Legal Tech • September 2025

AI REGULATION

Bold in Europe but to be determined in the U.S.

Written By María José “Majo” Castro

As artificial intelligence (AI) reshapes business processes, its regulatory future is becoming clearer but more fragmented. Over the next year, organizations deploying AI will face growing obligations, with the European Union (EU) and U.S. offering very different approaches.

While the EU accelerates the rollout of its landmark AI Act (AIA),1 state-level legislation in the U.S. is evolving unevenly, marked by ambitious frameworks in jurisdictions like Texas and Colorado. With compliance deadlines nearing and enforcement mechanisms taking shape, organizations operating across both regions will need to reconcile two fundamentally different lines of regulatory thinking.

The European Union: Centralized Oversight, Phased Deadlines
The EU’s AIA, which entered into force on August 1, 2024, is designed to offer a “harmonized” legal framework for AI, setting a global benchmark in terms of scope, detail, and enforcement power. The AIA adopts a risk-based approach, imposing strict requirements on “high-risk” systems (e.g., education, law enforcement, border control) and banning “unacceptable risk” systems (like social scoring and untargeted facial scraping), while granting greater flexibility to low-risk applications (spam filters, simple photo filters, basic image recognition, etc.).

Here’s a quick breakdown:

  • February 2, 2025

    • Effective now: Prohibitions on certain AI systems (e.g., social scoring, untargeted facial scraping).

  • August 2, 2025

    • General-Purpose AI (GPAI) obligations begin for models placed on the market on or after this date, such as OpenAI’s GPT-4, Google’s Gemini, or Meta’s Llama.

      For example, if Meta releases a new version of Llama after August 2, 2025, it will need to comply immediately with GPAI obligations under AIA.

    • Models released before this date have until August 2, 2027, to comply.

  • August 2, 2026

    • Most remaining obligations, including those for high-risk AI systems (e.g., used in hiring, health care, credit scoring), become enforceable. These include stricter rules around transparency, risk management, human oversight, and bias mitigation.

  • August 2, 2027

    • Full compliance deadline for all AI systems, including previously deployed GPAI models.

Key compliance requirements include:

  • Full documentation of model architecture, training data provenance, and performance metrics;

  • Governance practices ensuring transparency, non-discrimination, and cybersecurity resilience;

  • Copyright and data usage compliance; and

  • Mechanisms to prevent harmful or manipulative outputs.

The European AI Office and AI Board will oversee compliance and coordinate enforcement across member states. Penalties for non-compliance can reach up to 7% of global annual revenue, placing them on par with GDPR-level enforcement.

The U.S.: Fragmentation, Fast-Moving States, and a Federal Crossroad
In contrast to the EU’s centralized approach, AI regulation in the U.S. remains fragmented and reactive. Federal legislative progress has been limited, prompting states to fill the regulatory vacuum.

The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), signed into law in June 2025 and effective January 2026, offers one of the most comprehensive state-level frameworks to date. TRAIGA defines “developers” and “deployers,” bans discriminatory or biometric misuse, and requires documentation for transparency. While the law applies to both governmental and private sector actors, certain provisions such as notice and impact assessment requirements focus specifically on government agencies. Key provisions include:

  • Alignment with the National Institute of Standards and Technology (NIST) AI Risk Management Framework, which may serve as an affirmative defense;

  • Expanded biometric data protections under the amended Texas Capture or Use of Biometric Identifier Act (CUBI);

  • Civil penalties ranging from $10,000 to $200,000, along with potential licensing sanctions; and

  • Establishment of the Texas AI Council and a regulatory sandbox for AI innovation.

Additionally, the Texas Data Privacy and Security Act (TDPSA), in effect since July 1, 2024, imposes restrictions on data processing and profiling, intersecting with AI governance in practice.

A recent federal proposal aimed at preempting state-level AI laws in exchange for access to a $500 million AI infrastructure fund has officially collapsed in the Senate. The proposed five-year moratorium failed to gain sufficient support, leaving the current patchwork of state regulations intact.

This development marks a significant moment in the trajectory of U.S. AI governance: Rather than moving toward a unified federal framework, states remain in the driver’s seat, for now. With no clear federal preemption, businesses operating across jurisdictions must continue navigating a fragmented and rapidly evolving legal sphere.

Enforcement is state-specific, timelines vary, and risk classifications lack uniformity. While some states align with national frameworks like the NIST AI Risk Management Framework, the overall landscape remains fragmented, requiring businesses to navigate a patchwork of legal obligations that evolve independently across jurisdictions.2

Strategic Considerations for Your Business
Organizations operating across multiple jurisdictions should prepare for an increasingly divided compliance picture. Recommended actions include:

  1. Conducting AI use case mapping to identify jurisdictional overlaps;

  2. Implementing NIST or ISO/IEC 42001-based risk assessments;

  3. Establishing documentation protocols for AI systems;

  4. Reviewing (and often) consent and privacy practices in light of evolving requirements; and

  5. Engaging legal counsel to navigate both domestic and international compliance obligations.

Early alignment with global governance and industry standards may reduce risk exposure and reinforce organizational credibility in a trust-driven AI economy.

The next 12 months are a turning point for AI governance. With enforcement kicking in overseas and legal chaos brewing at home, organizations will need to make sense of two very different regulatory playbooks: The EU’s structured approach and the U.S.’ state-led legal panorama. Whether these paths eventually align or just keep pulling further apart is still up in the air.3

Notes

  1. AI Act, European Commission (Aug. 1, 2025), https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai.

  2. Tony Samp, Danny Tobey, Coran Darling, and Ted Loud, Ten-year moratorium on AI regulation proposed in US Congress: Provision in House-passed “reconciliation” bill would bar states and localities from enforcing laws or regulations on AI models, DLA Piper, https://www.dlapiper.com/insights/publications/ai-outlook/2025/ten-year-moratorium-on-ai.

  3. The EU AI Act: Key Milestones, Compliance Challenges and the Road Ahead, Cooley (May 19, 2025), https://cdp.cooley.com/the-eu-ai-act-key-milestones-compliance-challenges-and-the-road-ahead/.

MARÍA JOSÉ “MAJO” CASTRO leads the CastroLand Legal team, which helps businesses navigate legal challenges with practical, proactive advice. She focuses on cybersecurity, privacy, compliance, and business law and is passionate about providing personalized support that makes legal processes clear and approachable for her clients.