SDA Bocconi Insight Logo
Knowledge

Too much AI regulation? No: regulation that is too poorly coordinated

25 maggio 2026/ByRoberta Pisani Carmelo Cennamo
Innovation, digital transformation and AI
regolamentazione

Even in the field of AI, Europe has built one of the world’s most comprehensive regulatory systems. Yet this very architecture, designed to protect rights, safety, and transparency, risks becoming an obstacle to the spread of AI, above all because it is fragmented across legislative acts that are not sufficiently coordinated, creating uncertainty around data collection and processing.

The second of two studies conducted by SDA Bocconi School of Management with the support of Google finds that the main factor limiting AI adoption is constraints on data access. More specifically, it is the interaction among different regulations (GDPR, AI Act, Data Act, Data Governance Act) that creates frictions making it difficult to collect, share, and reuse data at scale.

Regulation does more than impose constraints: it directly shapes how AI is designed, developed, and used. In Europe, innovation requires the ability to navigate a complex system of data rules.

An integrated view of European regulation

The study contributes to the debate on how to reconcile the development of artificial intelligence with the protection of fundamental rights. Academic literature and European policymaking have already highlighted that, on the one hand, AI depends on large amounts of high-quality data and, on the other, that data protection and security are non-negotiable priorities.

The European Union has responded with an ambitious, multilayered approach: the GDPR for privacy, the AI Act for intelligent systems, alongside new tools for data sharing. The study aims to provide an integrated view of the combined effects of these rules by addressing several questions:

  • How does the European regulatory system concretely influence AI development?
  • What are the main data-related obstacles?
  • How do these constraints vary across sectors (healthcare, finance, industry)?
  • What measures could unlock AI’s potential without weakening protections?

The work offers a systematic analysis of the European regulatory framework and its operational implications, enriched by academic literature, institutional reports, and sector-specific case studies.

The researchers mapped the entire European regulatory “stack” (AI Act, GDPR, Data Act, Data Governance Act, product liability rules), analyzing the interactions among these regulations. They then identified the main bottlenecks through a review of the literature and applied case studies, while also examining several highly regulated sectors in depth (healthcare, finance, pharmaceuticals, energy).

The shape of AI

The analysis identified three main structural criticalities:

Fragmented consent and legal uncertainty. Rules on consent and data reuse are inconsistent across countries and sectors. This creates uncertainty around the secondary use of data (which is essential for training AI models) and leads companies to adopt overly cautious approaches.

Limited interoperability and lack of common standards. Data are often incompatible (formats, APIs, metadata), limiting portability and the creation of large, representative datasets that are essential for advanced models.

Weak incentives for data sharing. Organizations that own data face significant legal and reputational risks, while the benefits remain uncertain. The result is widespread reluctance to share information, especially in the most heavily regulated sectors.

These criticalities are compounded by other factors, including issues related to data quality and governance, contractual constraints and technological lock-in, and uncertainty over liability in cases of AI errors.

In high-risk sectors (healthcare, finance, energy), these frictions have very concrete effects, including a preference for interpretable models over black-box systems; the use of modular architectures and segregated data; growing adoption of privacy-preserving technologies; and the restriction of certain AI applications to highly controlled environments.

In this way, regulation ends up determining the forms that AI development and use can take.

What needs greater clarity

Competitiveness therefore also depends on the ability to govern data and compliance, and the researchers offer several recommendations in this regard. Managers should ensure data quality, traceability, and interoperability, while involving legal and technology teams together from the earliest stages of projects. The adoption of explainable AI models and privacy-preserving technologies is also becoming a necessity.

Europe has often been criticized for excessive regulation, but the study highlights a slightly different problem: the lack of coordination among the various legislative measures. Possible steps forward include clarifying how the GDPR applies to artificial intelligence and supporting technologies that protect data without preventing its use.

Roberta Pisani, Carmelo Cennamo. Data regulation and policy implications of AI adoption.

Authors
Roberta Pisani
Strategy and Operations
View CV
roberta_pisani_cv.jpg
Carmelo Cennamo
Strategy and Operations
View CV
cennamo