I spent the first week of June in Dublin at the IAPP’s AI Governance Global Europe conference. It was a fun few days around the Guinness factory, whiskey tours, a day of AI training workshops, AI incident response in the morning and the EU AI Act in the afternoon, then two days of keynotes, panels, and corridor conversations with the people building Europe’s AI governance machinery.

It was hard to imagine a better venue. Ireland is weeks away from taking up the presidency of the Council of the EU. Dublin hosts the European headquarters of Meta, Google, OpenAI, and Anthropic, and its diaspora ties make it a natural bridge between European regulation and North American AI. If Europe has an AI hub, this is it.

The moment that stayed with me was Lucilla Sioli, Director of the EU AI Office, updating practitioners on what the Commission is building. It brought a sense of reality, and of urgency: around the room, firms from inside and well outside the EU (anywhere with an EU client base, really) were in final preparations for 2 August 2026, when the Article 50 AI Act transparency rules become enforceable. The Isle of Man, in a sense, doesn’t feel ready for it yet.

I went to Dublin to understand how the Isle of Man should position itself relative to the EU’s regime. I came back with a more uncomfortable conclusion: for a meaningful slice of the island’s economy working to adopt AI, the positioning question has already been answered before the next Island Plan.

Convergence on the EU rulebook

The clearest pattern across three days: companies are not building bespoke AI governance frameworks for each market. They are looking to adopt a single baseline that satisfies the EU AI Act, because they want access to the European market without running parallel compliance systems. The technical vocabulary is converging too. NIS2, ISO 42001, and the EU’s emerging standards are becoming the de facto language of AI governance in many countries, including in places the EU has no formal authority.

This is the gravitational pull of the European market, operating exactly as it did with the GDPR. Yes, there is the UK GDPR, and Isle of Man GDPR, but they are still versions based on the EU GDPR. This has a sharp implication for a small jurisdiction weighing its own AI framework: the question is no longer whether to align with the EU baseline. In a sense, the market will decide that. The question is what a small jurisdiction can offer on top of convergence.

You may already be caught by the EU AI Act

This is not talked about enough in the Isle of Man. Article 2(1)(c) of the EU AI Act extends the Regulation to providers and deployers established in non-EU countries “where the output produced by the AI system is used in the Union.”

Maybe read that again with an Isle of Man law firm in mind (since I work in one). A firm uses an AI system, be it CoCounsel, Lexis+ AI, or ChatGPT, to help produce a mediation opening speech, a template contract for a client’s business, a set of advice letters. The client is based in Dublin, or Frankfurt, or Paris. The output is used in the European Union.

On my reading, that firm is a “deployer” under the EU AI Act, and the deployer obligations attach to the firm, not to Microsoft or the model provider. I should be clear that this is an argued position rather than settled doctrine: how far “output used in the Union” stretches is one of the live interpretive debates, and the AI Office’s guidance pipeline may yet narrow it. But the better view, I think, is that routine cross-border professional services are caught. If your business is serving EU clients from a non-EU third country, which describes a large part of the Isle of Man’s professional services sector, you should be planning on that basis.

The timeline is uncomfortable, as the Island is currently so busy with Moneyval. The European AI Office and national market surveillance authorities acquire formal enforcement powers, including the power to levy significant administrative fines on non-EU entities, on 2 August 2026. That is eight weeks away.

Some of the AI Act is already in force. The AI literacy obligation in Article 4 has applied since 2 February 2025. There is no transition period left to run. It requires training calibrated to each person’s role and the context in which they use AI. The speakers in Dublin were blunt that a single generic e-learning module rolled out firm-wide does not discharge it. If you haven’t started, you are not early. You are behind.

The next wave lands in August: transparency obligations for AI-generated content. Client-facing material that could be mistaken for human-authored work must be disclosed as AI-generated. For a law firm, that could reach into engagement letters, advice, and client correspondence.

One more thing the conference made unambiguous: deployer liability cannot be outsourced. You can’t contract it away to your AI vendor, and one shouldn’t take vendor claims of “AI Act compliant” at face value, because the harmonised European standards that would make such claims verifiable don’t yet exist. Self-certification is the current norm. Caveat emptor, with fines attached.

