Digital sovereignty models and international legal fragmentation in cyberspace
ABSTRACT. The contemporary understanding of digital sovereignty is undergoing a conceptual shift: from a classic state-centric paradigm to hybrid forms in which transnational technology corporations play a key role and regulatory powers are distributed irregularly. This article analyses the structural transformations of the international legal order under the influence of digitalization and intensifying geopolitical competition. The article examines corporate sovereignty as a structural element of the international legal order and proposes a three-model typology of digital sovereignty. Drawing on a doctrinal and comparative legal approach, three models of digital sovereignty are identified: hard sovereignty, soft regulatory sovereignty, and cooperative sovereignty. It is shown that each model has a different impact on the formation of cyber governance regimes, the balance of control and accountability, and the distribution of digital resources and infrastructure. The article concludes that the development of minimum international standards in the areas of infrastructural control, algorithmic transparency, and accountability will prevent further fragmentation of the global digital space and the consolidation of corporate hegemony.
Generative AI as Critical Infrastructure: National Security, Strategic Autonomy, and the Reform of International Economic Law
ABSTRACT. Generative AI is increasingly delivered through APIs and cloud interfaces. Firms call models as network services and embed them into manufacturing, finance, logistics, health, education and public administration. In practice, these model APIs sit inside Industry 4.0 systems and operate alongside data flows, connected devices, automation tools and platform services. Once AI becomes a general-purpose capability across sectors, it no longer looks like an ordinary digital service. It begins to function as part of critical digital infrastructure. This shift matters for national security and public interest. It raises concerns about systemic dependence on foreign suppliers, disruption risks, remote control through updates, cyber vulnerabilities, data access, model manipulation and the possibility that a small number of providers can set technical defaults for whole markets.
Recent trade and investment practice shows how quickly AI and its inputs can be treated as strategic assets. Export controls on advanced semiconductors and related computing items, and restrictions on the transfer of advanced model weights, are increasingly justified in security terms and have direct effects on cross-border supply. Investment screening has also expanded towards AI, data-rich businesses and cloud-related assets, on the view that control over compute and data can translate into influence over security-sensitive capabilities. Procurement and vendor restrictions for telecommunications and cloud services have similarly been framed as critical infrastructure protection, with spillover effects for AI services that rely on those layers. These measures illustrate a wider trend. States are not only regulating outputs and harms. They are governing the underlying infrastructure, supply chains and dependencies that shape who can build, deploy and update AI systems at scale.
This paper examines how infrastructure risks are being governed through regulatory tools that combine public law, technical standards and private assurance chains. Using the EU AI Act as the central example, it analyses how a standards and conformity assessment model is used to translate high-level public goals into operational requirements for developers, deployers and suppliers. It then assesses how these tools interact with international economic law (IEL), focusing on the GATS and selected digital trade agreements, and situating EU compliance tools within the landscape of international AI standards, including ISO and IEC work. The central question is how, and to what extent, an evidence-based compliance pathway can function in practice for cross-border supply of AI-enabled services, and what trade and investment frictions it may create.
The paper argues that the key battleground is not only whether a service is allowed, but the conditions under which it can be supplied and maintained across borders. In practice, these conditions are often expressed as compliance evidence. Suppliers may be expected to deliver recognised documentation, testing results, audit trails, incident reporting and assurance in formats accepted by regulators, buyers and auditors. Where such evidence is difficult to produce, verify or translate across jurisdictions, the barrier appears to be a technical or contractual problem, but it can operate as a de facto condition of market access. This is especially visible in procurement and supply chain settings, where compliance demands are transmitted through contractual flow down. It is also visible in platform ecosystems, where access, updates and continued service can depend on meeting platform-defined assurance thresholds.
A further finding is that compliance evidence is shaped by multiple actors. Standard setters, auditors, accreditation bodies, procurement departments, platforms and regulators jointly define what counts as trustworthy AI. Major AI platforms can operate as quasi-regulators through API terms, developer policies, audit rights and the ability to restrict access or updates. Public regulation often connects to this private layer through reliance on recognised standards, accredited assessment bodies, procurement conditions and due diligence duties. Under IEL, this blurring of public and private governance complicates the identification of a “Member measure”, and the assessment of de facto disadvantage, particularly where market access constraints arise through decentralised evidence demands rather than explicit border restrictions.
The paper connects these dynamics to strategic autonomy and digital sovereignty. Where key AI inputs such as compute, cloud capacity, foundation model ecosystems and developer platforms are concentrated, infrastructure power can shape who is able to supply, update and support models across borders, and which compliance practices become widely adopted. This has a security dimension. It affects resilience, continuity of service and the ability to verify and control critical dependencies. It also has a rule-making dimension. If compliance evidence templates, audit methods and technical benchmarks travel through procurement and platforms, they can become global defaults even without a formal international agreement.
Against this background, the paper identifies three shortcomings in current IEL responses. First, core disciplines were designed for border measures and direct regulation, while infrastructure-style governance often works through standards, audits, procurement and contracting chains. Second, security and resilience-based regulation is likely to expand, but existing exception-based approaches offer limited guidance on how to design such measures in a way that is transparent, reviewable and not unnecessarily trade restrictive. Third, IEL lacks workable tools to support interoperability of compliance evidence across jurisdictions, which increases repeated audits, duplicated documentation and fragmentation. In parallel, investment law and investment screening practice are moving in security directions, but without a settled vocabulary for distinguishing legitimate resilience from strategic exclusion.
The paper proposes a reform agenda centred on interoperability rather than full uniformity of rules. It develops two routes, recognition of foreign compliance results and structured equivalence assessments, to reduce repeated assurance without lowering legitimate public goals such as safety, cybersecurity and fundamental rights protection. It also proposes a dynamic equivalence model that fits continuous model updates through version control, ongoing monitoring, incident reporting and clearer thresholds for when an update triggers re-assessment. Institutionally, states could agree on baseline recognition and equivalence principles in trade and digital agreements, and then operationalise them through procurement and state-to-provider contracting, with conditions tied to internationally recognised standards and accepted conformity assessment practices. This approach treats compliance evidence infrastructure as a shared governance object. It aims to reduce fragmentation while preserving space for risk-based regulation and security-sensitive safeguards.
The core claim is that in the digital era, regulatory autonomy and rule-making influence depend on both legal authority and infrastructure capability. Treating AI as part of critical infrastructure clarifies why national security, public interest and market access debates converge on standards, conformity assessment and platform-based evidence gates. A state that aims to shape global rules cannot rely on legal texts alone. It also needs credible capability to assess, verify and sustain the infrastructure on which AI services depend.
Are We Prepared? Legal Responses to AI-Driven Bioterrorism Threats
ABSTRACT. Technologies like artificial intelligence (AI) and biotechnology can unlock unprecedented scientific advancements, but they also introduce novel risks, among which are existential threats like bioterrorism. Lawmakers and policymakers typically attempt to balance innovation with regulation by creating exemptions and exceptions in regulations and policies. These exemptions and exceptions quite often include scientific and military research. For example, the EU AI Act explicitly exempts military, defense, and national security applications from its scope entirely. In addition, it exempts scientific research that will not be placed on the EU market. And even in the biotech regulatory framework, where military conventions already exist, the regulations foresee certain exceptions. The Biological Weapons Convention (BWC) and Chemical Weapons Convention (CWC) prohibit offensive biological and chemical weapons. In addition, the BWC permits research and development for "prophylactic, protective or other peaceful purposes" intended for defensive measures like vaccine development. Accordingly, the Rome Statute classifies the use of biotechnology in weapons as war crimes. However, the Rome Statute is grounded in prevailing treaty law, such as the BWC and CWC, thereby determining what constitutes prohibited conduct.
