Europe AI & Data Rules Hub

National Guidance vs EU Guidance: Managing Conflicts

UpdatedSeptember 1, 2025

ByIuliia Gorshkova

Organizations deploying artificial intelligence and data-driven systems across the European Union frequently encounter a complex regulatory landscape where high-level European frameworks intersect with established national supervisory practices. While the EU aims to harmonize the digital single market, the reality of compliance involves navigating the space between directly applicable regulations and the nuanced interpretations of national authorities. This is particularly evident when an AI provider in one Member State receives guidance from a national regulator that appears to diverge from the technical or ethical expectations set out in EU-level documents, such as the AI Office’s guidelines or harmonized standards. Managing these discrepancies is not merely a legal exercise; it is a core operational challenge that requires a robust risk management framework, meticulous documentation, and a deep understanding of regulatory intent. This article analyzes the mechanisms for resolving such conflicts, offering a practical framework for professionals in AI, robotics, and data systems to align their governance strategies with both European ambitions and national realities.

The Architecture of EU Regulation and National Discretion

To understand how conflicts arise, one must first appreciate the legal architecture of the European Union. The General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act) are prime examples of regulations that are directly applicable in all Member States. This means they create rights and obligations automatically, without the need for national governments to pass specific laws to enact them. However, “direct applicability” does not imply a monolithic, uniform application across the continent. Both regulations contain “opening clauses” or “margin of appreciation” provisions. These clauses grant national supervisory authorities (such as data protection authorities or market surveillance bodies) the discretion to interpret certain aspects of the law, particularly where fundamental rights, public security, or specific national contexts are concerned.

For instance, the GDPR allows Member States to legislate on specific processing situations, such as the processing of employee data or the use of health data for scientific research, provided they respect the regulation’s core principles. Similarly, the AI Act empowers national authorities to designate notifying authorities and to enforce rules on high-risk AI systems within their territories. Consequently, a conflict rarely manifests as a direct contradiction between an EU text and a national law. Instead, it often appears as a divergence in guidance. A national authority might publish an opinion on the interpretation of “high-risk” criteria or the technical requirements for “real-time” biometric identification that seems stricter or broader than the AI Office’s guidance. This creates a dilemma for companies: should they follow the harmonized EU guidance, or the more specific, authoritative interpretation of the national regulator where they operate?

Direct Applicability vs. National Implementation

The distinction between direct applicability and national implementation is the primary source of friction. When an EU regulation is drafted, it often uses broad, technology-neutral language to ensure longevity. The interpretation of this language is then delegated to two main actors: the European Commission (through the AI Office and standardization bodies) and the national authorities. The former issues guidelines and requests the creation of harmonized standards (EN standards) to provide technical presumption of conformity. The latter issues opinions, decisions, and sector-specific guidance that reflect local legal traditions and enforcement priorities.

Consider the concept of “provider” in the AI Act. The definition is harmonized at the EU level. However, a national authority might issue guidance clarifying when a company modifying an existing AI system for a specific, high-risk purpose becomes a “provider” in the eyes of national law. If that guidance appears to expand the scope of responsibility beyond what is strictly defined in the AI Act, it creates a compliance risk. The organization must decide whether to adhere to the stricter national interpretation to avoid enforcement action, or to challenge it based on the supremacy of EU law. In practice, most organizations opt for the path of least resistance, which often means aligning with the strictest interpretation, but this can lead to fragmentation of the single market—the very thing the EU seeks to avoid.

The Role of Supervisory Authorities and the AI Office

The interplay between national authorities and the AI Office is governed by a system of cooperation mechanisms. The AI Act establishes a European Artificial Intelligence Board (EAIB) to facilitate consistent application. However, the day-to-day supervision remains with the Member States. When a national authority issues guidance that conflicts with the AI Office’s interpretation, the EAIB is supposed to issue an opinion to resolve the inconsistency. This process is slow and does not offer immediate relief to a company facing a deadline or an audit.

