Anu Bradford’s most-cited contribution to international regulatory scholarship rests on a sentence she never quite writes that way. The European Union, she argues, regulates the global marketplace without leaving Brussels. The claim was first sketched in a 2012 Northwestern University Law Review article1 and then worked out at book length in 2020.2 It is at once empirical (here are the case studies) and structural (here are the conditions). The EU, in Bradford’s account, is not a normative empire. It is not exporting values through diplomacy or coercion. It is regulating its own market, in detail, with stringency — and the rest of the world catches the regulations on the rebound. Multinational companies, facing the alternative of bifurcating their global production, adopt the European standard everywhere. Foreign governments, facing companies that already comply with European standards, emulate the regulation domestically. The mechanism is unilateral, market-mediated, and — most usefully for the reader — repeatable. Once the conditions are named, the next case becomes predictable.
↑ N° 22 · N° 22 read Bradford’s 2012 Northwestern article — the founding text. This piece reads the 2020 book: the four-case-study expansion that turned the framework into a verified theory and looks ahead to its limits.The puzzle Bradford starts from
The book opens by collecting the obituaries — a steady literature on Europe’s decline — and proposing that they have all missed the same thing.
Bradford writes from a peculiar vantage. She holds the Henry L. Moses chair in Law and International Organization at Columbia, directs Columbia’s European Legal Studies Center, and is a Finnish national who studied and worked in Belgium, France, and Germany before moving to the United States, with the bulk of the 2020 manuscript written from Madrid. She is, in her own framing, both an insider — for whom EU law remains “domestic law, not foreign law” — and an outsider with enough distance to argue with Brussels’ self-image.
The book opens by quoting back the obituaries. “The European unraveling.” “The EU’s Fall and Decline: The Struggle Against Global Irrelevance.” “Why Europe no longer matters.” Bradford’s counter-thesis is that this commentary measures the wrong things. The EU has never been a military power; its economic share is declining as Asia rises; the Euro crisis dented public confidence; Brexit completed the picture of an aging project. All of this is true, and all of it overlooks the dimension where the EU’s power is in fact growing: its unilateral capacity to regulate global markets.
That capacity, Bradford insists, is structural rather than aspirational. The EU does not need cooperation, treaties, or coercion to globalise its rules. Under the right conditions, market forces alone convert an EU regulation into a de facto global rule. The 2012 article gave this phenomenon a name. The 2020 book provides the four case studies — competition policy, digital economy, consumer health and safety, environment — that turn the name into a theory with empirical content.
The five conditions, and why only one jurisdiction meets them
Chapter 2 of the 2020 book is the analytical heart. Bradford names five elements that together explain when a single jurisdiction can globalise its standards.
The five elements are market size, regulatory capacity, stringent standards, inelastic targets, and non-divisibility. Bradford’s claim is that all five are necessary, none is sufficient, and the EU is currently the only jurisdiction in which they coexist.
Market size is the precondition. A jurisdiction with a small internal market cannot generate the gravitational pull that forces foreign companies to adjust. The EU’s market is large and wealthy enough that very few global firms can afford to exit it. Crucially, market size is a relative concept: what matters is the ratio of a firm’s EU sales to its sales elsewhere. The higher that ratio, the more rational it is to comply.
Regulatory capacity is the next layer. Market size alone — Bradford’s counterfactual is the absence of a “Washington Effect” or “Beijing Effect” of comparable scope — does not produce regulatory power. The jurisdiction must also have built the institutional machinery to draft, adopt, and enforce stringent rules. The EU’s Commission, Parliament, Court of Justice, and member-state regulatory authorities form a single regulatory architecture with unusual depth and a long track record of converting political preferences into enforceable detail.
Stringent standards is the political-economy condition. Capacity is necessary but not sufficient; the political coalition inside the regulating jurisdiction must actually want stringent rules. Bradford traces the EU’s preference for stringency to the political economy of integration itself — stringent harmonisation reassured publics that economic integration would not be pursued by lowering protections, and the leading member states (Germany on data protection, Sweden and Denmark on environment) consistently exported their domestic stringency upward.