However, such approaches are problematic. The EU AI Act's blanket military exemption removes such systems from the harmonised risk-based framework of the AI Act, thereby shifting them to fragmented national and international regimes and weakening ex ante oversight of dual-use applications. The BWC and CWC's exception for defensive and peaceful purposes, though narrower in scope, remains dangerously ambiguous: the line between defensive research and offensive capability is often blurred, and "peaceful purposes" can serve as cover for dual-use development. This is where the dual-use dilemma becomes acute. Technologies and research conducted under the umbrella of defense or public health can be repurposed for harm, and current regulatory frameworks struggle to anticipate, monitor, or prevent this shift. When combined with AI's capacity to optimize and accelerate biological threats, these exemptions and exceptions create regulatory gaps vulnerable to criminal exploitation. One might assume that criminal law could help prevent such harms, but legislation struggles to keep pace with technological development. Despite the Rome Statute's neutral approach towards technology and its criminalisation of outcomes and conduct, it does not proactively regulate or anticipate advances in military biotechnology, leaving significant normative and enforcement gaps. The theories underpinning criminal law were designed for human behavior occurring in physical and linear ways, rendering them ill-suited to address the complexities of emerging technologies. This convergence of AI and biotechnology leads to threats like bioterrorism, with AI serving as a potentially dangerous catalyst.
This paper examines the dual challenge posed by AI-driven bioterrorism: first, the inadequacy of current regulatory frameworks to address the rapid evolution of AI and biotech; and second, the limitations of criminal law in preempting and prosecuting such threats. The analysis adopts a regulatory perspective while accounting for the practical shortcomings of international criminal law in this context.
First, the paper critically assesses the regulatory landscape governing AI and biotechnology, highlighting the fragmented and reactive nature of existing policies. While acknowledging developments in the biotech frameworks, it argues that siloed approaches to AI and biotech regulation inadequately address the synergistic risks emerging at their intersection. Conventional legal doctrines face scrutiny when AI and biotechnology are used to cause terroristic harm, especially when decisions during the terroristic attack are outsourced to a machine that might deviate from human instructions. Machine learning's inherent opacity and autonomous adaptation, combined with the quite often invisible danger of biotechnology, present significant challenges to conventional regulatory approaches and criminal forensics. The dual-use dilemma and its attempt to balance right and wrong often hinder lawmakers and policymakers from quickly adapting regulations. Hence, this slow regulatory pace creates critical legislative gaps that malicious actors could exploit. Drawing on comparative legal analysis and using justification rooted in political and legal philosophy, the paper proposes a proactive, design-integrated oversight framework that includes adjustments in biotech and AI regulations to mitigate these risks.
Second, the paper explores the role of criminal law in deterring and responding to AI-enabled bioterrorism. It evaluates the efficacy of current legal instruments - including anti-terrorism statutes and international conventions - in addressing the unique challenges posed by AI's dual-use potential. The analysis reveals significant shortcomings: jurisdictional ambiguities and difficulties in attributing liability within decentralized or autonomous systems are particularly concerning given the proliferation of these technologies and the accompanying rise in jurisdictional disputes and cyber-incidents. Furthermore, AI-enabled bioterrorism could, depending on scale and context, fall within existing categories of international criminal law such as crimes against humanity or war crimes under the Rome Statute, while simultaneously triggering transnational counter-terrorism regimes that operate outside the framework of the International Criminal Court, creating complex jurisdictional and enforcement challenges within international criminal law. To address these issues, the paper advocates for expanding criminal liability doctrines to encompass AI-specific offenses and harmonizing international legal standards to close loopholes that could be targeted by malicious actors.
With this paper, we offer a holistic approach to safeguarding against AI-enabled bioterrorism, concluding with actionable recommendations for policymakers, legal scholars, and industry stakeholders, emphasizing the need for adaptive governance structures and cross-disciplinary collaboration to effectively anticipate and respond to emerging threats.
Governing Resilience on Borrowed Infrastructure: Designing a Convergent Cyber‑Resilience Architecture for EU Financial Institutions
ABSTRACT. The cyber‑resilience framework in the European Union for financial entities has undergone a transformation from regulatory sparsity to institutional density. The Digital Operational Resilience Regulation (DORA) now establishes a comprehensive, sector‑specific regime governing ICT risk management, incident reporting, operational resilience testing, and third‑party oversight across 21 categories of financial entity.
This sectoral instrument operates alongside horizontal frameworks (the NIS2 Directive, the General Data Protection Regulation (GDPR)) and sectoral instruments including the Payment Services Directive and Regulation, each with cyber‑resilience, security, and governance obligations. While the trajectory toward stronger, more integrated cyber‑resilience governance is both normatively desirable and broadly welcomed, recent scholarship has begun to surface latent tensions between overlapping regimes as they interact in increasingly complex institutional and technological environments.
In a financial sector now fundamentally reliant on cloud platforms, ICT outsourcing, and third‑party digital infrastructure, regulation is no longer merely a constraint or enabler: it has become an integral component of the governance architecture through which cyber‑resilience is operationalized or undermined.
This paper takes these insights as foundational but pivots away from the prevailing diagnostic emphasis on regulatory fragmentation or “too many rules”. Rather than treating DORA, NIS2, and GDPR as mutually incompatible or normatively excessive, the paper proceeds from the assumption that their core objectives (enhancing operational resilience, ensuring a high common level of cybersecurity, and safeguarding personal data) are legitimate, necessary, and politically non‑negotiable. The central claim is that the primary deficit is architectural, not normative: EU financial institutions currently lack an explicit institutional convergence layer capable of absorbing, reconciling, and orchestrating converging but heterogeneous regulatory frameworks into a single coherent cyber‑resilience system. In a context where critical financial services now run on infrastructure that institutions do not own, operate, or fully control (on borrowed infrastructure), the absence of such an architecture does not merely create compliance friction; it introduces structural vulnerabilities that can delay detection, fragment escalation, and blur accountability during cyber incidents.
The literature on DORA’s approach to cloud and ICT outsourcing warns that misalignment with pre‑existing supervisory frameworks can distort incentives for technology adoption and risk allocation. Scott demonstrates that DORA’s oversight regime for ‘critical’ ICT third‑party service providers represents a substantive departure from earlier outsourcing guidance, with significant implications for how financial institutions structure contractual and operational relationships with cloud providers. Szadeczky and Stoelczer identify a broader trend toward regulatory complexity in the EU’s cybersecurity legal environment, where multiple instruments impose obligations that are partly overlapping, partly divergent, and rarely coordinated at the point of institutional implementation. Gruia, examining the interplay between DORA and NIS2, argues that while both instruments pursue cyber‑resilience objectives, they do so from distinct regulatory logics (financial stability versus critical infrastructure protection), generating implementation challenges wherever their scopes converge. At a systemic level, Kaska and colleagues emphasize that achieving genuine European cyber‑resilience demands not only baseline capabilities but also shared situational awareness and coordinated incident response, both of which are profoundly shaped by how legal obligations are translated into institutional practice.
The research question is therefore solution‑oriented:
What would a convergent cyber‑resilience architecture look like at the institutional level, such that multiple well‑intentioned frameworks can be implemented as a single operational and governance logic rather than as parallel, partially conflicting systems?
Methodology and Analytical Approach
The paper relies on qualitative, systematic document analysis of the incident reporting, governance, and third‑party risk provisions in DORA, NIS2, and GDPR, supplemented by supervisory guidance, implementing and delegated acts, and analytical industry reports.
Comparative attention is directed to notification triggers, materiality thresholds, timelines, and content requirements: for example, DORA’s obligations concerning major ICT‑related incidents, NIS2’s multi‑stage notification scheme for significant incidents affecting essential services, and GDPR’s personal data breach notification rules. The analysis also examines the allocation of accountability between financial entities and ICT service providers across the three regimes, a particularly salient issue given the prominence of cloud and outsourcing models in contemporary financial operations. This doctrinal mapping is read in dialogue with recent legal and policy scholarship on cloud outsourcing, ICT third‑party risk, and multi‑layered compliance challenges in EU financial services.
On this basis, the paper identifies a set of recurring alignment patterns and structural fault‑lines. At the level of notification obligations, DORA, NIS2, and GDPR tend to produce multiple, partially overlapping reporting duties with divergent triggers, timelines, addressees, and content specifications. At the level of third‑party oversight, DORA’s regime for critical ICT third‑party service providers interacts with NIS2’s supply‑chain security requirements and GDPR’s controller–processor accountability framework in ways that demand intricate internal coordination and allocation of responsibility. At the governance level, management body accountability under NIS2 and DORA must be reconciled with GDPR’s broader obligations of accountability and data protection by design, each of which embeds distinct governance logics and compliance expectations. The analysis suggests that these tensions do not constitute irreconcilable legal contradictions, but they do generate latent coordination risks: delays in internal escalation due to uncertainty about which regulatory regime “fires first”; duplicated or inconsistent reporting to different supervisory authorities; and blind spots in the oversight of incidents involving third‑party providers, where institutional responsibilities are not clearly delineated and decision rights remain ambiguous.
