REGULATING ARTIFICIAL INTELLIGENCE IN THE EUROPEAN UNION: A CONSTITUTIONAL PERSPECTIVE[1]
LA REGULACIÓN DE LA INTELIGENCIA ARTIFICIAL EN LA UNIÓN EUROPEA: UNA PERSPECTIVA CONSTITUCIONAL
Andrea Patroni Griffi
Full Professor of Constitutional Law, University of Naples Federico II
"ReDCE núm. 45. Enero-Junio de 2026"
|
1.- The new world of artificial intelligence: beyond ‘the two cultures’.
2.- The roots of the European model of AI regulation.
3.- From the digital corpus iuris to the AI Act: applied constitutionalism.
4.- The United States and the rise of the ‘digital parastate’.
5.- Towards European digital sovereignty: minimum conditions for a shared framework.
|
1. THE NEW WORLD OF ARTIFICIAL INTELLIGENCE: BEYOND ‘THE TWO CULTURES’.
Artificial intelligence can be described as a new world,[2] which challenges traditional legal categories and requires us to rethink boundaries, sovereignty, responsibility and guarantees. The old categories are no longer sufficient; the new ones have not yet been written. This is where constitutionalism is called upon, including at European level, to face the challenge of governing the algorithm without erecting anachronistic barriers to innovation, whilst not losing sight of fundamental rights.[3]
The metaphor of the ‘new world’ captures the profound transformation of the spatial and conceptual coordinates within which law operates, in the face of a technological revolution that challenges, in an unprecedented way, the relationship between humans and machines.[4] In the “new world” of digital society, traditional legal categories should not be abandoned; rather, they must be tested and, where necessary, reconsidered to navigate a different reality in which new challenges emerge, and the boundaries of legal experience are continuously redefined.[5]
The “boundaries” of artificial intelligence are, indeed, more fluid than ever. At times they appear to vanish altogether, as algorithmic action instantaneously crosses territories and legal systems. More often, however, they shift: decisive points of control no longer coincide with the formal location of the decision-maker but rather with technical architectures, data chains,[6] and the infrastructures that enable decision-making processes. In other cases, these boundaries overlap, as multiple layers coexist within a single operation: public and private,[7] national and supranational, the market, which should be free, and state sovereignty, freedom and control, duties and rights.[8]
Although the issues involved are vast and complex, they may be reduced to at least two fundamental dimensions. The first concerns responsibility – or, more precisely, responsibilities, in the plural.
These extend across the entire chain of actors: those who design and train the models, those who integrate them, those who feed them with data, and those who decide how and in what way to use them. Ultimately, responsibility remains human and institutional, insofar as entrusting a decision to an algorithm is itself a human choice. The central question, therefore, is how to always ensure legal transparency along this chain, although the extent to which this can be achieved remains open to debate. Addressing this challenge requires the definition of duties, mechanisms of oversight, and criteria for legal attribution, as well as, where necessary, the establishment of prohibitions. However, when the outcome arises from complex systems, technical opacity risks translating into legal opacity. And, in a constitutional democracy, opacity always has a cost, as it risks weakening protections, often to the detriment of the most vulnerable and exposed individuals.
The other issue concerns the boundary between public and private. In the new digital space, some private actors effectively perform functions like those of the public sector, without having the same legitimacy and without being subject to the same forms of control and accountability. This represents a new configuration of an old question- the relationship between economic power and the state – but one that now manifests itself in unprecedented ways, because it involves information infrastructures and access rules that reorganise social and political life in tension with constitutional democracy.[9] Here, constitutionalism is also called upon to contend with private powers capable of affecting freedom and equality with an intensity that, in the case of big tech, can even exceed that of public decisions taken by states. This is why AI is not just a technology or a new industrial revolution. It is a point of pressure on the fundamental lexicon of law, especially from the perspective of the post-World War II European constitutional tradition.
To speak of a “new world” ultimately means taking seriously the challenges posed by artificial intelligence and asking what conceptual maps are required today to ensure that law and pluralist constitutions continue to fulfil their role as guarantors. Artificial intelligence cannot be reduced to a mere techné, left solely to the domain of scientists, research and businesses. It has become a political and social topos: a 'place' where human behaviour, powers and expectations are being redesigned, and where a truly new society can take shape, rather than simply an ‘updated’ version of previous ones.
Ubi societas, ibi ius, as the well-known maxim reminds us: where there is society, there is law. Frequently invoked in introductory legal education, it expresses the idea that law arises from society and must remain in constant dialogue with it. This insight is even more relevant in what is often described as the digital society.[10] Even in this new society, if law, understood in an objective sense, must be functional above all to guarantee rights in a subjective sense, this task can truly be accomplished, in the face of the challenges posed by algorithms, by broadening the multidisciplinary dialogue between different fields of knowledge and creating an essential alliance between the two cultures, humanistic and scientific.
Ethical dilemmas and legal issues cannot be addressed while remaining confined within the boundaries of the “two cultures” famously described by Snow in his 1959 book.[11] We need to overcome the barriers between science and humanism in order to avoid blind or obsolete rules. Lawyers, like philosophers, must possess at least a basic understanding of the technologies they seek to govern; otherwise, they risk regulating phenomena they do not fully understand, thereby crystallising misunderstanding or irrelevance into law.