From a practical standpoint, the “guidance” issued by a national authority often carries the weight of “soft law.” While not legally binding in the same way as a court judgment, it signals the authority’s enforcement stance. If a company deviates from it, they risk being targeted for audits or enforcement actions. Therefore, the conflict is often not between two laws, but between a binding EU law and a persuasive national interpretation. Managing this requires a strategy that respects the legal hierarchy while acknowledging the operational reality of supervisory risk.

Identifying and Categorizing Conflicts

Before a conflict can be managed, it must be identified and categorized. Not all discrepancies require the same response. A robust compliance team must distinguish between three types of conflicts: semantic divergences, procedural variances, and substantive contradictions.

Semantic Divergences

Semantic divergences occur when the same term is used in EU guidance but interpreted differently by a national authority. For example, the term “significant risk” is central to the AI Act. An EU-level guideline might emphasize the severity of potential harm, while a national authority might emphasize the *likelihood* of harm, leading to different classifications of the same AI system. These conflicts are usually resolved through technical clarification. The solution lies in documenting the reasoning behind the company’s interpretation and, if necessary, seeking a “no-objection” or informal consultation with the regulator to align on the definition.

Procedural Variances

Procedural variances relate to how compliance is demonstrated. The AI Act sets out conformity assessment procedures, but national authorities may have specific requirements for the format of technical documentation, the language of the risk management system, or the accreditation of notified bodies. For instance, a German authority might require a specific DIN standard to be referenced in the technical file, whereas the EU framework might only reference the relevant EN standard. These are not conflicts of law but of administrative practice. The strategy here is to adapt the documentation to the highest common denominator—essentially, satisfying the strictest national procedural requirement to ensure acceptance across the EU.

Substantive Contradictions

Substantive contradictions are rare but critical. This occurs when a national measure effectively prohibits what the EU regulation permits, or vice versa. This can happen during the transitional periods of new regulations, or when a Member State invokes a safeguard clause under Article 95 of the AI Act (or similar provisions in the GDPR) to restrict the free movement of AI systems on grounds of public safety or fundamental rights. If a national authority issues a binding decision that contradicts the AI Act, the company is legally bound to follow the national decision while challenging it through the appropriate legal channels (such as the Court of Justice of the European Union). However, in the context of “guidance,” a substantive contradiction usually signals that the national authority is testing the boundaries of the law, perhaps anticipating future amendments or stricter enforcement.

Risk Management Strategies for Regulatory Divergence

Managing conflicts between national and EU guidance requires a shift from a static “checklist” compliance approach to a dynamic, risk-based governance model. This involves assessing the regulatory risk alongside the technical and operational risks of the AI system.

The Regulatory Risk Assessment

Most organizations conduct technical risk assessments (e.g., failure modes and effects analysis). A regulatory risk assessment applies the same rigor to the compliance landscape. It asks: What is the probability that a national authority will challenge our interpretation of this guidance? and What is the impact of that challenge (fines, market withdrawal, reputational damage)?

To conduct this assessment, teams should map their AI systems against the specific guidance issued by every relevant national authority in the markets where they operate. They should then score the divergence between the EU guidance and the national guidance. A “high” divergence score in a jurisdiction with aggressive enforcement history represents a high regulatory risk. This prioritizes the need for mitigation strategies, such as seeking legal opinions or modifying the system design to meet the stricter standard.

Designing for the “Highest Common Denominator”

One of the most effective strategies for managing fragmentation is to design the AI system and its governance processes to meet the strictest applicable standard across all relevant jurisdictions. This is often referred to as the “Brussels Effect” in reverse—whereby internal market dynamics drive companies to adopt the highest standard globally. If the French data protection authority (CNIL) requires specific anonymization techniques for health data that are not strictly required by the Italian authority, an organization might apply the French standard to all its processing activities to simplify its operational model.

This approach reduces the complexity of maintaining multiple versions of a product or documentation set for different markets. However, it comes at a cost: potentially higher development costs and reduced flexibility. The decision to adopt the highest common denominator must be weighed against the business value of the specific market. For core European markets, this is usually the recommended path. For peripheral markets with conflicting guidance, a localized approach might be justified.