Contributions and Implications
The principal contribution of this paper is to move from diagnosis to design. It proposes a Convergent Cyber‑Resilience Architecture (CCRA) for EU financial institutions, conceptualized as a three‑layer institutional design that sits above individual regulatory frameworks and orchestrates them into a unified operational logic. The architecture is not a new legal standard, nor does it propose amendments to DORA, NIS2, or GDPR. Instead, it treats existing EU instruments as fixed normative inputs and specifies the institutional convergence layer that is currently missing: a layer that can make those frameworks work together in practice without diluting their individual objectives or undermining cyber‑resilience.
The paper does not propose to amend DORA, NIS2, or GDPR. It accepts these instruments as normatively desirable and legally fixed, and focuses its design effort on the institutional layer that must absorb and implement them. Its contribution is threefold.
First, at a conceptual level, it reframes the challenge of framework convergence without operational convergence as an architectural problem amenable to institutional design, thereby complementing existing debates on regulatory fragmentation with a constructive, solution‑oriented perspective. Where prior scholarship has rightly diagnosed the problem of overlapping obligations, this paper specifies what to build to solve it.
Second, at a practical level, it offers regulators and financial institutions an actionable blueprint, the Convergent Cyber‑Resilience Architecture, for implementing existing obligations in a manner that reduces latent coordination risks, eliminates duplicative work, and strengthens (rather than dilutes) cyber‑resilience on third‑party‑dependent infrastructures. For institutions, the architecture provides a roadmap for turning today’s fragmented compliance landscape into a unified governance system. For supervisory authorities, it offers a technically and organisationally plausible target model for future integrated supervision, mutual recognition pilots, and harmonised enforcement.
Third, at a methodological level, the paper demonstrates how design‑science thinking, typically applied in information systems research and organisational management, can be fruitfully deployed in legal‑governance research to generate evaluable, implementable governance artefacts grounded in rigorous doctrinal analysis. By treating law not merely as text to be interpreted but as an input to institutional architecture that can be engineered for resilience, the paper opens new pathways for interdisciplinary research at the intersection of law, technology, and governance design.
By presenting the Convergent Cyber‑Resilience Architecture as a set of design patterns rather than as a prescriptive new regulatory framework, the paper invites dialogue with both supervisory authorities and industry practitioners. Its ambition is modest but necessary: to demonstrate that in a world where financial institutions increasingly operate on “borrowed” digital infrastructure (cloud platforms, payment networks, and ICT services they do not own or fully control), the convergence of EU cyber‑resilience frameworks at the normative level will translate into genuine operational resilience only if the institutional architecture that receives and implements those frameworks is itself deliberately engineered for convergence. Without such an architecture, well‑intentioned regulation risks becoming a structural vulnerability rather than a source of strength. This paper specifies what that missing architecture should look like, and how it can be built.
The quest for algorithmic transparency: comparative insights on the right to explanation from the GDPR to the AI Act
ABSTRACT. Algorithmic transparency – referring, for the purpose of this contribution, to the need to ensure the transparency of both automated and AI-based decision-making – has been central to the Union’s digital legislative agenda, which seeks to address the different sources of algorithmic opacity: intentional state or corporate secrecy, technical illiteracy and the intrinsic complexity of the functioning of algorithms (Burrell, 2016), all of which are likely to entail negative repercussions for those affected by them.
Transparency rules have been devised in terms of either granting access to information about a system and its operations or requiring system operators to explain the decision adopted to those affected by it (Wischmeyer, 2020). Both these perspectives have been adopted, to varying extents, under Regulation (EU) 2016/679 (GDPR), addressing automated decision-making, and Regulation (EU) 2024/1689 (AI Act), introducing a comprehensive regulation on AI models and systems.
Within both these frameworks, the right to explanation of the algorithmic decision to the person affected by it has attracted the attention of scholars, courts and the legislator.
Under the GDPR, the right to explanation granted to the data subject was explicitly mentioned only in the non-binding part of the regulation (Recital 71 GDPR), giving rise to a lively doctrinal debate as to its legal status (Goodman, Flaxman, 2017; Wachter, Mittelstadt, Floridi, 2017; Selbst, Powles, 2017; Malgieri, Comandé, 2017). Recently, the CJEU, in the Dun & Bradstreet Austria ruling (case C-203/22), identified Art. 15(1)(h) of the GDPR as the legal basis of this right, providing important yardsticks on its function and interpretation. More specifically, the Court stated that the right of the data subjects to obtain “meaningful information about the logic involved” in automated decision-making, within the meaning of Art. 22 of the GDPR, must be understood as a right to an explanation of the procedure and principles actually applied in order to use, by automated means, the personal data of the data subjects concerned with a view to obtaining a specific result (Dun & Bradstreet Austria, point 58).
Under Art. 86(1) of the AI Act, the legislator introduced a similar right to explanation, which figures as the only individual right granted to a person affected by a decision based on AI systems classified as high-risk. This provision, inserted during the legislative process at the initiative of the European Parliament, recognises the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken. According to Art. 86(3), the right to explanation thus established shall apply only insofar as it is not otherwise provided for under Union law, which calls into question the need to clearly define the scope of application and content of the two provisions, which present a similar, yet not identical, formulation.
In light of the foregoing, this paper proposes a comprehensive assessment of the right of explanation, as recognised under Art. 15(1)(h) of the GDPR and Art. 86(1) of the AI Act. Following a comparative methodology, it delves deep into the scope of application of the two provisions, the content of the said right, taking into account the interpretation provided by the CJEU – that seemingly points towards an overlapping interpretation of the two provisions –, and the remedies against its violation under the respective legal frameworks.
Building on legal literature on transparency regulation, it aims at identifying the strengths and shortcomings of the regulatory models embodied in the two legal acts.
It argues that, despite the growing attention given to the right to explanation – as resulting from the CJEU’s interpretation, according to which its main function is to enable the data subject to exercise the other rights attributed to him (Dun & Bradstreet Austria, point 55), and its most recent affirmation by the Union’s legislator in the AI Act –, its effectiveness, within the current legal framework, risks being undermined by its limited scope of application and weak enforceability mechanisms.
It therefore stresses the need to reconsider the overall structure of this right, calling for a stronger and more general recognition of it, while acknowledging, at the same time, its limits. Indeed, as it cannot be considered a panacea to cope with algorithmic opacity, the right to explanation shall be accompanied by other models of transparency regulation, that take into consideration the opposite interests at stake – including, inter alia, trade secrets protection –, in order to provide an effective toolkit to challenge opaque and potentially discriminatory algorithmic decisions.
Please eXplain Yourself: Translation of Policy and Law Aspirations for ‘ExplAInable’ Systems
ABSTRACT. Explainability and transparency-related provisions are increasingly codified in European Union law and influential international policy instruments, and are adjudicated by the Court of Justice of the European Union. These provisions have direct functional implications for automated decision-making systems and for algorithms incorporated into decision-support systems. Yet in practice, (X)AI system designers often attempt to navigate this evolving regulatory landscape solely through technical solutions (Jin et al., 2019). This generates engineering and organisational tensions in response to emerging legal requirements for algorithmic transparency as a prerequisite for human oversight, contestability, and the correct interpretation and use of AI system outputs. Importantly, the implications of law and policy for the design and deployment of AI systems extend beyond the adoption of post-hoc explainable (XAI) techniques to socio-technical governance measures that must be interwoven into organisational fabrics and human-machine interfaces (Krook, 2024). While instruments such as the AI Act and the General Data Protection Regulation (GDPR) are not prescriptive about the form explanations must take, they articulate explanation objectives that are particularly salient in high-stakes domains, such as clinical decision-support in healthcare (Panigutti, 2023).
