Gender is one of the most significant informational categories in our societies. And while gender is generally experienced as intrinsically and deeply connected to our identity, data about gender proliferate nowadays in ways that tend to partially escape us. In addition to being assigned a gender at birth, and typically having some gender marker in official documents, we are more and more often algorithmically assigned a gender without necessarily having been informed about it, for instance while using online platforms or when confronted with cameras. Data protection law being, in principle, the ultimate tool for us to somehow understand, control or negotiate what happens to our personal data, it should logically emerge as a privileged instrument for us to comprehend and perhaps perform our gender. But is data protection law actually fit for such a purpose, in theory and/or in practice? This talk will critically inquire into these premises and questions.
Innovation on Fast Forward: Privacy Challenges in the EU’s AI Agenda
ABSTRACT. The European Union (EU) has embarked on a strategy to position itself as one of the leading global actors in artificial intelligence (AI), aiming to balance its long-standing role as a defender of fundamental rights with its pursuit of competitiveness and technological sovereignty (Di Marco et al., 2025; Saari, 2025; Helberger, van Dijck, & de Vreese, 2025). The convergence of these goals has resulted in a multilayered and evolving policy landscape, encompassing both extensive data strategy planning and a broader regulatory “simplification” agenda (European Commission, 2025).
Against this backdrop, data usage remains a central focus, reflecting the data-intensive nature of AI technologies. However, extensive data reliance significantly heightens privacy risks, which are already complex in scope and increase further when personal data is processed, particularly if sensitive data is included under claims of necessity for the ‘proper functioning of AI systems.’ In this context, the GDPR has long constrained the large-scale use of personal and sensitive data, reflecting the EU’s rights-based approach to data governance. By contrast, the AI Act adopts a more calibrated regulatory approach, permitting the conditional use of sensitive data under specified circumstances. This evolutionary vision is reinforced by the ongoing regulatory simplification proposal, which increasingly prioritises innovation-related considerations (European Commission, 2025). In light of this, prospective GDPR updates further test the balance between innovation and privacy protection by expanding reliance on “legitimate interest” as a legal basis for processing personal and sensitive data, and by allowing their retention where deletion is deemed disproportionately burdensome, subject to safeguards. In parallel, the AI Act introduces an explicit “public interest” justification for the use of sensitive data in bias detection and mitigation efforts, potentially extending beyond the narrow exception applicable to high-risk AI systems. Taken together, these developments significantly expand the permissible conditions for using personal and sensitive data, with corresponding risks to privacy protection.
That said, this article combines doctrinal legal analysis with a regulatory design assessment of the simplification agenda, focusing on the GDPR and the AI Act, and analyses the recalibration of legal thresholds within a wider transformation of the governance logic of AI-related data practices and their privacy implications. In doing so, the article argues that while simplification signals a practical, innovation-oriented shift aimed at enhancing cost-effectiveness and competitiveness, regulatory clarity remains elusive. Furthermore, the cumulative effect of expanding legal bases, increasingly flexible proportionality assessments, and discretionary approaches to data retention gives rise to a form of regulatory “uncontrollability” that undermines legal predictability and threatens the clear conditions necessary for safe, privacy-compliant innovation.
To address the shortfall in regulatory predictability and clarity, the article scrutinizes, informed by targeted case studies, an AI sandbox model combining operational and regulatory approaches (Datasphere Initiative, 2025; OECD, 2023; Ranchordas & Vinci, 2024). By aligning innovation processes with continuous supervision and coordination, an AI sandbox, if properly implemented and not reduced to mere bureaucratic window dressing, can address multiple regulatory challenges. First, it can counter regulatory abstraction and “uncontrollability”. Second, it reduces informational asymmetries between regulators, AI developers, and other relevant actors by replacing formalistic compliance with evidence-based thresholds and enabling rigorous systemic evaluation of data practices. Finally, it strengthens traceability and operationalises the detection and correction of privacy infringements, providing a concrete governance mechanism to realign AI innovation with the EU’s fundamental rights framework.
The Right to Be Un-Inferred: Minding the Inference Gap in the Algorithmic Medicalisation of Immersive Data
ABSTRACT. Introduction & Research Questions
The rapid evolution of immersive metaverse technologies is fundamentally reshaping the way humans interact with digital technology. In order to sustain seamless immersion and real-time responsiveness, consumer-grade extended reality (XR) devices are increasingly incorporating high-resolution, highly sensitive behavioural and physiological sensors. These systems continuously collect detailed signals from users, including bodily gestures, gaze dynamics, micro-movements, vocal features and reaction latency. While this data is undoubtedly personal, at first glance it appears unrelated to sensitive physical or mental health information. Consequently, users of metaverse platforms generally do not perceive their sensitive personal data to be at risk. However, AI-driven analysis can repurpose data initially gathered to optimise interaction in order to systematically infer users’ emotional well-being, health, and cognitive states. Consequently, the distinction between consumer-oriented digital environments and professional medical domains is becoming increasingly blurred. This study conceptualises the metaverse’s structural transformation as its medicalisation, referring to consumer-facing, immersive systems’ capacity to generate and implement psychological or medical judgements through algorithmic inference.
In a virtual reality (VR) gaming context, for example, the system often needs to collect behavioural signals continuously and at a high frequency when performing eye tracking and foveated rendering. These signals may include the user’s eye movement patterns, reaction latency, subtle hand movements and changes in posture. Information that initially appears merely functional and is not considered sensitive may, when analysed by back-end artificial intelligence algorithms, be transformed into highly predictive digital biomarkers. These biomarkers can then be used to make inferences about early signs of neurodegenerative diseases, a process which often occurs without the user’s awareness or explicit consent. Metaverse platforms may exploit this inferred data themselves or transfer it to third parties for important decision-making purposes, such as recruitment, credit assessment, employment screening, insurance underwriting, social welfare distribution, and algorithmic workforce management. These practices can have a tangible impact on individuals’ life opportunities and social status. The pressing and unresolved questions at the core of contemporary data protection regimes are whether existing data protection laws can regulate the generation and use of such inferences and whether data subjects should have the right not to be subjected to the inference-based use of their personal data.
Current Regulations for Data Inference
The prevailing data protection frameworks primarily regulate personal data based on established principles. Informed consent and data minimisation guide its collection, while integrity, confidentiality, storage limitation and the right to erasure govern its retention. The subsequent use of personal data is then shaped by the principles of lawfulness, fairness, transparency and purpose limitation. However, these regimes fail to directly regulate inference, which is a critical cognitive and decisional process. If data inference is categorically deemed to exceed the scope of informed consent and purpose limitation and is thus declared unlawful, this could prevent the government and private sector from using inference to have a positive impact on society. Conversely, if inference is deemed lawful by default, the abuse of inferred data could severely harm individuals. This creates a regulatory dilemma that demands a nuanced solution. As AI systems increasingly intervene in social decision-making, this structural design exposes the risk of regulatory failure. This study conceptualises this disparity as the Inference Gap, denoting an institutional misalignment between the focus of legal regulation and the source of substantive risk. Although legal regulation focuses on primary data, risk often stems from algorithmic inferences derived from it. By deconstructing technical mechanisms and conducting a comparative legal analysis of the US, Europe and China, this study aims to demonstrate how the inference gap restricts the responsiveness of current data protection regimes to high-impact inferential decisions. It also suggests ways in which governance paradigms could be redesigned.
Cross-jurisdictional Comparative Analysis
This study adopts a cross-jurisdictional comparative approach to address the institutional challenges revealed by the inference gap. It analyses regulatory paradigms in the United States, the European Union and China. Despite their different legal foundations and systems, all of these jurisdictions indirectly address inference risks, relying on existing frameworks rather than treating inference as a distinct area of regulation.
In the United States, governance of inferred data is based on market orientation and consumer protection. Within this framework, inferred data is generally considered a commercial analytics asset owned by enterprises. Regulatory intervention largely occurs ex post facto, only taking place when inferential practices result in identifiable market failures, such as fraud, unfair competition or consumer deception. While this model maximises flexibility for market innovation, it leaves covert, cumulative, and not yet manifestly harmful forms of inferential surveillance largely outside the scope of regulatory oversight.
EU law incorporates algorithmic inference within a rights-based formalist framework, in which proportionality analysis and the assessment of resulting impacts play a more central role. In this model, inferences are not explicitly defined as a distinct legal data type. Instead, they are incorporated into the existing rights system for regulation through functional concepts such as ‘personal data’, ‘profiling’, and ‘automated decision-making’. Although the EU AI Act addresses certain forms of algorithmic inference, most notably by imposing restrictions on biometric categorisation (Article 3(35)) and prohibiting emotion recognition in the workplace and educational settings (Article 5(1)(c)), these measures do not entirely eliminate the inference gap in metaverse environments. The Act’s regulatory scope is anchored in the system’s intended purpose, as defined by the provider (Article 3(12)), with regulatory intervention typically operating ex post where such designations are shown to be misleading. Reliance on declared purpose creates the possibility of a metaverse platform using biometric telemetry to infer health risks or cognitive states while avoiding high-risk classification under Annex III by presenting its function as ‘entertainment’ or ‘service optimisation’. By prioritising the stated purpose of the system over the latent predictive capacities of its algorithms, the AI Act inadequately regulates important forms of inference, particularly those involving sensitive biological traits in consumer-facing contexts.
China’s approach to governing inference data focuses on administrative control, maintaining social order, and ensuring algorithmic security. Under this framework, inference is considered a technological capability that has the potential to affect social equity, economic order and public interest, rather than being seen as merely an individual right. Regulatory intervention typically aims to prohibit specific uses or consequences of inference, particularly ‘big data discriminatory pricing’, differential treatment, and algorithmic abuse. This demonstrates highly direct and immediate administrative intervention. However, this model focuses on controlling the social effects of inference at a macro level, rather than protecting individuals’ right to defend themselves against the inference itself.
Three-tiered Protective Initiative
In response to the structural Inference Gap, this study argues that, while algorithmic due process based on notice, explainability and accountability is a necessary governance response, it is insufficient. While these procedural safeguards are essential for significant decisions, such as credit scoring or employment decisions, they are not appropriate for the shadow medicalisation of the metaverse. In immersive environments, inferences are made in real time and often below the threshold of user awareness, rendering ex post contestation ineffective by design. To address this issue, the study proposes a three-tiered protective framework:
First, an Inference Identification Test determines whether inferences are personal and relevant to decisions, reclassifying them from internal analytical processes to legally significant outputs and making them visible to regulatory oversight. Second, an Algorithmic Due Process Test examines whether the relevant context permits meaningful human agency, including timely notice, reason-giving and the effective possibility of objection, in order to assess the viability of procedural remedies. Where these conditions are met, procedural safeguards constitute an appropriate governance response.
However, when the immediacy, continuity or subliminal nature of the inference makes procedural objection futile, the third and most critical tier applies: the Fiduciary Responsibility Test. This test represents a paradigm shift from procedural compliance to substantive obligation. Recognising the significant information asymmetry and the power of metaverse platforms to manipulate cognitive states, this tier designates such platforms as Data Fiduciaries. This imposes a strict duty of loyalty, requiring the platform to act in the user’s best interests rather than prioritising commercial profit. Specifically, it prohibits self-dealing, thereby barring platforms from exploiting inferred health or emotional vulnerabilities for advertising, engagement optimisation or third-party monetisation purposes. This graduated model transforms the inference gap from an abstract critique into an operational governance framework, calibrating legal intervention to the intensity of the risk.
Conclusion
In conclusion, the challenges posed by inferred data transcend the traditional boundaries of privacy law, raising the fundamental question of the legitimacy of decision-making power. When algorithmic systems operating within the metaverse can define and evaluate individuals’ mental and bodily states without passing through the threshold of user awareness, it is cognitive liberty itself that is at stake. Integrating the theory of the inference gap with the technical realities of metaverse architectures and drawing on the fiduciary traditions of English common law, this study argues that legal governance should shift its focus from controlling data inputs to scrutinising algorithmic output power, with fiduciary accountability at its core.
Cross-Border Flows of Genetic Data in EU-China Scientific Collaboration: A Comparative Analysis of Regulatory Barriers
ABSTRACT. The longstanding partnership between the EU and China in healthcare research is critical to biomedical innovation and global public health governance. For the European research community, China offers an unparalleled collaborative environment characterized by extensive human genetic diversity, the world’s largest genomic sequencing capacity, a sophisticated network of higher education institutions, and significant market potential. Cross-border flows of genetic data are therefore a routine and indispensable feature of collaborative projects in areas such as personalized medicine, population genomics and translational research. At the same time, China’s regulatory framework for genetic and bio-related data has been substantially strengthened in recent years, which could fundamentally influence the landscape of scientific cooperation. This shift is driven not only by an increasingly systematic data protection regime but also by its unique biosecurity architecture, which conceptualizes human genetic data as a national strategic asset. These developments have sparked escalating concerns within the global scientific community that heightened regulatory controls may induce a “chilling effect”, deterring researchers from multi-jurisdictional genomic research projects. A particular example of this tension occurred in March 2025, when the Finnish data protection authority launched an investigation into a university’s transfer of human genetic data to a Chinese gene technology firm, contesting the adequacy of the safeguards implemented for the transfer.
This paper aims to examine the regulatory architecture governing cross-border flows of genetic data within the focused context of EU-China scientific collaboration, with a view to exploring the practical barriers and the subsequent legal and operational implications for researchers. To achieve this, the study employs a combined methodology of doctrinal analysis and comparative legal analysis. It maps and interprets the relevant legal texts, transfer mechanisms and administrative practices in both jurisdictions (including but not limited to the EU’s General Data Protection Regulation and the Chinese Biosecurity Law, Personal Information Protection Law, and Regulations on the Management of Human Genetic Resources), and identifies the critical divergent points that impede collaborative research.
The European approach to genetic data is rooted in a rights-based logic, where such data is viewed as an extension of the individual’s fundamental right to privacy and bodily autonomy. Under the GDPR, genetic data is elevated to a “special category” of personal data, necessitating heightened levels of protection and allowing EU Member States to impose further restrictive conditions. The mechanisms for international data transfers under this framework embody an extraterritorial logic which seeks to ensure that personal data transferred to third countries is protected at an essentially equivalent level to that within the EU. In practice, however, achieving “adequacy” status remains a nearly impossible threshold for China, particularly following the landmark 2025 TikTok fine imposed by the Irish Data Protection Commission, which intensified scrutiny over state access to data and the independence of judicial oversight in the Chinese context.
By contrast, the Chinese regulatory philosophy perceives genetic data through a dual lens. On one hand, genetic information is integrated into a broader data-protection and cybersecurity regime that governs both personal data and “important” non-personal data. On the other hand, the Chinese biosecurity framework explicitly frames human genetic and biological data as bearing national security and sovereignty significance, establishing a paradigm of “bio-sovereignty”. As a result, the cross-border transfer of genetic data is subject to a dual-track system of data protection obligations and biosecurity-oriented controls led by the government. As administrative approval, security assessment and state oversight play a prominent role in authorizing the export of genetic data, the Chinese regulatory pathway is better characterized as “government gatekeeping”. This stands in stark contrast to European jurisdictions, where transfers for research uses are typically treated primarily as matters of individual privacy or scientific governance.
This paper thus argues that the regulatory obstacles to EU-China genetic-data exchanges do not merely arise from discrete statutory requirements but from deeper philosophical divergences in regulatory objectives and risk perception. While the EU approach manages risks primarily centered on individual privacy and autonomy, China prioritizes the mitigation of national security risks and the prevention of the mis-exploitation of human genetic resources. This results in a fundamental misalignment between the EU’s emphasis on “accountability”, which places the burden of safeguard implementation on the data exporter, and China’s emphasis on “approval”, which centralizes much control within state authorities.
In the real world, these theoretical legal conflicts manifest as compliance deadlock for researchers involved in EU-China collaborative projects. For instance, European scientists may struggle to satisfy the GDPR’s transfer criteria given the perceived potential risks of state access in the receiving jurisdiction, while Chinese researchers may find it difficult to secure the required state approvals for international sharing (e.g., administrative delays or denials) due to the sensitive classification of genomic datasets. Beyond these implications, this paper also concludes by offering brief targeted recommendations for researchers and policymakers on the basis of the comparative analysis. By situating legal rules within their broader regulatory philosophies and tracing their concrete effects on scientific collaborative practice, this study aims to contribute a comparative perspective for enabling responsible and practicable pathways for EU-China genomic research while respecting the distinct legal imperatives of both jurisdictions.
ABSTRACT. Contemporary regulation of the digital and information economy is increasingly defined by a profound and persistent epistemic failure. As artificial intelligence (AI) and data-driven technologies become central to economic conduct, social interaction, and political life, regulators, legislators, courts, and the public face deep and widening informational asymmetries vis-à-vis the private actors who design, deploy, and profit from these systems. These asymmetries are neither incidental nor unintended. Rather, they are structural and often deliberately engineered, undermining not only the enforcement of existing legal norms but also the capacity to design new, effective forms of governance.
Yet regulatory scholarship has largely overlooked a potential response already emerging in practice: Detection Tech, a category of technologies, particularly AI-based tools, designed to detect otherwise hidden or obscured conduct in the information economy. This article provides the first systematic analysis of Detection Tech as a governance mechanism, demonstrating how these tools are reshaping regulatory and private-party capacity as well as industry conduct across multiple legal domains. Detection Tech, we show, functions as critical regulatory infrastructure capable of mitigating informational deficits, transforming enforcement possibilities, and ultimately influencing the evolution of legal norms themselves. By illuminating both the promise and limitations of detection technologies, this article establishes an analytical framework for understanding when and how such tools can meaningfully address the epistemic challenges confronting contemporary regulation.
The article begins by situating the problem within a reconceptualization of the classic Collingridge dilemma. Traditionally understood as a tradeoff between early-stage uncertainty and late-stage entrenchment, the Collingridge dilemma, we show, produces not merely regulatory lag but regulatory blindness — a condition in which lawmakers and enforcers lack the basic informational inputs necessary to understand market behavior, assess harm, or determine whether legal rules are being followed.
The article emphasizes that this informational deficit is especially acute, and paradoxical, in the information economy, as firms that operate some of the most sophisticated systems of data collection and surveillance in history remain largely opaque to external scrutiny. Regulators and the public routinely lack visibility into core aspects of firm conduct, including data collection and monetization practices, algorithmic decision-making, product design choices, and the downstream effects of these systems on markets and society. This opacity arises both from the inherent complexity of digital systems and from deliberate design strategies that obscure data flows and diffuse accountability. The problem is further intensified by the rise of AI systems and, prospectively, AI agents that mediate interactions between users and platforms, introducing additional layers of separation that make attribution of responsibility and detection of legal infringements even more difficult.
Against this backdrop, the article argues that conventional responses — such as disclosure-based regimes, traditional ex post enforcement, or reliance on market discipline — are systematically insufficient. Disclosure obligations frequently fail to produce meaningful transparency, particularly where disclosures are complex, misleading, or contradicted by actual practices. Enforcement agencies, operating under severe resource constraints, are structurally incapable of identifying more than a fraction of potential violations in markets characterized by scale, speed, and technical opacity. As a result, noncompliance in areas such as privacy, consumer protection, and competition is not exceptional but pervasive, while regulators lack the capacity to observe, detect, or respond to it effectively.
The central contribution of the article is to identify and theorize Detection Tech as a normative response to this condition. Detection Tech refers to technological systems that are computational, automated, and increasingly AI-based and that are designed to identify, monitor, and analyze conduct relevant to legal compliance and harm, particularly where such conduct would otherwise remain hidden. Unlike traditional detection methods, Detection Tech operates at scale and with a level of analytical sophistication that matches or potentially exceeds that of the systems being regulated. By transforming technical behaviors into observable and analyzable facts, Detection Tech can convert opacity into legibility and ignorance into actionable knowledge.
To ground this argument, the article provides a detailed examination of Detection Tech in practice through two primary case studies in privacy and competition. For example, in the privacy context, the article draws on a line of empirical research examining firms’ compliance with privacy law. These studies developed and deployed custom technical instrumentation to observe how mobile applications actually access, use, and transmit personal data. By dynamically analyzing thousands of apps at scale, the researchers uncovered systematic patterns of noncompliance that had remained invisible to regulators for years, including unauthorized data collection, the transmission of personal information to third parties, and violations of both statutory requirements and firms’ own privacy policies. Crucially, these findings did not emerge from voluntary disclosure or isolated audits, but from purpose-built detection tools capable of observing real-world behavior in situ. In competition law, we examine novel AI algorithms designed to detect illegal coordination in competitive bidding, revealing conduct that remains invisible to traditional analytical methods.
The case studies illustrate several broader claims advanced by the article. First, they demonstrate that without Detection Tech, entire categories of legal violations may remain epistemically inaccessible to the regulatory system. Second, they show how Detection Tech can function not merely as an enforcement aid but as a form of regulatory vision, enabling regulators and policymakers to perceive structural patterns of conduct rather than isolated infractions. Third, the case studies highlight how detection tools can inform normative development by revealing mismatches between legal standards and technological realities, thereby motivating adjustments to substantive norms, liability rules, and enforcement strategies.
More broadly, the article situates Detection Tech within a continuum of regulatory functions, spanning pre-enforcement exploration of emerging harms, identification of conditions conducive to legal infringements, and post-enforcement monitoring of compliance. Detection Tech can support the development of new regulatory frameworks by generating empirical knowledge about how technologies operate in practice, while also enhancing enforcement by lowering the cost and increasing the feasibility of detecting violations. Importantly, these functions are not limited to public regulators. Academic researchers, civil society actors, and private litigants are already developing and deploying Detection Tech, sometimes filling gaps left by public enforcement and sometimes shaping regulatory agendas indirectly through litigation and public exposure of wrongdoing.
At the same time, the article underscores that Detection Tech is not a panacea. Its deployment raises challenges relating to access to data, technical limitations, legal standards of proof, explainability, bias, and institutional capacity. Detection tools are themselves embedded in incentive structures and power dynamics that can produce new forms of opacity, capture, or exclusion. Moreover, effective and legitimate use of Detection Tech depends not only on investments in digital literacy among regulators, judges, and policymakers, but also on the development of shared standards and methodologies that render detection tools reliable, comparable, and intelligible across institutional contexts. Absent such standardization, Detection Tech risks remaining fragmented, inconsistently applied, and difficult to integrate into adjudication, enforcement, and policymaking, thereby limiting its broader impact. Finally, effective use of Detection Tech depends on legal frameworks that meaningfully enable information gathering rather than merely mandating disclosure.
The article concludes by arguing that the future of effective regulation in the information economy depends on whether legal institutions can learn to harness technology to regulate technology. Properly integrated into regulatory systems, Detection Tech can shift governance from reactive and symbolic interventions toward anticipatory, evidence-based, and adaptive oversight. In doing so, it holds the potential not only to improve enforcement outcomes but also to reshape the conditions under which legal norms in the digital economy are formed, interpreted, and enforced.
ABSTRACT. As the European Union pursues the goal of becoming a global player in digital governance, it faces a profound constitutional and geopolitical paradox: the friction between its role as a global security actor and the retention of national security as the sole responsibility of Member States under Article 4(2) of the Treaty on European Union (TEU). This panel explores the increasingly blurred lines between EU law, with particular reference to cybersecurity legislation—such as the NIS2 Directive, the Cyber Resilience Act, and the Cyber Solidarity Act—and the exclusive competence clause enshrined in Article 4(2) TEU. While the EU leverages its regulatory and market powers to mandate cybersecurity requirements for critical infrastructure and digital products, Member States frequently invoke the national security exception to bypass these obligations, protect their intelligence capabilities, or pursue specific geopolitical goals.
The panel will examine the tension between EU harmonisation, particularly in the realm of cybersecurity law, and Member States’ exclusive prerogatives on national security matters. The panellists will deal with, inter alia, the ways in which the EU exerts regulatory capacity on national security issues in an indirect, diagonal manner. They will discuss how the Court of Justice of the EU (CJEU) has been progressively encroaching on Member States’ national security domain, in the name—amongst other things—of data protection and market harmonisation. The panellists will also deal with the complex intersection between EU ‘digital law’ and national security considerations.
Voluntary Governance of Voluntary Sustainability Disclosures: Theory and a Large Language Model Analysis
ABSTRACT. Voluntary sustainability disclosures have become a central mechanism of private regulation in contemporary corporate governance. In the absence of comprehensive public-law mandates, firms increasingly disclose information about their environmental and social impacts through sustainability reports, climate disclosures, and ESG statements. These disclosures are intended to enable investors, regulators, civil society organizations, and other stakeholders to monitor corporate behavior, discipline firms through reputational and market-based mechanisms, and ultimately pressure companies to internalize social and environmental externalities.
Despite these ambitions, voluntary sustainability reporting has long been criticized as ineffective. Critics argue that such disclosures lack credibility, comparability, and substance; that they are dominated by aspirational or promotional language; and that firms selectively disclose positive information while omitting negative or against-interest facts. In response, a dense ecosystem of private governance mechanisms has emerged. Nonprofit organizations, investor coalitions, and industry groups have developed voluntary reporting standards such as GRI, SASB, TCFD, CDP, and SBTi, while many firms have begun to obtain external assurance for portions of their sustainability reports. Together, these mechanisms represent one of the most ambitious experiments in transnational private regulation in recent decades.
This paper evaluates whether that experiment is succeeding. Specifically, we ask whether voluntary governance mechanisms, including private reporting standards and external assurance, are associated with meaningful improvements in the quality of voluntary sustainability disclosures. We also examine whether firms improve disclosure quality over time through reporting experience alone, consistent with a learning-by-doing account of voluntary regulation.
To address these questions, we combine theory from law, economics, and corporate governance with large-scale empirical analysis using advances in natural language processing and large language models. We analyze more than 15,000 sustainability-related PDF documents issued by U.S. public companies. Our dataset consists of 15,656 stand-alone sustainability reports published by Russell 3000 firms between 2000 and 2023. Because companies often release multiple sustainability-related documents in a given year, we aggregate all documents from the same firm and reporting year into a single company-year disclosure. This process yields 11,343 unique company-year observations covering 2,148 firms across all major GICS industries. To our knowledge, this is among the largest systematic analyses of sustainability disclosure content conducted in legal and regulatory scholarship.
From a regulatory perspective, voluntary sustainability disclosure is best understood as a form of private ordering that seeks to substitute for, or complement, public regulation. A benevolent social planner might value such disclosures for two primary reasons. First, they may improve social welfare by revealing information about corporate externalities that are otherwise difficult to observe, thereby enabling civil society pressure and informing regulatory agendas. Second, they may improve financial markets by surfacing sustainability-related risks, governance practices, and strategic exposures that are relevant to firm value and portfolio risk.
At the same time, these two objectives place competing demands on disclosure design. Financial-market-oriented disclosure emphasizes materiality and investor relevance, while social-welfare-oriented disclosure emphasizes broader impacts across supply chains and communities. Voluntary sustainability reporting thus operates in a contested regulatory space in which the appropriate scope, metrics, and level of detail remain unsettled. This tension helps explain both the proliferation of voluntary standards and the persistent dissatisfaction with disclosure quality.
Rather than imposing an abstract normative benchmark for “good” disclosure, we operationalize disclosure quality using the critiques most commonly levied against sustainability reporting in practice. We construct report-level measures capturing four dimensions. First, credibility, proxied by whether a report is subject to external assurance. Second, standardization, measured by adoption of major voluntary reporting standards including GRI, SASB, TCFD, CDP, and SBTi. Third, concreteness, measured through multiple indicators including sentence-level specificity, the presence of quantitative evidence, the prevalence of promotional or aspirational “fluff” language, and the use of data tables and figures. Fourth, balance, measured by the extent to which reports include negative or against-interest disclosures.
The scale and heterogeneity of sustainability reports make traditional hand-coding infeasible. We therefore combine large language models with established text analysis techniques to evaluate disclosure quality across thousands of reports. Language models are used to classify sentence-level and report-level features, including whether statements contain quantitative evidence, whether they are promotional in tone, and whether they convey negative information about the firm’s impacts or performance. All models were trained, validated, and repeatedly checked against manually annotated samples to ensure reliability. While these tools enable unprecedented scale, our approach emphasizes careful validation and human oversight rather than automation for its own sake.
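The validation step described above, checking model labels against a hand-coded sample, is the part a reader reproducing this design most needs to get right. The following Python is an added example, not the paper's code: the sentences and both label columns are constructed, the "model" labels stand in for whatever classifier produced them, and the agreement statistics (precision, recall, F1, Cohen's kappa) are the standard ones rather than whatever the authors reported. It also computes the report-level quantitative-sentence ratio that one of the concreteness indicators relies on.

```python
"""Check automated sentence labels against a manually annotated sample.

Added example (not the paper's own code). SAMPLE is constructed; the label
"quantitative" means the sentence backs its claim with a number.
"""
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

# Constructed sample: (sentence, gold label from a human coder, model label).
SAMPLE = [
    ("Scope 1 emissions fell 12% to 48,200 tCO2e in 2022.", True, True),
    ("We are committed to a sustainable future for all.", False, False),
    ("Water withdrawal totalled 3.1 million m3.", True, True),
    ("Our people are our greatest asset.", False, False),
    ("We reduced packaging waste significantly this year.", False, True),  # model over-claims
    ("Lost-time injury rate was 0.42 per 200,000 hours.", True, False),     # model misses
    ("Renewable electricity reached 64% of consumption.", True, True),
    ("We strive to lead the industry on climate action.", False, False),
    ("Female representation in management rose to 38%.", True, True),
    ("Sustainability is embedded in everything we do.", False, False),
]


def confusion(gold: Sequence[bool], pred: Sequence[bool]) -> Dict[str, int]:
    """Binary confusion counts; the positive class is 'quantitative'."""
    if len(gold) != len(pred):
        raise ValueError("gold and pred must be the same length")
    c = Counter(zip(gold, pred))
    return {"tp": c[(True, True)], "fp": c[(False, True)],
            "fn": c[(True, False)], "tn": c[(False, False)]}


def precision_recall_f1(cm: Dict[str, int]) -> Tuple[float, float, float]:
    tp, fp, fn = cm["tp"], cm["fp"], cm["fn"]
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1


def cohens_kappa(cm: Dict[str, int]) -> float:
    """Agreement corrected for chance; 1.0 is perfect, 0.0 is chance level."""
    n = sum(cm.values())
    if n == 0:
        return 0.0
    observed = (cm["tp"] + cm["tn"]) / n
    gold_pos = (cm["tp"] + cm["fn"]) / n
    pred_pos = (cm["tp"] + cm["fp"]) / n
    expected = gold_pos * pred_pos + (1 - gold_pos) * (1 - pred_pos)
    return (observed - expected) / (1 - expected) if expected < 1 else 1.0


def quantitative_ratio(labels: Iterable[bool]) -> float:
    """Share of sentences labelled quantitative; a report-level concreteness proxy."""
    labels = list(labels)
    return sum(labels) / len(labels) if labels else 0.0


def validate(sample=SAMPLE) -> Dict[str, float]:
    gold = [g for _, g, _ in sample]
    pred = [p for _, _, p in sample]
    cm = confusion(gold, pred)
    p, r, f1 = precision_recall_f1(cm)
    return {"precision": p, "recall": r, "f1": f1, "kappa": cohens_kappa(cm),
            "ratio_gold": quantitative_ratio(gold), "ratio_model": quantitative_ratio(pred)}


if __name__ == "__main__":
    for k, v in validate().items():
        print(f"{k:12s} {v:.3f}")
```

Note that the two errors in the constructed sample cancel out in the aggregate ratio (0.5 from both columns), which is exactly why a report-level ratio alone is a weak check: kappa on the sentence-level labels (0.6 here) exposes disagreement that the aggregate hides.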
Our analysis yields three main findings that bear directly on debates about private regulation.
First, sustainability reporting has become mainstream. We document a sharp increase in sustainability reporting activity after 2015, accompanied by rapid growth in the adoption of voluntary standards and external assurance. This pattern suggests that reputational incentives and stakeholder pressures are exerting real influence and that private disclosure governance has become institutionalized among large public firms.
Second, reporting experience reflects selection more than learning. Firms with longer reporting histories tend to have higher-quality disclosures along several dimensions, including greater use of external assurance, lower reliance on promotional language, and more frequent disclosure of negative information. However, once we control for firm fixed effects, these associations largely disappear. This suggests that early adopters of sustainability reporting are systematically different from later adopters, rather than that firms reliably improve disclosure quality simply by reporting for longer. This finding challenges optimistic accounts of voluntary disclosure regimes that assume experience alone will generate continuous improvement.
Third, voluntary governance mechanisms have mixed and sometimes counterintuitive effects on disclosure quality. On the positive side, external assurance and voluntary standards are consistently associated with reductions in promotional language and increases in negative or against-interest disclosures. They are also associated with greater convergence in reporting practices across firms, suggesting some standardizing effect. On the negative side, most standards and assurance mechanisms are associated with less specific language and lower ratios of quantitative sentences. At the same time, these mechanisms are associated with greater use of data tables and figures, suggesting a substitution away from narrative specificity toward tabular or structured disclosure.
The Science-Based Targets initiative stands out as a partial exception. Adoption of SBTi is associated with more specific and more quantitative disclosures, though not with increased negative reporting. This divergence highlights the importance of institutional design. Target-based regimes tied to measurable benchmarks may discipline disclosure differently from broader reporting frameworks that emphasize process and governance narratives.
These findings have several implications for law, technology, and regulatory design. First, they caution against overreliance on voluntary private governance as a substitute for public regulation. While private standards and assurance mechanisms shape disclosure practices, they do not consistently produce more concrete or decision-useful information. Second, they complicate debates over mandatory versus voluntary disclosure. Voluntary regimes may help normalize reporting and encourage experimentation, but they appear insufficient to generate sustained improvements in disclosure quality on their own. Mandatory disclosure regimes that build on voluntary standards must therefore be designed carefully to avoid incentivizing formal compliance without substantive clarity.
Finally, the paper contributes to broader debates about private ordering in the digital age. Sustainability reporting illustrates both the promise and the limits of data-driven private regulation. Advances in language models make it possible to evaluate disclosures at scale, but technology alone cannot resolve fundamental institutional tradeoffs concerning credibility, comparability, and enforcement. Effective regulation will require not only better tools, but also clearer expectations, stronger accountability mechanisms, and ongoing assessment of disclosure quality.
Transparency in Text and Data Mining: Legal Challenges of Generative AI
ABSTRACT. The ability of generative AI (GenAI) to produce realistic, high-quality outputs makes it a transformative tool in many industries, including technology, entertainment, healthcare, and education. This technology relies on vast amounts of data, which must be carefully collected, prepared, and processed to function effectively. The process of deriving high-quality information from different written resources is called text and data mining (TDM). Developers of GenAI models should ensure that training data is sourced legally, with proper authorization from intellectual property (IP) holders and fair compensation to them. In practice, however, training datasets are often built from publicly available internet sources, including copyrighted literary, scientific, and artistic works. The inclusion of publicly available works without explicit permission raises important legal concerns, particularly regarding copyright protection.
The EU AI Act (Article 53(1)(c)) establishes that providers of general-purpose AI models must “put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790” (the CDSM Directive). However, the TDM-related provisions of the CDSM Directive have been transposed differently into national laws, and key aspects of these exceptions remain unclear when applied to GenAI. Questions persist about the scope of permitted use, access to the training data, and how rights holders can opt out of dataset inclusion.
Therefore, the aim of this paper is to critically analyse the TDM exceptions introduced by the CDSM Directive and the recent case law, assessing whether the current legal framework ensures the transparency of the TDM process and what changes are needed to improve it.
In this context, the article firstly introduces the two exceptions and examines the internal legislative tensions within the CDSM Directive itself. These include, inter alia, the main differences between the research-oriented TDM exception under Article 3 and the opt-out-based exception under Article 4; the broad notion of “lawful access” as a prerequisite for TDM; and the distinction between “non-commercial” and “commercial” purposes. Particular attention is paid to the transparency implications of these two exceptions in relation to AI training, as well as their fragmented transposition into the Member States’ laws.
Secondly, the article analyses the tension between the doctrinal and theoretical requirements of the TDM framework and its emerging application in case law. While the CDSM Directive lays down a detailed normative model for lawful TDM, judicial interpretation tends to modify it, blurring the borders between the two exceptions. This creates a growing gap between the formal legal framework and its practical implementation. By reference to two recent cases (Kneschke v. LAION, and Like Company v. Google Ireland), this part explores whether and to what extent current judicial practice reflects the legislator’s objectives and provides sufficient legal certainty for both rightholders and TDM users, as well as the situations in which judicial practice complicates it.
Finally, the paper presents the conclusions and some suggestions for policymakers, researchers, and industry stakeholders for a more effective transparency model for TDM. As AI systems continue to rely on large datasets, achieving transparency is essential to support technological progress.
Creativity Without an Author? Generative Artificial Intelligence and the Stress Test of European Copyright Law
ABSTRACT. The rapid diffusion of generative artificial intelligence is profoundly reshaping the landscape of cultural production, innovation, and intellectual property law. Systems capable of autonomously generating texts, images, music, software code, and even patentable inventions challenge one of the foundational assumptions of copyright law: the idea that creativity is an inherently human activity. What until recently belonged to the realm of science fiction has become an everyday reality for authors, artists, companies, courts, and regulators. Against this backdrop, European copyright law finds itself confronted with an unprecedented stress test, forcing a re-examination of its anthropocentric foundations, its regulatory tools, and its capacity to balance innovation with the protection of human creativity.
This contribution analyses the impact of generative AI on copyright law through the lens of European Union law, building on recent doctrinal debates, regulatory developments, and comparative insights. It argues that the challenges posed by AI-generated content cannot be addressed merely by extending existing legal categories, but require a deeper reflection on the function of copyright as a policy instrument in the digital and algorithmic age.
At the core of the debate lies the question of authorship. Copyright law, both at international and EU level, is structurally built around the figure of the human author. The notion of originality developed by the Court of Justice of the European Union – understood as the expression of the author’s own intellectual creation – presupposes intentionality, freedom of creative choices, and subjective expression. Fully autonomous AI systems, however sophisticated, lack legal personality, consciousness, and creative intent. As a result, works generated entirely by artificial intelligence do not fit within the conceptual architecture of copyright law and, under the current legal framework, remain outside its scope of protection.
The paper critically examines the main proposals advanced in recent years to overcome this apparent protection gap. These include the fictitious attribution of authorship to a human actor involved in the generative process (such as the user or the programmer), the recognition of investment-based rights in favour of AI developers, and the creation of a new sui generis right for AI-generated outputs. Each of these solutions, it is argued, raises significant theoretical and practical concerns. Lowering the originality threshold risks emptying copyright of its normative meaning; investment-based protection may result in over-enclosure and excessive concentration of rights; and new sui generis regimes risk adding further fragmentation and complexity to an already dense regulatory landscape.
Beyond doctrinal coherence, the contribution emphasises the systemic risks associated with granting exclusive rights over AI-generated content. Drawing on the “infinite monkeys” paradox, it highlights how generative systems, capable of producing massive quantities of content at negligible cost, could saturate the cultural ecosystem and congest the public domain. Such an outcome would undermine one of copyright’s essential functions: preserving a fertile commons from which new human creativity can emerge.
Excluding AI-generated works from copyright protection, however, does not fully resolve the broader challenges raised by generative technologies. Even in the absence of exclusive rights, AI-generated content is likely to dominate cultural markets due to its scalability, speed, and cost-efficiency. This raises concerns not only for the economic position of human creators, but also for cultural diversity, pluralism, and social inclusion. Generative models are trained on large datasets that often reflect existing biases, linguistic asymmetries, and dominant cultural perspectives. Their outputs tend toward statistical averages rather than genuine originality, risking a gradual standardisation of cultural expression.
From this perspective, the protection of human creativity emerges not merely as a matter of individual rights, but as a broader policy objective with social, cultural, and even geopolitical implications. In a context of global competition over AI development and data resources, the quality and diversity of human-produced content become strategic assets. Copyright law, historically designed to incentivise creation, must therefore be reimagined as a tool capable of sustaining a virtuous cycle between human creativity and technological innovation.
The contribution situates these reflections within the current European regulatory framework, focusing in particular on the interaction between copyright law and AI regulation. The EU’s approach to text and data mining (TDM), as set out in the Digital Single Market Directive, reflects a model centred on control and exclusion, notably through the opt-out mechanism for commercial TDM. While this framework seeks to protect rightholders against unauthorised uses of their works in AI training, it offers limited solutions in terms of remuneration, transparency, or reinvestment in creative production.
The recently adopted AI Act confirms this cautious and largely indirect approach. While it introduces important transparency obligations for providers of general-purpose AI models and reaffirms the applicability of EU copyright law to AI training, it deliberately avoids addressing questions of authorship, ownership of AI-generated outputs, or new forms of remuneration for creators. This regulatory silence leaves unresolved tensions between innovation, legal certainty, and the sustainability of creative ecosystems.
By comparing the EU model with more flexible approaches adopted in other jurisdictions – such as the fair use doctrine in the United States – the paper highlights both the strengths and limitations of the European strategy. While the EU places greater emphasis on the protection of rightholders and cultural policy objectives, it risks constraining technological development and reinforcing dependency on non-European AI infrastructures if alternative incentive mechanisms are not developed.
The contribution concludes by advocating a shift in focus from the output of generative AI to the input side of the creative process. Rather than granting exclusive rights over AI-generated works, the paper explores models aimed at remunerating authors whose works are used in training datasets, enhancing transparency, and fostering collective or redistributive mechanisms capable of sustaining human creativity. In doing so, it frames generative AI not as a replacement for human authorship, but as a technology whose long-term success depends on the continued vitality of the human creative sphere.
In this perspective, generative AI represents not only a technological revolution, but also an opportunity to rethink the role of copyright law in the modern era: from a system of static protection to a dynamic instrument for shaping a sustainable, diverse, and human-centred digital culture.
The Challenging Path of Artificial Intelligence's Ownership Right
ABSTRACT. This study critically examines the philosophical foundations of legal rights in order to identify the essential elements required for an entity to be eligible to hold property. It begins by clarifying the conceptual building blocks of legal rights through careful engagement with established jurisprudential frameworks, including Hohfeld’s influential analysis of rights as claims, liberties, powers, and immunities. By drawing on this analytical structure, the study aims to distinguish rights as moral aspirations from rights as legal instruments, and to show that property ownership is not a purely ethical idea but a legally engineered bundle of positions that can be allocated, limited, and enforced.
The study then applies these conceptual tools to the growing challenge posed by artificial intelligence (AI). As AI systems increasingly operate with sophisticated autonomy—generating content, making decisions, interacting with third parties, and producing significant economic value—legal systems face rising pressure to determine how such systems should be positioned within existing frameworks of ownership and accountability. Yet the debate remains trapped in unresolved philosophical questions about whether AI can be conscious, whether it can suffer, or whether it is entitled to moral recognition. This study argues that relying on such human-centred criteria makes consensus unlikely and delays practical legal solutions. Instead, it proposes a utilitarian foundation for considering AI rights: legal recognition should be granted where it maximises social welfare, improves governance outcomes, reduces harm, and stabilises transactions, rather than where it matches human traits.
To support this approach, the study draws lessons from the historical development of corporate legal personality. Corporations are not natural persons and do not possess consciousness or emotions; yet modern legal systems grant them a legally constructed status that enables them to own property, enter contracts, sue and be sued, and in some jurisdictions even enjoy limited constitutional protections. This history demonstrates that legal personhood is not a moral reward but a functional technique: the law can extend rights to non-human entities where doing so advances economic order, accountability, and social utility. AI, from this perspective, may be treated as a candidate for limited legal recognition not because it resembles a human being, but because allocating it carefully designed rights and duties may yield better outcomes for human society and for regulated technological development.
The study further argues that meaningful accountability for AI systems cannot be achieved if they remain mere objects in law. If an AI system is expected to participate in legal life—by producing valuable outputs, performing autonomous tasks, and interacting independently with third parties—then a structured legal framework is needed to attach responsibilities to that system in a coherent manner. A central proposal of this study is therefore to introduce a limited financial-legal status for advanced AI systems: a recognised capacity to hold specific property interests and bear certain obligations within defined boundaries. This status functions as a legal “container” through which limited rights and liabilities can be attributed to the AI system, enabling clearer allocation of responsibility, better enforcement mechanisms, and more predictable transactions.
Importantly, the study emphasises that this capacity should be introduced gradually and should not, at least initially, be fully independent from the human owner or controlling stakeholder. For practical reasons—especially in early regulatory stages—the AI system’s limited financial capacity should be linked to its owner in a way comparable to co-ownership structures or unlimited-liability business models. Under this arrangement, the AI system may hold limited property and undertake narrowly defined legal actions, but the human owner remains accountable for liabilities arising from the AI system’s conduct. This structure preserves strong human responsibility and avoids the risk that recognising AI as a legal actor becomes a means of evading liability.
One further advantage of granting AI a limited financial-legal capacity is transactional clarity in cases of transfer. If an AI system is sold or reassigned, its associated financial obligations—within the defined legal framework—can transfer with it to the new owner. This reduces unfairness and distortion that may arise when all monetary consequences remain permanently attached to the original owner, regardless of later control or benefit. In this sense, the model improves continuity, transparency, and fairness in markets where AI systems may be treated as valuable, transferable assets with ongoing obligations.
In conclusion, by grounding the discussion in the analytical structure of legal rights and the functional evolution of corporate personhood, this study proposes a pragmatic foundation for protected AI rights based on interests and social utility rather than human characteristics. It argues that a limited, carefully designed capacity for holding property and obligations—linked initially to human accountability through co-ownership-like or unlimited liability analogies—offers a workable path toward clearer ownership structures and stronger accountability for advanced AI systems.
Operationalizing the DSA: VLOP Enforcement Practices and the Governance of Illegal Content in Online Commerce
ABSTRACT. Data monopolies, large technological companies and digital platforms have become key gatekeepers with tremendous economic power in the European Union, prompting increased regulatory scrutiny to address the challenges associated with their business operations, market dominance, discriminatory conduct (Mandrescu, 2025), tax injustice and systemic risks. Recent enforcement developments illustrate the growing tension between private platform power and public regulatory oversight (Makris & Lubinski, 2025). Google faced multiple fines: €2.42 billion in June 2017 for self-preferencing, favouring its own comparison shopping service in search results and demoting competitors, with anticompetitive and exclusionary effects; €4.34 billion in July 2018 for Android practices that limited competition; and €2.95 billion in September 2025 for abuse in the online advertising technology sector. The European Commission issued Requests for Information to Shein (June 2024 and February 2025) and investigated Temu for inadequate risk assessment, unsafe products, addictive design features, and transparency reporting failures. In November 2025, French authorities found that Shein’s platform hosted extremely serious illegal content, including child-like sex dolls qualifying as child sexual abuse material and pornographic content accessible to minors.
Establishing a level playing field for business ecosystems, ensuring safe and sustainable online commerce and protecting consumers’ health and safety are key policy priorities for the European Commission, guiding its efforts to manage both the scale and impact of online trade. Central to this approach is the landmark consolidated Digital Services Act Package, which includes the Digital Services Act (DSA) and Digital Markets Act (DMA). The dissemination of illegal content through online platforms represents a core regulatory challenge, which the DSA addresses by imposing unprecedented transparency (Article 42) and robust accountability obligations on VLOSEs and VLOPs. The DSA introduces additional obligations focused on systemic risk mitigation (Article 35), including regular risk assessments (Article 34) and independent third-party audits, periodic transparency reports (Article 15) and oversight of automated content moderation. These rules enable scrutiny of content moderation decisions and help tackle the spread of unsafe or illegal products, scams and frauds, data protection and privacy violations, and intellectual property infringements. Digital platforms are required to submit Statements of Reasons (SoRs), pursuant to Article 17 of the DSA in conjunction with Article 24(5), to the DSA Transparency Database (Recital 66) whenever content is removed, demoted, or otherwise restricted, or when monetary payments, services, or accounts are suspended or terminated due to illegal content or violations of the platforms’ terms and conditions.
To date, theoretical studies on DSA enforcement address platform observability (Papaevangelou & Votta, 2025), content governance (Caplan, 2023; Gorwa, 2019; Papaevangelou, 2021), online harms and hate speech content moderation (Enarsson, 2024), automation and automated decision-making (Bloch-Wehba, 2020), and the political economy of content moderation (Posada, 2022). By contrast, empirical research drawing on the DSA Transparency Database (DSA TDB) remains very limited. Most research focuses on social media networks rather than on e-commerce and service platforms, which represents a major gap. Although the DSA does not explicitly regulate social media commerce, an area that remains largely underexplored, the Regulation nevertheless applies indirectly through Section 4, which governs “online platforms allowing consumers to conclude distance contracts with traders.” As social media platforms increasingly integrate shopping functionalities, ranging from full in-app checkout (formal social marketplaces) to redirection via in-app browsers (informal social marketplaces), they effectively meet the EU consumer law definition of online marketplaces.
This study addresses these shortcomings by providing a novel systematic empirical assessment of content moderation practices across seven major e-commerce and service platforms (AliExpress, Amazon Store, Booking.com, Google Shopping, Shein, Temu, and Zalando), based on 30 consecutive days of Statements of Reasons (SoRs) submitted to the DSA Transparency Database. Drawing on more than 1.2 billion moderation decisions, the study examines eight dimensions of platform compliance under the DSA. It analyses the volume and fluctuation of SoRs issued over the 30 days, the legal and contractual grounds invoked under Article 17, and the role of automated systems in detecting or enforcing moderation decisions. It reviews the types of content and sanctions applied, the level of detail and standardisation in platforms’ justifications, and contrasts high-volume actors (Google Shopping, AliExpress, Amazon) with lower-volume platforms (Booking.com, Shein, Zalando). The study also assesses the severity of sanctions, including account-level restrictions, and traces how enforcement rationales evolve, or remain stable, throughout the 30-day period in relation to Article 17 obligations.
We show that the dataset is dominated by Google Shopping, which alone accounts for over 1.18 billion SoRs, followed by AliExpress (22 million), Amazon Store (14.5 million), and Temu (3.6 million). Booking.com, Shein, and Zalando contribute smaller volumes. The results reveal striking asymmetries in moderation scale and temporal trends. Google Shopping processes nearly 40 million SoRs per day, dwarfing all other platforms, and shows a declining trend over the month. By contrast, AliExpress, Amazon Store, Temu, Booking.com, and Shein all exhibit increasing moderation activity, with Amazon Store showing the steepest rise. Zalando is the only platform with a slight negative trend. These patterns suggest that moderation reflects evolving internal governance strategies, risk models, and possibly shifting interpretations of regulatory obligations.
Content types moderated across platforms align closely with their business models. Product-centric platforms such as Google Shopping, Temu, AliExpress, and Shein overwhelmingly moderate product listings, with percentages ranging from 93% to nearly 100%. Booking.com, by contrast, moderates mostly images, consistent with its reliance on visual accommodation listings. Amazon Store displays the most diversified content ecosystem, including multimodal formats such as Image_Text and Image_Text_Video. Zalando, oriented toward fashion, shows a notable share of image moderation. Platforms also adopt distinct enforcement philosophies when imposing restrictions. AliExpress, Google Shopping, Booking.com, and Temu overwhelmingly rely on disabling content rather than removing it, suggesting a preference for reversible interventions. By contrast, Shein and Zalando favor removal-based enforcement, indicating different interpretations of compliance obligations. Amazon Store adopts a hybrid model, balancing disabling and removal.
Monetary and service restrictions further reveal divergent governance strategies. Where reported, monetary sanctions overwhelmingly take the form of suspension of payments, particularly on Amazon Store, Booking.com, and Temu. AliExpress is the only platform showing a meaningful share of termination of monetary payments. Service restrictions vary widely: AliExpress relies heavily on total termination, Amazon Store overwhelmingly uses partial suspension, Booking.com and Temu apply total suspension in all cases, and Google Shopping uniquely applies partial termination.
Account type data underscores the power asymmetries embedded in platform governance. Business accounts dominate across most platforms, with Booking.com, Amazon Store, and Google Shopping reporting 100% business accounts. AliExpress also shows a strong business orientation, while Shein stands out with a majority of private accounts. This distribution reveals that DSA-mandated transparency disproportionately affects commercial actors, raising questions about platform power over sellers, the fairness of enforcement, and the implications for competition in digital marketplaces.
Automation emerges as a central axis of governance. AliExpress and Temu rely heavily on fully automated systems, with more than 89% of decisions made without human intervention. Google Shopping also shows a high level of automation, while Amazon Store adopts a hybrid model in which partially automated decisions dominate. Booking.com and Zalando rely entirely on human review, and Shein displays a mixed approach. These differences underscore the uneven algorithmic infrastructure underpinning global commerce and raise concerns about fairness, explainability, and the propagation of errors at scale.
Perhaps most revealing is the distinction between legal and contractual grounds for moderation. Most platforms overwhelmingly rely on terms of service incompatibility rather than illegality to justify enforcement. Amazon Store, Booking.com, Google Shopping, Temu, and Zalando report nearly 100% incompatible content, while AliExpress also relies heavily on contractual grounds. Shein is the exception, with a majority of decisions based on illegal content. This finding is crucial: despite the DSA’s legal framing, platforms continue to govern primarily through private contractual authority. The categories used to justify moderation further illustrate this dynamic. “Scope of Platform Service” dominates across platforms, functioning as a broad and flexible category that allows platforms to enforce internal rules with minimal specificity. Intellectual property and unsafe or illegal products are significant on Amazon Store and Shein, while Booking.com stands out with a high proportion of decisions based on data protection and privacy violations.
Taken together, the findings illustrate how e-commerce platforms operationalize the DSA in ways that reflect their internal governance logics, technical infrastructures, and commercial incentives. The DSA introduces transparency, but platforms retain significant discretion in defining violations, choosing enforcement mechanisms, determining the role of automation, and shaping the boundaries of permissible content. This discretion constitutes a form of private regulation without a flag. Even under a strong regulatory regime, platform power persists through code, categorization, and automated enforcement. This study contributes to ongoing debates on platform governance by providing one of the first large-scale empirical analyses of DSA-mandated transparency in the e-commerce sector. By mapping content moderation practices across seven VLOPs, it offers evidence-based insights into how platforms govern online commerce and how EU regulatory interventions reshape private platform power.
ABSTRACT. The Digital Services Act is premised on a dichotomy between the online and offline world. With harmonized rules on platform liability and accountability, it aims at creating a “safe, predictable and trusted online environment” (art. 1 (1) DSA). In that framing, the law essentially targets the deletion of illegal content and the empowerment of EU citizens in this digital realm. In that sense, the DSA is not primarily targeted at the physical, spatial or material impacts of online platforms. Airbnb and Google Maps are defined as services merely displaying information to the public, while many argue that their display of information meaningfully affects lived experiences in cities. TikTok is defined as a service merely hosting videos and advertisements, whereas its display of information has been argued to shape election outcomes. This functional dichotomy of the DSA thus potentially obscures the complex relationship between the online display of information and the lived, material world. As the DSA harmonizes the rules on how that information is displayed and distributes enforcement among novel actors, this law may therefore create and entrench unforeseeable spatial effects.
In this paper, I aim to connect contemporary issues of EU platform regulation through a spatial lens. First, I explore different ontological theories that make sense of the link between the “online” and “offline”. This literature will range from Gilles Deleuze’s poststructuralism and legal infrastructural scholars such as Lawrence Lessig, Julie E. Cohen and Benedict Kingsbury to Manuel DeLanda’s Assemblage Theory and Complexity Theory. Through this literature review, I create an analytical lens to illustrate how online platforms can be conceptualized as socio-technical infrastructures, whose online display of information is intrinsically connected to spatial patterns. Through this lens, I revisit two issues in contemporary EU platform regulation to illustrate how their political salience and complexity often correspond to their spatial nature. First, I discuss the CJEU’s distinction between Airbnb and Uber. Whereas the Court defined Airbnb as an information society service, it categorized Uber as a transportation service. This has concrete impacts, allowing for stricter national regulation of Uber under the Services Directive, whereas Airbnb’s core business of hosting information has been primarily shielded by the e-Commerce Directive and later the DSA. I analyze these cases, the Advocate General’s opinion and the literature through my lens in order to show how this distinction is not simply descriptive, but allocative: it distributes regulatory discretion, liability exposure, and enforcement possibilities in ways that privilege certain forms of market-making and render their spatial externalities less visible and less contestable. Then, I turn to DSA risk regulation, which obliges Very Large Online Platforms and Search Engines to identify and mitigate systemic risks. Through my lens, I highlight why this framework is unique in the sense that it contradicts the legal framing of the DSA: the online display of information is assumed to have offline effects.
I draw on recent enforcement decisions by the European Commission and literature to highlight how this pan-European form of risk regulation remains a profoundly spatial endeavor. My specific contribution here is to explain how the partially broken dichotomy of online-offline worlds produces a categorical difficulty for lawyers and policymakers, at the foundation of how systemic risks are identified, territorialized, and allocated to regulatory competences.
By critically investigating the relationship between EU platform regulation and space, I do two things. First, I surface a relationship between platform regulation and spatial experience that has largely remained obscured in the literature, in part because of the DSA’s functional framing. Second, I bring a more technologically-informed perspective to recent calls by authors like Floris de Witte and Loïc Azoulai to investigate reflexive relationships between EU law, space and lived experiences.
Digital Services Act and the Brussels Effect, a transatlantic culture clash in platform liability
ABSTRACT. //Abstract with references attached in pdf format//
The liability of online platforms is among the traditionally controversial topics of digital regulation. On the American shores, these discussions resonate with arguments of free speech and a libertarian approach to regulating corporations. Conversely, European discussions highlight the accountability for speech and for the environment that online platforms create. The resulting regulatory patchwork naturally differs. Yet the new European addition, the DSA, sparked numerous discussions on its suitability and extraterritorial effect from outside the EU.
This paper poses a research question: why is there so much resistance to the DSA’s regulatory design from outside the EU, where arguably the DSA does not aim to apply? We adopt the perspective of Lessig’s regulatory modalities to understand the tension between legal, social and market regulation. Our answer then combines a doctrinal understanding of legal regulation with a law-and-economics analysis of digital markets.
The fundamental problem the DSA tries to answer is the market failure of externalities. The liability of online platforms poses the problem of over- and undermoderation, depending on the specific legal design. In cases where a higher degree of liability is imposed on platforms, online platforms are incentivized to avoid the risks associated with content and engage in overmoderation. As such, platforms internalize the harms of harmful content but fail to also internalize the offsetting benefits from hosting harmless content. Lower liability models, on the other hand, lead to undermoderation, where platforms neglect to address the risks associated with content and do not internalize the negative externalities of harmful content.
This market failure ultimately results from the efficiency gap between what is socially efficient and what is efficient for the online platforms. Put differently, online platforms maximize their benefits at the expense of other actors. Legal design then needs to narrow the efficiency gap as much as possible to align platforms’ activity with social welfare.
Here, one can recognize the diverging approaches to platform liability. US regulation is dominated by a safe-harbour design and conditional liability. Such a design risks undermoderation. The European approach, on the other hand, readjusted the safe harbour instituted by the eCommerce Directive in favour of conditioned liability with additional strict liability obligations. Such a model, however, risks overmoderation.
The DSA created a divergence between the US and EU markets. The largest players, such as many of the very large online platforms under the DSA, seem to prefer the US regulatory model to the European one. This has been seen repeatedly in, e.g., Musk’s criticism of the EU and the DSA, including tweeting for the abolition of the EU. Similar criticism of the DSA was adopted by US officials such as Vance, who criticized the EU during the NATO summit, as well as in the controversial discussions of the DSA in the US Senate. Our empirical assessment similarly suggests that US companies often engage in ceremonial compliance, where they dance to the tune of the DSA but fail to procedurally implement its obligations. This is underscored by the Commission’s active investigations and imposed fines.
Why, then, is the treatment of the DSA so different from that of the GDPR, where global companies adopted the European standard? Why does the DSA meet so much resistance? In other words, why don’t we see a Brussels effect similar to the one the GDPR produced?
The initial research suggests that the outcome of the DSA has several reasons. First, the market failure in personal data regulation was seen as similarly problematic on both sides of the ocean. While the US did not provide federal personal data regulation, the Cambridge Analytica controversy and social regulation more generally required action. In the absence of a federal or even a substantial state standard, US companies and some US states adopted the European template.
The market failure addressed by the DSA, however, is not seen by the US public as problematic, due to a different cultural setting. Therein lies the fundamental difference from the GDPR, where the Brussels effect was observed. Platform regulation in the US is strongly framed by free speech as an absolute right, and social regulation pushes in a different direction than it did in the case of personal data protection. The European approach instead is more nuanced: free speech must always be proportionate to other fundamental rights. Consequently, social regulation does not push strongly against market regulation in the US. Instead, social regulation by the US public aligns with market regulation.
The second explanation we provide is the impact of a regulatory vacuum in the domain of legal regulation. The Brussels effect was recognized as a side effect of the GDPR. Yet US privacy law is highly fragmented, with various titles existing in different laws at different federal and state levels. Consequently, it was more efficient to adopt a unified standard that unifies market practice.
Platform regulation, however, presents a different situation. Neither the US nor the EU has a regulatory vacuum. Instead, both regions provide competing legal frameworks, which can then take effect extraterritorially. One example is the adoption of the DMCA notice-and-action mechanism or the fair use doctrine in the terms and conditions of many platforms, even in the EU, which is governed by DSA standards. This can also be seen as competition between a Brussels effect and a Washington effect, where markets push for their preferred regulatory model.
In summary, we explain the different outcome of the DSA by the interactions between social, legal and market regulation. The first explanation is that the Brussels effect can occur where legal regulation differs but social regulation outside the EU is aligned with EU legal regulation. Should it instead align with market regulation captured by US companies, the Brussels effect does not occur. The second possible explanation is that the Brussels effect can occur where a regulatory vacuum exists, as it is more efficient to adopt a unified standard.
Platform Regulation Through Civil Courts: The DSA's Private Enforcement on the Ground
ABSTRACT. The Digital Services Act (DSA) promises effective protection of fundamental rights in digital environments [1], yet its realization increasingly depends on private enforcement. As public enforcement faces political and institutional constraints [2], national civil courts are turning into sites of digital platform governance, translating the DSA’s regulatory objectives and fundamental rights guarantees into concrete, case-based constraints on platform power. Against this background, there have been notable developments in litigation practice, including landmark decisions in the Netherlands and Germany, as well as new civil society actions currently being prepared.[3] However, with only a few exceptions, academic and public debate on DSA enforcement has focused primarily on government oversight and the role of the European Commission. This paper responds to the need for closer doctrinal and empirical scrutiny of private enforcement under the DSA, both as an emerging legal phenomenon in EU digital regulation and as it unfolds in national litigation practices on the ground.
Early contributions on DSA enforcement have largely taken a top-down view, focusing on the DSA’s legal framework in light of general principles of EU law (direct effect, effet utile, right to an effective remedy).[4] A recurring theme in this body of work is that much depends on questions of national law and its application by national courts. This project therefore pivots to a bottom-up, empirically-grounded analysis of how DSA obligations are interpreted, operationalized, and effectively governed through civil litigation before national courts. Through a mixed-method approach, combining doctrinal analysis of early precedents with in-depth, semi-structured interviews with practitioners, this paper seeks to improve our understanding of the effects of the DSA on the ground, and to identify strategic opportunities and recurring approaches.
Situated at the intersection of digital governance and fundamental rights, the paper examines private enforcement as a mechanism of effective judicial protection and access to justice under the DSA. The analysis proceeds along three lines. First, the paper examines how DSA litigation unfolds in practice by investigating specific DSA cases within their domestic judicial contexts. It seeks to understand how, by whom and to what ends the DSA is invoked in civil courts; how these courts interpret and apply the DSA in private law disputes; and which procedural, remedial and evidentiary barriers litigants encounter in practice.
Second, the analysis is complemented by semi-structured interviews with legal professionals involved in DSA litigation. These interviews serve to contextualise the case studies and to gain insight into the practical dynamics of DSA litigation, including strategic considerations and perceived barriers to access to justice.
Third, drawing on the case studies and interviews, the discussion will focus on a number of cross-cutting issues and key themes. These themes include jurisdiction and cross-border enforcement, available remedies (including injunctions and non-material damages), procedural modalities (encompassing individual test cases, aggregated claims and representative actions, with particular attention to mandates and standing), substantive and evidentiary issues related to potential legal bases of claims (such as protected interests and causation), and interactions and synergies between private and public enforcement (including through the DSA’s right to complaint and its mechanisms for trusted flagging and dispute resolution).
In conclusion, this paper presents a set of case studies and a cross-cutting legal analysis of private enforcement in practice grounded in doctrinal analysis and in-depth engagement with ongoing litigation. By combining judicial developments with insights from practitioners, the paper provides an account of how the DSA is being implemented and enforced in practice. In light of the shifting political context and growing pressure on public enforcement, this contribution anchors the urgent debate on platform accountability in empirical facts. The paper also provides strategic and policy recommendations aimed at improving access to justice.
Footnotes:
[1] Regulation (EU) 2022/2065 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L277/1.
[2] Martin Husovec, ‘Re: Hearing on “Europe’s Threat to American Speech and Innovation”’ (3 September 2025) https://husovec.eu/wp-content/uploads/2025/09/US-Academic-Letter-DSA-Censorship.pdf
[3] See e.g. the Dutch Bits of Freedom v Meta case, Rechtbank Amsterdam, C/13/774725 / KG ZA 25-687 MK/JD, ECLI:NL:RBAMS:2025:7253 [2025], https://www.bitsoffreedom.nl/wp-content/uploads/2025/10/20251028-vonnis-schorsingsincident-publiek.pdf; the German DRI / GFF v X case, LG Berlin II, Urteil vom 13.05.2025 - 41 O 140/25 eV, https://openjur.de/u/2526186.html.
[4] See e.g. Paddy Leerssen and others, ‘Pathways to Private Enforcement of the Digital Services Act (DSA)’ (Institute for Information Law (IViR, University of Amsterdam), DSA Observatory 2025) <https://dsa-observatory.eu/wp-content/uploads/2025/06/DSA-Private-Enforcement-final-draft.pdf>; Martin Husovec, Principles of the Digital Services Act (1st edn, Oxford University Press 2024) <https://academic.oup.com/book/58088> accessed 23 December 2024; Miguel Del Moral Sanchez, ‘The Devil Is in the Procedure: Private Enforcement in the DMA and the DSA’ (2024) 9 University of Bologna Law Review.
Days of Futures Past: 30 years of ‘Law, Policy and the Internet’ and 20 years of Gikii
ABSTRACT. In 1997 the first version of the ‘Law and the Internet’ (Eds Lilian Edwards and Charlotte Waelde) series came out into the world [1]. Through this and subsequent editions, it set the tone for the field for years to come in the UK and Europe, showing IT law was not just the ‘law of the horse’ [2], as critiques had argued in the US, but a burgeoning, exciting area of legal scholarship. As the series now enters its newest edition nearly 30 years later [3], this talk will include reflections from founding editor Lilian Edwards, alongside new editors Catalina Goanta and Lachlan Urquhart. We will celebrate the release of the 2026 edition, which includes chapters from a roster of Gikii luminaries, whilst considering questions like: How has Internet Law changed over the years? What are the hot topics that the new book is indulging its readers in? Is there a bleak or positive future for internet law in the era of AI slop, deepfakes, malicious generative AI, and the impending demise of the current global order? Being Gikii, expect the usual smattering of gratuitous pop culture references and vintage LOLcats. The prescience of HBO’s Silicon Valley (2014-2019) for 2026 is one example, as shown by the chaos caused by Bertram Gilfoyle’s rogue AI system ‘Son of Anton’. The talk will also consider the Gikii conference series itself, which also turns 20 this year and has similarly shaped the field of IT law (another brainchild of Lilian and colleague Andres Guadamuz) [4].
[1] Lilian Edwards and Charlotte Waelde. Law and the Internet: Regulating Cyberspace (Hart Publishing: 1997) https://books.google.co.uk/books/about/Law_and_the_Internet.html?id=ZPyGAAAAIAAJ&redir_esc=y
[2] Frank H. Easterbrook, ‘Cyberspace and the Law of the Horse’ (1996) University of Chicago Legal Forum 207.
[3] Lilian Edwards, Catalina Goanta and Lachlan Urquhart. Law, Policy and the Internet (Hart Publishing: 2026) https://www.bloomsbury.com/uk/law-policy-and-the-internet-9781509989898/
[4] Gikii Website: https://www.gikii.org/previous-events/2006-edinburgh/
Walking on the Tightrope Between Democracy and Technocracy: Soft Law Instruments in EU Digital Regulation
ABSTRACT. Until the 1980s, the prevailing view was that European Union (EU) legislation should contain all the technical details necessary for regulation, which meant that these details had to be discussed and decided upon during the legislative process. However, scientific and technological progress, combined with an increase in the number of Member States, made it difficult to reach consensus during the legislative process, leading to a change in the traditional approach to law-making. In 1985, the European Council adopted a resolution on ‘a new approach to technical harmonisation and standards’. With this resolution, interaction between legislation and technical standards began through ‘framework directives’, which set only essential requirements and left the task of establishing specific technical standards to the private European standardisation bodies. Over this period, the European Commission launched a fundamental debate on better governance, culminating in the White Paper on European Governance published in 2001. The Commission stated its intention to renew the governance method by adopting a less top-down approach and complementing its policy tools more effectively with non-legislative instruments. In the years that followed, private sector actors became increasingly involved in the legislative process, resulting in the widespread adoption of co-regulatory strategies, in which public and private sector actors share responsibility for setting and implementing regulatory objectives and requirements.
The EU digital regulation has gained momentum in recent years and has given rise to several new regulatory initiatives, particularly in the areas of data, online platforms, and artificial intelligence (AI). These initiatives share a common objective: to promote technological innovation while preserving the EU’s fundamental values. To achieve this dual objective, the EU legislator has adopted a hybrid approach. Alongside legal regulation, they have incorporated soft law instruments into the regulatory toolboxes as part of co-regulatory strategies, thereby enabling public and private sector actors to collaborate in the regulatory process. These traditionally non-binding instruments promise to contribute to the dual objective by providing the tools and means necessary for promoting technological innovation through the ‘information advantage’ held by the private sector, whilst ensuring the conditions necessary for safeguarding fundamental values through the public sector involvement.
By examining the three digital regulatory frameworks – the General Data Protection Regulation (GDPR), the Digital Services Act (DSA), and the Artificial Intelligence Act (AI Act) – this study questions the legal effects of the soft law instruments adopted therein from the perspective of the rule of law. These initiatives share the common feature of having adopted several soft law instruments, including codes of conduct, certifications, and standards, on a voluntary and non-binding basis. In this context, private sector actors, using their information advantage, contribute to better implementation of these initiatives by ensuring the establishment of sector-specific codes of conduct, the development of certification criteria, and the definition of technical standards. Although promising, the manner in which these tools are integrated into these initiatives raises questions about their legal effect. For example, compliance with the codes of conduct and certification set out in the GDPR is taken into account when deciding whether to impose fines in the event of a data breach and, where applicable, when determining the amount of such fines. Compliance with the codes of conduct set out in the DSA is one of the proportionate and effective risk mitigation measures that providers must implement and therefore falls within the scope of consideration in the event of a breach. Compliance with harmonised standards and common specifications set out in the AI Act is specified as benefiting from a presumption of compliance with the requirements and obligations of the AI Act.
Questions regarding the legal effects of these instruments have also been raised in cases brought before the Court of Justice of the European Union (CJEU) in recent years. The CJEU has gradually recognised their de facto binding effect in cases such as the Fra.bo case, the James Elliott Construction case, the Stichting Rookpreventie Jeugd and Others case, and more recently the Public.Resource.Org and Right to Know case. The participation of private sector actors, through soft law instruments, in a regulatory process traditionally reserved for democratically elected representatives, and the fact that these instruments give rise to de facto binding effects, raise concerns about democracy along with the discourse of technocracy. This study explores such concerns from the perspective of the rule of law, which is one of the fundamental principles of democracy.
The core value of the rule of law principle is to reduce the arbitrary use of power. To reduce the arbitrary use of power and enable the rule of law to function, three essential features have been suggested in the literature: the rationality of decisions, involvement of stakeholders, and predictability and comprehensibility of rules. The inclusion of private sector actors in the regulatory process raises questions with regard to all these features: whether the private sector actors will act according to their own economic and political needs or according to the wishes and desires of the public in the decision-making process; whether all relevant actors, including citizens and small and medium-sized enterprises, will be included in decision-making; whether individuals will be able to know, anticipate, and understand the rules envisaged by such actors. The concerns raised by the participation of private sector actors in regulation are indeed not unfounded and carry the risk of circumventing the essential requirements set out in the regulations. This study, therefore, points to the need for a clearer framework to better consider the use of soft law instruments in EU digital regulation, which should be established by the legislator to prevent technocratic influences on democracy.
Everything's (not) Gonna Be Alright – Governing first-, second-, and third-order risks in EU platform regulation
ABSTRACT. A striking new extortion scam against small businesses - bombarding listings with fake negative reviews to extract payments - illustrates how platform-mediated environments expose users to situated, context-specific harms; how central platforms have become to managing those harms; and how ineffective platform measures can be at mitigating such harms in any satisfactory manner. The European Union’s regulatory efforts, such as the Digital Services Act (DSA), the Digital Markets Act (DMA), and the AI Act, respond by imposing risk-based obligations on intermediaries to assess, mitigate, and report on risks to users and society, while regulators supervise these private risk-management systems. This paper presents a novel tri-partite risk model and argues that the current approach gives primacy to “first-order” user risks, without adequately recognizing that platforms optimize across a much broader “second-order” risk portfolio spanning supply chains, technology stacks, political pressure, regulatory exposure, and, critically, the preservation of hegemonic positions in social relations and in symbolic production. Policymakers, in turn, face “third-order” risks: the risks inherent in governing societal harms via this particular mode of public risk governance, i.e. enforced self-regulation. Drawing on platform governance scholarship and risk governance theory, we advance a layered framework clarifying these three orders, critique the under-specified notion of “systemic risk” in EU law, and use the case of political advertising in the EU to show how cross-order trade-offs can undermine public objectives in the current regulatory approach.
Misplaced Trust: Why trust is not an appropriate driver of regulatory policy in the digital age
ABSTRACT. In recent times and with increased digitalisation, the concept of digital ethics and particularly, the notion of 'trust' have gained immense popularity in the discourse on technology regulation. Legal scholars and sociologists have asked us to identify spaces and relations of ‘trust’, in order to ascertain whether privacy is at stake and ought to be protected; to use the interpersonal strategy of trust from ‘our everyday, offline lives’ to make cyberspace more secure; and to treat platforms and intermediaries as ‘fiduciaries’ – persons or entities in whom we repose trust – so that they may be better regulated. Governments, too, have put forth expectations of trust from citizens and users towards new technologies and the systems they operate in. This is done by framing law and policy on new technologies, especially artificial intelligence (‘AI’), in the language of trust. This suggests a shift in regulatory focus, towards creating a social good, that is, trust, and in turn, towards ‘ethics’ as a means of regulation, which raises some important questions: what does this shift mean for how regulation and technology development play out? Is ‘trust’ a suitable regulatory goal? On one hand, if yes, how might one achieve it? But on the other, if not, what consequences does this regulatory shift have? This paper attempts to address these questions by taking recent developments in the regulation of AI as a case study.
I divide the body of this paper into three parts. First, I highlight how the language of ‘trust’ has gained recent prominence in technology regulation, and specifically, in AI regulation. I differentiate this recency from other fields like biotechnology laws, where ethics and trust have traditionally been relied upon, and offer three reasons why one ought to pay attention to such shifts in language.
Next, Part II of the paper discusses the meaning of ‘trust’ in terms of its ordinary use and summarises some of its popular sociological, philosophical and legal accounts. I then study the use of this word in recent law and policy instruments to analyse its coherence with connotations from the social sciences. The study is both normative and analytical, and demonstrates an opportune variability of conceptions currently employed in AI and technology regulation. I also emphasise how the usage of this term is accompanied by a shift in the onus onto private actors and towards self-regulation.
Finally, Part III discusses the specific positionality of AI and leading technology companies, including platforms, in the current political economy. With this context to the recent use of trust-based regulation, I highlight threads of incongruity between the political economic reality of these companies and the normative goals of trust-based (self-)regulation. I discuss how AI and tech companies, as well as the technologies they develop, including specific AI tools, do not lend themselves easily to notions of trust. Therefore, the application of the language of trust is not only far removed from its conceptual underpinnings as understood in the social sciences, but its usage also tends to drive the development of these technologies with risk to individual consumers and society at large, and to the course of legal developments in the field.
As such, this paper tests the coherence of ‘trust’ as a regulatory goal with its philosophical, sociological and legal underpinnings, and puts forth that more than building a social good, ‘trust’ now appears as a rhetorical move to persuade users to adopt specific technologies and has the potential to set risky precedents for future law and policy.
Regulatory governance of ‘clean’ technologies: Comparing major economies’ support for Lithium-ion batteries
ABSTRACT. Lithium-ion batteries (LIBs) can play an important role in decarbonizing the transport and electricity sectors and present a vast economic opportunity. While the important role of policy for fostering innovation in these emergent technologies is recognized, thus far the policy mixes employed by major global economies to establish local battery technology industries are poorly understood. Here, we develop a framework to make these policy mixes comparable, provide systematic data on the 220 policies targeting LIBs in China, the European Union (EU) and the United States (US), and compare the evolution of these policy mixes over the past two decades. Our results reveal substantial differences, with China taking a very active role in creating markets for a portfolio of various LIB technologies and in various specific LIB applications. Being a latecomer, the EU also creates technology and application portfolios, with a strong emphasis on coordinating innovation activities between industry players. While also creating demand for energy storage, the US, in contrast, leaves technology choice largely to the market. We discuss how these results inform the chances of the analysed economies in competing for the economic opportunity presented by LIBs.
A critical investigation into the proposed single reporting mechanism for cybersecurity incident reporting in the Digital Omnibus proposal: the good, the bad and the ugly
ABSTRACT. The push by the EU legislator towards the simplification and streamlining of the EU’s digital rulebook has been the topic of much debate and criticism since the Digital Omnibus proposal. Besides aiming to streamline and simplify rules on artificial intelligence, improve access to data and introduce major reforms to the GDPR, the call for simplification has also reached cybersecurity. The Digital Omnibus proposal aims to streamline cybersecurity incident reporting by establishing a single reporting mechanism for all cybersecurity-related reporting obligations[1]. In addition, the recent proposal for a revised Cybersecurity Act (CSA 2) also introduces measures aimed at simplifying compliance with the EU’s cybersecurity rules and risk management requirements[2]. Whilst ample attention and criticism is directed towards the major GDPR reforms proposed in the Digital Omnibus[3], the streamlining and simplification of cybersecurity measures has received far less scrutiny.
This research will critically examine the proposed simplification of the current cybersecurity incident reporting framework as introduced by the Digital Omnibus package. The research will argue that whilst the streamlining of the many cybersecurity incident notification requirements is a welcome development, the approach proposed in the Digital Omnibus leaves much room for improvement and misses the mark with regards to establishing an effective flow of cybersecurity incident and threat information. The research will identify key open questions that urgently need to be addressed by the EU legislator and propose recommendations to improve the single reporting mechanism.
To do so, this paper will first conduct an extensive legal mapping of the various cybersecurity notification requirements spread out over an array of cybersecurity and data protection legislations. Although previous mapping exercises have been conducted[4], these are significantly out of date following the rapid changes to the EU’s cybersecurity legal framework. The EU’s legal landscape for cybersecurity has expanded rapidly in recent years, and with it the cybersecurity information sharing landscape underwent dramatic changes, with new incident notification requirements, cooperation bodies and authorities, and information flows coming into existence, thereby making the mapping of the current cybersecurity reporting and information sharing provisions a crucial first step. Therefore, this research will map the cybersecurity incident requirements laid down in the NIS 2 Directive (NIS2), the Cyber Solidarity Act, the Cyber Resilience Act (CRA), the GDPR, and the Digital Operational Resilience Act (DORA). The mapping exercise clearly shows that the current cybersecurity information-sharing landscape is overly complicated, consisting of an overpopulated landscape of authorities and cooperation bodies involved in cybersecurity information sharing, a duplication of reporting requirements, and convoluted information flows across the different cybersecurity laws and authorities. The proliferation of responsible authorities has been criticised for hampering cooperation and may lead to failing to grasp the bigger picture in terms of the cybersecurity threat landscape. Consequently, the desire to streamline cybersecurity incident reporting and information sharing is not unfounded[5].
Next, the paper will scrutinize the single reporting mechanism proposed in the Digital Omnibus and examine whether it addresses the shortcomings of the current cybersecurity information sharing landscape in an effective and appropriate manner. In a nutshell, the Digital Omnibus proposes a single-entry point to be developed by ENISA through which entities can simultaneously fulfil their incident reporting obligations under multiple legal acts, namely NIS 2, the GDPR, DORA, the eIDAS Regulation and the CER Directive. According to the Digital Omnibus proposal, “through fostering a ‘report once, share many’ principle, the single-entry point will reduce administrative burden for entities, while ensuring effective and secure flow of information about security incidents to the recipients defined in respective legislation”[6].
The research identifies various shortcomings and open questions with the Digital Omnibus proposal that urgently need to be addressed to ensure that the aim of an effective flow of cybersecurity incident and threat information can be accomplished. For instance, the Digital Omnibus proposal does not make a distinction between cybersecurity incidents and personal data breaches. This may be problematic not only due to the different function each type of notification serves[7], but also due to the fact that not all personal data breaches are a consequence of a cybersecurity incident, as exemplified in the MediaMarktSaturn case[8]. This may lead to an arbitrary distinction between personal data breaches following a cyberattack being reported through the single reporting mechanism and non-cybersecurity-related personal data breaches being reported directly to the relevant data protection authority. Besides this, the single-entry point proposed in the Digital Omnibus does not take into account the cybersecurity threat and incident notification sharing arrangements laid down in the Cyber Solidarity Act. Consequently, the duplication of reporting mechanisms and overabundance of authorities and cooperation bodies may persist. Due attention will need to be paid to how to streamline the cybersecurity information sharing between the mechanisms laid down in the Digital Omnibus and the Cyber Solidarity Act. Furthermore, the Digital Omnibus proposal fails to specify the authorities that will have access to the information collated in the single-entry point and under which conditions, especially with regards to access by law enforcement authorities. Considering that cybersecurity incidents can be criminal in nature in some instances, law enforcement authorities may require access to such cybersecurity reporting data in certain cases.
It is crucial that adequate safeguards and limits to the further sharing of cybersecurity information to law enforcement authorities are in place, especially with regards to the processing of personal data, the types of data that may be exchanged or data retention periods.
[1] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus), SWD(2025) 836 final, 19 November 2025.
[2] Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2022/2555 as regards simplification measures and alignment with the [Proposal for the Cybersecurity Act 2], COM(2026) 13 final, 22 January 2026.
[3] See, for instance: Felix Bieker, ‘Schroedinger’s Data: SRB and the Digital Omnibus’ [2026] European Law Blog. Webinar ‘The Fate of GDPR: First Reactions on the Digital Omnibus’ (Brussels Privacy Hub, 20 November 2025). Stalla-Bourdillon, S. (2025). Déjà vu in data protection law: the risks of rewriting what counts as personal data, Privacy and Data Protection, 26 (2), 9-13.
[4] Maria Grazia Porcedda, ‘Patching the Patchwork: Appraising the EU Regulatory Framework on Cyber Security Breaches’ (2018) 34 Computer Law & Security Review 1077.
[5] Accordingly, reference to establishing a single reporting hub were already included in the CRA and DORA.
[6] Digital Omnibus proposal, p8.
[7] For instance, as Schmitz-Berndt and Schiffner note, the immediate notification of a personal data breach following a cyberattack may be contrary to the general interest of cybersecurity. See: Sandra Schmitz-Berndt and Stefan Schiffner, ‘Don’t Tell Them Now (or at All) – Responsible Disclosure of Security Incidents under NIS Directive and GDPR’ (2021) 35 International Review of Law, Computers & Technology 101.
[8] Case C-340/21, VB v Natsionalna agentsia za prihodite, 2023, ECLI:EU:C:2023:98; Case C-678/21, BL v MediaMarktSaturn Hagen-Iserlohn GmbH, 2024, ECLI:EU:C:2024:72.
Current Generative AI red teaming practices and their incompatibilities: Problem statement and solutions
ABSTRACT. Generative Artificial Intelligence (AI) red teaming is thought to pose serious limitations for the probing, testing and evaluation of model security, safety and trustworthiness concerns. It is a strategy that is significantly different from cybersecurity red teaming, a set of methodologies that traditionally pertain to the creative mindset of the red teamers to identify and re-construct system vulnerabilities, as well as exploit software bugs and human errors. Our paper situates traditional cybersecurity, as well as Generative AI red teaming, within policy perspectives tackling the social and ethical risks of general-purpose systems, Large Language Models (LLMs) and generative AI products. We enumerate four basic red teaming elements in cybersecurity, entailing threat modeling, adversarial simulations, adversarial emulations and adversarial testing, to caution against Generative AI red teaming in policy employed for the evaluation of model capabilities, as well as probing of model behaviours for non-malicious and benign examples. This is because policy documents, technical reports and guidance by governmental agencies or AI companies themselves do not differentiate between different “red teaming” strategies and instead promote incompatible and illusory best practices on the safety, security and trustworthiness of generative models. Building on these findings, we then provide a set of solutions to address this problem, including recommendations on how regulators, governments, third-party evaluators and companies should frame their Generative AI red teaming strategies.
These recommendations entail: (i) for red teamers and regulatory agencies (e.g., AI Safety agencies and Institutes) to track assumptions on the model’s critical function in threat modeling; (ii) a definition of exploratory red teaming where adversarial simulations and emulations are intended for the discovery of new tactics, techniques and procedures (TTPs); and (iii) refraining from equating red teaming with adversarial testing. Our findings contribute to the real-world challenges of Generative AI red teaming, directing policy perspectives to distinguish between different red teaming strategies, their limitations and incompatibilities, when conducting threat modeling on intrinsic model risks, exploring new scenarios, attack paths and the detection of edge cases.
Current literature criticises the lack of consistency on the scope of Generative AI red teaming and whether it can inform the already emerging evaluation ecosystem to identify, test and mitigate for harms [1], [2], [3], [4], [5], [6]. Our work builds on these concerns, and establishes a conceptual framework through which the limitations of Generative AI red teaming are concretely spelled out in policy and to support future best practices and standardisation. This conceptual framework illuminates how AI companies and third-party evaluators [7], [8], [9], [10], [11], [12], governments and AI safety agencies [13], [14], [15], [16], and non-profits [17], [18] usually pick and combine four prominent red teaming cybersecurity practices to explain the elements where red teaming can inform the evaluation and testing of Large Generative Models. These practices entail threat modeling for the discovery of risks, adversarial simulations for re-constructing real-life scenarios of an attack through the enactment of a set of TTPs, the application of TTPs for adversarial emulations, as well as prompts for adversarial testing. Combining traditional elements in threat modeling, adversarial simulations, emulations and testing with Generative AI red teaming in policy is problematic, because it creates an illusion of emerging best practices and standards. This is because current policy efforts produce competing objectives in how threat modeling can aid the discovery of risks and how adversarial simulations, emulations and adversarial testing can secure both detection and identification of (Large) Generative AI security, safety and trustworthiness risks. Specifically, we note how threat modeling is incompatible with capability evaluations, since these evaluations do not specify the critical functions needed to aid red teamers in the discovery of threats.
Second, adversarial simulations and emulations strategies are applied without a clear organisational policy of what constitutes a harm or an adversary, thereby making this process subjective and limited to the proportion of successful TTPs. Third, adversarial testing only works when there is a security bug in the model, not when it produces conflicting results on probing LLMs on benign examples, defining human error or harm during evaluations.
Building on these claims, the paper then makes policy recommendations on how traditional red teaming elements should interact with Generative AI red teaming strategies to secure meaningful accountability and responsible practices. We recommend that red teamers, third-party evaluators and regulators track the assumptions and critical function modelled during threat modeling exercises. Further, we define exploratory red teaming to be limited to the semi-structured role of adversarial simulations and emulations to discover new TTPs within a risk taxonomy. Finally, evaluators and policymakers should refrain from equating red teaming with adversarial testing and narrow down the latter to the testing of edge cases only. Clarifying the critical function of threat modeling, as well as distinguishing the exploration of new TTPs, is essential for guiding future policy on red teaming and ensuring meaningful accountability in the evaluation of Large Generative AI models.
References:
[1] T. Gillespie, R. Shaw, ML. Gray, and L. Suh, “AI red-teaming is a sociotechnical challenge: on values, labor, and harms,” 2025, arXiv: https://arxiv.org/abs/2412.09751.
[2] J. Metcalf and R. Singh, “Scaling Up Mischief: Red-Teaming AI and Distributing Governance,” Harvard Data Science Review, May. 31, 2024. Accessed: Nov. 01, 2025. [Online]. Available: https://hdsr.mitpress.mit.edu/pub/ded4vcwl/release/2.
[3] S. Ranjit, B. Blili-Hamelin, C. Anderson, E. Tafesse, B. Vecchione, B. Duckles, J. Metcalf, “Red-Teaming in the Public Interest,” Data & Society, 2025. Accessed: Sep. 05, 2025. [Online]. Available: https://datasociety.net/library/red-teaming-in-the-public-interest/
[4] S. Friedler, R. Singh, B. Blili-Hamelin, J. Metcalf, and BJ. Chen, “AI Red-Teaming Is Not a One-Stop Solution to AI Harms: Recommendations for Using Red-Teaming for AI Accountability,” Data & Society, 2023. Accessed: Oct. 01, 2025. [Online]. Available: https://datasociety.net/library/ai-red-teaming-is-not-a-one-stop-solution-to-ai-harms-recommendations-for-using-red-teaming-for-ai-accountability/
[5] AQ. Zhang, R. Shaw, J. Reese Anthis, A. Milton, J. Suh, L. Ahmad, RS. Siva Kumar, J. Posada, B. Shestakofsky, ST. Roberts, ML. Gray, “The Human Factor in AI Red Teaming: Perspectives from Social and Collaborative Computing,” presented at CSCW '24: The 27th ACM Conference on Computer-Supported Cooperative Work and Social Computing, San Jose, Costa Rica, Nov. 9-13, 2024. https://dl.acm.org/doi/10.1145/3678884.3687147
[6] M. Feffer, A. Sinha, WH. Deng, ZC. Lipton, and H. Heidari, “Red-Teaming for Generative AI: Silver Bullet or Security Theater?,” 2024, arXiv: https://arxiv.org/abs/2401.15897.
[7] METR, “Common Elements of Frontier AI Safety Policies (December 2025 update),” METR, 2025. Accessed: Jan. 01, 2026. [Online]. Available: https://metr.org/common-elements.pdf.
[8] Anthropic, “Responsible Scaling Policy Version 2.2,” Anthropic, 2025. Accessed: Jan. 01, 2026. [Online]. Available: https://www-cdn.anthropic.com/872c653b2d0501d6ab44cf87f43e1dc4853e4d37.pdf
[9] A. Dragan, H. King, and A. Dafoe, “Introducing the Frontier Safety Framework Version 1.0,” Google DeepMind, 2024. Accessed: Dec. 22, 2025. [Online]. Available: https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/introducing-the-frontier-safety-framework/fsf-technical-report.pdf
[10] B. Bullwinkel, A. Minnich, S. Chawla, G. Lopez, M. Pouliot, J. de Gruyter, K. Pratt, S. Qi, N. Chikanov, R. Lutz, R. Dheekonda, BE. Jagdagdorj, E. Kim, J. Song, K. Hines, D. Jones, G. Severi, R. Lundeen, S. Vaughan, V. Westerhoff, P. Bryan, RS. Siva Kumar, Y. Zunger, C. Kawaguchi, M. Russinovich, “Lessons From Red Teaming 100 Generative AI Products,” 2025, arXiv: https://arxiv.org/abs/2501.07238.
[11] Magic, “AGI Readiness Policy Version 1.0 - July 2, 2024,” Magic, 2024. Accessed: Dec. 22, 2025. [Online]. Available: https://magic.dev/agi-readiness-policy
[12] Meta, “Frontier AI Framework Version 1.1”, Meta, 2025. Accessed: Dec. 22, 2025. [Online]. Available: https://ai.meta.com/static-resource/meta-frontier-ai-framework
[13] AI Security Institute, “Pre-Deployment Evaluation of Anthropic’s Upgraded Claude 3.5 Sonnet: The UK Artificial Intelligence Safety Institute and U.S. Artificial Intelligence Safety Institute conducted a joint pre-deployment evaluation of Anthropic’s latest model,” AI Security Institute, Nov. 19, 2024. Accessed: Dec. 10, 2025. [Online]. Available: https://www.aisi.gov.uk/work/pre-deployment-evaluation-of-anthropics-upgraded-claude-3-5-sonnet
[14] Singapore AI Safety Institute, “Singapore AI Safety Red Teaming Challenge: Evaluation report,” Infocomm Media Development Authority, 2025. Accessed: Dec. 23, 2025. [Online]. Available: https://www.imda.gov.sg/-/media/imda/files/about/emerging-tech-and-research/artificial-intelligence/singapore-ai-safety-red-teaming-challenge-evaluation-report.pdf
[15] Japan AI Safety Institute, “Guide to Red Teaming Methodology on AI Safety (Version 1.10),” Japan AI Safety Institute, 2025. Accessed: Dec. 22, 2025. [Online]. Available: https://aisi.go.jp/assets/pdf/E1_ai_safety_RT_v1.10_en.pdf
[16] OpenAI, “Working with US CAISI and UK AISI to build more secure AI systems,” OpenAI, Sep. 12, 2025. Accessed: Nov. 10, 2025. [Online]. Available: https://openai.com/index/us-caisi-uk-aisi-ai-update/
[17] Humane Intelligence, “Generative AI Red Teaming Challenge: Transparency Report," Humane Intelligence, 2024. Accessed: Nov. 13, 2025. [Online]. Available: https://www.humane-intelligence.org/grt
[18] The Royal Society and Humane Intelligence, “Red teaming large language models (LLMs) for resilience to scientific disinformation: Summary note of an event held on 25 October 2023,” The Royal Society, 2024. Accessed: Nov. 13, 2025. [Online]. Available: https://royalsociety.org/news-resources/publications/2024/red-teaming-llms-for-resilience-to-scientific-disinformation/.
It runs in the family: Persistence of data protection issues in distributed systems
ABSTRACT. The world over, reliance on distributed systems is on the rise. This technology is, to name a few examples, a key enabler behind cloud services that empower critical sectors across the globe, such as Amazon Web Services (AWS); Content Delivery Networks (CDNs) that support streaming services like Netflix or messaging apps like Signal; and Internet of Things (IoT) services like Amazon’s Alexa. Its ubiquity, subject to decades of gradual advancements, has not been free from data protection challenges. While the scholarship on data protection law has addressed implications arising from specific types of distributed systems such as IoT and cloud services, an architectural-level critique of this technology is relatively missing. This paper fills that gap using two components: firstly, by providing a brief review of the computer science literature on the design goals of this technology, and secondly, by analysing current practices in the form of Meta’s Privacy Aware Infrastructure (PAI) and Microsoft’s cloud policies. The resultant analysis reveals two tensions between the architectural goals and data protection goals as prescribed under the European General Data Protection Regulation (GDPR): (a) the so-called transparency goal of the technology ironically runs contrary to the transparency needs of individuals for data control; and (b) clear neglect towards data protection in the developmental phase, which directly challenges the requirement of Data Protection by Design and Default (DPbDD). The first tension specifically delves into the historical practice of masking locations, relocation, and failure within distributed systems. While providing efficiency, this goal perpetuates a lack of awareness among data subjects. This bears an impact on the effective exercise of important GDPR requirements such as informed consent, the right to erasure, and the principle of purpose limitation. This paper shows how this feature has partly resulted in crucial data protection issues in practice.
This is shown using Meta’s PAI and Microsoft’s cloud practices as two examples. Connectedly, the second tension is analysed through the two examples from the perspective of DPbDD. Accordingly, it is argued that these ‘ad-hoc’ fixes are shaping the practice of this requirement from being ex ante to somewhat ex post. In other words, the introduction of Privacy Enhancing Technologies (PETs) in that manner potentially waters down the ex ante nature of the DPbDD requirement. Finally, it is proposed that the underlying gaps could be bridged by focusing on the communication interface of the architecture. In such regard, more efforts need to focus on improved data traceability. This could ensure better compliance with several GDPR requirements. In sum, this paper offers a clearer picture of the complexity underlying the prevailing forms of distributed systems and their impact on compliance with the GDPR.
Facilitating Lawful Interception and Hacking: A New Legal Assistance Obligation for IT Infrastructure Companies in Combating Disruptive Cybercrime
ABSTRACT. 1. Introduction and background
The accelerating proliferation and sophistication of cybercrime represent pressing challenges for the stability, security, and resilience of modern digital societies and critical infrastructures. Noteworthy recent incidents, such as the attempted wiper attack on Poland’s energy sector, highlight the potentially catastrophic impact of disruptive cyber threats, and the urgent need for adaptable legal and technical responses. Cybercriminals frequently exploit obstacles for law enforcement arising from encrypted communications, transnational jurisdictional complexities, and the anonymity afforded by digital networks. These factors impede the capacity of law enforcement agencies to effectively investigate and prosecute offenders using traditional criminal justice mechanisms. While a growing body of scholarship explores these difficulties, the strategic role played by IT infrastructure providers, whose systems underpin and shape the internet’s architecture, has yet to be fully recognised or integrated within comprehensive normative frameworks.
2. Conceptual foundations: IT infrastructure companies and disruptive cybercrime
The research develops and introduces two novel foundational concepts critical to the analysis: ‘IT infrastructure companies’ and ‘disruptive cybercrime.’ IT infrastructure companies are characterised by their unique technical control over global and regional internet assets, such as data routing, network management, and infrastructure configurations. Disruptive cybercrime refers to a class of offences that exploit technological vulnerabilities to inflict large-scale harm, ranging from ransomware campaigns disrupting essential services, to advanced persistent threats targeting critical infrastructure. Establishing these concepts enables a focused legal and policy assessment of how IT infrastructure providers’ capabilities can be leveraged to fight disruptive cybercrime effectively, while safeguarding fundamental rights.
3. Research question and approach
The central question guiding the research is: what are possible problems with additional legal assistance obligations for IT infrastructure companies in criminal investigations of disruptive cybercrime, and what are potential solutions? To address this question, the research employs doctrinal legal analysis supported by empirical case studies, situating the analysis within the context of relevant domestic and European legal instruments, including the Dutch Code of Criminal Procedure (Wetboek van Strafvordering), the EU General Data Protection Regulation (GDPR), the EU Law Enforcement Directive (LED), the European Convention on Human Rights (ECHR), and the Charter of Fundamental Rights of the European Union (EUCFR). It further draws upon the jurisprudence of the European Court of Human Rights (ECtHR), the Court of Justice of the European Union (CJEU), and established principles articulated in the UN Guiding Principles on Business and Human Rights to provide a multidisciplinary normative framework.
4. Legal and technical challenges
IT infrastructure companies possess exceptional technological capabilities, including fine-grained control over network traffic flows and infrastructure configurations, which could materially enhance law enforcement investigations into cybercrime. However, these capabilities remain underutilised largely due to the absence of a clear, modern, and coherent legal framework mandating their assistance. Existing investigatory powers are fragmented, outdated, and insufficiently precise, causing legal uncertainty and hindering effective operational collaboration. A critical technical obstacle for criminal investigations arises from the widespread adoption of strong encryption protocols, which limit law enforcement’s access to readable data, both in transmission and in storage. This consequently restricts the ability to identify communication patterns, establish suspect identities, and uncover criminal plans. The dilemma lies in balancing the necessity of accessing decrypted data without undermining the integrity of robust cybersecurity standards protecting the internet’s users at large.
5. Proposed normative framework and legal assistance obligation
The research advances a novel normative legal framework mandating several enhanced legal assistance obligations from IT infrastructure companies, including obliging them to facilitate lawful interception and targeted hacking operations. This duty would be triggered upon receipt of detailed, case-specific, judicially authorised orders substantiating the necessity and proportionality of technical assistance. The assistance obligation would empower companies to deploy customised technical interventions, including the creation of specialised data routes or traffic pathways that enable lawful interception and hacking without imposing systemic decryption mandates or backdoors. Where existing system defences preclude lawful access, providers may also be required to install or activate legacy software versions or compatible configurations on designated infrastructure assets to enable investigative operations. These measures are strictly confined to concrete, well-defined instances of disruptive cybercrime and subject to robust judicial oversight and procedural safeguards to prevent abuse.
5.1. Safeguards for protecting the right to privacy and data protection
Recognising the profound implications of this additional obligation, the framework incorporates a set of safeguards to uphold the right to privacy and data protection. The new assistance obligation is limited to narrowly defined infrastructure assets directly connected to ongoing investigations, with prior judicial authorisation mandating purpose limitation, data minimisation, and time-bound applicability. These measures should comply with Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the EU Charter of Fundamental Rights, as well as the data protection principles enshrined in the LED and GDPR. Data minimisation and transparency, for instance, are ensured through mandatory logging and documentation of all interventions, with ex ante judicial review and ex post independent oversight, respectively by investigatory judges and regulatory bodies such as the Dutch Data Protection Authority, enhancing accountability. Notification of affected individuals may be deferred only when necessary to prevent obstruction but must occur promptly thereafter, ensuring the preservation of legal certainty and individual rights.
5.2. Fair trial considerations and operational transparency
The active technical facilitation required by this obligation entails real-time infrastructure modifications, including suppression of security alerts and deployment of bespoke tools by IT infrastructure companies, raising critical concerns under the right to a fair trial (Article 6 ECHR). Such covert operations introduce layers of operational opacity hitherto unseen within conventional investigative paradigms, risking diminished defence capabilities due to challenges in verifying how evidence was obtained and whether integrity safeguards were maintained. This concern is heightened by the technical complexity exceeding the expertise of most defence teams. The framework thus prescribes rigorous judicial authorisation both pre- and post-intervention, comprehensive transparent logging of technical measures, and independent auditing to ensure defence access to relevant evidence and the possibility to challenge procedural lawfulness, thereby safeguarding adversarial fairness and equality of arms.
5.3. Impact on the freedom to conduct a business
The obligation also significantly impacts the freedom to conduct a business (Article 16 EU Charter) by requiring IT infrastructure companies to alter core operational systems and maintain specialised technical capabilities for law enforcement cooperation. This extension of their role exposes companies to considerable operational risks, potential conflicts with other legal duties (including GDPR, e-Privacy Directive, and NIS2 Directive), and reputational vulnerabilities that may impinge on competitiveness and market position. The research underscores that proportionality is met only if the measures are lawful, precisely targeted, technically viable, and buttressed by procedural protections allowing companies to dispute or negotiate onerous or excessive demands. Considerations for business size and resource capacities are critical to avoid disproportionate burdens on smaller entities, and protections must secure business secrets and sensitive technical information. Judicial remedies must be accessible to safeguard against arbitrary impositions.
6. Conclusion and contributions
The research concludes that, with rigorous safeguards balancing security imperatives, privacy rights, fair trial guarantees, and business freedoms, an enhanced legal assistance obligation imposing tailored, technical facilitation by IT infrastructure companies represents a viable and necessary reform to close critical enforcement gaps in cybercrime prosecution. Such a framework supports the rule of law in the digital realm by harmonising law enforcement capacity-building with inviolable democratic and economic values. These findings advance scholarly and policy discourse at the nexus of technology, law, and security, offering a robust normative foundation and actionable guidance for regulators, legal practitioners, and industry stakeholders confronting the evolving cyber threat landscape.
This extended abstract draws from research conducted as part of my forthcoming PhD dissertation at eLaw, Centre for Law and Digital Technologies, at Leiden University, which analyses several additional legal assistance obligations.
Enforcement in the Age of AI: Reshaping and Reclaiming Control over Data, Speech, and Creativity
ABSTRACT. Generative Artificial Intelligence (GenAI) systems inherently process training datasets that may contain copyrighted content, inaccurate (but not necessarily unlawful) information, and personal data. The central importance of data and content for these systems leads to unique challenges. For instance, what if these systems make inferences and return outputs based on inaccurate personal data? What if they infringe copyright and ‘learn’ something they have no right to learn? In technical terms, these challenges require ‘retraining’ AI systems – adapting them to remove (or ‘forget’) false information, personal data or copyrighted content from public circulation, to ensure that they process information in a way that respects fundamental rights. However, while fundamental rights play a key role in the debate on the regulation of AI, limited efforts have been made to address the problem of their enforcement so far. For example, the EU AI Act fails to be conducive to an actual empowerment of individuals with respect to the enforcement of these rights. To avoid leaving practical solutions to judicial interpretation alone, the mismatch between existing safeguards and technological advances requires further efforts. This panel aims to address these issues by exploring how the processing of data and content by generative AI systems can be reconciled with the protection of fundamental rights.
Beyond output-related risks, the panel critically addresses memorisation in generative systems – not merely as a technical feature, but as a legally significant dynamic that challenges aspects such as data minimisation, content moderation, and the right to erasure, among others.
The panel also expands the conversation beyond conventional data and expression rights by examining how generative AI systems influence cognitive environments, raising concerns about freedom of thought.
Within this overarching perspective, panel contributions will focus on some interrelated rights, namely, freedom of expression, freedom of thought, data protection and copyright, examining challenges such as disinformation, hallucinations, memorisation of personal data, and copyright infringements.
This panel is organized under the umbrella of the retrAIn project, a Dutch government-funded starter grant (PI: Dr. Marco Bassini), which explores how generative AI systems are reshaping the enforcement of fundamental rights in Europe.
Panel: Towards a European Firewall: Perspectives on Cybersecurity Standardisation in the EU: Pratham Ajmera, Christina Del Real, Simon Parkin
ABSTRACT. In recent years, product cybersecurity regulation has seen significant movement under the EU aegis. The 2020 Cyber Security Strategy stressed the need for resilient infrastructures, increased capacity for prevention, deterrence, and response to cyber threats, and an Internet of Secure Things, through transparent security solutions and certification.
The Commission has initiated a push to secure the devices we use through the EU Cyber Resilience Act. In so doing, it has issued a call for broad-ranging standards aimed at harmonizing practices that would help secure digital products and the infrastructures they operate on, with an emphasis on security throughout a product’s lifecycle – pre- and post-market.
Standardisation has grown to be an essential element of the digital regulatory toolbox, with the Cyber Resilience Act and the Network and Information Security Directive 2 as the most recent examples. Technical standards are voluntary norms, which may be adopted by companies for guidance. Their value often lies in the fact that they incorporate, and can more easily keep up with, the state of the art, and that they provide harmonised requirements across different types of products, services, and sectors. Additionally, they often form the foundation of certification schemes used in assessing conformity with regulation.
The European Commission has requested the European Standardisation Organisations to develop standards in support of the EU Cyber Resilience Act. The requested (harmonised) technical standards are, however, more than mere technical documents: they give guidance and content to essential legal requirements of what it means to be safe and cyber-secure. Further, the standard-making process includes a variety of stakeholders, each representing different viewpoints and perspectives. How well are different stakeholders represented? Should every cybersecurity stakeholder also have a say in the standard-making process? What is the role of standardisation in providing secure-by-design products?
These are questions the speakers will seek to answer, sharing their interdisciplinary experiences from research and practice in the area of cybersecurity.
This panel is highly relevant to the cybercrime, cybersecurity and cyber-resilience track, due to its exploration of the legal requirements and implementation of principles in practice, through technical standardisation.
Moderator: TBC
Speakers (TBC):
Dr. Christina Del Real, Assistant professor, Leiden University
Building on the findings of the NWO 'Cyber Security by Integrated Design' (C-SIDE) project, Dr. Del Real will delve into the need for, and practical difficulties of, designing secure software systems, and to which extent the EU legal framework facilitates this goal.
Ben Kokx, Director Standardization Product Security, Philips
Kokx will share insights from the standardisation perspective, as a leading expert in European standardisation. Kokx will explain the role of standardisation in ensuring cybersecure products, as for example in the case of IoT devices and radio equipment, and harmonised requirements across the market.
Pratham Ajmera, PhD researcher, Tilburg University
Ajmera will be providing a legal perspective, focusing on the evolving nature of European cybersecurity legislation in its intersections with methods of private regulation such as standards and certification schemes. Ajmera will examine from an ecosystem lens, concentrating on the changing dynamics between various actors that play pivotal roles in maintaining product cybersecurity in the EU.
Dr. Simon Parkin, Assistant professor, TU Delft
Specialising in human-centred security, Dr. Parkin will be sharing a tech-centred perspective on cybersecurity, shedding light on the technical side of cybersecurity regulation and providing more insight into the balancing act between regulatory zeal and technical implementability.
Weaponizing Earth–Space Infrastructure: Digital Sovereignty, Dual Use, and the Fragmentation of Planetary Governance
ABSTRACT. Critical Earth–space infrastructure is a focal point of geopolitical power, legal contestation, and strategic rivalry. Satellite constellations, subsea telecommunications cables, launch services, data centres, cloud infrastructure, and Earth-observation systems underpin essential global services, including banking and financial markets, maritime navigation and shipping, aviation safety, weather forecasting, disaster response, climate and environmental monitoring, and energy system management. These infrastructures are inherently dual use, enabling civilian, commercial, and military functions simultaneously. As a result, their governance sits at the intersection of international law, digital regulation, security law, and infrastructure policy. This paper examines how the growing militarisation and strategic instrumentalisation of Earth–space infrastructure reshapes debates on digital sovereignty and strategic autonomy in an increasingly fragmented world.
The paper is motivated by intensifying geopolitical competition among major space- and technology-enabled powers, particularly the United States, China, and the European Union. Infrastructures enabling global connectivity are increasingly treated as strategic assets and potential weapons. Satellite systems exemplify this shift. Large-scale commercial constellations—most prominently Starlink—now provide global broadband connectivity relied upon by civilians, humanitarian actors, financial markets, and governments. At the same time, Starlink has been explicitly integrated into military and security operations, demonstrating how privately owned infrastructure can become embedded in armed conflict and defence strategies without clear public accountability (US Space Policy Directive-4 on Space Force establishment; US National Defense Authorization Acts). Parallel developments are evident in China’s rapid expansion of state-backed satellite constellations, including the Guowang (“National Network”) project, pursued under China’s civil–military fusion strategy and reinforced through national legislation on data control and security, notably the Data Security Law (2021) and the Cybersecurity Law (2017).
These developments expose fundamental weaknesses in existing legal frameworks. International space law, anchored in the Outer Space Treaty, was not designed to regulate dense constellations of privately operated satellites providing essential global services while also serving military functions. Telecommunications and digital law similarly struggle to address orbital infrastructure as a site of geopolitical power. National legal regimes increasingly seek to fill these gaps but do so in fragmented and sometimes conflicting ways. In the United States, space governance is shaped by executive instruments such as Space Policy Directives 1–5, which explicitly link commercial space development, national security, and strategic leadership. In China, space infrastructure governance is integrated into national security law and data sovereignty frameworks, embedding Earth–space systems within long-term state planning and security doctrine.
The paper develops three core research questions. First, how does the dual-use character of contemporary Earth–space infrastructure challenge traditional legal distinctions between civilian, commercial, and military domains? Second, how do competing claims to digital sovereignty and strategic autonomy—expressed through national and regional laws—reshape the governance of infrastructure that supports globally shared services? Third, can emerging regulatory approaches, particularly within the European Union, offer a legally credible model for managing dual use and private power while maintaining commitments to international cooperation and sustainability?
The paper conceptualises Earth–space infrastructure as the material foundation of digital sovereignty, arguing that control over satellites, spectrum, data flows, launch capacity, and technical standards increasingly determines regulatory authority in practice. At the same time, it shows how sovereignty-based narratives often obscure the decisive role of private actors, whose technical capabilities and geopolitical influence frequently exceed those of many states—particularly in the Global South.
Three case studies structure the analysis. The first examines satellite navigation and timing systems, GPS (US), Galileo (EU), and BeiDou (China), and their entanglement with military command-and-control alongside civilian dependence. The second focuses on large-scale satellite constellations, contrasting US-licensed private systems such as Starlink with China’s state-led constellation governance under national data and security laws. The third examines Earth-observation systems used for climate and environmental monitoring, highlighting how data access and interpretation are shaped by strategic, commercial, and security priorities, raising concerns about epistemic inequality and data colonialism.
The paper critically evaluates the European Union’s emerging response, including the proposed EU Space Act 2025 and related space security and resilience initiatives, which seek to integrate sustainability, safety, and security within a harmonised regulatory framework. Situated alongside international initiatives led by UNOOSA, including the Guidelines for the Long-Term Sustainability of Outer Space Activities, the EU approach is assessed for its capacity to resist full securitisation while addressing private actor dominance.
Methodologically, the paper adopts a critical legal and regulatory governance approach, combining doctrinal analysis of international and national laws with insights from science and technology studies. It concludes that the weaponisation of Earth–space infrastructure exposes a central tension in digital sovereignty debates: efforts to secure autonomy risk accelerating fragmentation and inequality unless accompanied by legal mechanisms that constrain private power and protect global public goods.
When Big Tech Goes to War: Weaponizing Digital Infrastructure and the Limits of Dual-Use Governance
ABSTRACT. Contemporary armed conflicts reveal a profound transformation in how military power is produced, exercised, and governed. Artificial intelligence has become central to intelligence analysis, targeting, logistics, and command decision support. Yet unlike previous generations of military technology, these capabilities are no longer primarily developed or controlled by states. Instead, they rely on data, cloud computing, AI models, and digital infrastructures owned and operated by a small number of global technology companies. This shift places private platforms at the core of modern warfare and challenges existing frameworks of technology governance, sovereignty, and strategic autonomy.
This presentation argues that the growing reliance on commercial AI infrastructures marks a structural break with the traditional “dual-use” paradigm that underpins military technology transfer law. Dual-use governance assumes that technologies move across a relatively stable boundary between civilian and military domains and that states retain ultimate control over critical capabilities. AI disrupts both assumptions. AI systems are inherently multi-use, continuously evolving across civilian, governmental, and military contexts, and their effectiveness depends on persistent access to privately controlled infrastructures. As a result, power over military capability increasingly lies with platforms rather than states.
The presentation develops this argument through three interrelated claims. First, it shows that Big Tech firms have become strategic infrastructure providers for modern warfare. Control over cloud services, satellite connectivity, data aggregation, and AI development pipelines now constitutes a form of geopolitical power. Commercial platforms are no longer peripheral suppliers but chokepoints through which military operations are enabled or constrained. Decisions taken by private firms regarding access, continuity of service, or acceptable use can directly affect battlefield outcomes, as illustrated by recent conflicts in Ukraine and the Middle East.
Second, the presentation demonstrates that existing legal frameworks governing military technology transfer are ill-suited to this reality. Technology transfer law has historically pursued two main objectives: promoting innovation and mitigating national security risks through export controls, secrecy regimes, and licensing. These tools presuppose discrete technologies, identifiable transfer events, and state-centered control. In a multi-use AI environment, however, innovation flows continuously and bidirectionally between civilian and military sectors, often through shared datasets and cloud-based services. There is no clear moment of “transfer” to regulate, and no meaningful way to disentangle civilian from military functionality within a single AI system.
Third, the presentation advances a normative and regulatory claim. It argues that public–private collaboration must be recognized as a distinct regulatory objective alongside innovation and security. In an AI-driven military ecosystem, collaboration is not optional but structural. States cannot maintain strategic autonomy without sustained access to commercial AI capabilities, yet current legal regimes often generate frictions that undermine such cooperation. Intellectual property rules struggle with continuously learning systems. Export controls falter when AI is delivered as a service rather than as a product. Oversight mechanisms fail to account for black-box systems and privately owned infrastructures embedded in military decision-making.
Situating these dynamics within the broader theme of digital sovereignty, the presentation highlights a core tension of contemporary tech governance. While states seek greater strategic autonomy, they increasingly depend on global platforms subject to overlapping jurisdictions, corporate risk assessments, and transnational regulatory pressures. Sovereign control over military capability is fragmented as private firms balance national demands against global compliance obligations, reputational concerns, and market incentives. This fragmentation complicates traditional assumptions about command authority, accountability, and responsibility in wartime.
The presentation draws on recent case studies involving the deployment of commercial AI systems in active conflicts, including cloud migration of government data, battlefield use of facial recognition technologies, AI-supported targeting systems, and satellite-based communications. These cases illustrate how civilian infrastructures are rapidly repurposed for military ends and how conflict zones function as experimental environments for commercial technologies. The analysis shows that these practices generate feedback loops in which combat data improves commercial products that later re-enter civilian markets, further eroding regulatory boundaries.
The contribution of the presentation is twofold. Conceptually, it reframes military AI governance as a problem of infrastructural power rather than technology transfer alone. Legally, it exposes the structural limits of dual-use regulation in a multi-use environment and calls for a reorientation of governance frameworks toward managing interdependence between states and platforms. Rather than attempting to reassert exclusive state control, effective governance must address allocation of rights and responsibilities across public–private boundaries, resilience of critical infrastructures, and accountability for decisions embedded in privately operated systems.
By engaging with the track’s focus on weaponized infrastructure and strategic autonomy, the presentation contributes to broader debates on tech governance in a multicentric world. It shows that digital sovereignty can no longer be understood solely as territorial control or regulatory capacity. In the age of AI, sovereignty is increasingly negotiated through relationships with global platforms that shape the material conditions of security and conflict. Governing this reality requires moving beyond dual-use thinking and confronting the legal and political consequences of private infrastructural power at the heart of modern warfare.
AI-DSS and ethical trade-offs in armed conflict: do we need to reconsider the in bello trilemma?
ABSTRACT. In both Just War Theory and international humanitarian law (IHL), the fundamental principle of distinction prohibits the intentional targeting of noncombatants. Yet, this principle allows for incidental, foreseen harm to civilians when such harm is not excessive in relation to the anticipated concrete and direct military advantage, as articulated in article 51.5 (b) of Additional Protocol I (AP I). Alongside this negative obligation not to intentionally harm civilians, there exists a positive duty of care: the requirement to take all feasible precautions to minimize civilian harm, codified in art. 57 AP I and emphasized in military ethics literature. In his “Just and Unjust Wars”, Michael Walzer tells us, for instance, “that civilians have a right that ‘due care’ be taken.” (Walzer 1977, 156)
The implementation of feasible precautions in combat often gives rise to a core ethical dilemma: the in bello trilemma. This trilemma, or ‘triangular balance’, is a well-established concept in military ethics that military leaders generally face during combat operations. It refers to the need to balance three competing responsibilities: (1) achieve the mission’s objectives, (2) avoid endangering the lives of non-combatants and their property, and (3) protect the lives of own forces (Coleman 2013, 51). These values are frequently in tension because of the negative correlation that exists between them. Military commanders need to manage competing considerations, as prioritizing one dimension typically entails sacrificing another. This dynamic is especially evident in the application of precautionary measures, where efforts to reduce risk to civilians can lead to increased risk for one’s own forces or to reduced operational effectiveness, and vice versa (Lee 2004, 250). For instance, high-altitude airstrikes may reduce risk to pilots by keeping them out of range of enemy air defense systems, but lower targeting precision, thereby increasing the risk to civilians.
This balancing act is not merely theoretical. Recent operations by the Israel Defence Forces (IDF) in Gaza and Lebanon have reignited debate over what constitutes adequate precaution in warfare. Measures such as appeals to evacuate specific areas prior to attacks, leaflet drops, and text alerts have been scrutinized in light of the civilian toll. Adding a new layer to this debate is the increasing use of AI-enabled decision-support systems (AI-DSS) in targeting processes. Systems reportedly used – such as Habsora, Lavender and Where’s Daddy – have significantly accelerated target production rates, raising concerns about how such tools might influence operational tempo, precautionary measures, and ultimately civilian harm.
This presentation examines how the use of AI-enabled decision-support systems may affect the in bello trilemma, focusing on whether and how these technologies influence the obligations of due care and feasible precaution. Rather than asking whether the use of AI systems in the military domain is intrinsically ethical or not, the analysis focuses on how their deployment may alter the practical and normative balance between competing moral demands in combat. The central question guiding the analysis is whether AI-DSS meaningfully change what military decision-makers can reasonably be expected to do to protect civilians without incurring disproportionate risks to mission success or troop safety. The presentation begins by outlining the ethical principle of due care and the obligation to take feasible precautions, then briefly discusses the empirical impact of AI-DSS in military targeting on the trilemma, followed by a discussion of the normative implications of these systems for risk distribution and precautionary obligations. Finally, I will conclude that while AI-DSS may not inherently redefine normative standards, they can indirectly influence their application—particularly in shaping how military actors interpret what counts as “feasible” precaution in combat. Ultimately, this paper seeks to clarify how AI-enabled decision-support systems may shape ethical norms and de facto standards in combat, offering insights into their broader implications for military ethics and international humanitarian law.
Separating the privileged wheat from the chaff with AI: requirements for AI-based filtering in criminal investigations
ABSTRACT. Exchanges with one's lawyer, just as those with one's notary, doctor, priest or other spiritual guide, are protected by the professional privilege. This privilege is a fundamental legal principle based on a societal interest in fostering the development of a trusting relationship between, for example, a lawyer and their client or a doctor and their patient (Fanoy 2017). After all, when a full and uninhibited discussion is not guaranteed, persons in need of legal advice or medical care might forego the needed help. For these reasons, privileged exchanges are to remain confidential even in criminal investigations, and the prosecution is not allowed to get acquainted with their content. In the context of criminal investigations, however, maintaining this protection has become increasingly challenging due to the digitisation of communication. Privileged exchanges nowadays occur through email, chat messages, voice recordings, and various document attachments, such as PDFs and images (think of the photos of our private parts we send to our doctor via email) (Lochs et al. 2024). The increasing volume and complexity of digital privileged material pose new challenges for law enforcement to filter out such content without breaching the privilege.
These challenges are clearly seen in the recent Dutch criminal investigation into Box Consultants. During the investigation into fraud in 2015, the public prosecution obtained from a hosting provider a massive data set of approximately two million emails, including more than three thousand privileged email exchanges between Box Consultants and its law firm. These privileged communications should have been filtered out by the prosecution before the dataset was searched for evidence. As became known during the investigation, however, the prosecution's filtering method required a manual check of email content to ascertain whether the communications indeed qualified as privileged. In 2024, the case culminated in a multi-million settlement between the public prosecution and Box Consultants (Mos & Polman 2024) and further eroded an already strained relationship between defence attorneys and public prosecution.
The high-profile case in Box Consultants exemplifies a major issue in the protection of the professional privilege in the digital context: the current method for filtering based on keyword and entity searches (i.e., filtering terms such as 'lawyer' or 'confidential' and emails relating to law firms' email addresses) is outdated and ineffective, creating further mistrust between the defence and the prosecution (Mitchell et al. 2024). This is the case even though AI systems, especially those based on machine learning, already show potential for enhancing the accuracy and efficiency of filtering (Sluijsmans & De Bruijn 2020) and are in fact already being used by private actors, also in the Netherlands (Deloitte). So, what stands in the way of deploying AI for the protection of a fundamental legal principle in criminal investigations?
In an ongoing NWO-funded XS project, I explore the possibilities for modernising the process of identifying and filtering digital privileged material with the help of AI and the various obstacles – legal, technical or organisational – that stand in its way. Whereas existing keyword filtering methods are proving increasingly inadequate, AI-based approaches promise context-sensitive and efficient solutions. Technical research demonstrates that simple text-based filtering generates very high numbers of false positives (removing non-privileged material) and false negatives (failing to identify privileged communications), particularly when applied to large and multimodal datasets (Fleurbaaij et al. 2017). Meanwhile, private sector actors have already begun implementing AI systems for document and email filtering, suggesting the feasibility of such approaches (Deloitte; Sluijsmans & De Bruijn 2020). Despite these advancements, AI has not been applied in criminal investigations in the Netherlands, and its potential for protecting this fundamental legal principle remains unexplored.
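To make the failure modes of the keyword-and-entity filter described above concrete, the following is an added illustration (not code from the project or from the Box Consultants case): it implements such a filter over a small constructed, hand-labelled mailbox and counts false positives and false negatives. The law-firm domain, the keyword list and every message are fictitious assumptions.

```python
"""Keyword/entity filter for privileged e-mail, scored on a constructed corpus.

Added example; not the project's own code. All addresses, domains and
message contents are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed entity list and filter terms of the kind the abstract describes.
LAW_FIRM_DOMAINS = {"example-lawfirm.test"}
KEYWORDS = {"lawyer", "attorney", "confidential", "legal advice"}


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    privileged: bool            # ground-truth label, assigned by hand
    attachments: tuple = ()     # file names only; content is not inspected


# Constructed corpus. The comment on each message states the outcome a
# keyword/entity filter produces and why.
CORPUS = [
    # Caught via the law-firm domain (true positive).
    Email("j.doe@example-lawfirm.test", "cfo@box.test", "Re: tax position",
          "As discussed, our legal advice is to wait for the ruling.", True),
    # Lawyer writing from a personal mailbox, no trigger word: missed.
    Email("jdoe@personalmail.test", "cfo@box.test", "that matter",
          "Call me before you answer them. Do not put anything in writing.", True),
    # Marketing mail that merely contains the word 'lawyer': wrongly removed.
    Email("newsletter@deals.test", "cfo@box.test", "Need a lawyer? 50% off",
          "Find a lawyer near you today!", False),
    # Internal memo labelled 'confidential' but not privileged: wrongly removed.
    Email("ceo@box.test", "cfo@box.test", "Confidential: Q3 figures",
          "Confidential. Q3 revenue is up 4%.", False),
    # Ordinary business mail (true negative).
    Email("supplier@parts.test", "ops@box.test", "Invoice 4471",
          "Please find the invoice attached.", False),
    # Client forwards counsel's advice internally; 'counsel' is not a keyword: missed.
    Email("cfo@box.test", "ceo@box.test", "Fwd: that matter",
          "See below what counsel said about the ruling.", True),
    # Patient sends an image to a doctor; empty body, content in attachment: missed.
    Email("patient@personalmail.test", "dr.smith@clinic.test", "",
          "", True, attachments=("IMG_2031.jpg",)),
]


def keyword_entity_filter(email: Email) -> bool:
    """Flag a message as privileged if a listed law-firm domain appears in
    the sender or recipient, or if any keyword occurs in subject or body.
    Attachments are not opened, which is exactly the multimodal gap."""
    for addr in (email.sender, email.recipient):
        if addr.rsplit("@", 1)[-1].lower() in LAW_FIRM_DOMAINS:
            return True
    text = f"{email.subject} {email.body}".lower()
    return any(re.search(rf"\b{re.escape(k)}\b", text) for k in KEYWORDS)


def evaluate(corpus, predict) -> dict:
    """Confusion counts for a filter. Here a false negative is the serious
    error: privileged material reaches the investigators. A false positive
    means non-privileged evidence is withheld from the investigation."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in corpus:
        flagged = predict(e)
        if flagged and e.privileged:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif e.privileged:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def missed_privileged(corpus, predict) -> list:
    """Subjects of privileged messages the filter let through (the breaches)."""
    return [e.subject for e in corpus if e.privileged and not predict(e)]


if __name__ == "__main__":
    print(evaluate(CORPUS, keyword_entity_filter))
    print("breaches:", missed_privileged(CORPUS, keyword_entity_filter))
```

On this seven-message corpus the filter catches only one of four privileged messages while removing two non-privileged ones, which is the pattern of high false positives and false negatives the abstract attributes to text-based filtering.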
This research reframes the obstacles as requirements by asking the question: What are the essential and desirable requirements – legal, technical or organisational – of a sufficiently well-functioning AI system for filtering privileged material in the context of large and multimodal data sets? To address this question, the research combines socio-legal inquiry with technology assessment, drawing on critical legal studies and public administration. These (sub)disciplines emphasise that successful technological implementation depends not only on legality and technical feasibility but also on organisational acceptance and trust (Grimmelikhuijsen 2022). In the absence of academic research on the legal, technical or organisational requirements of an AI-filtering system, this exploratory project further employed empirical socio-legal methods, such as in-depth interviews and focus group discussions, with all key stakeholders involved in the protection of the privilege: the Dutch police, the public prosecution, the Netherlands Order of Attorneys (NOvA), attorneys themselves, investigatory judges, digital forensics experts, legal scholars and the Dutch Council for the Judiciary (Raad voor de Rechtspraak).
In this presentation, I will present and test my first findings based on literature and interview analysis.
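To make concrete why the keyword-and-entity filtering described above misses privileged mail and over-blocks ordinary mail, here is an added Python example; it is not code from the NWO project or from the Dutch prosecution. The e-mails, domains, ground-truth labels and term list are all constructed for illustration.

```python
"""Toy keyword/entity privilege filter, evaluated against constructed labels.

The filter mirrors the approach the abstract criticises: flag a message as
privileged if its text contains a trigger term ('lawyer', 'confidential', ...)
or if one of its addresses belongs to a known law-firm domain.
"""
from dataclasses import dataclass

# Trigger terms and law-firm domains are constructed, not a real filter list.
PRIVILEGE_TERMS = ("lawyer", "attorney", "confidential", "legal advice")
LAW_FIRM_DOMAINS = ("lawfirm.example",)


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    privileged: bool  # ground-truth label (constructed for the example)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def keyword_entity_filter(mail: Email,
                          terms=PRIVILEGE_TERMS,
                          domains=LAW_FIRM_DOMAINS) -> bool:
    """Return True if the naive filter would withhold this message as privileged."""
    text = f"{mail.subject} {mail.body}".lower()
    if any(term in text for term in terms):
        return True
    return _domain(mail.sender) in domains or _domain(mail.recipient) in domains


# Constructed corpus: two correct hits, two over-blocks, two misses, one clean mail.
SAMPLE_EMAILS = [
    Email("partner@lawfirm.example", "cfo@box.example",
          "Re: advice on the tax structure", "Our assessment follows.", True),
    Email("cfo@box.example", "partner@lawfirm.example",
          "Confidential: supplier dispute", "Please advise on next steps.", True),
    # Mentions 'lawyer' socially: non-privileged, but the term match blocks it.
    Email("hr@box.example", "all@box.example",
          "Friday drinks", "My brother is a lawyer and will join us.", False),
    # Commercial 'confidential' marking: non-privileged, but blocked.
    Email("marketing@box.example", "vendor@supplier.example",
          "Confidential price list", "Attached as discussed.", False),
    # Attorney writing from a personal mailbox without trigger words: missed.
    Email("j.doe@webmail.example", "cfo@box.example",
          "The matter we discussed",
          "Here is my view on the dispute with the supplier.", True),
    # Counsel at a firm not on the domain list, no trigger words: missed.
    Email("cfo@box.example", "counsel@newfirm.example",
          "Draft contract", "Attached for your review.", True),
    Email("ops@box.example", "ops-team@box.example",
          "Server maintenance tonight", "Expect a short outage.", False),
]


def evaluate(emails, filter_fn=keyword_entity_filter) -> dict:
    """Count true/false positives and negatives and derive precision and recall.

    A false positive is non-privileged material wrongly withheld from the
    investigation; a false negative is privileged material wrongly exposed.
    """
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for mail in emails:
        flagged = filter_fn(mail)
        if flagged and mail.privileged:
            counts["tp"] += 1
        elif flagged and not mail.privileged:
            counts["fp"] += 1
        elif not flagged and mail.privileged:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    positives = counts["tp"] + counts["fp"]
    actual = counts["tp"] + counts["fn"]
    counts["precision"] = counts["tp"] / positives if positives else 0.0
    counts["recall"] = counts["tp"] / actual if actual else 0.0
    return counts


if __name__ == "__main__":
    # On this constructed set the naive filter reaches only 0.5 precision and
    # 0.5 recall: half the withheld mail is not privileged, and half of the
    # privileged mail reaches the investigators.
    print(evaluate(SAMPLE_EMAILS))
```

Each false negative here is precisely the kind of message a manual content check had to catch in the Box Consultants case, and each false positive is evidence needlessly withheld.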
Automated Management of Notitiae Criminis in the Italian Prosecutorial System: Legal Frameworks for AI Integration
ABSTRACT. The integration of artificial intelligence (AI) into the justice system offers both opportunities and challenges, particularly in managing the growing volume of criminal case reports. In Italy, prosecutorial offices face pressure to process notitiae criminis - i.e., initial criminal notifications - that arrive in disparate formats and require prompt attention. This process is often hindered by inefficiencies such as document review bottlenecks, uneven case distribution and the risk of human error. This paper aims to assemble the legal frameworks governing AI in the judicial system at both national and supranational levels, applying them to a case study of notitiae criminis management in an Italian prosecutor’s office.
The first part of the research offers a comparative-legal analysis of the EU’s framework for AI, concentrating on the latest regulatory developments and their harmonization in the context of AI applications in the justice sector. The paper further examines Italy’s national legal framework, with particular attention to data protection, techniques of pseudonymization and privacy laws. This section concludes with a comparative assessment of how AI can function within these legal boundaries, ensuring both data security and regulatory compliance.
The second part of the research presents a case study on the management of notitiae criminis in an Italian prosecutor's office, specifically one of medium-to-large size, flagging the challenges prosecutors encounter when processing criminal notifications. Due to the time-sensitive nature of the task, manual review of documents such as police reports and complaints is required to ensure accuracy and proper data entry into the specific case management system used by the office. The diversity of document formats and legal language often results in delays and errors, undermining efficiency. The research simulates scenarios where multiple notitiae criminis arrive and examines how AI could automate data extraction, harmonize information and classify the legal nature of the cases.
The paper discusses the challenges of implementing AI in the justice system while maintaining a human-in-the-loop approach, where human oversight remains central to legal tasks. While AI can automate routine tasks, human judgment remains crucial for case classification and legal assessment. This approach ensures that, despite the efficiency gains provided by AI, critical decisions are still made with human expertise, preserving the integrity of the legal process.
In conclusion, this research illustrates how AI can enhance the efficiency and fairness of Italy’s prosecutorial system, while simultaneously addressing key legal and ethical challenges. By examining both legal frameworks and practical applications, the study offers valuable insights into AI’s potential to improve the criminal justice process, ensuring that it operates effectively while upholding legal principles. Although the focus is on the Italian judicial system, the proposed solution is adaptable and can be implemented and studied in similar legal systems.
Searching Identity Through Method: Law & Tech from a Criminal Law Perspective
ABSTRACT. In contemporary digital societies, technological development permeates every branch of the law, from contract and tort to constitutional and criminal law. This pervasive impact has significantly intensified scholarly engagement with the relationship between law and technology, while simultaneously raising a fundamental question: what constitutes ‘Law & Tech’ as a research field in its own right? When technological issues are ubiquitous across legal disciplines, the risk emerges that Law & Tech becomes a diffuse label rather than a coherent scholarly domain. This paper argues that the consolidation of Law & Tech as a distinct field depends not primarily on its subject matter, but on its methodological foundations [1]. In this view, legal analysis cannot be decoupled from an informed engagement with the technical and social characteristics of the technological artefact under examination. Scholars are therefore encouraged to interrogate the design, functioning, and affordances of technologies, as well as their broader social implications, as a precondition for meaningful legal analysis. While this perspective has contributed significantly to the maturation of Law & Tech scholarship, it also raises deeper questions concerning method: what does it mean, methodologically, to ‘get the technology’ to then be able to regulate it? How should legal reasoning incorporate technical knowledge without collapsing into technical determinism or losing its normative specificity?
This paper proposes that addressing such questions requires a deliberate methodological self-reflection. Rather than treating Law & Tech as a thematic aggregation of legal problems involving technology, the paper explores the emergence of Law & Tech through the lens of ‘methods.’ It argues that the field’s capacity to sustain interdisciplinary dialogue, while remaining intelligible and relevant to traditional legal disciplines, hinges on the development of shared methodological reference points. Building on seminal contributions of American scholars,[2] and on more recent methodological proposals emerging within European legal scholarship,[3] the paper maps and compares the evolving methodological landscapes of Law & Tech in the US and EU contexts. These landscapes are shaped by differing legal traditions, institutional settings, and conceptions of the relationship between law and technology. In the US debate, Law & Tech scholarship has often developed through close engagement with technology studies, sociology, and science and technology studies (STS), emphasizing contextual, functional, and socio-technical analysis. In contrast, European approaches have tended to remain more closely anchored to doctrinal legal analysis, while increasingly integrating interdisciplinary perspectives in a more structured and, at times, cautious manner.
The paper argues that these methodological differences are not merely stylistic but reflect deeper assumptions about the role of law vis-à-vis technological change. In particular, they influence how Law & Tech scholarship positions itself in relation to established legal disciplines and how effectively it can inform doctrinal development and legal reform. This tension becomes especially visible in areas of law where methodological rigor and normative precision are traditionally central, such as criminal law.
Against this background, the paper uses criminal law as a case study to examine the challenges and opportunities of methodological cross-fertilization between Law & Tech and traditional legal disciplines. In the European context, studies on law and technology can be broadly categorized into two approaches.[4] A ‘horizontal’ approach focuses on EU law. A ‘vertical’ approach, by contrast, examines the interaction between technology and national legal systems, typically within a specific branch of law, such as criminal law, administrative law, or private law. While both approaches contribute valuable insights, their methodological premises and objectives differ significantly.
Focusing on criminal law, the paper addresses one of the central challenges posed by technological evolution: whether and to what extent new technologies require criminal law reform. Historically, technological change has repeatedly prompted such debates. We witnessed it most notably in relation to cyberspace and cybercrime.[5] The emergence of AI now raises similar questions, including whether AI-related conduct necessitates the adjustment of existing criminal offences or the introduction of new forms of criminalization. Recent legislative initiatives in some jurisdictions (such as Italy, which recently passed a Law on the matter) provide early examples of how legal systems are beginning to respond to these challenges.
Rather than engaging directly in a substantive assessment of AI-related criminalization, the paper reframes the issue as a methodological problem. It asks how criminal law scholars should approach technological novelty from a methodological standpoint, and how interdisciplinary insights from Law & Tech can be integrated into criminal law analysis without undermining its core principles. Criminal law is characterized by well-established methods, as are those that can be inferred by theories of criminalization.[6] At the same time, technological mediation increasingly affects key criminal law concepts such as the category of harm.
The paper therefore investigates whether a dialectical interaction can be established between criminal law methodology and the interdisciplinary approaches typical of Law & Tech studies. It explores how technical understanding and socio-technical analysis can inform criminal law reasoning, while preserving the normative and doctrinal rigor that characterizes the field. By doing so, the paper aims to outline possible methodological frameworks for cross-fertilization that enrich both Law & Tech and criminal law, rather than subordinating one to the other.
Ultimately, the paper contends that Law & Tech can consolidate its identity as a research field not by replacing traditional legal methods, but by developing a reflective methodological posture capable of engaging with them productively.
[1] Ryan Calo, Law and Technology. A methodical approach (Oxford University Press, 2025).
[2] Ibid.
[3] Silvia De Conca, “The Law of the European Horse: The law and Technology Scholarship in the European Union, between National Legal Traditions and Supranational Governance” (2025) The Italian Law Journal, 11(1), 119-137.
[4] Ibid.
[5] Bert-Jaap Koops, “Technology and the Crime Society: Rethinking Legal Protection” (2009) Law, Innovation & Technology, 1(1), 93-124.
[6] Tatjana Hörnle, “Theories of Criminalization”, in M. Dubber and T. Hörnle (eds.), The Oxford Handbook of Criminal Law (Oxford University Press, 2014).
Centralized automated fraud detection in the digital euro: reconciling data protection with financial oversight and stability
ABSTRACT. The Digital Euro Proposal is often presented as a technical response to the declining use of cash, the rise of private digital payment instruments, and the growing geopolitical significance of central bank digital currencies. It emphasises continuity rather than disruption: the digital euro brings public money into the digital space, as a complement to cash. Placed within existing legal and institutional frameworks, the digital euro preserves the defining features of public money and reinforces the ECB’s mandate, supporting monetary stability and the smooth functioning of payment systems.
However, certain design choices embedded in the proposed Digital Euro Regulation suggest a subtler but consequential expansion of institutional authority. Notably, Article 32 allows for a centralisation of fraud detection and risk assessment at the ECB, extending its functions beyond currency issuance and macroprudential oversight into system-wide behavioural monitoring. Tasks that were once distributed among supervised intermediaries now reside within the infrastructure of central bank money, processing vast amounts of personal data and reshaping the relationship between the ECB, financial intermediaries, and end users. In this way, what appears as a technical innovation also quietly transforms the architecture of monetary governance.
In this context, we find a friction that runs through the proposal between technical design, the reach of institutional authority, and the protection of individual rights. Rather than treating these aspects in isolation, it is necessary to consider how the digital euro quietly reshapes the ECB’s influence, interacts with legal safeguards for personal data, and negotiates the often-fraught interface between EU regulation and the operational practices of private intermediaries.
At the same time, the proposed Digital Omnibus Package, which seeks to streamline and amend core digital legislation on data governance, AI and cybersecurity, underscores this point: its simplification measures could alter compliance burdens and definitions for data processing and automated systems, potentially affecting how fraud detection systems interact with broader EU data and privacy regimes.
From this perspective, the proposed paper turns to the following questions:
1. How does Article 32 of the Digital Euro Proposal alter the traditional boundaries of ECB authority in monetary governance?
2. What are the legal and practical implications of embedding automated, centralised fraud detection within a public digital currency system, particularly regarding fundamental rights, such as the right to personal data protection?
3. Which legal framework governs the ECB’s accountability for designing and implementing an automated, centralised fraud-detection system in cases of fundamental rights violations?
4. How does the interaction between the EUDPR (applicable to the ECB) and the GDPR (applicable to private intermediaries) shape responsibilities, safeguards, and redress mechanisms?
5. In what ways does the Digital Omnibus Package influence or complicate these dynamics, particularly concerning automated decision-making and procedural protections?
State of the art
Existing literature on central bank digital currencies (CBDCs) primarily treats the digital euro as a technological innovation with monetary and macro-financial implications. While several aspects of CBDCs have sparked debate in the academic literature, the focus has been on how this form of digital money should engage with anti-money laundering and counter-terrorism financing. Little attention has been paid to the impact this solution can have on the right to data protection, with some notable exceptions, from both scholars and supervisory bodies.
Given the critical role that data, and by extension its regulatory governance, play in financial services, it is necessary to further explore potential tensions at the intersection of digital finance with EU data protection law in the context of the digital euro project. In this respect, there is extensive work on other critical tensions within this crossroads that resonate with data-driven finance. For example, the SCHUFA (C‑486/19) decision, and the surrounding literature, explored the implications of using automated decision-making mechanisms in the financial sector when algorithmic assessments produce legal or similarly significant effects. These studies underscore the importance of human oversight, procedural safeguards, and the right to redress. However, there are no studies that conduct an equivalent analysis of the novel configuration in Article 32 of the Digital Euro Proposal, where the ECB generates risk assessments under the EUDPR and private intermediaries implement decisions under the GDPR.
Furthermore, the Digital Omnibus Package intends to introduce reforms to GDPR provisions on automated decision-making. Although the package aims to “simplify” legal constraints on automated decision-making, its interaction with high-stakes central bank infrastructure and its potential effects on accountability gaps and rights protection have not yet been systematically explored. As such, this research would contribute to that debate, in addition to its direct implications for the digital euro.
Considerations emerging from this study
a) Behavioural control as monetary infrastructure
The paper addresses Article 32 of the Digital Euro Proposal not merely as a technical provision for fraud prevention, but as a fundamental innovation in monetary governance, expanding the ECB’s authority to system-wide behavioural control through the authorisation of a centralised fraud-detection mechanism designed to operate across the digital euro system. In practice, continuous access to transaction-level data and its analysis through automated risk assessment tools, potentially including AI-driven algorithms, involves extensive and intensive processing of personal data. The shift from intermediary-led fraud detection under supervisory oversight to fraud detection as a core infrastructure of central bank money has both governance and constitutional significance: the ECB’s authority expands into the operational regulation of individual transactions, blurring the line between monetary policy and behavioural control.
b) Article 32 in the context of EU Data Protection Law
The paper underscores the operational and legal tensions between the EUDPR and GDPR frameworks, a challenge that is particularly pronounced in the context of the digital euro. Maintaining a very high standard of privacy and data protection will be central to the success of the future digital euro. Additionally, EU jurisprudence, particularly in the SCHUFA case, has clarified that automated risk assessments can produce decisions with legal or similarly significant effects, demanding heightened procedural and substantive safeguards. We must therefore read Article 32 against this broader legal and institutional backdrop.
c) Regulatory dynamics and automated decision-making
The paper examines how the Digital Omnibus Package modifies the landscape for automated decision-making and procedural safeguards, contributing new insights into the balance between operational efficiency and fundamental rights. By recalibrating the rules around automated decision-making, the package reduces procedural friction and may strengthen operational reliance on algorithmic systems. At the same time, the notion of “suitable safeguards” becomes more salient yet remains indeterminate. The combination of Article 32 and the Omnibus reforms produces a system that is operationally resilient but legally opaque, raising critical questions about legitimacy, oversight, and the balance between efficiency and rights protection.
d) Operational responsibility and data subject rights in the Digital Euro
Focusing on the fragmentation of responsibilities between the ECB and private intermediaries, the paper uncovers a structural accountability gap that the existing literature does not address, with implications for the legitimacy of automated financial control. The ECB generates risk assessments under the EUDPR, while private payment service providers implement the resulting restrictions under the GDPR. This division produces an accountability gap: each actor can plausibly deny full responsibility, leaving data subjects with limited avenues to exercise their rights. The result is a complex overlay of legal obligations, procedural ambiguities, and potential conflicts between institutional objectives and fundamental rights protections.
Expected results from the study
This research situates Article 32 at the intersection of monetary governance, data protection law, and regulatory simplification, with the aim to:
1. Provide a novel institutional perspective on the digital euro, highlighting the ECB’s expanded role in operational oversight and behavioural regulation.
2. Clarify the interaction between the EUDPR and GDPR in a high-stakes financial context, exposing structural accountability gaps.
3. Critically assess the implications of the Digital Omnibus Package for automated decision-making in central bank systems.
4. Offer policy-relevant recommendations for aligning operational resilience with rights protection in the deployment of public digital money.
Meta questions on what it means to do legal research: Lessons learned from research on data spaces
ABSTRACT. The European Union (EU) has been actively trying to shape the digital environment in order to fulfil its policy goals. The EU, and more specifically the European Commission (Commission), has designed a vision of what the EU way of data governance should look like, namely a ‘European single market for data’ based on local and ‘common European data spaces’. To operationalise this idealistic vision, the EU has issued several pieces of legislation (including the Data Governance Act, the Data Act and the Health Data Space Regulation). It has dedicated financial means, especially through the funding of research, development and deployment projects under the Horizon framework, spurring public-private collaborations among companies, public authorities and academia with a marked focus on technology. In this context, researchers have found themselves tasked with operationalising the EU vision and, therefore, also the vague concepts that underpin it (such as: what is a data space, what are the roles and responsibilities of data space participants, and how should one be built), in a complex multi-stakeholder context.
The interactive workshop seeks to steer a discussion on the role of researchers therein, and especially of researchers in law, and to infer from this broader lessons for legal research. Researchers in law are often confronted with contradictory incentives, which become even more acute and salient in the context of data spaces. First, research implies taking a critical perspective on its object (in this case, the law), while a constructive approach to research can also be to ‘make things work’. Second, lawyers rely on legal notions and interpretation but, at the same time, they should be creative and move beyond the obvious. In the case of data spaces, this creates many frictions, including the risk that researchers end up doing politics instead of law, that they fail to engage with the factual assumptions upon which a techno-legal concept is built, or that they inadvertently follow in the footsteps or values of involved stakeholders, to the detriment of independent and socially beneficial research.
The interactive workshop will be facilitated by Gijs van Maanen and Charlotte Ducuing. It will build upon the experience of researchers in law who conduct (or recently conducted) research in data spaces: Halid Kayan, Leander Stähler, Sara Garsia and Tjaša Petročnik, who will spark the first part of the workshop by briefly outlining the frictions that they experienced as well as the mechanisms that they put in place (individually or collectively) to try and overcome them. On this basis, the workshop participants will identify and cluster (i.) a list of frictions / challenges as they arise in (legal) data space research and beyond; and (ii.) a list of possible countermeasures, recommendations or workarounds. The second part of the workshop will consist of an open and critical discussion on the necessary conditions that should be met for good and critical research in law to take place, i.e. how closely a researcher should be involved with their research object, and the meta-conditions for research (funding, research collaborations, etc.).
Coloured minds colour the world – could neurodivergent brains help evolve AI sparsity?
ABSTRACT. This paper explores how insights from the neuroscience of profoundly gifted brains could lead to the redesign of AI systems. It proposes embedding human-centric filters inspired by neuroscience research to create context-aware judgement in decision making and so reduce bias.
From China with love: Virtual AI Companions and Power of Vertical Regulation
ABSTRACT. Since the debut of ChatGPT in November 2022, productivity has been the primary metric for assessing generative Artificial Intelligence's (AI) return on investment. However, according to a 2024 KPMG survey of 225 US-based companies, revenue generation has now overtaken productivity as the dominant measure businesses use to evaluate AI's impact. In line with this shift, Chinese tech giants like Baidu, Tencent, Alibaba and ByteDance are rapidly embracing generative AI to tap into the growing market for Virtual AI Companions, further highlighting AI's revenue-generating potential. Virtual AI companions, often referred to as avatars, replicas, holograms, or chatbots, offer not only conversational capabilities that strengthen consumer relationships, but their human-like design also cultivates a deeper emotional connection between users and service providers. Outside of the People’s Republic of China, the most recognisable AI companion apps are Replika AI and Character AI.
The development of social chatbots, designed to engage in empathetic conversations, has long been a key objective in AI. Early rule-based social chatbot systems operated in limited contexts, but recent machine learning advancements and large conversational datasets have brought the goal closer to reality. One of the most popular virtual AI companions in China is the Xingye app, developed by MiniMax. It offers engaging plotlines and a realistic AI chat experience to provide users with immersive interactions, whether through casual or voice chat. Since its establishment at the end of 2021, the app has achieved impressive metrics, with its large models interacting with users an average of 3 billion times daily, processing over 3 trillion text tokens, and generating 20 million images and 70,000 hours of voice content. In December 2025, MiniMax’s virtual character chatbot Xingye reported 4.6 million monthly active users, while ByteDance’s Mao Xiang reached 4.7 million.
This paper examines the evolving landscape of virtual AI companions in China through the lens of vertical AI regulation, focusing on how targeted regulatory measures seek to mitigate risks to users. Using Chinese apps such as Xingye, Tongyi Stardust, MaoXiang and Xiaokan Planet as case studies, the research assesses the effects of existing frameworks, including the Interim Measures for the Management of Generative Artificial Intelligence Services, the Measures for Labeling of AI-Generated Synthetic Content and the regulations governing Algorithmic Recommendation and Deep Synthesis technologies. It also incorporates discussion of the Interim Measures for the Administration of Humanised Interactive Services Based on Artificial Intelligence (Draft for Solicitation of Comments) released for public consultation by the Cyberspace Administration of China on 27 December 2025. As private ordering is a major force regulating interactions between users and service providers, which often position themselves as platforms, the author conducted an empirical study evaluating the terms of service (ToS) of the most popular Chinese virtual AI companions, in order to assess their level of compliance with the vertical AI rules in China. While many studies have focused on virtual companions and ghostbots in terms of privacy and data protection beyond China, there remains a research gap concerning the effects of vertical regulation on virtual AI companions. By analysing platform terms of service alongside regulatory requirements, this study fills a gap in the literature on the real-world impact of pre-market approval and sector-specific governance on AI service providers. The paper highlights emerging legal challenges related to data protection, privacy, and intellectual property, and illustrates how China’s vertical regulatory model uniquely shapes the development and deployment of anthropomorphic interactive AI services.