Scenario Planning and “Safe Harbor” Documentation

Organizations should maintain a “regulatory conflict log.” This document tracks instances where national guidance diverges from EU expectations. For each entry, the organization documents:

The specific text of the EU guidance.
The specific text of the national guidance.
The technical or operational impact of the divergence.
The chosen compliance strategy (e.g., adopt stricter standard, seek clarification, challenge).
The legal justification for the chosen strategy.

This log serves as a “safe harbor” document. In the event of an audit or investigation, the organization can demonstrate that it did not ignore the conflict but made a reasoned, documented decision based on a risk assessment. This is crucial for mitigating fines, as regulators often look for evidence of good faith and systematic compliance efforts.

Documentation Strategies: The Evidence of Compliance

In the European regulatory framework, documentation is not just a record of what was done; it is the primary evidence of compliance. When EU guidance and national guidance conflict, the documentation must bridge the gap. It must explain how the system complies with the letter of the law (EU regulation) while respecting the spirit of the local interpretation (national guidance).

Technical Documentation and the “Statement of Conformity”

For high-risk AI systems under the AI Act, technical documentation is mandatory. When facing conflicting guidance, the technical file should explicitly address the divergence. For example, if a national authority expects a specific testing methodology that is not mandated by the harmonized standard, the technical documentation should include a section titled “Supplementary Compliance Measures.” In this section, the organization can state: “While the EN standard X allows for Methodology A, we have adopted Methodology B as recommended by the [National Authority] in their guidance dated [Date] to ensure alignment with national market surveillance practices.”

This strategy achieves two things: it proves compliance with the harmonized standard (satisfying the EU requirement for presumption of conformity) and it demonstrates proactive engagement with national expectations (reducing supervisory friction). It turns a potential conflict into a demonstration of due diligence.

Records of Reasoning (RoR)

The concept of the “Record of Reasoning” is vital in the context of the AI Act, particularly for high-risk systems. This goes beyond the technical documentation and captures the decision-making process of the provider. When a conflict arises, the RoR should contain the legal analysis of the conflict. It should answer: Why did we choose to interpret the regulation this way?

For example, if a company decides to classify a system as “high-risk” despite national guidance suggesting it might fall into a lower category, the RoR must detail the risk assessment. It should cite the EU definition of “high-risk” and explain why the national interpretation is not legally binding or is less specific. This internal legal record protects the organization if the national authority later challenges the classification. It shows that the decision was not arbitrary but based on a rigorous application of the law.

Transparency for Users and Regulators

Transparency obligations under the AI Act and GDPR require that users and data subjects be informed about how their data is used and how AI systems make decisions. If national guidance imposes stricter transparency requirements (e.g., a specific format for the information notice), the organization must update its user-facing documentation accordingly. It is generally not sufficient to provide a generic EU-wide privacy notice if a national authority requires specific disclosures. The conflict management strategy here involves maintaining modular documentation—having a core EU-compliant text and adding national “modules” or addendums where required. This ensures that the information provided to users in a specific country is fully compliant with both the EU regulation and the local interpretation.

Proactive Engagement and Dialogue

Passive compliance is rarely sufficient in a rapidly evolving regulatory environment. Organizations should view national authorities not just as enforcers, but as stakeholders in the development of a trustworthy AI ecosystem. Proactive engagement can resolve conflicts before they escalate into enforcement actions.

Consultation Mechanisms

Many national authorities offer consultation mechanisms. For example, the UK’s ICO (prior to Brexit and still applicable to UK operations) had a “sandbox” approach. In the EU, the AI Act encourages regulatory sandboxes. These are controlled environments where companies can test AI systems under the supervision of the regulator. Participating in a sandbox is an excellent way to clarify how national authorities interpret conflicting guidance. If a company is unsure whether its approach to risk management aligns with national expectations, the sandbox provides a safe space to validate the approach.

