Less than a year after the EU AI Act entered into force — the world’s first comprehensive regulatory framework for artificial intelligence — the European Commission began dismantling the scaffolding around it. The AI liability directive, which would have given citizens a cause of action when AI systems harmed them, was shelved in February 2025 and formally withdrawn by October. Enforcement of the Digital Services Act entered limbo. The codes of practice that were supposed to give the AI Act teeth pivoted from constraint to encouragement. Raluca Csernatoni, a fellow at Carnegie Europe specializing in defense technology and EU governance, published a working paper in May 2025 that reads this pivot not as pragmatic adjustment but as a structural misdiagnosis: Europe’s AI problem was never too much regulation. It was too little investment, too fragmented a market, and too deep a dependence on infrastructure controlled from Menlo Park and Shenzhen. The deregulatory turn, Csernatoni argues, treats a symptom while abandoning the treatment.
↑ N° 03 · The EU’s AI Act trilogue broke down on the Digital Omnibus reform in late April 2026, with sectoral pre-emption at the center of the dispute — the same tension between horizontal regulation and competitive flexibility that Csernatoni diagnoses here at a structural level.The pivot nobody voted for
Csernatoni traces the EU’s deregulatory turn to a convergence of pressures — the Draghi report, transatlantic friction, and the AI industry’s lobbying apparatus — and finds that the turn was well underway before the AI Act was even finalized.
The working paper opens with a framing that is now standard in Brussels policy circles but rarely stated so bluntly: the EU positioned itself as the world’s AI rule-maker, then lost confidence in the strategy before it could be tested. The AI Act received final legislative approval in March 2024. By February 2025, the Commission’s annual work program was already listing withdrawals of complementary legislation and signaling a shift toward competitiveness rhetoric.
Csernatoni identifies Mario Draghi’s September 2024 report on EU competitiveness as the intellectual anchor of the deregulatory push. The report argued that inconsistent, restrictive regulation was the principal source of Europe’s competitiveness gap. Csernatoni does not dispute the diagnosis of sluggish growth — she presents the data herself — but she contests the prescribed treatment. Deregulation, she argues, might produce short-term competitiveness gains while creating strategic vulnerabilities: reduced oversight of foreign-owned AI infrastructure, weakened bargaining power in international governance forums, and the effective surrender of the EU’s agenda-setting role to private-sector actors and geopolitical rivals.
The timing of the pivot matters. The Commission’s February 2025 work program — which announced the AI liability directive’s withdrawal — landed days after the AI Action Summit in Paris, where U.S. Vice President JD Vance publicly warned Europe against excessive AI regulation. Csernatoni notes that the Commission framed its shift as a response to geopolitical reality, but the lobbying pressure had been building for years. Industry stakeholders and member states, led by France, had already secured significant carve-outs during the AI Act’s legislative process, including article 2’s national-security exemption, which places government AI deployments for surveillance and border control outside the Act’s scope entirely.
Liability without remedy
The withdrawal of the AI liability directive is Csernatoni’s central exhibit for the deregulatory turn — a piece of legislation that would have closed the gap between prevention and accountability.
The AI Act regulates AI systems at the point of market entry: classification, documentation, conformity assessment. What it does not do is provide recourse after harm occurs. That was the liability directive’s job. Proposed in September 2022, it would have introduced a presumption of causality — meaning victims of AI-related harm would no longer need to reverse-engineer opaque algorithmic processes to prove their case — and allowed courts to order disclosure of technical documentation from AI operators.
The directive was never going to be simple. Critics pointed to genuine ambiguities: how it would interact with the revised product liability directive, the machinery directive, national tort law frameworks. Member states couldn’t agree on a final text. But Csernatoni argues that the Commission’s decision to shelve it went beyond pragmatic triage. It represented a substantive policy choice to prioritize market signaling over consumer protection — to show U.S. tech companies, investors, and innovators that Europe was open for business.
The consequences are concrete. Without the directive, EU citizens harmed by AI systems are left navigating a patchwork of national liability regimes. Discrimination, privacy breaches, and purely financial damages caused by algorithmic systems fall into regulatory gaps. And the European Parliament — which had actively debated and supported the directive — found its legislative work sidelined by executive decision, a move Csernatoni frames as a blow to democratic legitimacy.