Inelastic targets is the condition most often missed. EU regulation lands disproportionately on consumer markets, which are spatially inelastic — the consumers cannot relocate to escape a stringent rule. By contrast, capital is elastic; it flees high-tax or high-regulation jurisdictions, which is why corporate-law races run to the bottom rather than the top. The US has, by political choice, concentrated on regulating capital and ceded the regulation of consumer markets largely to markets themselves. The EU, by political choice, has done the opposite. That choice is the structural reason European consumer rules generalise while American consumer rules do not.
Non-divisibility is the final condition. Even when the four prior conditions hold, an EU standard becomes a global standard only when companies find it more efficient to comply globally than to bifurcate. Some products are technically or legally divisible — Coca-Cola sweetens differently in different markets, Netflix licenses different catalogues in different territories — and the Brussels Effect breaks down for these. Others are economically non-divisible: a smartphone’s default privacy settings, a chemical’s allowed composition, a vehicle’s emissions architecture. For non-divisible products, one rule wins globally, and that rule is the most stringent rule of any market the company chooses to serve. Which is, by hypothesis, Brussels.
The scorecard is the punchline. The United States fails on stringency and on the consumer-market choice, not on capacity. China fails on non-divisibility — Chinese companies routinely run two different stacks, one for the domestic market and one for the global market — and only partially meets the other conditions. The EU is, on Bradford’s reading, structurally alone.
De facto, then de jure
Bradford’s most useful conceptual move is the two-step. The Effect operates first through firms, only later through states.
The de facto Brussels Effect describes the firm-level mechanism. A multinational company facing EU regulation has two options: serve the EU under one set of rules and the rest of the world under another, or adopt the EU rule globally. For non-divisible products and processes, the second option is almost always cheaper. The company globalises the European standard to itself, voluntarily, for its own commercial reasons. No foreign government has acted. No treaty has been signed. The rule is travelling through balance sheets.
The de jure Brussels Effect is the second step. Once foreign multinationals have adjusted globally to EU rules, they acquire a domestic-political interest in seeing those rules adopted in their home jurisdictions. Their domestic competitors — firms that do not export to the EU — are otherwise undercutting them. So they lobby for EU-style legislation at home. When the lobbying succeeds, the EU rule becomes a foreign rule by formal adoption. Bradford notes that this strict version of the de jure Effect was first developed by David Vogel in the California context; her contribution is to show that it operates at global scale, and to combine it with a looser version that includes diffusion through international institutions, treaty networks, and civil-society pressure.
The two steps matter because they explain why the Effect is more durable than treaty-based regulatory diffusion. A treaty requires ongoing political consensus among signatories; a withdrawn signatory escapes the rule. The de facto Brussels Effect does not depend on consensus at all — it depends on companies’ rational response to market access, which is far harder to roll back. A US administration can withdraw from the Paris Agreement; it cannot, by executive action, unwind the global compliance investments that GDPR has already extracted from American firms.
The Brussels Effect exists whether one likes it or not. — Anu Bradford, Preface to *The Brussels Effect*
The Preface line is austere on purpose. Bradford is at pains to keep the book descriptive rather than normative — she has her own views about the EU, she says, but the argument does not depend on them. Whether the Effect is welfare-enhancing is the question of Chapter 8. Whether it should be welcomed is left to the reader.
The case the framework rides on
The 2016 General Data Protection Regulation is where all five conditions coincided. The digital-economy chapter is the book’s empirical centrepiece.
The architecture is constitutional first. The 1950 European Convention of Human Rights recognised privacy; the 2009 Lisbon Treaty gave legal force to the EU Charter of Fundamental Rights, which elevates personal-data protection to a fundamental right; the 2016 GDPR operationalises that right through detailed obligations on every entity processing the personal data of EU residents. The regulation replaces the 1995 Data Protection Directive and, importantly, applies directly across all member states without further national transposition.