This work-in-progress examines how legal and policy aspirations for “meaningful” explanations can be translated into operational design choices for AI systems. It situates explainability as a translational problem at the interface of law, policy, and system design, and juxtaposes the normative expectations of the legal community with the praxis (practices and constraints) of XAI research. Drawing on an ongoing review of the participatory AI and XAI-law literature (Gyevnar, 2023; Panigutti, 2023; Hummel, 2025; Sovrano, et al., 2025), and an in-depth study with explainability experts, the work investigates how meaningful explainability can be operationalised as a socio-technical practice.
Building on existing reviews of the XAI–law interface, this work introduces five notional framings of XAI as: (a) an art of communication; (b) an enabler of human oversight and partnership; (c) a complement to AI literacy; (d) a prerequisite for accountability and system transparency; and (e) a tool for user empowerment and contestability. These framings expand on a recent “playbook” framework, spelling out E-X-P-L-A-I-N-A-B-I-L-I-T-Y to support interdisciplinary knowledge exchange through dialogue and recall (AI4People, Chapter 3.7 https://ai4people.org/PDF/AI4People%20Playbook.pdf; doi.org/10.13140/RG.2.2.33349.56805). The analysis engages with the interplay between Article 15(1)(h) in the GDPR and Article 86 of the AI Act in light of the recent CJEU judgment in Case C-203/22 (Dun & Bradstreet Austria), and with corresponding policy instruments and architectural design choices, in order to clarify how legal rights to “meaningful information about the logic involved” translate into requirements for context-specific, audience-appropriate explanations that enable oversight, challenge, and procedural fairness. The work uses explainable AI for Clinical Decision Support Systems (CDSS) in healthcare as an illustrative high-risk case study. It examines emerging developments in situated and conversational explainability (Zhu et al., 2023), also referred to as natural language explanations (NLEs) (Lakkaraju et al., 2022), which seek to operationalise explanation as an interactive process of communication between systems and human decision-makers.
XAI reframed as a process of communication can act as a necessary bridge between an AI system, its data processing and outputs, and human understanding, facilitated by accessible and accurate representations (Cros Vila and Sturm, 2025). We observe notable efforts to develop more social and human-centred XAI that address user needs, perceptions, and mental models, including interfaces that use NLEs (Becker et al., 2023; Garcia et al., 2018; Miller et al., 2017; Wang et al., 2019; Kulesza et al., 2013). The shift toward conversational explainability, which seeks to interpret or systematise model outputs by establishing an effective communication language, is a logical development but remains complex (Cros Vila and Sturm, 2025; Gilpin, 2018). Tailored explanations are advantageous for human–AI interaction (Miller, 2019; Saralajew et al., 2022; Sovrano, 2022), and the field is receiving increasing scholarly attention (e.g. Krause and Stolzenburg, 2023; Martens et al., 2025; Ma et al., 2025). However, natural language explanation methods require careful scrutiny, particularly where they rely on large language models (LLMs), given the limitations of such models in decision-support settings and their growing use in high-risk domains. The primary objective of LLM-based decision support is to enable collaborative human-system decision-making (Lawless et al., 2024). This objective becomes significantly more consequential in clinical contexts, which concern not trivial matters such as “meeting scheduling” but life-saving diagnoses and treatment recommendations made by clinicians who are subject to legal duties of care.
As a vivid example of a recent XAI-system design trend, NLEs in Clinical Decision Support Systems (CDSS) pose substantial technical, organisational, and legal challenges. Generative language models lack a genuine understanding of grammar or meaning (Pesch, 2025) and generate syntactically plausible text through next-token prediction, refined by reinforcement learning on question–answer datasets or human feedback. They continue to exhibit limitations in logical and arithmetic reasoning, multi-step inference, and the interpretation of quantitative values, which are central to engineering and medical practice (Shrestha et al., 2025; Wu et al., 2024). From a legal and regulatory perspective, the deployment of AI-based CDSS must account for the continuing duties of care borne by clinicians, and for the obligations of system providers to ensure transparency, explainability, and the design of human-machine interfaces that mitigate automation bias, understood as the risk of undue reliance on automated outputs (Panigutti, 2023; de Brito Duarte et al., 2025). The case-study analysis identifies common but unresolved friction points in achieving effective human oversight, in providing explanations that are both intelligible and context-appropriate to their recipients, and in avoiding explanations that may inadvertently amplify trust in system recommendations. These tensions are discussed through the lens of the five notional framings, which are proposed as a vehicle for structured dialogue at the intersection of XAI, law, and system design.
Becker, M., Vishwesh, V., Birnstill, P., Schwall, F., Wu, S., & Beyerer, J. (2023). RIXA: Explaining Artificial Intelligence in Natural Language. In 2023 IEEE International Conference on Data Mining Workshops (ICDMW). IEEE, 875–884.
Cros Vila, L., & Sturm, B. (2025). (Mis)Communicating with Our AI Systems. In CHI Conference on Human Factors in Computing Systems (CHI ’25), April 26–May 1, 2025, Yokohama, Japan. ACM, New York, NY, USA, 9 pages. https://doi.org/10.1145/3706598.3713771
de Brito Duarte, R., Abreu, M. C., Campos, J., & Paiva, A. (2025). The Amplifying Effect of Explainability in AI-Assisted Decision-Making in Groups. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI ’25), 1–15.
Garcia, F. J. C., Robb, D. A., Liu, X., Laskov, A., Patron, P., & Hastie, H. (2018). Explainable Autonomy: A Study of Explanation Styles for Building Clear Mental Models. In Proceedings of the 11th International Conference on Natural Language Generation (INLG 2018). Association for Computational Linguistics, 99–108.
Gyevnar, B., Ferguson, N., & Schafer, B. (2023). Bridging the transparency gap: What can explainable AI learn from the AI Act? Frontiers in Artificial Intelligence and Applications, 372, 964–971. https://doi.org/10.3233/FAIA230367
Hummel, A., Burden, H., Stenberg, S., Steghöfer, J. P., & Kühl, N. (2025). The EU AI Act, Stakeholder Needs, and Explainable AI: Aligning Regulatory Compliance in a Clinical Decision Support System. arXiv preprint arXiv:2505.20311.
Jin, W., Carpendale, S., Hamarneh, G., & Gromala, D. (2019). Bridging AI developers and end users: An end-user-centred explainable AI taxonomy and visual vocabularies. Proceedings of the IEEE Visualization, Vancouver, BC, Canada, 20–25.
Krause, S., & Stolzenburg, F. (2023). Commonsense Reasoning and Explainable Artificial Intelligence Using Large Language Models. In European Conference on Artificial Intelligence (ECAI 2023). Springer, Cham, 302–319.
Krook, J., Winter, P., Downer, J., & Blockx, J. (2024). A Systematic Literature Review of Artificial Intelligence (AI) Transparency Laws in the European Union (EU) and United Kingdom (UK): A Socio-Legal Approach to AI Transparency Governance. SSRN: https://ssrn.com/abstract=4976215
Kulesza, T., Stumpf, S., Burnett, M., Yang, S., Kwan, I., & Wong, W.-K. (2013). Too Much, Too Little, or Just Right? Ways Explanations Impact End Users’ Mental Models. In 2013 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC). IEEE, 3–10.
Lakkaraju, H., Slack, D., Chen, Y., Tan, C., & Singh, S. (2022). Rethinking explainability as a dialogue: A practitioner’s perspective. arXiv preprint arXiv:2202.01875.
Lawless, C., Schoeffer, J., Le, L., Rowan, K., Sen, S., St. Hill, C., … & Sarrafzadeh, B. (2024). “I Want It That Way”: Enabling Interactive Decision Support Using Large Language Models and Constraint Programming. ACM Transactions on Interactive Intelligent Systems, 14(3), 1–33.
Ma, S., Chen, Q., Wang, X., Zheng, C., Peng, Z., Yin, M., & Ma, X. (2025). Towards Human-AI Deliberation: Design and Evaluation of LLM-Empowered Deliberative AI for AI-Assisted Decision-Making. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI ’25), 1–23.
Martens, D., Hinns, J., Dams, C., Vergouwen, M., & Evgeniou, T. (2025). Tell Me a Story! Narrative-Driven XAI with Large Language Models. Decision Support Systems, 191, 114402.