Even outside formal sandboxes, requesting a “meeting for information” or submitting a written query to a national authority can be beneficial. The key is to frame the query correctly. Instead of asking, “Do we have to do X?”, which invites a binary response, ask, “We are considering implementing X to address risk Y, in line with EU guidance Z. How does this align with your interpretation of the national framework?” This invites dialogue and demonstrates a commitment to getting it right.

Industry Associations and Standardization

Conflicts between national and EU guidance often stem from a lack of technical standards. The AI Act relies heavily on harmonized standards to provide concrete technical requirements. If a national authority proposes a requirement that is not in the EU standards, it is often because the EU standards are not yet mature. Industry associations play a crucial role here. By participating in the drafting of EN standards (via CEN-CENELEC), companies can influence the technical specifications that will eventually become the “safe harbor” for compliance. If a national authority’s guidance is seen as overly burdensome or divergent, the industry can lobby through these European bodies to ensure the final harmonized standard reflects a practical, pan-European approach.

Legal Recourse and the Hierarchy of Norms

When dialogue fails and a conflict becomes a legal liability, organizations must understand the hierarchy of norms. In the European Union, EU law takes precedence over national law. This principle, established by the Court of Justice of the European Union, means that a national authority cannot enforce a rule that contradicts the AI Act or GDPR.

However, this principle applies to laws and binding decisions, not necessarily to “guidance.” If a national authority issues non-binding guidance that conflicts with EU law, the organization is free to ignore it, but they risk provoking the authority. If the authority then issues a binding order based on that guidance, the organization must appeal the order. The appeal would argue that the authority’s interpretation violates the principle of primacy of EU law.

This is a high-stakes strategy. It requires legal proceedings that can take years. Therefore, it is usually a last resort. The preferred strategy remains the “comply and complain” approach: comply with the strictest interpretation to maintain market access, while actively participating in consultations and industry groups to advocate for alignment with EU guidance.

The Role of the Court of Justice of the European Union (CJEU)

The CJEU is the ultimate arbiter of conflicts between national and EU law. In the context of AI and data, the CJEU has historically taken a strict view on fundamental rights. For example, in the Schrems II case regarding data transfers, the CJEU invalidated the Privacy Shield because US surveillance laws conflicted with EU fundamental rights. This jurisprudence suggests that if a national authority attempts to restrict an AI system based on fundamental rights concerns that are not addressed in the AI Act, the CJEU might side with the national authority if the restriction is proportionate and justified. Conversely, if a national authority tries to impose a commercial barrier disguised as a safety requirement, the CJEU will likely strike it down. Understanding this jurisprudence helps organizations assess the likely outcome of a legal challenge.

Operationalizing the Framework: A Step-by-Step Guide

To bring these concepts into daily practice, organizations should operationalize a conflict management workflow. This workflow integrates legal, technical, and operational teams.

Step 1: Horizon Scanning

Designate a team or individual to monitor the publication of guidance from both the AI Office and relevant national authorities. This includes tracking updates to harmonized standards, opinions from national DPAs, and sector-specific guidance from market surveillance bodies. This information should be centralized in a regulatory intelligence repository.

Step 2: Gap Analysis

Whenever new guidance is published, perform a gap analysis. Compare the new text against the existing compliance posture and the guidance from other jurisdictions. Identify any “red flags” where the new guidance introduces a requirement that is not present in the EU framework or contradicts it.

Step 3: Risk Scoring

Assess the impact of the gap. Is it a minor procedural difference or a fundamental substantive conflict? What is the enforcement risk in that specific jurisdiction? Assign a risk score (e.g., High, Medium, Low).

Step 4: Decision Making

Based on the risk score, the governance board decides on a strategy:

Low Risk: Update internal procedures to align with the guidance where feasible, but no immediate action required.
Medium Risk: Update documentation and technical controls to meet the guidance. Initiate a consultation with the national authority if ambiguity remains.

Table of Contents

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation