How AI Regulation Is Developing Across the U.S., EU, and Asia

The EU AI Act, U.S. executive orders, and China's algorithmic rules are taking divergent approaches to governing artificial intelligence. Learn what each framework covers and what it leaves open.

The InfoNexus Editorial Team | May 18, 2026 | 9 min read

The World's First Comprehensive AI Law Passed in the EU — While the U.S. Still Has No Federal AI Statute

On August 1, 2024, the EU Artificial Intelligence Act entered into force — the world's first comprehensive horizontal AI regulation, covering AI systems across industries, use cases, and risk levels. The same month, it applied its first provisions prohibiting the most dangerous AI applications outright. Meanwhile, in the United States, no equivalent federal statute exists. The U.S. approach remains primarily executive action, sector-specific agency guidance, and state-level legislation — a fragmented patchwork that AI companies simultaneously navigate and influence. China, for its part, has adopted a series of targeted regulations covering specific AI capabilities: recommendation algorithms, deepfakes, and generative AI, with more comprehensive legislation under development. These three jurisdictions represent three distinct regulatory philosophies, and their divergence has significant consequences for where AI is developed, deployed, and held accountable.

The EU AI Act: Risk-Based, Horizontal Regulation

The EU AI Act categorizes AI systems by risk level, applying different requirements to each tier. The framework took four years to negotiate — complicated significantly in the final months by the emergence of powerful general-purpose AI (GPAI) systems like GPT-4, which required a new regulatory category not anticipated in the original Commission proposal.

Risk Tier Structure

  • Unacceptable risk (prohibited): Social scoring by public authorities, real-time biometric surveillance in public spaces (with narrow exceptions), subliminal manipulation of behavior, exploitation of vulnerabilities in children or disabled persons, and predictive policing based solely on profiling. These uses are banned from August 2024.
  • High risk: AI systems used in critical infrastructure, education, employment, essential services (credit, insurance), law enforcement, migration control, and justice administration. These require conformity assessments, risk management systems, data governance documentation, human oversight mechanisms, and registration in an EU database before deployment.
  • Limited risk: Chatbots and deepfakes must inform users they are interacting with AI (transparency requirement).
  • Minimal risk: Spam filters, AI in video games — no specific requirements beyond existing law.
  • General-Purpose AI (GPAI): Foundational models must disclose training data summaries, implement copyright compliance policies, and publish energy consumption data. Models exceeding 10^25 FLOPs of training compute face additional systemic risk requirements including red-teaming, incident reporting to the EU AI Office, and cybersecurity measures.

| Penalty Level | Trigger | Maximum Fine |
|---|---|---|
| Tier 3 | Violating prohibited AI practices | €35 million or 7% of global annual turnover |
| Tier 2 | Failing high-risk system requirements | €15 million or 3% of global annual turnover |
| Tier 1 | Providing incorrect information to authorities | €7.5 million or 1.5% of global annual turnover |

United States: Executive Action and Sector-by-Sector Guidance

The U.S. has relied primarily on non-legislative mechanisms. President Biden's Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (October 2023) was the most comprehensive U.S. AI governance action to date. It directed agencies to develop sector-specific guidance, required developers of the most powerful AI models to share safety test results with the government, established a National AI Safety Institute within NIST, and addressed immigration pathways for AI talent.

The Trump administration revoked that executive order in January 2025 and issued its own order focused on maintaining U.S. AI leadership and reducing regulatory barriers to innovation. This political reversal highlighted the fundamental fragility of executive-order-based governance: it can be undone immediately by a successor administration without congressional action.

Sector-specific regulation is proceeding through existing agencies: the FDA regulates AI medical devices, the FTC applies consumer protection and anti-discrimination frameworks to AI, the EEOC issues guidance on AI in employment decisions, and financial regulators have issued model risk management guidance applicable to AI in banking. California's SB 1047 — which would have imposed safety requirements on frontier AI developers — was vetoed by Governor Newsom in 2024, but California has passed more targeted AI transparency and data privacy legislation.

China: Targeted, Application-Specific Rules

China has taken a different path: regulating specific AI capabilities sequentially rather than through a single comprehensive framework. This approach reflects both the Chinese regulatory style and the ambition to shape AI development while maintaining state control over politically sensitive applications.

| Regulation | Effective Date | Scope | Key Requirements |
|---|---|---|---|
| Algorithmic Recommendation Rules | March 2022 | Recommendation algorithms on platforms | Transparency, user opt-out, no discriminatory pricing |
| Deep Synthesis (Deepfake) Rules | January 2023 | Synthetic voice, image, video generation | Mandatory watermarking, user consent, real-name verification |
| Generative AI Regulations | August 2023 | Publicly available generative AI services | Content moderation, no content that "undermines" state power, security assessments for mass-market deployment |
| AI-Generated Labeling Rule | September 2024 | All AI-generated online content | Mandatory disclosure labeling on video, image, text content |

UK, Canada, and Japan: Principles-Based Alternatives

Several countries have chosen to avoid binding legislation in favor of principles-based frameworks relying on voluntary codes and existing regulatory authority. The UK government explicitly positioned itself as a "pro-innovation" alternative to the EU's regulatory approach — issuing cross-sector AI principles through existing regulators rather than creating AI-specific law. Japan has adopted a similarly light-touch approach emphasizing international alignment and industry self-governance through its AI Guidelines for Business framework. Canada's Artificial Intelligence and Data Act (AIDA) — included in Bill C-27 — would create a risk-based framework comparable in structure to the EU AI Act, but as of 2025 had not completed the legislative process.

The Governance Gap: What Remains Unaddressed

  • Frontier model evaluation: No binding international standard for what safety testing a powerful AI model must pass before deployment. The UK AI Safety Institute and U.S. AISI are developing evaluation frameworks, but participation is voluntary.
  • Cross-border enforcement: An AI system trained in the U.S. by a U.S. company and deployed globally faces EU rules for EU users, but enforcement against non-EU companies is legally complex.
  • Open-source AI: The EU AI Act provides limited exemptions for open-source GPAI models below the systemic risk threshold, but how to regulate capabilities that are freely downloadable and can be run without accountability to any company is unresolved globally.
  • AI in national security and military: Autonomous weapons systems and AI-assisted surveillance are effectively excluded from most civilian AI regulations. The Geneva Conventions and export control law (such as U.S. EAR controls on advanced AI chips to China) are the primary governance instruments, with significant gaps.