The European Union’s approach to artificial intelligence regulation may be too cumbersome to adapt as the technology and its risks evolve, according to a new study comparing the bloc’s governance system with the more fragmented model used in the United States.

The research, published in the journal Big Data & Society, argues that the EU created an extensive set of regulatory “guardrails” intended to anticipate harms across a wide range of AI uses. But developing those rules required years of negotiation and substantial political effort, leaving a framework that is difficult to revise in response to new evidence, Phys.org reported.

The study was written by Alison Harcourt of the University of Exeter, Claudio M. Radaelli of the European University Institute and Philipp Trein of the University of Lausanne. The researchers describe the EU framework as a “rigidity trap”: rules that are politically and institutionally costly to adjust, even as parts of the system may be vulnerable to removal or dilution.

The authors contend that this inflexibility weakens the EU’s ability to achieve the European Commission’s stated objectives of supporting AI that is trustworthy, centered on people and respectful of fundamental rights. They also say the architecture can make enforcement more difficult because broad, forward-looking requirements must be applied to technologies and risks that were not fully understood when lawmakers designed the system.

The European Union adopted the AI Act in 2024 after a lengthy legislative process. The law established a risk-based system in which obligations differ according to how an AI application is used and the potential harm it presents. According to the University of Exeter account of the study, the original framework was due to take effect in stages but has already been overtaken by the 2026 AI Simplification Act. The researchers characterize the recent changes as a partial regulatory retreat before the original law was fully implemented.

That development is central to their argument. A comprehensive regime may appear more protective on paper, the study suggests, but its value depends on whether regulators can update requirements, resolve ambiguities and enforce the rules as markets and technical capabilities change. AI systems can acquire new functions through software updates, be deployed in settings their developers did not anticipate and create harms that cross conventional boundaries between industries.

“The EU has opted for a design that has limited room for adaptive regulation,” Radaelli said, according to Phys.org.

Harcourt said the EU’s architecture reflects an attempt to anticipate the development of AI risks and protect values identified by European institutions. That prescriptive orientation, however, makes the construction of a comprehensive set of safeguards particularly difficult. Companies and courts are already seeking to influence or revise the practical results of the AI Act, she said.

The study contrasts that model with regulation in the United States, where no equivalent single, cross-economy AI statute governs the entire field. Instead, rules have developed through state legislation and measures aimed at particular industries or identifiable harms. The researchers call these mechanisms regulatory “leashes” because authorities can tighten them when a specific danger emerges.

In the authors’ assessment, the US approach is more concrete and easier to enforce in areas including deepfakes, election integrity, labeling of AI-generated material and individual rights. State-level experimentation also allows policymakers to observe whether one jurisdiction’s intervention works before similar provisions spread elsewhere.

The comparison does not mean that the United States planned a coherent adaptive system, the researchers note. Its flexibility emerged at least partly from a decentralized political and legal structure. Nor does a reactive approach necessarily prevent harm before it occurs. Rather, the study focuses on whether rules can be changed and enforced as regulators gather evidence about specific technologies and applications.

Trein said the EU’s practical framework became so politically costly and administratively heavy that changing it in light of evidence has proved more difficult than repealing elements of it. By contrast, he said, the US system created more room for regulatory learning, as much by accident as by deliberate policy design.

The debate reflects a fundamental problem in AI governance: lawmakers must decide how much to regulate in advance and how much discretion to preserve for future decisions. Broad rules can create common standards, reduce inconsistencies between jurisdictions and signal that certain uses are unacceptable. Yet detailed requirements may become outdated when technical practices, business models or patterns of misuse change faster than formal legislation.

A sector-based model offers a different set of trade-offs. Regulators responsible for elections, consumer protection, employment, health care or financial services can address harms within areas they already understand. Such an approach may produce narrower and more enforceable duties, but it can also leave gaps when an AI system falls outside existing legal categories or operates across several sectors at once.

The EU’s risk-based model was designed in part to avoid those gaps by applying a common structure across the bloc. It distinguishes among categories of use rather than treating every AI system identically. That principle is intended to concentrate the strongest obligations on applications with the greatest potential effect on safety or fundamental rights. The new study does not simply dispute the need for safeguards; it questions whether the institutional design permits those safeguards to evolve effectively.

Implementation is especially important because AI legislation generally depends on technical standards, guidance, oversight decisions and court interpretations. The statutory text is only one part of the regulatory system. Authorities must determine which systems fall within particular categories, what evidence companies need to provide and how compliance will be assessed. If those processes move slowly, legal certainty and rights protections can both suffer.

The researchers’ US comparison also highlights the role of policy experimentation. When states adopt different responses to a defined problem, officials can compare their effects and potentially reproduce successful measures. But a patchwork of state laws can increase compliance complexity for companies operating nationally and may provide uneven protection depending on where people live. The study’s argument centers on the capacity for learning within that patchwork rather than claiming it eliminates such disadvantages.

The paper, titled A question of style? Regulating artificial intelligence in the European Union and the USA, was published in 2026. Its warning arrives as governments continue to balance innovation, enforceability and rights protection in a field where both technical capabilities and commercial uses can shift quickly. For the EU, the researchers suggest, the central challenge is no longer only writing ambitious protections. It is ensuring that those protections can be revised and applied before technological change makes them obsolete.

Sources: EU AI Act