When AI Rules Diverge
How Regulatory Fragmentation Raises Compliance Costs, Liability Risks, and Data Localisation Pressures
AI regulation is splitting across major jurisdictions. This post examines divergent AI regulations across jurisdictions, particularly in the EU, US, and China, and how such divergence generates compliance costs, liability uncertainty, and data localization pressures for technology companies. It argues that current frameworks are not aligned with the cross-border nature of AI systems. To address this, it proposes practical solutions such as the harmonisation of regulations, the creation of safe harbours, and the reasonable imposition of penalties.
The issue of AI governance now implicates broader concerns of geopolitical competition, technological sovereignty, and market access. As AI systems become essential in strategic sectors, states are introducing divergent regulatory approaches that substantially impact how companies in the tech sector conduct business internationally.
The EU AI Act, which came into effect in August 2024, establishes a risk-based framework. The EU model combines this risk classification with emphasis on fundamental rights protection in relation to safety, non-discrimination, and accountability. It introduces strict obligations on developers and deployers of high-risk AI systems, an approach in stark contrast with that of the US, where the rescission of Joe Biden’s AI Executive Order 14110 and its replacement with a deregulatory framework under the Trump regime shows a shift that prioritizes economic competitiveness over stringent requirements.
The Chinese model adds another dimension to this divergence. Recent legislative agenda trends promote development, along with sector-specific regulations in finance, emotionally interactive AI services (including AI systems capable of psychological interaction and behavioural influence), and autonomous vehicles.
Compliance Multiplicity and Liability Uncertainty
The main question is whether businesses can smoothly operate across jurisdictions with divergent AI regulatory frameworks, particularly the EU’s risk-based model, China’s content-control approach, and the US’s deregulatory shift, without fundamentally restructuring their operations. Evidence shows that they cannot, at least not without major financial recalibration.
Regulatory fragmentation leads to disproportionate compliance costs. Large organisations with well-established legal/compliance departments can easily bear the burden of maintaining multiple teams for different jurisdictions. Mid-sized organisations, however, face limitations because they have to either constrain their geographic operations or accept costly compliance risk.
The EU’s requirements for AI systems include conformity assessments prior to market placement (Article 43), establishment of risk management systems (Article 9), and ongoing post-market monitoring obligations (Article 72). These require providers to ensure traceability through logging, and implement human oversight systems (Article 16).
At the same time, China’s Labelling Rules (September 2025), and South Korea’s AI Basic Act (January 2026), are regulatory approaches that are not merely additional layers over the EU framework, but altogether distinct paradigms.
China’s approach focuses on ex ante content control, and imposes obligations relating to content moderation, synthetic media labelling, and platform responsibility. Moreover, the Chinese model does not rely on private enforcement, but tends to impose many duties on companies through ex ante content governance obligations.
The Chinese model of ex ante content governance results in a system where legal compliance is discretionary, as regulations are shaped through administrative interpretation and enforcement. Therefore, the Chinese model can reduce litigation exposure, but may increase the risk of selective enforcement.
South Korean law, by contrast, introduces transparency obligations, including the labelling of AI-generated content and disclosure of AI use in services. It further regulates “high-impact AI systems” which affect safety and require risk management and human oversight measures. However, its weakness is that it operates through delegated legislation and soft-law guidelines, which leaves obligations open-textured unless secondary rules are introduced.
This multiplication of divergent regulations across jurisdictions raises several concerns. First, it causes technological conservatism. Companies may hesitate to adopt new AI systems because of costs, choosing to avoid regulatory risks in markets. Second, companies with limited resources, like tech-startups, lack the capital to build and maintain the legal and technical compliance infrastructure that is required to satisfy conflicting regulations simultaneously, which ultimately results in the reduction of competition. Third, this regulatory fragmentation produces arbitrage opportunities where companies operate to exploit permissive jurisdictions and simultaneously access restrictive ones via intermediaries.
Beyond compliance costs, another important factor in corporate hesitation is liability uncertainty. In the EU, the AI Act’s risk-based obligations operate alongside GDPR, product safety principles, and fault-based liability theories for algorithmic harm. Firms therefore face overlapping enforcement risks, including administrative penalties and market withdrawal, without clear due diligence standards governing AI design, development, and deployment.
Hence, corporate decision-makers may rationally delay deployment not because AI is technologically immature, but because the legal consequences of failure are structurally unpredictable. This creates a chilling effect similar to the over-compliance observed in the early stages of GDPR implementation.
Regulatory Fragmentation and Data Localization
Cross-border data transfers are increasingly shaped by enforcement risks rather than formal legal mechanisms. While instruments such as the EU-US Data Privacy Framework and Standard Contractual Clauses formally facilitate cross-border data flows, their practical reliability is uncertain due to enforcement scepticism.
For instance, the €290 million fine imposed on Uber by the Dutch Data Protection Authority for insufficient safeguards in the transfer of EU drivers’ data to the US shows an increasing regulatory focus. The Data Protection Authority insisted on strict technical compliance, as it rejected Uber’s argument that joint controllership between the US and EU entities did away with the need for transfer mechanisms.