The reach is extraterritorial by design. The GDPR applies to any entity, anywhere, that processes the personal data of persons residing in the EU, regardless of where the processing happens. Non-EU controllers and processors who offer goods or services to EU residents — or who monitor the behaviour of EU residents — fall within scope. Non-EU businesses are required to appoint a representative in the EU. The EU further restricts transfers of personal data to third countries that fail to ensure “adequate” protection, with the determination of adequacy made unilaterally by the Commission.
The sanctions ceiling is the enforcement instrument. Non-compliance can trigger administrative fines of up to €20 million or 4 % of the firm’s total worldwide annual turnover for the preceding financial year, whichever is higher. For a firm with worldwide turnover above €500 million, 4 % is the binding ceiling, and 4 % of global revenue is a number large enough to make bifurcation unattractive even when bifurcation is technically possible.
The empirical de facto outcomes are everywhere. The 2018 enforcement deadline produced the global wave of consent emails. Facebook restructured its corporate architecture in Dublin to align the entire non-US user base with the GDPR. Most global tech firms quietly aligned their worldwide terms of service with the European standard rather than maintain two stacks. The de jure outcomes followed: Brazil’s 2020 Lei Geral de Proteção de Dados mirrors the GDPR almost article by article; California’s CCPA borrowed extensively from it; India’s draft data protection bill goes in some respects beyond it. By the framework’s standards, this is a clean case. All five conditions hold; the de facto mechanism operates; the de jure adoption follows.
Why the United States cedes
Bradford’s most uncomfortable claim, for an American reader, is that the regulatory leadership of Brussels is partly a Washington choice.
The United States has market size larger than the EU’s. It has regulatory capacity — by some measures more enforcement firepower than any single European regulator. What it does not have, in most consumer-facing domains, is stringency. That absence is not a structural fact about the American state; it is a political choice the American polity has repeatedly made. Where the EU regulates data protection as a fundamental right, the US has largely delegated data-handling to private contract. Where the EU regulates chemicals on a precautionary principle, the US regulates on a cost-benefit basis with weaker default protections. Where the EU prohibits hate speech with extensive liability for platforms, the US extends First-Amendment latitude and Section 230 immunity.
Bradford does not say this is wrong. She says it is a choice, and the choice is structural. The US has historically directed its regulatory firepower at capital markets — securities, banking, corporate governance — where capital is elastic, where regulatory races can run to the bottom, and where US deregulation has correspondingly produced the Delaware Effect rather than the California Effect. The EU has directed its firepower at consumer markets, where targets are inelastic. The two great powers have made complementary choices about what to regulate stringently, and the global regulatory architecture that results is one in which capital flows are governed (loosely) from Wilmington and consumer protections (stringently) from Brussels.
This is the asymmetry Bradford asks American readers to notice. The United States has not lost the regulatory race for global consumer rules because it could not compete. It has effectively ceded it by choosing to compete on a different terrain.
The next test: artificial intelligence
The book ends with a chapter on whether the Effect will last. In 2026, the EU AI Act tests the framework directly.
Bradford’s own 2023 follow-up, Digital Empires: The Global Battle to Regulate Technology, applies the framework explicitly to AI.3 The argument extends naturally. The AI Act (Regulation (EU) 2024/1689), in force since 2024 with phased compliance deadlines running through August 2026, deliberately mirrors the GDPR’s extraterritorial architecture.4 Article 2 of the AI Act establishes three connection points: providers placing AI systems on the EU market; deployers established in the EU; and — the limb most third-country providers underestimate — providers and deployers established in third countries where the output produced by the AI system is used in the EU. The third limb is output-based jurisdiction, modelled on GDPR Article 3. Article 22 requires non-EU providers of high-risk systems to appoint an authorised representative inside the EU, again on the GDPR template.
