The Myth of European AI Leadership — and What's Actually Happening
Europe Was First, But "First" Is Not the Same as "Functional"
The EU AI Act entered into force in August 2024 — it was the world's first comprehensive AI law, and that distinction is real. But passing a law and enforcing one are very different things. The Act was built on a phased rollout, and that phasing has been repeatedly stretched under industry and geopolitical pressure.
For high-risk AI systems (Annex III, use-based), obligations have been postponed from August 2, 2026 to December 2, 2027 — a 16-month delay. For Annex I systems embedded in regulated products like medical devices and machinery, the deadline has moved to August 2028.
How did this happen? After months of pressure from American tech giants and the Trump administration, Brussels officials began discussing delays to parts of the AI Act — a dramatic shift from their earlier stance. In July 2025, a Commission spokesperson had firmly stated: "Let me be as clear as possible, there is no stop the clock. There is no grace period. There is no pause." That reversal came after more than 45 European companies, including Airbus and Mistral AI, called for postponement.
There are also structural reasons, not just political ones. The European standards bodies, CEN-CENELEC, indicate that harmonized standards may not be available until December 2026 or later — meaning requiring compliance before the standards exist would create legal uncertainty and the potential for arbitrary enforcement. In other words, the scaffolding needed to actually implement the law wasn't ready when the law was passed.
South Korea: Quietly Moving Faster on the Ground
While Europe debated timelines, South Korea was building. On January 21, 2025, South Korea became the first jurisdiction in the Asia-Pacific region to adopt comprehensive AI legislation. Taking effect on January 22, 2026, the Framework Act introduces specific obligations for "high-impact" AI systems in critical sectors including healthcare, energy, and public services, mandatory labeling requirements for generative AI, and substantial public support for private-sector AI development.
Crucially, the law represents one of the first national regulatory regimes to combine AI governance, industrial policy, and risk-management obligations into a single statutory framework — with the stated purpose of protecting human dignity and rights while strengthening national competitiveness through the sound development and trustworthy use of AI. That dual mandate — protection and competitiveness — is something Europe has struggled to balance, often appearing to prioritise one at the expense of the other.
The Act also consolidated 19 separate AI bills into a unified framework, and unlike purely restrictive regulations, it actively promotes AI development through startup support, talent programs, and industry clustering while maintaining essential guardrails for safety and ethics. This is practically the opposite of Europe's reputation for bureaucratic restriction.
The Naver approval described in the article is an example of this framework in action — a regulator examining a specific deployed system and setting operational conditions rather than writing abstract rules for future systems. That is regulators doing what regulators are supposed to do.
The GDPR Problem — Europe's Own Evidence Against Itself
The article points to a damning fact: AI assistants reportedly violate GDPR and EU AI Act requirements in up to 90% of tested scenarios. This isn't just an indictment of AI companies — it's an indictment of European enforcement. GDPR has been in force since 2018. Eight years later, it is being routinely violated by major AI systems with limited consequence.
South Korea's own data protection law (PIPA) has been recognised as providing an "adequate" level of protection under the EU GDPR — and its March 2026 amendment significantly strengthened enforcement by introducing a 10% aggravated surcharge, CEO accountability, and mandatory cybersecurity certification for certain data controllers. South Korea is not just matching European privacy standards; it is now actively tightening and enforcing them more aggressively than Europe does.
The Three Core Reasons Europe Isn't Actually Ahead
1. Scale vs. Speed. The EU AI Act is ambitious precisely because it tries to regulate everything — from chatbots to medical devices to recruitment tools — through one comprehensive framework. That ambition creates the complexity that causes delay. South Korea's approach is narrower and more targeted, which makes it faster to implement and easier to enforce.
2. Multi-country coordination drag. Reporting obligations under NIS2 vary significantly between EU countries, creating a fragmented compliance landscape — entities in Germany must immediately inform individuals of an incident if instructed by regulators, while other countries differ. This divergence increases administrative and compliance burdens for organizations operating across multiple EU jurisdictions. A law that 27 governments implement differently is functionally a patchwork, not a unified framework. South Korea has a single national regulator and a single implementation.
3. Industry capture and geopolitical pressure. The reversal on enforcement timelines — going from "no grace period, full stop" to a 16-month delay within four months — shows that Europe's regulatory resolve is vulnerable to lobbying. The Digital Omnibus negotiations have not yet concluded, meaning the August 2, 2026 deadline remains legally binding today — any executive who treats the 2027 date as settled law is operating on legislative optimism rather than legal fact. The law is caught between two states simultaneously: a 2026 deadline that is still binding and a 2027 date that some already treat as settled.
What the Naver Case Actually Demonstrates
The article is right to highlight this as a different model of regulation rather than just a different pace. South Korea's regulator didn't write a law and wait for companies to comply — it evaluated a live product, assessed the specific risks, and issued operational conditions (opt-out controls, prohibited data categories, disclosure requirements). That is adaptive, product-level governance.
Europe's approach is the opposite: write rules broad enough to cover everything, publish implementation guidance after the deadline, and trust that companies will self-certify. The reported violation rate of up to 90% is the result of that trust being misplaced.
The Honest Summary
Europe still leads in ambition and scope. The EU AI Act, combined with GDPR, NIS2, and the Cyber Resilience Act, forms the most comprehensive digital governance architecture in the world on paper. But South Korea — and increasingly China and individual US states — is leading in operational effectiveness: passing laws with clear implementation pathways, enforcing them quickly, and adapting them to specific real-world products rather than hypothetical risk categories.