Similarly, the European Data Protection Supervisor ordered the suspension of the European Commission’s use of Microsoft 365. It cited a lack of clarity regarding service-generated data transfers, even though the Commission confirmed compliance later. In addition, the US’s Executive Order 14117 on the management of cross-border flows of sensitive information to countries of concern expresses the American stance on restricting data exports, which is similar to the European attitude of scepticism towards international data transfers.
The implication here is the rise of data localization. Companies are starting to regionalise their technology infrastructure. They are now finding it prudent to establish isolated data environments to avert the risks associated with transfers across national borders. Each localized environment needs separate compliance.
There are also concerns about enforceability. Data laws treat cross-border transfer as a jurisdictional problem, i.e. once personal data leaves a territory, regulators have reduced investigatory reach and limited remedial enforcement.
Yet, localisation is not inherently privacy-enhancing. Fragmented storage can increase attack surfaces and reduce security oversight. Localisation also runs the risk of becoming an economic regulatory tool which creates barriers to entry and disadvantages smaller firms that cannot replicate infrastructure across jurisdictions.
In the case of AI, localization introduces several challenges. To train AI models, datasets need to contain information from multiple jurisdictions. Companies therefore have to decide whether to operate with the limited accuracy offered by training AI on available datasets, or to invest significant capital to sustain systems used to train AI in multiple nations.
AI Regulation as Economic Security
National security-driven laws operate through export controls, outbound investment screening, and sanctions-type compliance regimes. These measures have extraterritorial effect and they create legal risk for technology developers as well as cloud service providers.
The discourse of technology regulation also includes national security issues that go beyond commercial interests of companies. The US-China technology rivalry highlights this situation, as both countries have put measures in place to restrict technology transfer and limit investment flows.
US export controls on advanced semiconductors and related equipment have grown more restrictive. In October 2024, the US introduced regulations for an outbound foreign investment programme. This choice increases scrutiny for investments in Chinese companies involved with AI, semiconductors, and quantum information technologies. These restrictions are in effect alongside entity list designations that prevent US companies from supplying designated Chinese firms without federal authorization.
China responded with countermeasures such as export controls on critical minerals and strategic changes to foreign investment rules. Chinese technology policy now focuses on “independent” technology development. Xi Jinping’s advocacy for “safe, reliable, and controllable” AI shows concerns about technological dependence.
This situation affects technology investment choices. Companies need to consider not just current regulations but also possible future restrictions due to geopolitical changes. Sectors dealing with dual-use technologies, which have both civilian and military uses, face particular uncertainty.
The result is legal uncertainty in cross-border contracting, as private agreements include export-control clauses, termination triggers, and representations on end-use. Therefore, geopolitical rivalry is embedded into private law instruments through compliance-driven contracts.
Path Forward
The current direction of technology regulation is unsustainable. Addressing this concern requires coordinated action. A first course of action should be regulatory coordination at the international level. Although it is true that perfect harmonization is impossible due to divergence in policy priorities, greater coordination could reduce unnecessary incompatibilities. Regulatory authorities should create mechanisms for early consultation on regulatory initiatives allowing adjustment measures by companies.
Technical standards organizations must receive adequate resources to develop implementation standards that can play a role in reducing fragmentation by converting high-level legal obligations into operational benchmarks. Standards developed by bodies such as the ISO and IEEE can provide firms with clearer compliance goals. However, there are drawbacks. Technical standards may struggle to capture normative concerns such as fundamental rights, fairness, or societal harms, which require context-sensitive interpretation. Hence, over-reliance on standards may lead to reducing governance questions into matters of purely technical compliance.
A second course of action should be to assess compliance against actual risk levels. Treating all AI applications as equally concerning, so that low- and high-risk systems are handled identically, can place an excessive burden on applications that are low-risk in nature and may also result in under-regulation of genuinely concerning applications.
The risk-based approach taken in the EU AI Act is a sound concept, but implementation should guard against overbroad risk classification that designates broad categories of systems as high-risk. Periodic reviews should assess whether risk classifications reflect genuine evidence about actual harms and not hypothetical concerns.
A third course of action should be the mutual recognition of compliance. Countries should create mutual recognition agreements that treat compliance with one framework as satisfying similar requirements in other jurisdictions as well. This method could help establish protocols where substantive requirements are aligned even if procedures differ.
For instance, EU privacy laws offer a model that recognizes non-EU frameworks as offering adequate data protection. Nations can examine this idea for AI safety standards and cybersecurity requirements.
Finally, attention should also be directed to regulatory clarity, i.e., the need for precise compliance standards that businesses can act upon with confidence. Regulatory uncertainty creates problems as companies deal with unclear standards that may be enforced unpredictably. Regulators should create safe harbours for genuine efforts and impose fair penalties that differentiate between intentional violations and technical non-compliance.
The challenge of governing technology and AI tests regulatory coordination. Moving forward requires acknowledging that unpredictable regulations hinder technological innovation and that international cooperation is necessary to uphold regulatory goals.
Aryan Sharma is an undergraduate law student at National Law University Mumbai, India, with a strong interest in Public International Law.