Miller, T. (2019). Explanation in Artificial Intelligence: Insights from the Social Sciences. Artificial Intelligence, 267, 1–38. https://doi.org/10.1016/j.artint.2018.07.007
Miller, T., Howe, P., & Sonenberg, L. (2017). Explainable AI: Beware of Inmates Running the Asylum or: How I Learnt to Stop Worrying and Love the Social and Behavioural Sciences. arXiv:1712.00547.
Panigutti, C., Hamon, R., Hupont, I., Fernandez Llorca, D., Fano Yela, D., Junklewitz, H., Scalzo, S., Mazzini, G., Sanchez, I., Soler Garrido, J., & Gomez, E. (2023). The role of explainable AI in the context of the AI Act. In Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency (FAccT ’23). ACM, 1139–1150. https://doi.org/10.1145/3593013.3594069
Saralajew, S., Shaker, A., Xu, Z., Gashteovski, K., Kotnis, B., Rim, W. B., Quittek, J., & Lawrence, C. (2022). A Human-Centric Assessment Framework for AI. arXiv:2205.12749.
Shrestha, S., Kim, M., & Ross, K. (2025). Mathematical Reasoning in Large Language Models: Assessing Logical and Arithmetic Errors Across Wide Numerical Ranges. arXiv:2502.08680.
Sovrano, F., Sapienza, S., Palmirani, M., & Vitali, F. (2022). Metrics, Explainability and the European AI Act Proposal. J, 5(1), 126–138.
Sovrano, F., Vilone, G., Lognoul, M., & Longo, L. (2025). Legal XAI: A Systematic Review and Interdisciplinary Mapping of XAI and EU Law, Towards a Research Agenda for Legally Responsible AI. SSRN: https://ssrn.com/abstract=5371124
Wang, D., Yang, Q., Abdul, A., & Lim, B. Y. (2019). Designing Theory-Driven User-Centric Explainable AI. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (CHI ’19). ACM, 1–15.
Wu, Z., Qiu, L., Ross, A., Akyürek, E., Chen, B., Wang, B., … & Kim, Y. (2024). Reasoning or Reciting? Exploring the Capabilities and Limitations of Language Models Through Counterfactual Tasks. In Proceedings of the Association for Computational Linguistics (ACL 2024).
It's complicated. The relationship of algorithmic fairness and non-discrimination provisions for high-risk systems in the EU AI Act
ABSTRACT. Ensuring fairness in artificial intelligence systems has become a central challenge for both computational and legal communities. As AI increasingly shapes decisions in areas such as employment, credit, or law enforcement, concerns about discrimination and harmful outcomes have heightened. In response, the European Union has adopted the Artificial Intelligence Act (AI Act), the first comprehensive regulatory framework for AI systems. Although the AI Act is grounded partly in product safety regulation, it also incorporates explicit and implicit provisions related to fairness, discrimination, and fundamental rights. This paper provides an interdisciplinary analysis that connects traditional EU non-discrimination law with algorithmic fairness research, clarifying how these domains converge and diverge within the AI Act’s high-risk system provisions.
We begin by outlining the relevant foundations of EU non-discrimination law for computer scientists. Key sources include the Charter of Fundamental Rights of the European Union, which prohibits discrimination based on attributes such as sex, race, ethnic origin, disability, age, and sexual orientation. Additional protection stems from specific directives such as the Race and Ethnicity Equality Directive and the Employment Equality Directive. Central legal distinctions are those between direct discrimination, which involves explicit use of protected attributes, and indirect discrimination, which arises when neutral criteria disproportionately disadvantage protected groups. Intersectional discrimination, although less clearly codified in EU law, is increasingly significant in the context of AI systems that process high-dimensional data and may replicate biases at the intersections of gender, race, and age. The legal framework is further complicated by debates on the horizontal applicability of fundamental rights between private parties and the proportionality assessments required under EU law.
Next, we introduce the field of algorithmic fairness for legal scholars. The machine learning community has developed numerous fairness metrics intended to quantify unequal treatment between individuals or groups. These include measures based on error rates, predictive parity, demographic parity, and individual similarity. These metrics are embedded in a technical discourse that focuses on data biases, model optimisation, and mitigation strategies across the pre-processing, in-training, and post-processing pipeline. Although they provide quantitative insight, fairness metrics require contextual and normative interpretation, and many are mathematically incompatible. Moreover, the rise of large language models introduces new challenges, as their broad training data and flexible use cases create multiple and sometimes untraceable sources of unfairness. The differences between the legal concept of discrimination and the computational use of fairness metrics illustrate the difficulty of aligning technical and legal fairness criteria.
With these foundations established, the paper discusses the AI Act itself. We review the structure, scope, and history of the regulation, with a focus on definitions of AI systems, the distinction between providers and deployers, and the risk-based classification. High-risk AI systems are subject to requirements aimed at protecting health, safety, and fundamental rights. Unlike general-purpose AI models, high-risk systems are tightly regulated through obligations that include risk management, data governance, transparency, documentation, and human oversight.
We conduct a detailed analysis of the AI Act’s provisions related to non-discrimination. Mapping the Act through a keyword-based review reveals that most binding fairness obligations fall within the high-risk regime. The central non-discrimination provisions are found in Articles 9, 10, and 15. Article 9 requires providers to identify, analyse, and mitigate foreseeable risks to fundamental rights, which implicitly includes discrimination risks. Article 10 focuses more explicitly on input data, requiring examination of training, validation, and testing datasets for biases likely to lead to discrimination prohibited under Union law. This provision raises conceptual and practical challenges, as “bias” is undefined in the Act and may be interpreted narrowly as statistical imbalance rather than broader structural or societal sources of discrimination. Although Article 10 introduces mitigation obligations, its scope is from our perspective largely limited to input data; it does not require output-based fairness testing.
Article 15 addresses output-side risks only in the specific case of systems that continue to learn after deployment. For such adaptive systems, Article 15 requires measures to prevent biased outputs from feeding into future model inputs via feedback loops, thereby avoiding amplification of existing biases. Complementary obligations in Articles 11 and 13 concern technical documentation and transparency to deployers, but these articles do not impose explicit fairness-testing requirements. Additional provisions related to human oversight, misuse reporting, and fundamental rights impact assessments play supporting roles, though with limited direct connection to algorithmic fairness methodologies.
The paper then examines the crucial role of standardisation. Under the New Legislative Framework, technical standards developed by European standardisation bodies will determine how compliance is assessed in practice. This includes defining acceptable methods for bias detection, prevention, and mitigation. Standardisation therefore becomes a site where interdisciplinary input from legal scholars and computer scientists is essential. However, standardisation committees must stay within the legal scope of the AI Act; they cannot expand fairness obligations beyond what the regulation permits. As a result, standards risk producing an illusion of safety by formalising narrow technical solutions that overlook broader fairness concerns.
Finally, the paper analyses how the AI Act interfaces with existing non-discrimination law. Since the AI Act focuses primarily on input data and does not regulate most discriminatory outputs, traditional EU non-discrimination law remains applicable. In cases where algorithmic outputs result in discriminatory treatment of individuals—whether directly or indirectly—rights and remedies under other laws and the Charter continue to apply. The AI Act therefore does not displace existing protection but instead introduces complementary obligations for providers of high-risk systems. The long-term relationship between the AI Act, the Charter, and sector-specific non-discrimination law will likely be shaped through future case law of the Court of Justice of the European Union.
In conclusion, the paper argues that the AI Act represents an important but partial step toward regulating fairness in AI. Its product-safety orientation limits its ability to address all forms of algorithmic discrimination, particularly those arising from outputs. Stronger integration between classical non-discrimination law and algorithmic fairness research is needed to ensure comprehensive protection for individuals. The paper contributes to this goal by clarifying the conceptual landscape and highlighting opportunities for interdisciplinary collaboration in future standardisation, research, and regulatory development.
Ghost in the Transparency Shell: How the European Commission’s New Rules of Procedure Shirk Transparency of Regulated Digital Technologies and AI
ABSTRACT. Alongside substantive rules on transparency in the EU’s digital rulebook, access to documents under freedom of information laws is considered an avenue to look under the hood of digital technologies and shed light on the workings of digital algorithms. Yet, efforts to access official documents held by the European Commission (Commission) and Member States’ competent authorities are oftentimes frustrated and outright rejected, invoking the protection of confidential business information and trade secrets of regulated businesses. It is thus essential to recognize public transparency rights beyond reiterated narratives of technical ‘black-boxing’, and peek through the looking glass of the broader procedural mechanisms in EU public law, such as the access to documents regime as per Regulation 1049/2001.
