Appendix D: Regulatory Comparison Table
This table is a leadership reference, not a substitute for legal advice. Its purpose is to help executives compare the broad direction of major AI-related regulatory regimes and understand what they imply operationally.
Comparative Table
| Regime | Main focus | Operational implication for leaders | Penalty or exposure signal |
|---|---|---|---|
| EU AI Act | Risk-based AI obligations, prohibited practices, high-risk systems, GPAI rules | Requires classification, documentation, monitoring, and stronger controls for high-risk use | Tiered fines under Article 99, up to €35M or 7% of worldwide annual turnover for prohibited practices, with lower tiers for other obligations |
| GDPR | Personal data protection, automated decision-making, lawful basis, data subject rights | AI systems using personal data need lawful use, governance, and rights-aware process design | Up to €20M or 4% of worldwide annual turnover, whichever is higher (Article 83) |
| Sector regulation | Finance, healthcare, telecom, critical infrastructure, and other domain-specific obligations | Sector rules may raise the assurance standard even when no AI-specific law is central | Exposure depends on sector regulator and use case |
| U.S. direction | Fragmented federal and state approach, agency enforcement, sector and consumer protection focus | Requires monitoring of enforcement trends and state-level obligations rather than one single AI statute | Enforcement, litigation, and sector scrutiny risk |
| Internal policy and contracts | Governance standards, procurement terms, customer commitments, and board expectations | Internal obligations can become binding operating constraints even before law changes | Reputational, contractual, and control-failure exposure |
How to Use This Table
- Start with the legal regime that clearly applies.
- Then identify sector-specific obligations that may raise the control standard.
- Then check whether internal policy, board commitments, or vendor contracts create stricter obligations in practice.