2. THE ROOTS OF THE EUROPEAN MODEL OF AI REGULATION.
If artificial intelligence is, as suggested above, a ‘new world’, it is clear that, from a regulatory point of view, it is crucial to identify the institutional forum in which to establish common rules and, even before that, the values and policies that those rules must express.
Today, however desirable it may be, global governance of AI still seems largely utopian and goes beyond the scope of this work.[12] At the European supranational level, on the other hand, a regulatory model is not only necessary but has already begun to take shape in its essential features, as will be discussed below.
The European Union, in fact, is not just an ‘additional’ regulatory level to national legal systems. Rather, it is the legal expression of a pluralistic society which, despite the diversity of national identities, has progressively developed a shared legal culture and a distinctive method of integration.[13] It is, therefore, the most natural context for a regulation of algorithms that translates into shared standards and effective guarantees.
The roots of this choice are not contingent. They are deeply rooted in the tradition of post-war European constitutionalism and in its underlying premise: that the primary function of constitutional orders is to limit power – not only public power, but also private power – and to ensure that market dynamics do not degenerate into forms of oligopolistic domination, while safeguarding, in particular, the rights of the most vulnerable.[14]
Over time, the common culture of the Union has crystallised into a heritage of principles – dignity, freedom, equality, the rule of law – that guides all legislative activity. The centrality of the human person, understood in both its physical and spiritual dimensions, constitutes the non-negotiable core of the European constitutional tradition. It also helps to explain why the Union has not remained silent in the face of the challenges posed by artificial intelligence and has instead sought to establish a space of “European digital sovereignty”.[15] From this perspective, artificial intelligence cannot be regarded merely as a sectoral matter of internal market regulation. Rather, it represents a test of European identity. AI becomes a litmus test for the integration process itself, insofar as it raises the question of how a political community intends to confront a challenge that is not merely technological but deeply social and political. In this sense, European integration functions as a method for governing global risks while preserving shared constitutional values, beginning precisely with the centrality of the individual.
This approach is particularly evident in the AI Act, which explicitly states that the regulatory framework must be developed in accordance with the values of the Union and fundamental rights and that, as a prerequisite, AI must be an ‘anthropocentric technology’. It adds a dense proposition, which stands as a general criterion: AI “should serve as a tool for people, with the ultimate goal of improving human well-being” (recital 6).
The central issue, therefore, is not to erect barriers to technological development as such, but rather to prevent innovation from generating unacceptable inequalities, reinforcing discriminatory practices, eroding privacy, or shaping the formation of public opinion in ways that undermine the conditions for genuinely free and pluralistic thought – conditions without which pluralist democracy cannot exist.[16]
Such an indispensable prerequisite requires a framework of rules capable of setting boundaries and limits, through a reasonable balance between conflicting rights and interests, between politics and the market, between civil society and the community.[17] At the level of the European Union, therefore, the question is not whether artificial intelligence should be regulated, but rather how such regulation should be designed and through which instruments it should operate. In the case of a technology as pervasive as AI, regulation should not be conceived as the enemy of innovation but, rather, as one of the conditions necessary for preserving the liberal constitutional model itself.
Of course, regulation must be both flexible and firm. Flexible, because technology evolves and cannot be constrained by static frameworks. Firm, because some risks are non-negotiable when they affect dignity, freedom and equality. This idea – flexibility of tools and rigidity of principles – is the hallmark of an intimately constitutional rationality, which aims to govern the algorithm without surrendering it to mere commercial logic.
Recent scholarship has described this development as the emergence of a form of digital constitutionalism:[18] a constitutionalism called upon to contend not only with public power, but also with private powers capable of structuring living spaces and infrastructures that are decisive for freedom.
Seen in this light, the AI Act may be understood as the culmination of a broader European trajectory that, even prior to the emergence of artificial intelligence, sought to bring digital technologies within the sphere of public responsibility and effective protection of fundamental rights. Against this background, the European decision to adopt a specific regulatory model is neither neutral nor intended to be so. Rather, it is consistent with the historical development of European constitutionalism and with the values upon which it is founded.
3. FROM THE ‘DIGITAL CORPUS IURIS’ TO THE AI ACT: APPLIED CONSTITUTIONALISM.
The European regulation on Artificial Intelligence (AI Act), adopted in 2024,[19], did not come out of nowhere; rather, it represents the most recent stage in a regulatory strategy through which the Union has progressively brought the digital space back within a public perimeter of guarantees. In a way, it represents the final destination of a cultural and legal trajectory, with its deepest roots not only in the Charter of Fundamental Rights of the European Union but, on closer inspection, directly in the tradition of post-war European constitutionalism.
Within this framework, the typical function of constitutional democracies is, in a way, transposed into the digital domain: namely, to limit power and ensure the effective protection of rights, even when power is exercised by private actors and through opaque technological mechanisms. This is the already ‘constitutional’ meaning of the European digital corpus iuris, which aims to prevent the market from degenerating into oligopolistic domination and to ensure that rights and freedoms, especially those of the most vulnerable, remain effectively guaranteed.