At the end of 2024, the Commission adopted new rules of procedure. Article 4 of the Annex particularizes how the European Commission applies the rules for providing access to official documents following Regulation (EC) No 1049/2001. It provides that there is a presumption that access to documents being part of competition cases, procedures under the Digital Markets Act and Digital Services Act and comparable administrative procedures undermines interests protected by Article 4(1) to (3) of Regulation (EC) No 1049/2001. No access to those documents shall therefore be granted, unless the applicant demonstrates an overriding public interest in providing access. The urgency for judicial clarification is also highlighted by the pending case of De Capitani v. Commission challenging the lawfulness of the 2024 rules of procedure in relation to access to official documents.
This contribution will critically examine the progressive extension of the presumption of non-disclosure through the Commission’s new Rules of Procedure. Particular attention will be given to Article 4(2) of the Annex, and its interaction with the broader framework of EU digital regulation, such as the Digital Services Act, Digital Markets Act, and the Artificial Intelligence Act. Significant in this context is the classification of “comparable administrative procedures”, whose meaning remains undefined and arguably open to wide institutional discretion. The expansion of a presumption of non-disclosure to generic categories of official documents which concern the reporting obligations of regulated entities and regulatory supervision is particularly troublesome, considering the prominent role of public sector transparency in EU law. This is further problematic in the context of digital technologies, considering the aforementioned frameworks mandate compliance through ex ante risk assessments, compliance reports, technical algorithmic information disclosures, and ongoing investigative exchanges, among other documents. By pre-emptively limiting access to such information, the Commission could import secrecy logics which could be at odds with the fundamental right to access official documents enshrined in Article 42 of the Charter.
The European Ombudswoman has also voiced reservations about the Commission’s approach, pointing out that the Court of Justice's current case law does not explicitly create a general presumption of secrecy for information pertaining to DSA investigations. Although the Court of Justice (CJEU) has recognized general presumptions of non-disclosure as useful instruments to safeguard specific administrative procedures, their validity has relied on the continuous availability of rebuttal through the notion of an overriding public interest (OPI). At the same time, however, scholarship has expressed criticism towards the role of the CJEU as sole arbitrator of this balancing exercise, considering a precise normative definition of OPI is absent from Regulation 1049/2001.
In order to achieve its investigative objectives, the paper employs a critical, normative, and doctrinal legal approach. Our paper will assess the Commission’s rules of procedure regarding the design of its presumption of non-disclosure in light of the case law of the Court of Justice of the European Union and engage with the investigation of the European Ombudswoman as well as with the notion of OPI. The paper represents a first and novel contribution to the legal debate on the intersection between the new rules of procedure and the EU digital regulatory framework.
For references consult the pdf upload of the document.
Freedom of Expression in the Age of Artificial Intelligence: Challenges and Regulatory Responses
ABSTRACT. Artificial intelligence (AI) is rapidly reshaping the conditions under which freedom of expression is exercised, protected, and constrained in contemporary democratic societies. On the one hand, AI systems foster creativity and enable the emergence of new forms of human expression, while also playing a crucial role in organising vast quantities of content and facilitating access to information. In light of these functions, significant constitutional questions arise, particularly regarding whether AI-generated content may qualify for protection as speech and the extent to which public authorities may legitimately intervene in the processes through which AI systems generate and disseminate information. On the other hand, these technologies can be misused for illegal purposes, including impersonation through deepfakes, large-scale disinformation campaigns, and forms of electoral fraud that undermine the fairness of democratic processes. AI-driven political bots, increasingly sophisticated and difficult to detect, are now routinely employed to manipulate public opinion, amplify polarising narratives and distort online debate during electoral periods. Even legally permissible uses of AI raise serious concerns, particularly where such systems facilitate the mass production of harmful content that can degrade the quality of public discourse. At the same time, artificial intelligence is itself becoming a central tool of governance over speech, as online platforms rely on automated content moderation systems to comply with regulatory obligations and internal policies. While such systems promise efficiency and scalability, they carry risks of prior censorship, over-removal of lawful content, and opaque practices such as shadow banning, which may disproportionately affect marginalised voices.
These developments have triggered a substantial regulatory response at the European Union level, with the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act) forming the backbone of the emerging governance framework. Taken together, these instruments aim to mitigate the identified risks by regulating, respectively, the management of online content and the design, deployment, and operation of AI systems at a structural level. Nevertheless, significant uncertainties remain, particularly concerning the classification of generative AI applications within existing legal categories, the potential for regulatory overlap between the two regimes, and the adequacy of risk-based regulatory approaches in ensuring the effective protection of fundamental rights.
The contributions to this panel seek to address these challenges from complementary perspectives. They examine the use of the systemic risk management provisions under the DSA and the AI Act to moderate content created by generative AI; how the EU legal framework can prevent political bots from being used as a tool for manipulation during democratic processes, without interfering with pluralism and freedom of expression; the possibility of certain requirements for high-risk AI systems under the AI Act helping mitigate risks posed by AI-driven content moderation; and how the EU’s risk-based regulatory approach, in the context of freedom of expression, reshapes enforcement powers and redistributes interpretative authority in ways that challenge traditional constitutional safeguards. Together, these interventions aim to clarify how EU law can respond to the disruptive effects of artificial intelligence on freedom of expression while safeguarding democratic values in an increasingly digital public sphere.
Digital Sovereignty in the Age of Big Tech: A Possible Pathway for the European Union Beyond Regulatory Activism?
ABSTRACT. The rapid consolidation of power by a handful of technology companies—commonly referred to as Big Tech—has triggered an unprecedented geopolitical and regulatory challenge. They have emerged not merely as market players but as quasi-sovereign actors wielding significant economic, political, social and legal power (Brich et al., 2022, 1-14).
The influence of Big Tech is rooted in a convergence of economic, cultural and technocratic factors. Economically, these firms benefit from network effects, data-driven business models and near-monopoly positions in key digital markets, which enable them to accumulate vast amounts of capital, talent and infrastructure. Their services – ranging from cloud computing to social media platforms and marketplaces – are deeply embedded in everyday life, granting them cultural power and a near-universal reach. On the technocratic front, Big Tech companies control the underlying digital infrastructures – such as operating systems, algorithms and AI platforms – that are essential not only to consumers and businesses but also to governments (Ferrari, 2020, 121-124; Lindman et al., 2023, 144-159). This transversal influence enables them to set de facto standards and regulations, often ahead of or outside traditional legal frameworks (Khanal et al., 2025, 53-61; Monsees et al., 2023, 13-16).
Against this scenario, the European Union has emerged as the most resolute global actor attempting to reclaim normative and regulatory authority over the digital domain (Nistadt et al., 2024, pp. 2-9; Bradford 2023). The EU’s regulatory interventions are rooted in a vision of digital sovereignty grounded in the protection of fundamental rights, in the maintenance of fair competition and in the integrity of democratic institutions (European Commission, 2020; Craglia et al., 2018, 25-36, 63-69). This vision stands in direct tension with Big Tech’s deregulatory ethos and market-driven logic, generating a deep structural conflict between private technological power and public constitutional values (Figuerora-Torres, 2022, 5-18).
The growing dominance of Big Tech, particularly from the United States, in the EU digital space poses serious risks, including reduced competition, systemic vulnerabilities and democratic erosion. These firms often acquire rivals, prioritize their own services and create high entry barriers, while centralizing control over digital infrastructure intensifies cybersecurity threats, algorithmic bias and privacy violations. Additionally, the opacity of algorithmic systems undermines democratic accountability and individual rights (Goldenfein, 2023, 88-99). These concerns are further exacerbated by Big Tech’s expanding role in traditionally public functions, blurring the line between corporate influence and state authority (Taylor, 2021, 900-902).
As is well known, the EU has reacted to such threats by enacting a multilayered regulatory package for the digital market. It seems, however, that the package has not meaningfully reduced the risks posed by Big Tech and the concentration of their power. At the same time, the current regulatory burden seems more than sufficient to slow down innovation, deter investment and diminish the EU’s attractiveness as a hub for technology companies. Moreover, this increasingly complex and unattractive environment has generated mounting pressure from both private and public stakeholders to reform the regulatory framework in favor of greater competitiveness and market openness (Sharon et al., 2024, 2659-2662).
