
When Less is More: What the EU’s Latest Moves Mean For the Future of Data Governance


Following the European Commission’s withdrawal of the proposed AI Liability Directive, many believe the European Union is adopting a laissez-faire approach to AI governance to clear the way for innovation. Many others argue that this choice places an undue burden on consumers and fails to protect them from an immature, still largely unknown technology.

Both arguments overlook one crucial element: the EU already has battle-tested regulations in place.

In the very same Work Programme that shelved the AI Liability Directive, the Commission also left the ePrivacy Directive of 2002 in force. This long-standing directive, alongside the General Data Protection Regulation (GDPR), sets out overarching requirements for organizations to protect personal data regardless of the technology involved, and the Digital Operational Resilience Act (DORA) requires financial entities to manage ICT risk and prove their operational resilience.

The decision to drop the AI Liability Directive rather than add another technology-specific law also reflects a pragmatic understanding of how technology evolves. It is impossible to legislate for every derivative of AI; any attempt to do so would produce a framework rendered obsolete as soon as it was implemented. A focus on principle-based regulations like GDPR and DORA, which describe outcomes rather than particular technologies, provides a more sustainable approach to governance.

Strategic Compliance: 3 Ways to Maximize Global Operations in a Complex Regulatory Landscape

GDPR, DORA, and other EU frameworks provide stringent protections that extend well beyond Europe’s borders. For instance, GDPR’s extraterritorial scope applies to any organization, wherever it is based, that processes the personal data of people in the EU while offering them goods or services or monitoring their behaviour. Similarly, financial entities operating in the EU market, and the critical ICT third-party providers that serve them, are bound by the standards set out in DORA.

Across the pond, the U.S. takes a more sector-specific approach to data protection and technology regulation. HIPAA governs healthcare data, PCI DSS (an industry standard enforced by contract rather than a statute) governs payment card data, and so on, forming an at times overwhelming patchwork of requirements.

This regulatory divergence between the EU and the U.S. creates a slew of challenges for the leaders of global organizations, particularly when it comes to cloud deployments and data transfers. However, the following strategies can help leaders to steer clear of the costly fines, loss of business, and other consequences that come with noncompliance:

1. Implement A “Highest Common Denominator” Approach To Compliance

Rather than maintaining different standards for different regions, align your entire operation with the most stringent requirements first. For example, an organization might use GDPR as its compliance baseline, since GDPR’s requirements generally meet or exceed those of other data privacy regimes.

While this approach demands more time and resources up front, it usually proves more cost-effective and operationally efficient in the long run: one control set, one evidence trail, and no per-region exceptions to track. Once smooth compliance workflows are in place, companies can also map their controls to additional frameworks, such as the voluntary NIST Cybersecurity Framework or, for in-scope entities, the mandatory NIS2 Directive, for even closer alignment with security best practice.

2. Pay Particular Attention To Data Localization Requirements

GDPR strictly regulates transfers of personal data outside the European Economic Area: each transfer needs a lawful basis under Chapter V, such as an adequacy decision, standard contractual clauses, or binding corporate rules. Organizations must therefore have robust mechanisms in place to know where personal data flows and to control it. Consider regional data centres or regions within your cloud provider, and establish clear data sovereignty protocols in your cloud and network architecture so that storage, backups, logging, and support access do not quietly move data across borders.

3. Maintain Flexible Compliance Frameworks That Can Adapt To Evolving Regulations

While the EU chose to drop the AI Liability Directive this time around, the AI Act’s obligations are already being phased in and further AI rules are inevitable. Organizations should build their compliance programs with modularity in mind, allowing for greater resilience and easier adaptation. This means investing in robust data governance programs, maintaining comprehensive documentation of security controls, and regularly updating risk assessments to account for new technologies and threats.

These frameworks can be burdensome at times—headaches at best and heavy fines at worst. But it’s important to remember why we have them in the first place: to provide a clear, predictable, and controlled environment for business operations. Organizations that embrace these requirements and build them into their operational DNA will undoubtedly find they have a competitive advantage in not only European markets, but also markets around the globe.

Success in today’s regulatory landscape isn’t just about checking compliance boxes—it’s about embracing these frameworks as catalysts for better business practices. Companies that view regulatory compliance as an opportunity rather than an obstacle will find themselves better positioned to navigate the complex intersection of technology, privacy, and consumer trust. This forward-thinking approach to compliance isn’t just good governance—it’s good business.

This article was originally published in Fast Company.