The AI Act builds a harmonised European framework for AI, explicitly centred on the protection of fundamental rights, democracy, and the rule of law. Its significance can only be fully appreciated when considered alongside the broader body of European digital regulation, embodied in several foundational legislative instruments that have progressively “constitutionalised”, so to speak, the technological sphere.
The GDPR, General Data Protection Regulation, ‘constitutionalises’ data protection at European level as the cornerstone of personal protection.[20] The Digital Services Act (DSA) shifts regulatory attention from purely ex post liability towards ex ante procedural obligations – such as transparency requirements, complaint mechanisms, and access to data for research – thereby reaffirming public oversight over private platform governance.[21] The Digital Markets Act (DMA), aimed at ensuring fair and contestable digital markets, imposes ex ante obligations on so-called gatekeepers, including interoperability, data portability, and prohibitions on self-preferencing, thereby intervening directly in the market structures within which digital freedoms are exercised.[22]
This framework also includes the European ‘data’ acts[23] and, on the democratic side, the Regulation on transparency and targeting of political advertising,[24] which considers information manipulation to be a systemic risk to the integrity of public debate.
Within this broader framework, the Union asserts its determination not to abdicate its public regulatory role, but rather to promote effective conditions for the exercise of rights within the digital society.
The technical and legal core of the AI Act is the risk-based approach.[25] This is not merely a classificatory device, but rather the expression of a regulatory rationality that, in constitutional terms, echoes principles such as proportionality and reasonableness: the greater the risk posed to fundamental rights and democratic processes, the more stringent the regulatory constraints and oversight mechanisms must be.
In this sense, rather than inaugurating an entirely new form of “digital constitutionalism”, the AI Act may be understood as an application of constitutional principles to the digital domain. More specifically, the regulation identifies prohibited practices, establishes a stringent framework for high-risk systems, and introduces specific obligations for general-purpose AI models, particularly regarding systemic risks. The first level, pursuant to Article 5, concerns prohibited practices that pose an unacceptable risk. Here, the prohibitive approach is consistent with the protection of human dignity and self-determination. Practices involving covert or manipulative techniques, the exploitation of vulnerabilities, or forms of surveillance and control incompatible with personal freedom are expressly prohibited.
The question of social scoring must be understood within this framework. Under the AI Act, the prohibition does not extend to all sectoral evaluations as such – such as creditworthiness assessments – but rather to systems that evaluate or classify individuals on the basis of social behaviour or personal characteristics and that, through the attribution of a “score”, lead to prejudicial treatment in unrelated contexts or to treatment that is unjustified or disproportionate.
This distinction must be formulated carefully in order not to conflate prohibited practices with applications that instead fall within the category of high-risk systems and are therefore subject to enhanced safeguards. The second regulatory level concerns high-risk AI systems. These systems are not prohibited, but they are subject to stringent regulatory requirements relating to risk management, data governance and quality, documentation and traceability, transparency towards users, and – above all – meaningful human oversight.
Here the regulation reflects a fundamental insight of constitutionalism: automation cannot serve as a mechanism for dissolving responsibility and legality. Even when outcomes emerge from complex algorithmic systems, responsibility remains human and institutional and must remain legally attributable throughout the entire decision-making chain.[26]
The third level concerns general-purpose AI models, often generative in nature, which may entail systemic risks such as disinformation, discrimination, or manipulation. In this area, the AI Act assigns particular importance to transparency obligations, as well as to requirements relating to risk assessment and mitigation. The regulatory framework is complemented by co-regulatory instruments, most notably Codes of Practice coordinated by the AI Office (European Office for Artificial Intelligence), which acts as a central governance hub and coordinates implementation mechanisms, particularly regarding general-purpose AI models.[27]
Regarding such a risk-based scale, it is worth remembering that risk is by its very nature an open and dynamic category. Precisely for this reason, its translation into administrative practices, technical standards and codes of conduct requires caution. Decisive concepts cannot be absorbed into exclusively technical language to the point of losing their substantive content of guaranteeing rights. From this perspective, we can also understand the previous reference to overcoming the 'two cultures': the implementation of a risk-based model requires mixed skills and, above all, effective public control over the choices that determine, in concrete terms, the level of protection.
In this context, the principle of transparency takes on the function of a true safeguard of ‘due process’ in algorithmic society. In this regard, it has been emphasised that the ‘principle of technological comprehensibility’ is in some way functional to the ‘new technological personalism’.[28] The extraordinary profiling capacity of AI – which increasingly categorises not merely objects but individuals – exposes people to risks of social, cultural, and even health-related discrimination. Without transparency and contestability, technical opacity risks becoming legal opacity. And in a constitutional democracy, opacity disproportionately affects the most vulnerable individuals.
The regulation of deepfakes, in this sense, is emblematic. The AI Act introduces obligations relating to labelling and disclosure; however, legal scholarship has already pointed to the inherent tension between the obligation to declare a piece of content as a deepfake and the typical intention of those who create such content precisely to deceive.[29] For this reason, transparency alone is insufficient: it must be embedded within broader chains of responsibility and accompanied by effective public powers of supervision and sanction. The aim is to prevent generative models from becoming “machines of uncontrolled influence.” As will be discussed below, this approach marks a relatively clear difference from the regulatory model prevailing in the United States, where many such measures remain largely voluntary.
