How should Europe enforce data protection when AI chatbots operate across borders? In a notable move, Berlin’s Data Protection Authority invoked the Digital Services Act (DSA) Article 16 to ask Apple and Google to delist DeepSeek, the famous Chinese AI chatbot, over alleged GDPR-breaching transfers of EU users’ data to China. The request uses a tool designed for illegal online content to tackle a complex AI data-flow issue—raising big questions for AI governance.

How do the AI Act and DSA collide in shaping Europe’s AI future? This paper uncovers hidden gaps in systemic risk oversight, exposing costly “over-assessment” that stifles innovation. By calling for smarter, simplified regulation, it argues for a path that safeguards rights without derailing AI progress in the EU. The analysis offers a blueprint for balancing accountability with competitiveness in the digital era.

With the majority of obligations for general-purpose AI (GPAI) models set to take effect on 2 August 2025 (AI Act, Chapter V, Art. 53), the European Commission has published the long-awaited GPAI Code of Practice on 10 July 2025. The document—developed by independent experts—serves as voluntary guidance to help GPAI providers prepare for compliance under the EU AI Act. It focuses on three key areas: Copyright, Transparency, and Safety & Security.

On 8 May 2025, the Danish Parliament adopted a bill aimed at introducing additional provisions for the regulation of artificial intelligence in Denmark, in accordance with the EU AI Act. The text lays down the designation of national competent authorities and the penalties for violations of the EU AI Act, the law as well as related national legislation and implementing acts.

In a decisive move early on July 1, the U.S. Senate voted 99–1 to pass an amended version of the One Big Beautiful Bill (OBBBA), stripping out a controversial provision that would have blocked state-level regulation of artificial intelligence. The amendment, introduced by Sen. Marsha Blackburn (R-TN), eliminated a proposed 10-year moratorium that had tied state compliance to access to federal funds.

The French data protection authority (CNIL) published two new practical fact sheets designed to help actors developing AI systems to comply with the GDPR. The CNIL shares its recommendations on the use of legitimate interest as a legal basis for the development of AI systems and focuses on the collection of data through web scraping.  

This analysis explores the EU AI Continent Action Plan’s approach to implementing the AI Act within a complex multi-level governance system. The paper assesses how simplification efforts can influence consistency, legal clarity, and the broader goal of establishing Europe as a global AI leader.

This article examines the intersection of biometric data and facial recognition in the EU, highlighting the legal and cybersecurity frameworks that shape their use. Drawing on GDPR requirements and current debates on ethical deployment, it explores how EU regulations seek to balance innovation with the protection of privacy and fundamental rights.

Governments face significant barriers to AI procurement due to the complexity of EU AI law and a lack of clear implementation guidance. Key challenges include definitional ambiguity around AI and a significant knowledge gap between public procurers and AI vendors. Data quality and technology infrastructure issues are also hampering the effective use of AI. The article highlights the critical need for clearer, practical guidance at both EU and national level to ensure compliant AI procurement.

Explore the pressing challenges at the intersection of military AI and international humanitarian law. Discover why current regulations may not be sufficient to address the unpredictable nature of AI-powered weapons, and the critical need for adaptive legal review to ensure the protection of civilians in an era of increasing autonomy in warfare.

The definition of systemic risk in Article 3(65) of the EU AI Act presents challenges of interpretation due to potential ambiguities. This working paper analyses these ambiguities and how the GPAI Code of Practice attempts to categorise these risks through a taxonomy. A key concern is the potential for exploitation of these systemic risk definitions by GPAI model providers.

The AI Regulation Chair is proud to announce its significant contribution to the book “The EU Artificial Intelligence (AI) Act: A Commentary”. This comprehensive work contains analyses from numerous experts and academics in the field. The Chair’s contribution includes a commentary on Articles 16 and 17 of the AI Act, which deal with the obligations of providers of high-risk AI systems and the implementation of a quality management system.