Scrapping the AI liability directive erases critical legal safeguards meant to protect individuals harmed by AI systems — victims of AI-related harm lose a structural legal recourse and are effectively left with risks without rights. — Raluca Csernatoni, Carnegie Europe
German MEP Axel Voss, who had served as rapporteur for the directive, called it a retreat toward a lawless approach to AI liability. The Commission’s own defense — that Henna Virkkunen, Executive Vice-President for Tech Sovereignty, argued the directive would have fragmented rules across member states — is ironic, Csernatoni notes, given that fragmentation is precisely what the directive was designed to prevent.
The numbers behind the gap
Csernatoni marshals the Draghi report’s data to show that Europe’s AI deficit is structural, not regulatory — and that deregulation alone cannot close it.
The figures are stark. Only 11 percent of EU firms use AI, against a stated bloc target of 75 percent by 2030. Since 2017, 73 percent of foundational AI models have originated in the United States, 15 percent in China. Europe is a consumer of AI infrastructure, not a producer. In 2023, the EU attracted $8 billion in AI venture capital, compared with $68 billion in the United States and $15 billion in China. Sixty-one percent of global AI funding flows to American firms; six percent to European ones.
The cloud market tells a similar story. Amazon, Google, and Microsoft together control nearly 70 percent of the European cloud market. The continent’s largest domestic provider holds roughly 2 percent. Europe’s most competitive AI companies — Csernatoni names Mistral and Aleph Alpha — struggle to grow because capital is scarce, talent migrates to higher-paying positions abroad, and the ecosystem that would support rapid scaling simply does not exist at the necessary density.
Csernatoni’s point is that none of these problems are caused by regulation, and none of them are solved by deregulation. The United States and China dominate AI not because of lighter rules but because of aggressive state-backed investment, access to massive computing power, and more integrated public-private partnerships. The GDPR and the AI Act are convenient scapegoats, but the real barriers to European AI leadership are capital markets that are too risk-averse, a digital single market that remains fragmented across 27 member states, and hardware dependencies that leave Europe exposed to supply-chain disruptions and geopolitical leverage.
The paper is careful not to dismiss competitiveness concerns entirely. Perceptions matter: Europe’s reputation for stringent rules deters entrepreneurs and venture capitalists before ideas even reach a prototype. Start-ups opt for safer projects or relocate. But Csernatoni frames this as a problem of signaling and implementation — harmonize enforcement, simplify compliance for small firms, clarify the rules — not of substantive deregulation.
Building the stack
The EuroStack initiative and the Commission’s AI factory program represent Europe’s attempt to invest its way out of dependency — but the scale remains orders of magnitude below what competitors are deploying.
Two infrastructure initiatives sit at the center of Europe’s response. The first is the EuroStack, a concept that emerged from a September 2024 European Parliament conference and was formalized through a Bertelsmann Stiftung report in early 2025. The vision is comprehensive: a European digital infrastructure spanning semiconductors, cloud computing, connectivity, and AI frameworks, designed to reduce dependence on foreign providers. The Bertelsmann analysis estimated the cost at roughly €300 billion over a decade, with an initial €10 billion sovereign tech fund. In March 2025, nearly a hundred industry leaders — from SMEs to defense firms like Airbus and Dassault Systèmes — signed an open letter urging the Commission to commit.
The second is the Commission’s own AI factory program. In December 2024, EuroHPC selected seven consortia to build AI-optimized supercomputing sites across the bloc. Spain partnered with Portugal, Romania, and Turkey; Italy with Austria and Slovenia; Finland with the Czech Republic, Denmark, Estonia, Norway, and Poland. The program carries a €2.1 billion budget. At the Paris AI Action Summit in February 2025, Commission President von der Leyen announced an €8 billion upgrade, alongside a €50 billion investment initiative framed as a catalyst that would unlock ten times its value in private capital.
The comparison with the United States is instructive but not entirely symmetrical. The Stargate project — $500 billion committed by OpenAI, Oracle, SoftBank, and Abu Dhabi’s MGX — dwarfs European spending, but it is private capital operating under regulatory support (streamlined land-use permits, guaranteed access to cheap energy and water). Europe’s model is public-sector-led, inspired by CERN’s collaborative legacy, with the stated goal of aligning private innovation with public interest. Csernatoni argues that the EU approach offers greater transparency, accountability, and equitable access — but acknowledges the scale gap is real.