This paper argues that the EU’s current situation is the result not only of Big Tech’s overwhelming power and of the inability of the EU’s institutions to effectively rein them in, but also of specific policy decisions and inactions that deserve greater attention from academics, policymakers and institutions. It contends that improving the EU’s position in the global legal and technological landscape does not necessarily require sweeping legal reforms and the creation of new institutions; rather, even relatively modest and implementable legal and technical measures can have a significant impact. Among the often-overlooked aspects are: the need to strengthen private enforcement mechanisms, in their individual and collective form, while also reconsidering the current fining system; the establishment of mechanisms to ensure transparent and democratic lobbying processes; and the promotion of initiatives aimed at decentralizing cloud infrastructure and advancing digital sovereignty.
Beginning with the significance of private vs. public enforcement, the paper argues that calculating fines based on global revenue creates significant distortions. On the one hand, such fines represent an excessively high operational cost for many corporations – especially when combined with compliance and strategic expenditures – which can render the EU market unattractive for both established firms and new entrants. On the other hand, these fines have proven insufficient in curbing harmful behavior by Big Tech, whose immense economic and technocratic power often insulates them from regulatory deterrents (Wils, 2006, pp. 15-22; Reuter, 2021, 301-314).
To address these issues, the paper advocates for a shift in focus from administrative fines to incentivizing private forms of restorative justice – specifically, through the enhancement of collective redress mechanisms such as class or representative actions. Class and representative actions not only provide direct compensation to victims and impose potentially significant liabilities on violators, but also alleviate the regulatory burden on public authorities. Importantly, they may also be preferable to corporations themselves, offering greater legal certainty, lower total litigation costs and opportunities for reputational management through settlements (Juška, 2017, pp. 603-607; Cassone et al., 2011, 165-168). Therefore, reducing administrative fines while improving the regime for collective private enforcement, which is actually present in the EU legal framework, could offer a more balanced approach, protecting both EU interests and citizens’ rights, while avoiding the unintended consequence of discouraging technological innovation and investment (Demougin et al., 2012, 483-500).
Another key factor contributing to the EU’s declining position in the global digital race is the intense and often unrestrained lobbying activity carried out by Big Tech firms in Brussels. These lobbying efforts, which frequently serve to protect entrenched market dominance, can significantly disadvantage smaller competitors and threaten European digital sovereignty. One of the most concerning consequences is the dilution or delay of legislative initiatives, as lobbying activities often lead to broader exemptions, weaker enforcement provisions and ambiguous legal definitions that reduce the regulatory framework’s effectiveness (Davidson, 2025, 186-199).
To effectively respond to this pervasive and highly influential form of private power, this paper argues that the EU must significantly strengthen its transparency rules governing lobbying. Recommended measures include the mandatory real-time disclosure of meetings between lobbyists and policymakers and detailed financial reporting on lobbying expenditure. In addition, the EU should consider imposing quotas or minimum representation requirements to ensure more diverse and balanced participation in policy discussions (Schyns, 2023, 4-33; Bank et al., 2024, 42-44). These measures would help bring lobbying activities into a more transparent, democratic and accountable framework. Rather than unduly restricting the ability of Big Tech to advocate for their interests, such reforms would impose clear democratic boundaries and conditions under which those interests may be expressed.
The paper acknowledges that the power and governance of Big Tech cannot be effectively countered through legal means alone. Among the necessary complementary strategies, it is imperative that the EU actively promotes initiatives aimed at achieving digital sovereignty and technological decentralization. These efforts are essential to recalibrate the technocratic and market dominance of Big Tech. Only by developing independent, community-based alternatives can the EU strengthen its global position – not merely as a large market, but as a provider of viable and sovereign digital solutions (Streinz, 2021, 902-936).
In this context, the paper will briefly examine the EU AI Continent Action Plan and Gaia-X. These initiatives seek to foster sovereign, interoperable and secure European cloud and AI infrastructures. The analysis aims to assess whether such projects represent a credible strategic response to the monopolistic control exercised by non-European tech giants over critical digital infrastructure and whether they contribute meaningfully to reinforcing the EU’s technological autonomy and reducing systemic dependencies (Salikhova, 2025, 27-38). The paper positions itself within the broader debate concerning the conflict between Big Tech and the European Union, arguing that the adoption of highly protective legal reforms has not been sufficient to assert the EU’s digital sovereignty. On the contrary, such an approach has contributed to a significant loss of competitiveness for the European continent. This position of weakness is not only attributable to the overwhelming power of Big Tech and to the technological delay of European research and innovation infrastructure, but also to the EU’s failure to adopt certain legal tools, such as the reduction of administrative fines, the strengthening of class action mechanisms and improved regulation of lobbying activities. While less conspicuous than the major reforms already in place, these instruments nonetheless offer substantial protective effectiveness and can be better aligned with business needs without unduly discouraging economic activity. At the same time, the paper emphasizes that these legal measures must be accompanied by a strong push for innovation and the decentralization of cloud services, AI structures and digital infrastructure.
Only through such a combined approach can the EU actively participate in the global technological race without excessively compromising the democratic values on which it is founded.
References
Bank M., Duffy F., Leyendecker V., Silva M., (2024), “The lobby network – Big tech’s web of influence in the EU”, Internet Policy Review, pp. 42-44.
Bradford A., (2023), “Digital Empires: The Global Battle to Regulate Technology”, Oxford University Press.
Birch K., Bronson K., (2022), “Big Tech”, Science as Culture, pp. 1-14.
Cassone A., Backhaus J., Ramello G. B., (2011), “The law and economics of class actions”, Springer, pp. 165-168.
Craglia M., (2018), “Artificial Intelligence – A European Perspective”, Publications Office of the European Union, pp. 25-35, 63-69.
Davidson S., Lock I., (2025), “Argumentation strategies in lobbying: the discursive struggle over proposal to regulate Big Tech”, Journal of communication management, pp. 186-199.
Demougin D., Deffains B., (2012), “Class Actions, Compliance, and Moral Cost”, Review of Law & Economics, pp. 483-500.
Figueroa-Torres M., (2022), “Big Tech Platforms, democracy and the Law: Global Problems, Legal Perspectives and the Mexican Experience”, Mexican Law Review, pp. 5-18.
Goldenfein J., Mann M., (2023), “Tech money in civil society: Whose interests do digital rights organisations represent?”, Cultural Studies, pp. 88-99.
Juška Z., (2017), “The Effectiveness of Private Enforcement and Class Actions to Secure Antitrust Enforcement”, The Antitrust Bulletin, pp. 603-607.
Khanal S., Zhang H., Taeihagh A., (2025), “Why and how is the power of Big Tech increasing in the policy process? The case of generative AI”, Policy and Society, pp. 53-61.
Lindman J., Mäkinen J., Kasanen E., (2023), “Big Tech’s power, political corporate social responsibility and regulation”, Journal of Information Technology, pp. 144-159.
Monsees L., Liebetrau T., Austin J. L., Leander A., Srivastava S., (2023), “Transversal Politics of Big Tech”, International Political Sociology, pp. 13-16.
Niestadt M., Reichert J., (2024), “The global reach of the EU’s approach to digital transformation”, European Parliamentary Research Service, pp. 2-9.
Reuter A., (2021), “Flogging the Wrong: EU Corporate Fines Violate the Fundamental Rights of Shareholders”, Journal of European Competition Law & Practice, pp. 301-314.
Salikhova E., (2025), “High-Tech Industry in the EU: Policy, Economy, Statistics”, Statistics of Ukraine, pp. 27-38.
Schyns, C., (2023), “The lobbying ghost in the machine”, Corporate Europe Observatory, pp. 4-33.
Sharon T., Gellert, R. (2024), “Regulating Big Tech expansionism? Sphere transgressions and the limits of Europe’s digital regulatory strategy”, Information, Communication and Society, pp. 2659-2662.
Streinz T., (2021), “The evolution of European Data Law”, in P. Craig, G. de Búrca, “The Evolution of EU Law”, 3rd ed., Oxford University Press, pp. 902-936.
