The Hot Potato of Compliance

From GDPR to the EU AI Act, a recurring pattern emerges: European regulation lands in procurement, spreading responsibility, caution, and friction.

I have been noticing a pattern for some time now, without quite knowing how to name it.

As an entrepreneur, and earlier inside larger organisations, I kept encountering the same kind of friction. Deals that looked straightforward would slow down late in the process. Not because of price or technology, but because of questions that appeared at the moment contracts were about to be signed.

I first saw this clearly with GDPR. Now, with the EU AI Act and the emerging idea of AI literacy, I recognise the same dynamic returning.

Where regulation actually lands

We tend to picture regulation as something that happens after the fact: inspectors, fines, enforcement actions. In practice, a great deal of European digital regulation lands much earlier.

It lands at procurement.

That is the point where responsibility becomes fixed. Once a contract is signed, an organisation cannot easily claim ignorance or shift liability elsewhere. So uncertainty flows downhill until it reaches the place where a signature is required.

Procurement becomes the final gate, not by design of the organisation, but by design of the law.

💡
Procurement is the structured way organisations decide what to buy, from whom, and under which conditions. It covers the full journey of identifying a need, selecting suppliers, running tenders, negotiating contracts, managing risks, and checking that money is well spent. In many companies it acts as a gatekeeper between internal ambition and external markets, balancing cost, quality, legal obligations, and strategic fit. Done well, procurement protects organisations from financial, legal, and ethical exposure while helping them secure the best long-term partnerships.

A familiar pattern from GDPR

With GDPR, this became highly visible.

The regulation was intentionally abstract. Concepts like “appropriate measures” and “demonstrable compliance” were left open. That openness created space for interpretation, but also for anxiety.

Organisations responded by internalising that uncertainty. Procurement processes became more defensive. Vendor questionnaires expanded. Standard clauses multiplied. Sales cycles slowed, especially for smaller suppliers.

This was often framed as bureaucracy. Seen differently, it was regulation working as intended.

Spreading responsibility, spreading risk

European regulation often spreads responsibility across the market rather than centralising enforcement.

That is efficient. Supervisors do not need to inspect everything. Organisations are incentivised to police themselves, and each other, through contracts.

But there is a side effect. Responsibility spreads, and so does risk aversion.

Procurement teams often end up holding a kind of hot potato. They do not own the technology, nor the policy goals, yet they are asked to absorb uncertainty on behalf of the organisation. Saying “yes” can feel riskier than saying “no”.

Why AI intensifies this effect

With AI, this dynamic becomes sharper.

AI systems are complex, probabilistic, and often hard to explain fully, even for their creators. Asking procurement to confidently assess such systems is asking it to manage uncertainty it is not structurally equipped to resolve.

The result is not outright rejection, but friction. Slower decisions. More documentation. More caution.

From experience, I see the same lines forming again. Not yet fully drawn, but recognisable.

A very European logic

Regulation via procurement is not new. It has existed for decades in areas like environmental standards, safety, and finance.

What feels distinctly European is how deeply this logic is now applied to digital infrastructure and AI. Responsibility is embedded ex ante, at the moment of decision, rather than enforced primarily after harm has occurred.

Whether this ultimately hampers innovation or builds long-term trust is still an open question. Probably both.

What seems clear to me is this: when procurement slows things down, it is not simply being difficult. It is where policy becomes real.

And perhaps that is exactly the point.
