Regulate to compete: Can Europe's red tape become a lead?

On the one hand, the EU’s regulatory stack – featuring the AI Act, the Cyber Resilience Act, and the Digital Markets Act, to name a few – can feel dense and actively slow down technology development. On the other hand, it can become a competitive weapon in the AI era. 

The conundrum was at the core of the discussions during the EU Digital Summit held in Brussels on June 9. The event brought together a crowd of EU representatives, policymakers, and industry voices for panel discussions around digital technology development in the bloc. 

Yasmine Charafeddine, a senior corporate counsel at Salesforce, described navigating a landscape in which a single cybersecurity incident can simultaneously trigger General Data Protection Regulation (GDPR) obligations, AI Act compliance checks, and NIS2 notifications. "This kind of fragmentation is a real compliance burden," she said, "and it has sometimes stopped Europe from competing." 

To reinforce this feeling, Jens Jeepesen, senior director of corporate affairs at Workday, underscored that large European companies, including ASML, Siemens, and Nokia, are voicing their concerns. Overlapping rules have made it "incredibly hard to keep pace with the speed of technological progress,” he said. 

Betting on purposeful AI 

Part of what makes the debate so charged is a confusion between two different ambitions. When European policymakers talk about AI competitiveness, they often mean adoption — deploying existing large language models, most of them American, at enterprise scale. Alexandra Geese, a member of the European Parliament, pushed back sharply. Adoption means working with models Europe did not build and cannot steer. "That's catch-up, and it's a game we will never win," she said.

Her alternative was a harder question: what kind of AI does Europe actually want to create? “Europe should aim for AI that accelerates drug discovery, processes climate data, and serves verifiable human needs. This is where Europe can lead, not by replicating the Silicon Valley model, but by building something it cannot easily produce: AI that people trust, with governance embedded from the start,” the MEP added. 

However, rules are designed to prevent the bad outcomes of AI, such as manipulative techniques, rather than to enable good ones. 

The AI market is unpredictable

In a session exploring the dynamics of the Generative AI market, Meryem Haraj Touzani, associate principal at RBB Economics, presented evidence that AI foundation models show more contestability than the platform economy ever did.

AI model leadership shifts month to month, with enterprises routinely running five or more models in parallel. To this end, companies are increasingly adopting infrastructure to make switching easier. "Sometimes being integrated doesn't actually translate into an advantage at all," she said. 

Trust as infrastructure

The summit also delved into the rise of cybersecurity. The Cyber Resilience Act is setting standards in the space. Nanna-Louise Linde, vice-president of European Government Affairs at Microsoft, argued that security and innovation are not in tension."People will only use technology that they trust. Good security is the foundation of innovation," she stated. 

Lenovo’s Chief Information Security Officer Jason Ruger then illustrated why sovereignty requires more than regulatory ambition: building a single AI chip for Europe requires rare earths from China, lithography from ASML, chip fabrication from TSMC in Taiwan, and software from American firms. In his view,  sovereignty is not a certificate but a set of managed dependencies, and regulation needs to reflect that complexity.

The Brussels effect

What ties these threads together is GDPR. When the regulation was passed in 2018, predictions ranged from modest to catastrophic for European competitiveness. What followed was something else: European data protection standards became a global benchmark. In a way, meeting tougher standards was more efficient than maintaining separate ones. The Brussels effect — Europe's tendency to export its regulatory standards beyond its borders — turned a domestic rule into an international asset.

To this end, experts suggested that the AI Act could follow the same trajectory. Ruger, speaking as a board member of a US national cybersecurity alliance, recalled telling American peers: "If you want to know what's going to happen to AI regulation around the world, look at the EU AI Act." 

Nevertheless, enforcement must be consistent across all 27 member states. Moreover, rules must differentiate between consumer-facing applications and industrial enterprise deployments, which carry very different risk profiles. And simplification must be pursued with the same energy as expansion. 

If those conditions are met and a certain regulatory framework is established, long-term investment may be attracted. Regulation and innovation don’t have to compete, but rules need to serve the purposes of technological development.