Europe’s AI rules could slow deployment but strengthen trust in critical systems
Europe's artificial intelligence regulation is becoming a design force that determines how AI can be built, tested, secured and scaled in cyber-physical systems, states a new study published in the MDPI journal Electronics.
The review, Impact of EU Laws and Regulations on the Adoption of Artificial Intelligence in Cyber–Physical Systems: A Review of Regulatory Barriers, Technological Challenges, and Cross-Sector Implications, finds that EU laws act both as a brake and a foundation for AI adoption across energy and smart grids, smart buildings, mobility and transport, and industrial manufacturing systems.
EU regulation is becoming part of AI system design
AI is increasingly embedded in systems that connect software decisions with physical consequences. In cyber-physical systems, AI does not merely process information; it can help forecast energy demand, adjust building systems, detect faults in machines, coordinate transport flows, support industrial automation and guide decisions that affect infrastructure, safety and public services.
This is what makes AI adoption in these environments different from AI adoption in purely digital services. A flawed recommendation, insecure data pipeline or poorly governed model can trigger operational disruption, safety risks, equipment damage or wider public harm. The review argues that this physical dimension is why EU regulation now has direct consequences for system architecture, not only for legal compliance.
The EU Artificial Intelligence Act sets the central horizontal framework for AI systems. The General Data Protection Regulation governs personal data. NIS2 imposes cybersecurity obligations on essential and important entities. The Cyber Resilience Act adds requirements for products with digital elements. The Data Act and Data Governance Act shape access to and sharing of data. The Cybersecurity Act supports certification, while machinery rules matter where AI interacts with equipment and safety-relevant automation.
Cyber-physical AI systems often fall under several of these frameworks at once, the study claims. A smart building system that uses AI to optimize heating, ventilation and energy demand may have to address privacy rules, product cybersecurity, data access obligations and AI governance requirements. A factory using AI for robotics or predictive maintenance may face obligations related to machinery safety, secure software updates, documentation and lifecycle monitoring.
This layered system creates cumulative compliance friction. The challenge is not a single legal ban or one isolated rule. It is the combined burden of making AI systems lawful, secure, traceable, auditable, interoperable and operationally accountable. For developers, operators and regulators, the task is increasingly to translate law into engineering requirements.
It is no longer enough to prove that a model performs well in a test environment. AI systems in cyber-physical settings must be built around privacy-aware data flows, secure connected products, logging, audit trails, human oversight, update governance and clear allocation of responsibility. In practice, compliance becomes part of the system stack.
The review describes this as a move toward regulation-aware systems engineering. AI must be designed from the start with compliance, safety and resilience in mind. Treating legal checks as a final step after technical development is becoming less workable, especially where AI is connected to infrastructure, machines, buildings or public mobility.
Compliance can slow adoption, but it also builds trust
The review identifies several regulatory barriers that can slow AI deployment in cyber-physical systems. High-risk classification under the AI Act can trigger documentation, risk management, logging, transparency, human oversight and post-market monitoring duties. These obligations are especially demanding when AI is embedded in infrastructure or machinery, where the wider technical environment includes older systems, proprietary interfaces and physical safety procedures.
Other barriers include:
Data protection
AI models often perform better when they use rich, continuous and detailed data. But GDPR principles such as data minimization, purpose limitation and storage limits constrain how data can be collected, combined and reused. This is especially relevant in smart buildings and mobility systems, where occupancy data, access patterns, location information and behavioral traces may become personal or privacy-sensitive.
Cybersecurity obligations
Under NIS2 and the Cyber Resilience Act, AI-enabled systems cannot rely on weak devices, insecure gateways or unsupported software components. A strong AI model may still be unsuitable for deployment if it sits inside an insecure operational environment. The review stresses that cybersecurity becomes a precondition for adoption, not an optional technical upgrade.
Responsibility and liability
Cyber-physical systems often involve model developers, equipment manufacturers, system integrators, infrastructure operators, software vendors and human supervisors. When a decision causes harm or disruption, responsibility may not be easy to assign. The problem grows when systems evolve through software updates, model retraining, data drift or changing operating conditions.
Interoperability
Many cyber-physical environments are built from legacy systems, vendor-specific formats and fragmented data architectures. Traceability, human oversight and secure data exchange require visibility across multiple layers of a system. Where interfaces are closed or data standards are weak, compliance becomes harder and AI deployment slows.
The study contends that EU regulation does not simply restrict AI development; it also creates the guardrails needed for public trust. By requiring stronger cybersecurity, clearer accountability, lifecycle monitoring and better data governance, EU rules may support more durable AI adoption in high-impact environments.