The European construction of safeguards does not, therefore, take place solely through prohibitions, but above all through a ‘data due process’, i.e. a set of procedural obligations that make digital power verifiable and prevent its arbitrary exercise. This logic underpins the GDPR, the DSA, the DMA, and, in its own way, the AI Act. Its objective is to limit the power of digital giants not merely through declarations of values but through enforceable procedures, data access obligations, auditing mechanisms, transparency requirements, and complaint procedures.
The credibility of the European model also depends on its capacity for enforcement. The AI Act establishes a dissuasive system of sanctions: violations of the prohibitions set out in Article 5 may result in administrative fines of up to €35 million or 7% of global annual turnover; other significant violations may entail penalties of up to €15 million or 3%; and additional sanctions apply in cases involving the provision of inaccurate or misleading information.
The connection with the broader European digital regulatory framework is evident. The DSA provides for penalties of up to 6% of global turnover, while the DMA allows for fines of up to 10% (and up to 20% in cases of repeated infringements), accompanied by periodic penalty payments designed to ensure compliance. Through this enforcement architecture, the Union seeks to give concrete effect to a model of ex ante regulation rather than merely symbolic oversight.
Finally, at the domestic level, reference should be made to Italian Law No. 132 of 23 September 2025, which establishes a framework of principles and delegated powers aimed at ensuring national coordination and sectoral implementation in declared consistency with the European regulatory framework.[30]
4. THE UNITED STATES AND THE RISE OF THE ‘DIGITAL PARASTATE.
In contrast to the European regulatory framework and the national legal systems of the Member States, the United States does not currently possess a comprehensive federal regulatory corpus comparable to the AI Act.[31]
AI governance in the United States remains more fragmented and flexible. It relies primarily on sector-specific interventions, regulatory action by administrative agencies under existing statutory frameworks, and a wide range of voluntary instruments. The NIST AI Risk Management Framework, for example, is explicitly designed as a voluntary tool intended to guide organisations in managing AI-related risks.[32]
More broadly, the prevailing US approach prioritises the promotion of technological leadership, the reduction of regulatory constraints, and a significant reliance on corporate self-regulation and sectoral guidelines. Governance is therefore largely entrusted to market actors themselves, reflecting a regulatory philosophy less inclined towards generalised ex ante obligations.
The deeper roots of this divergence are both cultural and constitutional. The centrality of the First Amendment and its robust protection of freedom of speech, together with the long-standing metaphor of the “free marketplace of ideas,” have historically shaped the American approach to digital regulation. This tradition has fostered a structural distrust of public intervention that could be perceived as restricting freedom of expression. Yet the growing concentration of power in the digital sphere has gradually altered this balance. The emergence of extremely powerful private actors – often associated with a small number of individuals – has shifted the equilibrium of sovereignty and risks relegating politics to a secondary role. The internet, once celebrated as a libertarian promise of decentralised freedom, has increasingly evolved into an environment dominated by a limited number of platforms capable of exerting substantial influence over markets, democratic debate, and the protection of fundamental rights. These actors are no longer merely economic operators. Rather, they have become genuine digital powers performing functions that are, in many respects, quasi-parastatal and in competition with public authorities.[33]
Such a concentration of power ultimately affects the very centre of gravity of sovereignty. This results in the structural risk that politics will take a back seat, while digital platforms and infrastructures effectively exercise regulatory and policy-making functions with public effects, without corresponding democratic legitimacy and without adequate forms of accountability. In a pluralistic democracy, this shift cannot and must not be considered a ‘neutral’ outcome of technological progress. The European Union is much more aware of this than the US.
The technological and digital landscape reveals the emergence of a new form of territoriality: immaterial, networked, and largely detached from traditional geographic boundaries. It constitutes a “borderless” environment in which data flows, platforms, and social networks generate spheres of influence that transcend legal systems and within which classical concepts such as sovereignty and jurisdiction reappear in transformed forms.
If public law retreats, digital sovereignty will, in fact, be exercised by private entities as a substantially absolute power.
For this reason, the question of “jurisdiction over data” and the territorial reach of regulation in the context of cloud computing and artificial intelligence must be reconstructed as an assertion of public regulatory competence, regardless of the physical location of data or the geographic headquarters of large technology companies. Otherwise, the development of digital technologies risks paradoxically returning us to pre-constitutional configurations of power.
At the same time, this perspective also helps to explain the different regulatory posture adopted by the United States, which has thus far refrained from adopting a comprehensive and binding federal framework on artificial intelligence. This position reflects not only a legal tradition historically wary of extensive public intervention but may also be understood as a strategic choice aimed at preserving technological leadership and the global competitiveness of major digital platforms. In such a scenario, the boundary between public and private interests can become remarkably thin, sometimes to the point of disappearing.
