The EU and US have taken fundamentally different approaches to AI regulation. The EU has enacted comprehensive, binding legislation. The US relies primarily on voluntary frameworks, sector-specific regulation, and executive action. Organizations operating in both markets must understand both approaches.

Legislative Approach

EU AI Act is a comprehensive, horizontal regulation that applies to all AI systems placed on the EU market, regardless of sector. It classifies AI systems by risk level and imposes binding requirements with significant penalties for non-compliance. It establishes new regulatory infrastructure including national AI authorities and an EU AI Office. It entered into force on 1 August 2024 and applies in phases (see the timeline below).

US approach relies on a patchwork of existing sector-specific regulators (FDA for health AI, SEC for financial AI, FTC for consumer protection), the voluntary NIST AI Risk Management Framework, and state-level legislation. There is no single, comprehensive federal AI law. The federal posture shifted sharply toward deregulation in 2025: Executive Order 14110 (the Biden 2023 AI safety order) was rescinded on 20 January 2025, replaced by Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”). The White House released “America’s AI Action Plan” in July 2025, an innovation and infrastructure agenda that also directs NIST to revise the AI RMF. In December 2025, Executive Order 14365 (“Ensuring a National Policy Framework for Artificial Intelligence”) directed federal agencies to challenge state AI laws seen as inconsistent with federal policy and to pursue a preemptive national framework, though preemption ultimately requires action by Congress.

Risk Classification

EU uses a four-tier risk classification (unacceptable, high, limited, minimal) codified in law, with specific requirements for each tier. High-risk categories are enumerated in Annexes and include critical infrastructure, education, employment, essential services, law enforcement, and biometric identification.

US does not impose a uniform risk classification. NIST AI RMF provides a voluntary risk mapping framework. Individual agencies apply their own risk assessments within their jurisdictions. Colorado’s 2024 AI Act introduced a risk-based framework for “high-risk” systems in consequential decisions, but its effective date has been repeatedly delayed (now 1 January 2027 under SB 189, signed May 2026) and the law was rewritten toward a lighter disclosure-and-transparency model, dropping the original duty of care, risk management programs, and impact assessments. It illustrates how unsettled the state-level picture remains.

Key Differences

AspectEU AI ActUS Approach
Legal natureBinding regulationMostly voluntary frameworks
ScopeHorizontal, all sectorsSector-specific
EnforcementFines up to 7% turnoverVaries by agency, FTC enforcement
ConformityRequired for high-riskNot required federally
Pre-marketAssessment before deploymentGenerally post-market oversight
Foundation modelsSpecific GPAI obligationsVoluntary commitments
TransparencyMandatory disclosureVoluntary best practices

Where the Rules Stand in 2026

Both regimes moved significantly in 2025 and 2026, and both moved toward lighter or delayed obligations.

  • EU AI Act enforcement has started, in phases. Prohibitions on unacceptable-risk practices (such as social scoring and most untargeted biometric surveillance) and AI literacy duties applied from 2 February 2025. Obligations for general-purpose AI (GPAI) models applied from 2 August 2025, backed by a voluntary GPAI Code of Practice that offers a presumption of conformity to signatories. The Commission’s power to enforce against GPAI providers begins 2 August 2026.
  • The EU has agreed to delay its high-risk rules. Under the Digital Omnibus on AI (provisionally agreed by the Council, Parliament, and Commission in May 2026, pending formal adoption), the start of high-risk obligations is pushed back: to 2 December 2027 for standalone Annex III systems and to 2 August 2028 for AI embedded in regulated products under Annex I, well beyond the original 2 August 2026 date. The package also narrows the “safety component” trigger and eases some transparency timing.
  • The US shifted toward deregulation and possible preemption. After rescinding Executive Order 14110 in January 2025, the administration issued Executive Order 14179, released “America’s AI Action Plan” (July 2025), and signed Executive Order 14365 (December 2025) targeting state AI laws and seeking a uniform national framework. A statutory moratorium on state AI laws was proposed but not enacted by Congress, so state legislation (Colorado, California, Illinois, Texas, and others) remains the most active source of binding US AI rules.

Implications for Global Organizations

Organizations selling AI products in both markets face an asymmetric compliance burden. EU compliance is more prescriptive but clearer: meet the defined requirements and you can access the market. US compliance is more fragmented: different agencies, different states, different expectations.

A practical strategy is to build to the EU AI Act standard as a baseline (it is generally the stricter regime), then address US-specific requirements at the sector level. Organizations already compliant with the EU AI Act will substantially meet NIST AI RMF expectations, though the frameworks are not identical.

Convergence and Divergence

Both jurisdictions agree on the importance of risk management, transparency, and safety testing. The NIST AI RMF and EU AI Act share conceptual alignment on many topics. However, they diverge sharply on enforcement: the EU mandates compliance with penalties, while the US generally encourages best practices with enforcement only through existing consumer protection and sector-specific authorities.

The trade and innovation implications are significant. The EU’s approach provides legal certainty but raises compliance costs. The US approach allows more flexibility but creates uncertainty as the regulatory landscape continues to evolve through executive action, agency guidance, and state legislation. The 2025 to 2026 trend in both jurisdictions has been toward lighter or delayed obligations: the EU postponed its high-risk rules through the Digital Omnibus, and the US pursued deregulation and a preemption-oriented federal posture.

Sources