This is crucial in cyber-physical systems because trust is not a side issue. Operators, regulators, users and the public must have confidence that AI-enabled systems are safe, resilient and controllable. In energy systems, that confidence concerns continuity and grid stability. In transport, it concerns safety and public legitimacy. In factories, it concerns machinery safety and worker-adjacent operations. In buildings, it concerns privacy, comfort and secure automation.
The review frames this as a tension between short-term innovation friction and long-term institutional robustness. EU regulation may slow experimentation and increase costs in the near term, especially for smaller firms and public-sector operators with limited compliance capacity. But it may also produce stronger AI systems that are safer, more secure and easier to trust in critical and semi-critical environments. This balance is key to Europe’s AI strategy.
Jurisdictions with lighter rules may deploy faster. Europe’s potential advantage lies elsewhere: building AI systems that can operate in regulated, physically consequential environments where assurance, safety, privacy and resilience matter as much as speed.
Energy, buildings, transport and industry face different AI bottlenecks
The review’s cross-sector analysis shows that the same EU regulatory framework produces different adoption pressures depending on the domain.
In energy and smart grids, the main issue is infrastructure resilience. AI can support load forecasting, fault detection, predictive maintenance, distributed energy coordination and grid optimization. But because grid systems are critical infrastructure, adoption depends on high reliability, cybersecurity, traceability and operator oversight. The biggest barrier is deploying AI under strict expectations for continuity, resilience and trust.
In smart buildings, the core pressure is privacy-sensitive sensing and fragmented infrastructure. AI can improve heating, ventilation, air conditioning, lighting, predictive maintenance and energy flexibility. But building systems often collect data related to occupancy, routines and indoor behavior. Many buildings also rely on older management systems and vendor-specific devices. The result is a difficult mix of privacy law, cybersecurity requirements and retrofit complexity.
In mobility and transport systems, the dominant challenge is balancing speed, safety and accountability. AI can help with traffic management, fleet coordination, infrastructure monitoring, route planning and automated mobility. But transport systems operate in public space and often involve location data, real-time decisions and safety-sensitive outcomes. AI must be responsive enough to support operations while remaining auditable, secure and accountable.
In industrial and manufacturing systems, the main pressure comes from machinery safety, secure products and lifecycle governance. AI can support predictive maintenance, quality control, process optimization, robotics and production scheduling. But factories often contain long-lived machines, proprietary operational technology and safety-critical processes. AI adoption therefore requires careful integration with machinery rules, cybersecurity controls, update governance and staged retrofitting.
Across all four sectors, the review finds that AI adoption becomes more demanding as systems move closer to direct operational control. AI used for observation, such as monitoring or forecasting, mainly raises data governance, privacy and cybersecurity issues. AI used for advice adds stronger requirements for accountability, explanation and human oversight. AI used for operational control brings the highest demands for safety, traceability, resilience and intervention authority.
This layered view is important because not all AI in cyber-physical systems carries the same level of risk. A model that flags anomalies for human review is different from one that directly adjusts industrial processes or transport signals. The review suggests that regulation-aware architecture must reflect those differences rather than treat all AI deployment as a single category.
The study calls for stronger implementation guidance to help organizations translate legal obligations into technical design. It recommends sector-specific guidance for high-impact AI-enabled cyber-physical systems, cross-sector reference architectures, compliance toolkits for smaller actors, supervised testing environments, stronger cybersecurity-by-design requirements and better data interoperability.
Such support is critical because the burden of compliance is uneven. Large utilities, industrial firms and major technology providers are better positioned to absorb legal, cybersecurity and documentation costs. Smaller firms, municipalities, building operators and specialist system integrators may struggle, even when they have socially valuable AI use cases. Without practical support, regulation could unintentionally favor larger vendors and slow innovation by smaller players.
The review also points to a need for more research on regulation-aware systems engineering. Future studies should examine how organizations actually implement AI governance, cybersecurity rules, data access duties and human oversight in real operational settings. The key research problem is no longer only whether AI can optimize cyber-physical systems; it is whether AI can be embedded in ways that are lawful, secure, explainable, maintainable and operationally useful.
The findings have broad relevance beyond Europe because many economies are grappling with the same problem: how to deploy AI in systems where digital decisions can affect physical safety, infrastructure reliability and public trust. The EU’s approach is unique because it puts legal safeguards, accountability and lifecycle governance at the center of adoption.
First published in: Devdiscourse