In some phases – and this is particularly evident in the Trump administration – there has been a convergence between government priorities and the priorities of big tech.[34] Deregulation, reduction of constraints, trust in market governance and voluntary standards become a powerful expression of very strong private interests, rather than merely a consequence of the different legal culture overseas. The outcome is a regulatory environment in which private power may expand within relatively limited constraints, while public intervention focuses predominantly on incentives, partnerships, and flexible instruments, systematically avoiding ex ante obligations and structural sanctions.
The European response to these developments is therefore markedly different. As discussed above, it takes the form of a comprehensive regulatory framework that seeks to ensure effectiveness not only through legislation but also through the interpretative role of EU judicial practice.
The well-known sequence of cases Digital Rights Ireland, Google Spain, Schrems I and Schrems II is decisive because it consolidates the Charter of Rights as a control parameter and establishes a clear form of “jurisdiction over data flows”.[35] Within the digital environment, the Court does not evaluate technology in the abstract; rather, it assesses the legal ecosystems within which data circulate and within which digital power is exercised. In Google Spain in particular, the Court applied fundamental rights in a horizontal dimension, extending their relevance to private actors and demonstrating how the protection of rights in the digital sphere necessarily involves relations between private parties. At the same time, it remains essential to maintain a balanced combination of substantive and procedural instruments, avoiding both regulatory inertia and excessive regulatory hypertrophy.
The risk that private powers will proclaim themselves “sovereign” over the network is real and, from a European perspective, cannot be accepted. The Union’s notion of digital sovereignty tends to manifest itself as jurisdiction over data flows: a form of regulatory authority that, while not strictly tied to traditional territorial borders, is nevertheless capable of enforcing European values beyond purely physical territoriality. In this way, the Union reconstructs a form of regulatory territoriality that is independent of both the physical location of data and the formal headquarters of large technology companies.
In this sense, the core of the European model lies in the construction of a regulatory architecture inspired by a deeply constitutional rationality. It reflects the awareness that artificial intelligence, if left exclusively to commercial logics, risks eroding transparency, non-discrimination, informational pluralism, and ultimately the freedom of individual self-determination–an essential precondition for the functioning of pluralistic democracy.
5. TOWARDS EUROPEAN DIGITAL SOVEREIGNTY: MINIMUM CONDITIONS FOR A SHARED FRAMEWORK.
Ultimately, the question is not only what to regulate, but how to make regulatory choices effective, how to transform regulatory design into effective guarantees. The AI Act, together with the broader European digital corpus iuris, has introduced important regulatory mechanisms grounded, as noted above, in principles of responsibility, transparency, and oversight. The decisive test, however, will lie in their implementation and practical effectiveness. This requires the development of technical standards consistent with the underlying principles, the establishment of concrete auditing and monitoring mechanisms, effective coordination among competent authorities, and enforcement practices that are both clear and genuinely dissuasive. Without such an operational dimension, regulation risks remaining a sophisticated normative framework with limited impact on reality – particularly in a context where the pace of technological innovation and the concentration of private technological power tend to outstrip the capacity for public intervention.
It is not enough to have good rules if, in the most sensitive cases, inertia prevails. The protection of rights cannot be entirely left to litigation and therefore to the pathological moment of violation of the rules. Instead, a stable public capacity for intervention is needed, one that makes the guarantee of rights timely, verifiable and not merely contingent.
In conclusion, what is often referred to as the ‘Brussels effect’[36] can be interpreted as a form of regulatory sovereignty that the Union seeks to pursue in the digital field through regulation. Such sovereignty possesses a natural extraterritorial dimension, owing to the structure of global markets and the attractiveness of the European regulatory space. European rules tend to extend beyond the Union’s territorial boundaries because they effectively condition access to an economic and social space of global relevance.
However, it would be reductive to identify ‘digital sovereignty’ solely with the ability to produce regulations.
The first tool of real ‘digital sovereignty’ should be, regardless of the regulatory plan, the capacity for strategic autonomy in the sector. That is, the creation of political and economic conditions, skills and infrastructure in the broadest sense, which enable European companies to be leaders in the competition for artificial intelligence, on which not only market share but also geopolitical positioning and technological leadership depend.
Beyond the strictly regulatory plan, where the Union, as we have seen, has moved promptly and consistently with its traditional values, it is important not to underestimate the fact that regulating a digital market dominated by large non-European platforms is a real political challenge.
Recent transatlantic tensions over digital regulation and the first significant applications of European regulatory instruments demonstrate that regulation alone is insufficient. Effective governance requires strong institutions and, ultimately, political resilience in the context of the global competition with major technological and economic powers such as the United States and China.[37] Without such institutional and political support, regulatory sovereignty risks remaining robust in principle yet fragile in its practical effects.
For this reason, if the Union wishes to remain faithful to its constitutional spirit, it must strengthen its political integration so that it can effectively support, including externally, the framework of transparency, accountability and protection of rights that it has chosen to govern the digital market. There is undoubtedly room for technical and regulatory simplification, as is increasingly advocated in policy debates, where such simplification genuinely enhances effectiveness. Yet this objective must not come at the expense of the safeguards necessary to ensure that algorithmic systems and the power of large digital platforms remain compatible with fundamental rights and democratic principles.