The energy question lurks beneath both models. EU data centers already consume 2.7 percent of the bloc’s electricity, with power demand projected to rise 28 percent by 2030. Csernatoni notes that DeepSeek’s early 2025 release — a Chinese large language model that claimed substantially lower computing costs and energy consumption — challenged assumptions about inevitable infrastructure bloat. Whether the efficiency gains are replicable at scale remains contested, but the episode reinforced the case for open-source AI models and questioned whether the sheer-scale approach is the only path forward.
The dual-use conundrum
The AI Act’s national-security exemption opens a governance gap that Csernatoni argues will only widen as Europe accelerates military AI development to match its adversaries — and, increasingly, its allies.
The working paper’s final major argument concerns AI’s dual-use nature — the fact that an algorithm optimizing industrial logistics can be repurposed for battlefield targeting. The AI Act, as finalized, does not extend to military uses of AI. Article 2’s national-security exemption was a concession to member states, particularly France, which insisted on sovereign freedom to deploy AI for defense and security purposes without the Act’s compliance obligations.
Csernatoni frames this as a structural contradiction. The EU positions itself as the global champion of human-centric, trustworthy AI, then exempts the use cases most likely to harm people. The exemption is not theoretical: private companies and start-ups are already deploying AI tools in live combat scenarios. Russia’s war in Ukraine has been described as an AI war lab, with firms like Palantir providing AI-driven surveillance and targeting intelligence. In 2024, OpenAI revised its usage guidelines to permit military applications; Alphabet dropped its long-standing ban on AI for weapons development.
European firms are following the same trajectory. Helsing, a German defense AI company, powers drone targeting systems deployed in Ukraine. Mistral has partnered with Helsing to develop battlefield AI that blends large language models with real-time combat decision-making. The EU’s March 2025 defense readiness white paper acknowledged that the future of European defense depends on embracing disruptive technologies — and that Europe has a limited window before it falls behind in the military AI arms race.
Csernatoni’s prescription is not to ban military AI — she recognizes that would be neither feasible nor strategically wise — but to integrate dual-use governance into the AI Act’s framework rather than carving it out. She calls for an EU-wide dual-use AI framework that would define risk tiers and licensing regimes, set common criteria for classifying AI systems with potential military applications, and harmonize export-control requirements across member states. Without such a framework, the EU faces an uncomfortable paradox: championing trustworthy AI governance internationally while its own member states and allied powers experiment with algorithmic targeting under minimal oversight.
Coda
Csernatoni’s working paper is valuable less for its policy recommendations — expand investment, build EuroStack, regulate dual-use — which are by now consensus positions in Brussels, than for its refusal to accept the framing that regulation and innovation are opposed. The false dichotomy, she argues, is itself a strategic construct: imported from Silicon Valley’s libertarian mythology, amplified by U.S. political pressure, and internalized by a Commission anxious about relevance.
The Silicon Valley myth gets its own section in the paper. From Cold War research funding to the internet, GPS, and Apple’s foundational technologies, U.S. innovation has been state-subsidized at every critical juncture. Venture capitalists and private firms entered only after public money had absorbed the risk. The lesson for Europe, Csernatoni argues, is that patient public finance — not deregulation — is the bedrock of enduring innovation. OpenAI itself embodies the pattern: founded as a nonprofit research lab, now restructuring as a for-profit entity. Even firms that begin with societal missions, she notes, ultimately succumb to the financial imperatives of venture capital.
What remains genuinely uncertain is whether the EU possesses the political will to act at the scale the diagnosis demands. €300 billion over a decade for EuroStack alone, in a union that struggles to agree on migration quotas, requires a degree of fiscal solidarity that has historically eluded European governance. What is not uncertain is that the deregulatory turn, taken alone, solves nothing. It makes the Brussels Effect weaker, the liability framework thinner, and the dependency on foreign infrastructure deeper — while the competitors Europe is trying to emulate are investing, not deregulating, their way to AI dominance.