The EU Timeline

From a distance, the AI Act looked like a big chunk of growing regulation to me, not always linked to how AI tech is morphing (at warp speed). The European AI Office’s implementation programme is serious though: a governance structure built with Member States through the AI Board, regulatory sandboxes, a Scientific Panel, detailed guidance documents, and an AI Act Service Desk for businesses trying to comply (EU Login account or eID currently required). Guidelines on high-risk classification are in consultation now. This is institution-building at scale, and it was on full display in Dublin.

But two things undercut the confidence.

First, the timelines keep moving. The Digital Omnibus (politically provisionally agreed on 7 May, still awaiting formal adoption) pushes the high-risk rules to December 2027 for Annex III systems and August 2028 for products under Annex I. The watermarking transition now runs to December 2026. Each delay is individually defensible, as the harmonised standards the high-risk regime depends on simply aren’t finished. But the cumulative effect is a regime that gains enforcement powers in August while still negotiating what some of its central obligations mean.

Second, the EU’s own instruments don’t yet agree with each other. My favourite example from the conference: the AI Act requires deployers of high-risk systems to retain logs for at least six months, while the GDPR gives the people in those logs a right to erasure. Brussels has produced two regimes that can simultaneously order you to keep and delete the same data. Joint EDPB–Commission guidelines on the GDPR–AI Act interplay were promised for early 2026 and are now expected “imminently”.

The small jurisdiction question

So where does this leave the Isle of Man, a jurisdiction that has allocated a substantial budget and set up a National AI Office behind the ambition of taking AI seriously?

Here is the uncomfortable version: the EU already regulates a large part of future Manx economic activity, extraterritorially, whether Tynwald ever passes AI legislation or not. Anyone tempted to think a small jurisdiction can simply wait and write its own, lighter rulebook and call it a competitive advantage should sit with Article 2(1)(c) AI Act for a while.

There is, though, a model for divergence at the margins. Post-Brexit, the UK quietly rewrote Article 22 of its version of the GDPR: since February 2026, the right not to be subjected to solely automated decision-making, which is a near-blanket restriction in the EU, now bites strictly in the UK only where the decision is based on sensitive personal data. Everything else is relaxed and permitted to a degree, subject to safeguards. It is regulatory arbitrage of a deliberate, surgical kind: keep the framework recognisably European, loosen the specific provision business finds most constraining. Whether the UK (or the Isle of Man) attempts the same manoeuvre with the European AI standards remains to be seen. But it shows that convergence and divergence are not all-or-nothing.

None of this is an argument for fatalism. It’s an argument for precision about what’s actually on offer. Convergence on the EU baseline is happening anyway, so the value a small jurisdiction can add lies in everything the EU machinery does slowly and impersonally: clarity about how the baseline applies locally, fast and authoritative guidance, maybe a regulator you can actually speak to, and legislative gap-filling where the EU regime is silent or self-contradictory. The GDPR-versus-logging conflict will eventually be resolved in the EU at Brussels speed. But a small jurisdiction could publish a sensible position in a month, once there is clarity and consensus.

That is a different and humbler proposition than “first mover advantage.” It might also be a more durable one.

If you run an Isle of Man firm: five things to do now

1. Inventory your AI tools — including the ones embedded in software you already pay for (document management, research platforms, Copilot features).

2. Map tools to people and clients — who uses what, in what context, and whether any output reaches EU-based clients or candidates.

3. Start role-differentiated AI literacy training and document it — the obligation is already live, and the documentation is your evidence of compliance.

4. Review engagement letters and vendor contracts — AI use disclosure for EU clients ahead of August; data processing terms, incident notification, and training-data restrictions on the vendor side.

5. Designate an AI governance lead and adopt a policy — acceptable use, human oversight, incident response — before enforcement powers arrive on 2 August.

I attended IAPP AI Governance Global Europe in Dublin, 2–4 June 2026. Views are my own, and nothing here is legal advice. If any of the above describes your firm, take some. This is AIOM, (optimistically) fortnightly from the Isle of Man. I fell off the posting schedule while I was busy with the Manx Bar Exam (which I thankfully passed with distinction). Please feel free to subscribe if you think the interesting experiments are happening in places you haven’t been watching.