In this context, Europe's vocation is not to build a regulatory 'fortress', but to propose a method where rights are the compass and risk is the operating criterion, with institutions capable of ensuring effectiveness. In this way, Europe may aspire to act as a bridge between different global paradigms–most notably those represented by China and the United States – not through neutrality, but through the capacity to translate values into legal norms and legal norms into effective mechanisms of oversight.
If this is what is at stake, the models put forward in China and the US, with their extreme and therefore partial simplification, are clear. On the one hand, there is pervasive public control that can degenerate into authoritarian regression; on the other, there is laissez-faire which, behind the rhetoric of innovation, risks 'closing' the digital sphere to private oligopolies and a technological heteronomy that is difficult to reverse.
The comparison between these models thus reveals not only a regulatory divergence but also a deeper cultural distance between the European and American approaches, while simultaneously highlighting the need to construct channels of dialogue. The challenge is inherently global: Europe, the United States, and China represent three distinct paradigms that cannot simply compete in isolation but must also develop channels of political, economic, and cultural dialogue capable of avoiding confrontational dynamics based solely on power. The alternative, however, is regulatory fragmentation, which translates into systemic risk. In the absence of at least partially interoperable standards, AI becomes a multiplier of asymmetries and a source of economic conflict that is bound to be reflected at the political level. This is why we need a dialogue capable of establishing a minimum set of common principles: security, responsibility, prohibition of practices that clearly violate fundamental rights, while respecting different contexts, and transparency of generative models in the most sensitive contexts.
Within the limits imposed by its geopolitical position, the European perspective nevertheless offers an important orientation. It seeks to regulate algorithmic systems without demonising technological innovation or relinquishing public responsibility; to promote innovation in a manner compatible with fundamental freedoms, equality, and democratic values; and to contribute, realistically, to the creation of the conditions necessary for forms of multilateral governance capable of ensuring that artificial intelligence remains a tool for human progress rather than a multiplier of conflict and inequality.
This article examines artificial intelligence through the lens of European constitutionalism and argues that the European Union has developed a distinctive regulatory paradigm grounded in human dignity, freedom, equality, democracy, and the rule of law. Moving from the broader European digital corpus iuris – including the GDPR, DSA, DMA, and related data regulation – to the AI Act, the essay interprets the Union’s risk-based approach as a form of applied constitutionalism designed to subject algorithmic power to public responsibility, transparency, and meaningful human oversight.
The article sets this model against the more fragmented and market-oriented approach prevailing in the United States, where sectoral regulation, administrative action, and voluntary standards have left broader space for private digital power to assume quasi-parastatal functions. On this basis, the essay contends that European digital sovereignty cannot be reduced to the production of rules alone, but must also rest on effective enforcement, institutional coordination, political resilience, and strategic technological autonomy. Despite the difficulties of implementation and the pressures of global competition, the European model offers a normative and institutional method for reconciling innovation with fundamental rights and democratic guarantees, while also providing a possible foundation for minimum shared principles in the emerging global governance of artificial intelligence.
AI Act; Digital constitutionalism; European digital sovereignty; Fundamental rights; AI governance.
El presente trabajo examina la Inteligencia Artificial desde la perspectiva del constitucionalismo europeo y sostiene que la Unión Europea ha desarrollado un paradigma regulatorio singular, fundamentado en la dignidad humana, la libertad, la igualdad, la democracia y el Estado de Derecho. Partiendo del más amplio corpus iuris digital europeo —que comprende el RGPD, el DSA, el DMA y la normativa sectorial en materia de datos—, el trabajo interpreta el enfoque basado en el riesgo adoptado por la Unión como una forma de constitucionalismo aplicado, orientado a someter el poder algorítmico a la responsabilidad pública, la transparencia y un control humano efectivo.
El trabajo confronta dicho modelo con el enfoque más fragmentado y orientado al mercado predominante en los Estados Unidos, donde la regulación sectorial, la actuación administrativa y los estándares voluntarios han dejado un amplio margen para que el poder digital privado asuma funciones de naturaleza cuasi-paraestatal. Sobre esta base, el trabajo sostiene que la soberanía digital europea no puede reducirse a la mera producción normativa, sino que ha de asentarse igualmente sobre una aplicación efectiva del Derecho, la coordinación institucional, la resiliencia política y la autonomía tecnológica estratégica. Pese a las dificultades de implementación y a las presiones derivadas de la competencia global, el modelo europeo ofrece un método normativo e institucional para conciliar la innovación con los derechos fundamentales y las garantías democráticas, constituyendo asimismo un posible fundamento para el establecimiento de principios mínimos compartidos en el emergente marco de gobernanza global de la inteligencia artificial.
Reglamento de Inteligencia Artificial (AI Act), constitucionalismo digital, soberanía digital europea, derechos fundamentales, gobernanza de la inteligencia artificial.
