brookst 2 hours ago
The ideas are debatable but generally correct. The EU's problem is that regulation stops at the ideas, and it is intentionally designed so as to be impossible to ensure compliance in advance. So the regulation is really after the fact and a subjective judgment by regulators. So there's tons of risk even if you genuinely believe you're complying with the prescribed intents. My opinion on EU regulation would flip 180 degrees if they offered any kind of pre-clearance where you could propose a product, feature, or policy and be told in advance if it meets their subjective requirements. IMO you can have clear, specific requirements in advance, or you can have a body that provides interpretations of spirit-of-the-rules regulations in advance. Having neither is a problem. (Yes, I'm aware of the argument that if you tell companies what's legal in advance they will just do the bare minimum or find loopholes... I don't find that to be a legit rule-of-law system.)
9dev 2 hours ago
I understand that desire entirely, but I'm not sure if it would work that way. Take an ISO 27001 certification (or SOC, if you like): there is no one clear set of things to do, but both guidance and requirements that you need to address and be able to defend your concrete implementation. And I generally like that a lot better than having a set of hard this-way-or-no-way checklists that invariably consist of 80% bullshit ceremony for giant corporations. ISO nudges you toward that too, but if you're able to deliver the same security guarantees with less, auditors will usually be happy. The same, in general, works for GDPR regulations as well: the law is mostly about doing the right things, but not spelling out the billions of cases and permutations and strategic decisions involving privacy in one way or another.
dreamfactored 2 hours ago
It's deliberately not prescriptive, as the implementers are the ones best placed to solve for requirements; you don't want policy makers providing technical checklists. And it's not unstructured: ISO 42001 essentially encodes it.