10 — Federal agency AI governance — link
[13] NIST — AI Risk Management Framework (overview) — link
[14] NIST — AI RMF 1.0 (PDF) — link
[15] Colorado SB24-205 — Consumer Protections for Artificial Intelligence — link
[16] American Bar Association overview — Colorado AI Act — link
[17] California Privacy Protection Agency — 2025 regulations timeline (ADMT, risk assessments, audits) — link
[18] Skadden — California finalises ADMT, risk assessment and audit rules (Oct 2025) — link
[19] UK Government — Bletchley Declaration (Nov 2023) — link
[20] UK Government — Seoul Declaration (May 2024) — link
[21] UK Parliament — Statement on the Seoul Summit — link
[22] Council of Europe — Framework Convention on AI (CETS 225) — link
[23] EU Council Decision authorising signature of the CoE Convention — link
[24] China — Provisions on Deep Synthesis of Internet Information Services (translation) — link
[25] China — Interim Measures for the Management of Generative AI Services (translation) — link
[26] Hogan Lovells — Client note on China’s generative-AI rules — link
[27] CYRILLA — Deep synthesis enforcement material (PDF) — link
[28] CYRILLA — Generative AI measures (PDF) — link
[29] Reuters — UN adopts first global AI resolution (Mar 2024) — link
[30] United Nations press — GA adopts AI resolution — link
[31] OECD — AI Principles — link
[32] OECD — Background on AI Principles — link
[33] G7 — Hiroshima Process: International Code of Conduct for Advanced AI Systems — link
[34] GDPR-info — Article 22 (automated decision-making) — link
[35] UK ICO — ADM and profiling: what UK GDPR says — link
[36] UK ICO — ADM and profiling: additional considerations — link
[37] India — DPDP Act (official materials, MeitY) — link
[38] IndiaAI Mission documentation — link
[39] IAPP — Global AI governance: India overview — link
[40] Times of India — Draft IT Rules update (deepfake labelling) — link
[41] Parliament of Canada — Bill C-27 (AIDA embedded) — link
[42] DLA Piper — Canada privacy & AI horizon update (Jan 2025) — link
[43] University of Toronto (Schwartz Reisman Institute) — What’s next for AIDA — link
[44] Reuters — Tech lobby group urges EU to pause AI Act — link
[45] Reuters — EU Commission: no pause to AI Act implementation — link
beFirstComment