Recibido: 18 de febrero de 2026
Aceptado: 4 de marzo de 2026
This contribution revisits and expands upon, with additions and notes, the report presented at the Italy-China Science Week, Beijing, 13 November 2025. ↩︎
Among the first to use the expression in Italy was A. D’ALOIA (ed.), Intelligenza artificiale e diritto. Come regolare un mondo nuovo, Franco Angeli, 2021. ↩︎
On this topic, recent additions to the ever-expanding literature include F. BALAGUER CALLEJÓN, La costituzione dell'algoritmo, Milano, 2023; H. W. MICKLITZ, O. POLLICINO, A. REICHMAN, A. SIMONCINI, G. SARTOR, G. DE GREGORIO (eds.), Constitutional Challenges in the Algorithmic Society, Cambridge University Press, 2021; G. DI COSIMO, Processi democratici e tecnologie digitali, Torino, 2023; F. PARUZZO, I sovrani della rete piattaforme digitali e limiti costituzionali al potere privato, Napoli, 2022; M. PROIETTI, A. VENANZONI, La sovranità digitale tra sicurezza nazionale e ordine costituzionale, Pisa, 2023 and, if desired, A. PATRONI GRIFFI (ed.), Bioetica, Diritti e Intelligenza artificiale, Mimesis edizioni, 2023. ↩︎
N. CRISTIANINI discusses ‘machina sapiens’ in Machina sapiens. L’algoritmo che ci ha rubato il segreto della conoscenza, Bologna, 2024. From a theoretical philosophical perspective, see E. MAZZARELLA, Critica della ragione digitale, Roma, 2026. The debate actually predates the advent of AI: J. OFFRAY DE LA METTRIE, L’uomo macchina, Italian translation by F. Polidori, Sesto San Giovanni, 2015; H. JONAS, Dalla fede antica all’uomo tecnologico, Bologna, 2001 and, in the legal field, V. Frosini, Cibernetica diritto e società, Edizioni di comunità, 1968, reissued in 2023, in open access by Romatre press. ↩︎
See, in particular, F. BALAGUER CALLEJON, La costituzione dell'algoritmo, op. cit.; C. CASONATO, Per un’intelligenza artificiale costituzionalmente orientata, in A. D’ALOIA (ed.), Intelligenza artificiale e diritto. Come regolare un mondo nuovo, cit.; G. MOBILIO, “La coregolazione delle nuove tecnologie, tra rischi e tutela dei diritti fondamentali”, Osservatorio sulle fonti, no. 1, 2024. ↩︎
S. CALZOLAIO, “Introduzione. Ubi data, ibi imperium: il diritto pubblico alla prova della localizzazione dei dati”, Rivista italiana di informatica e diritto, no. 1, 2021. ↩︎
L. TORCHIA, “Poteri pubblici e poteri privati nel mondo digitale”, Il Mulino, no. 1, 2024; G. RESTA, Pubblico, privato, collettivo nel sistema europeo di governo dei dati, Rivista Trimestrale di Diritto Pubblico, no. 4, 2022. ↩︎
G. PINO, Il costituzionalismo dei diritti. Struttura e limiti del costituzionalismo contemporaneo, Bologna, 2017. ↩︎
See F. BALAGUER CALLEJÓN, “Intelligenza artificiale e cultura costituzionale”, lceonline.eu, special issue 2, 2023; A. SIMONCINI, S. SUWEIS, “Il cambio di paradigma nell’intelligenza artificiale e il suo impatto sul diritto costituzionale”, Rivista di filosofia del diritto, no. 1, 2019. ↩︎
E. DI CARPEGNA BRIVIO, A. SANCINO (eds.), La democrazia della società digitale. Tensioni e opportunità, Torino, 2023; E. CELESTE, Digital Constitutionalism: The Role of Internet Bills of Rights, Routledge, 2022. ↩︎
C. P. Snow, The Two Cultures and the Scientific Revolution, Cambridge University Press, 1959 (available online and republished in several languages several times). ↩︎
For a critical analysis of the most relevant doctrinal developments attributable to so-called global constitutionalism, see O. CARAMASCHI, Il costituzionalismo globale: teorie e prospettive, Torino, 2022. ↩︎
If desired, A. PATRONI GRIFFI (ed.), E pluribus unum: le identità in Europa, Diritto Pubblico Europeo Rass. online, no. spec. 1, 2024. ↩︎
Recently, L. DI MAJO, “La vulnerabilità degli utenti in rete”, BioLaw, no. 1, 2024, and the various contributions on ‘technological vulnerability’ in A. PATRONI GRIFFI (ed.), Vulnerabili. Questioni giuridiche, dilemmi bioetici, Sesto San Giovanni, 2025, 591 ff. ↩︎
G. TIBERI, L’irresistibile ascesa della sovranità digitale europea, Napoli, 2022. ↩︎
P. DUNN, Intelligenza artificiale e democrazia: Opportunità e rischi di disinformazione e discriminazione, Milano, 2024, as well as T.E. FROSINI, Liberté, Egalité, Internet, Napoli, 2015; M. MANETTI, “Regolare Internet”, Media Laws, no. 2, 2020, 35 ff.; M.C. GIRARDI, “Libertà e limiti della comunicazione nello spazio pubblico digitale”, Federalismi.it, no. 17, 2024; M. E. BUCALO, “La libertà di espressione in rete fra content moderation dei social network e regolazione dell’Unione Europea”, Dirittifondamentali.it, no. 3, 2022. ↩︎
For an interesting position on the subject, see G. DE MINICO, Libertà virtuali. Costituzione e mercato, Torino, 2024. ↩︎
O. POLLICINO, Costituzionalismo digitale. Pensare la democrazia al tempo dell’IA, Bologna, 2025. ↩︎