The five conditions transfer. Market size holds. Regulatory capacity holds, with the AI Office and notified bodies now standing up. Stringency is by political design — the high-risk regime in Chapter III imposes risk management, data governance, technical documentation, transparency, human oversight, accuracy, and post-market monitoring obligations more demanding than any other jurisdiction’s. Inelasticity is more subtle than for personal data: EU end-users of AI outputs cannot relocate, but EU markets for AI services are more elastic than EU markets for consumer goods. Non-divisibility is the open empirical question. A foundation model can in principle be re-weighted or filtered differently for EU output than for non-EU output, but the engineering and audit costs of running two model stacks may, in practice, push providers toward a single globally compliant stack. The framework predicts the outcome; the test is now running in production.
- Bradford coins "the Brussels Effect" in Northwestern University Law Review
- GDPR adopted; Lisbon-Charter privacy right operationalised
- GDPR enforcement begins; global compliance wave
- Book-length argument: five conditions, four case studies
- Digital Empires extends the framework to AI
- AI Act enters into force (Reg. 2024/1689)
- High-risk AI obligations apply (August)
For a thesis on the interoperability of the AI Act with the NIST AI Risk Management Framework, the analytical implication is direct. Bradford’s framework predicts that NIST-aligned American providers of high-risk AI systems will be pulled toward EU-aligned compliance through the de facto channel — not because Washington has changed its mind, but because the European market is non-trivial to walk away from and the US providers are running models too costly to bifurcate. The de jure step, on this prediction, would follow: domestic American competitors of those globally-compliant providers will eventually seek the level playing field that legislation provides. Whether the prediction holds will depend, finally, on the non-divisibility condition for AI specifically — and that is an empirical question the next five years will answer.
What the framework leaves standing
Three things are uncertain. One is not.
The first uncertainty is technological. A framework written for data, chemicals, and competition law presumes a world of non-divisible products. AI systems may be more divisible than that. If the engineering economics of inference make jurisdictional partitioning cheap, the Brussels Effect for AI weakens; firms will simply run a European stack and a non-European stack, and the European stack will not pull the global one. The 2020 book’s discussion of “technological change” as a future threat (Chapter 9) anticipates this; the empirical answer is not yet in.
The second uncertainty is American. The framework treats the US choice to cede consumer-regulatory ground as durable. A second Trump administration’s deregulatory turn may go further than the prior posture and begin attacking the capacity condition — not by deregulating EU-aligned compliance but by hollowing out the agencies (NIST, FTC, FDA) that would otherwise build interoperability with European regimes. That is a different attack on the framework: not stringency, capacity. Bradford did not anticipate it in 2020. It is the live political question of 2026.
The third uncertainty is Chinese. Digital Empires names China as a third regulatory power with its own model — state-driven, security-centred — that increasingly competes with the EU’s rights-driven model for adoption in third countries, particularly through digital infrastructure exports. The de jure channel of the Brussels Effect runs partly through emulation; if the alternative model becomes attractive enough, the European rule no longer travels by default.
What is not uncertain is the GDPR case. Within five years of adoption, the regulation became the de facto global default for data-protection law, with formal adoption by jurisdictions accounting for a substantial share of world GDP. The book’s framework correctly predicted this trajectory, and the case studies — competition, digital economy, consumer health, environment — supply four further demonstrations of the same dynamic. For empirical purposes, the theory is validated for the digital domain.
What the reader is left with is an analytical instrument rather than a verdict. Bradford supplies the conditions under which a single jurisdiction can globalise its rules; she leaves the application to the reader. The conditions are diagnostic, not value-laden. They can be applied to the AI Act, the Data Act, the Cyber Resilience Act, and to whatever comes next from Brussels, and they will yield a defensible prediction about whether the rule will travel. For a research programme on regulatory interoperability between European and American AI governance, the framework is the anchor text. Everything that follows is its application.