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Regulation on artificial intelligence). Among the commentaries on the AI Act, SEE M. FINCK, The EU Artificial Intelligence Act: A Commentary, Oxford, 2025; L. C. HUESO, D. U. GALETTA (eds.), The European Union Artificial Intelligence Act. A Systematic Commentary, Napoli, 2025; A. F. URICCHIO, C. CALDEROLA, L’intelligenza artificiale tra regolazione e esperienze applicative. AI ACT (regolamento UE) e disegno di legge governativo, Bari, 2025. ↩︎
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). ↩︎
Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC (Digital Services Regulation). ↩︎
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on fair and contestable markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Regulation). ↩︎
Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Regulation) (Text with EEA relevance) and Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Regulation). ↩︎
Regulation (EU) 2024/900 of the European Parliament and of the Council of 13 March 2024 on transparency and targeting of political advertising. ↩︎
For a systematic, article-by-article analysis of risk-based regulation in the vast literature, see, for example, L. C. HUESO, D. U. GALETTA (eds.), The European Union Artificial Intelligence Act, cit., 181 ff. See also P. DUNN, G. DE GREGORIO, “AI Act, rischio e costituzionalismo digitale”, Media Laws, 22 April 2022; O. POLLICINO, F. PAOLUCCI, “AI Act e diritti fondamentali”, Civiltà della Macchine, no. 2, 2024. ↩︎
At each stage of the process: design, training, integration, use. ↩︎
On the various regulatory instruments referred to in the AI Act, see G. DE MINICO, “Le fonti del diritto: un argine all’intelligenza artificiale”, Rivista AIC, no. 3, 2025. ↩︎
A. SIMONCINI, “Il linguaggio dell’intelligenza artificiale e la tutela costituzionale dei diritti”, Rivista AIC, no. 2, 2023. On this fundamental point, see Council of State, Section VI, judgment no. 2270 of 8 April 2019: “the mechanism through which the robotic decision (i.e. the algorithm) is made must be 'knowable', according to a reinforced interpretation of the principle of transparency, which also implies that a rule expressed in a language other than legal language must be fully knowable'. And again: 'Such knowability of the algorithm must be guaranteed in all aspects: from its authors to the procedure used for its development, to the decision-making mechanism, including the priorities assigned in the evaluation and decision-making procedure and the data selected as relevant. This is in order to verify that the outcomes of the robotic process comply with the requirements and purposes established by law or by the administration itself upstream of that process and to ensure that the methods and rules on which it is based are clear and, consequently, subject to review”. ↩︎
M.E. BUCALO, “Intelligenza Artificiale e deepfakes: le nuove frontiere della disinformazione e i possibili rimedi giuridici”, Media Laws, 2024. ↩︎
F. PAOLUCCI, “La legge italiana sull’intelligenza artificiale: attuazione nazionale dell’«AI Act» e primi nodi applicativi”, Quaderni costituzionali, no. 4, 2025. ↩︎
For a systematic, comprehensive analysis, see M. HU, AI Law and Policy, Aspen Publishing, 2025. For a comparison between the US and the EU, see O. POLLICINO, “Regolazione e innovazione tecnologica nell’«ordinamento della rete»”, Rivista AIC, no. 2, 2025. ↩︎
On this topic, see F. K. CAMERON, NIST’s AI Risk Management Framework plants a flag in the AI debate, Brookings, 2023. ↩︎
On the dangers of capitalism in the age of big tech, S. ZUBOFF, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, New York, 2019, remains essential reading. A. VENANZONI discusses ‘private states’ and ‘platform capitalism’ in “Neofeudalesimo digitale: Internet e l’emersione degli Stati privati”, MediaLaws, no. 3, 2020 and Id., “Cyber-costituzionalismo: la società digitale tra silicolonizzazione, capitalismo delle piattaforme e reazioni costituzionali”, Rivista italiana di informatica e diritto, no. 1, 2020. ↩︎
It suffices to refer to Executive Order No. 14179 of 23 January 2025, Removing Barriers to American Leadership in Artificial Intelligence, issued by the White House on 23 January 2025. ↩︎
G. FINOCCHIARO, La giurisprudenza della Corte di giustizia in materia di dati personali da Google Spain a Schrems, Il diritto dell'informazione e dell'informatica, no. 4-5, 2015, 779-799. ↩︎
A. BRADFORD, The Brussels Effect: How the European Union Rules the World, Oxford University Press, 2020. ↩︎
S. ACETO DI CAPRIGLIA, “Intelligenza artificiale: una sfida globale tra rischi, prospettive e responsabilità. Le soluzioni assunte dai governi unionale, statunitense e sinico. Uno studio comparato”, Federalismi.it, no. 9, 2024. ↩︎