Taylor L., (2021), “Public Actors without Public Values: Legitimacy, Domination and the Regulation of Technology Sector”, Philosophy & Technology, pp. 900-902.
Wils W. P.J., (2006), “Optimal Antitrust Fines: Theory and Practice”, World Competition, pp. 15-22.
Decolonizing AI: Reclaiming indigenous data sovereignty through the constitutional challenge of epistemic justice
ABSTRACT. Artificial intelligence (AI) is increasingly embedded within public and private governance systems, significantly influencing decision-making processes in healthcare, education, criminal justice, and social welfare. Yet, the data regimes and algorithmic infrastructures at the heart of these technologies often rely on Eurocentric assumptions that perpetuate patterns of epistemic exclusion rooted in colonial histories. This contribution situates these dynamics within the broader debate on AI governance in a multicentric world, where competing normative frameworks and epistemologies shape technological design and regulation. In particular, this paper explores how contemporary AI systems reproduce forms of knowledge extraction and erasure that marginalize Indigenous epistemologies and ontologies, ultimately threatening the realization of collective and individual human rights.
Focusing on Indigenous communities as a paradigmatic case, the paper critically assesses how constitutional and international frameworks purporting to safeguard human rights frequently fail to address the digital dimensions of autonomy and self-determination. Despite formal legal recognition of Indigenous rights, datafication, algorithmic profiling, and opaque platform governance bypass these guarantees, threatening privacy, cultural survival, and the capacity for self-representation.
A core argument concerns the inadequacy of traditional anti-discrimination legal frameworks when applied to AI. In European and North American systems, anti-discrimination law is typically premised on the attribution of intent or causality to human actors. In contrast, AI-based discrimination often results from complex interactions between programmers, data sets, and machine learning processes. These dynamics obscure the locus of responsibility, rendering legal redress more difficult and exposing significant gaps in existing constitutional and human rights protections. In this context, epistemology becomes crucial to understanding how discrimination operates: it is not merely a product of biased outputs but is embedded in the design logic and ontological assumptions of the systems themselves. Consequently, violations of human rights may be intrinsic to the very architecture of the model – rendering traditional judicial remedies inadequate. These gaps reveal structural limits in prevailing models of AI governance that rely on individual responsibility and ex post remedies.
Rather than viewing AI as neutral, this paper positions it as a site of epistemic power that embeds dominant worldviews while excluding alternative ontologies, particularly in contexts marked by asymmetries of technological power between the Global North and marginalized communities. Framing this issue through epistemic injustice, it proposes a reconceptualization of human rights to include epistemological rights: the right to be recognized according to one’s own cultural and conceptual frameworks, and to participate meaningfully in shaping the infrastructures that define identity, visibility, and belonging.
The analysis includes a review of landmark jurisprudence, such as Ewert v. Canada, illustrating how courts can act as governance actors in contesting algorithmic infrastructures. While courts and “fourth branch” institutions – such as national human rights bodies and data protection authorities – can serve as key safeguards against algorithmic bias, their efforts must be complemented by grassroots movements, Indigenous-led initiatives, and technical agencies committed to digital justice.
Building on this, the paper explores emerging movements for Indigenous data sovereignty and digital self-determination – such as community data trusts and participatory algorithm design – as both a response to and a re-imagining of human rights. These initiatives offer insights for rethinking data governance beyond state-centric and corporate-centric paradigms, in order to reclaim control over data and resist digital colonialism.
Ultimately, the paper advocates for reconfiguring constitutional and international human rights frameworks around principles of epistemic justice. It urges policymakers, scholars, and technologists to acknowledge the role of AI in exacerbating structural inequalities and to co-create mechanisms that empower marginalized communities in shaping digital futures. In doing so, it contributes to ongoing debates on how to govern AI in a plural, multipolar, and epistemically diverse digital order.
Bibliography:
Baraggia, A., Il ruolo delle istituzioni nazionali per i diritti umani in tempo di crisi, Roma Tre Press, 2022.
Couldry, N. – Mejias, U. A., The costs of connection: How data is colonizing human life and appropriating it for capitalism, Stanford University Press, 2019.
Council of Europe, Draft Framework Convention on Artificial Intelligence, 2023.
European Union Agency for Fundamental Rights, Getting the future right: Artificial intelligence and fundamental rights, 2020.
Fricker, M., Epistemic Injustice: Power and ethics of knowing, Oxford University Press, 2007.
Kukutai, S. – Taylor, J. (eds.), Indigenous data sovereignty: Toward an agenda, ANU Press, 2016.
Obermeyer Z., Powers B., Vogeli C., Mullainathan S., Dissecting racial bias in an algorithm used to manage the health of populations, Science, 2019, 447-453.
O’Donnell, R. M., Challenging racist predictive policing algorithms, NYU Law Review, 2019, 544-580.
Supreme Court of Canada, Ewert v. Canada, 2018.
Tushnet, M., The new fourth branch: Institutions for protecting constitutional democracy, 2020.
UNESCO, Recommendation on the Ethics of Artificial Intelligence, 2021.
Digital sovereignty has become a central concept in European Union (EU) debates on digital governance, technological dependency, and geopolitical autonomy. While a growing body of scholarship has examined how digital sovereignty is articulated by the European Commission (Wenzelburger and König, 2025; Pohle and Santaniello, 2024; Broeders et al., 2023; Barrinha and Christou, 2022) and, to a lesser extent, by the European Council (Reiners and Kachelmann, 2025), comparatively little attention has been paid to the European Parliament (EP) as a discursive arena in which sovereignty claims are publicly articulated, contested, and reconfigured. This omission is striking given the Parliament’s role as the EU’s most pluralistic institution (Corbett et al., 2024), where competing national interests, ideological positions, and normative visions of Europe’s digital future intersect.
This paper addresses this gap by providing a longitudinal content analysis of digital sovereignty discourse in the European Parliament, grounded in Mauro Santaniello’s (2025) conceptual framework of the Attributes of Digital Sovereignty. Rather than treating sovereignty as a static legal principle or a coherent policy objective, Santaniello conceptualizes it as a dynamic, relational, and performative discourse, structured around five key attributes: adversariality, multiversity, latency, instrumentality, and hypocrisy. These attributes allow for a systematic analysis of how sovereignty is mobilized, against whom, for what purposes, at which moments, and with which internal contradictions.
The paper pursues two core research objectives. First, it reconstructs the historical evolution of digital sovereignty discourse in the European Parliament, tracing how the meaning, intensity, and political functions of sovereignty claims have shifted over time. Second, it investigates whether and how digital sovereignty discourse varies across national delegations and parliamentary groups, thereby revealing internal cleavages within the Parliament regarding Europe’s digital future. By doing so, the paper contributes to the literature on EU digital governance, parliamentary discourse, and sovereignty by showing that digital sovereignty in the EP is neither monolithic nor institutionally derivative, but instead deeply contested and politically differentiated.
Theoretical framework and operationalisation
Santaniello’s framework provides an analytically precise lens for studying digital sovereignty as discourse. It departs from legalistic or normative understandings of sovereignty and instead emphasizes its relational, instrumental, and performative qualities (cf. also Adler-Nissen and Eggeling, 2024; Couture and Toupin, 2019). In this study, the five attributes are operationalised as discursive markers observable in parliamentary speech acts, written interventions, committee debates, and plenary reports.
Adversariality captures the relational dimension of sovereignty claims. Every invocation of digital sovereignty implies the presence of an adversary – explicitly or implicitly constructed – against whom autonomy, control, or authority is asserted. In the EP context, adversaries appear in multiple forms: named geopolitical actors (such as the United States, China, or Russia), transnational corporations (“Big Tech,” “platform monopolies”), or more diffuse threats such as cybercriminals, foreign surveillance, or strategic dependencies. The analysis codes adversariality by identifying how MEPs construct oppositional relations, how these adversaries change over time, and how they shape the direction and intensity of sovereignty claims. This operationalisation allows us to trace shifts from early sovereignty claims directed primarily against U.S. digital dominance toward broader adversarial constellations involving China, Russia, and global supply chains.
Multiversity refers to the inherent multiplicity of meanings attached to digital sovereignty. Rather than prescribing a single policy trajectory, sovereignty functions as a multivocal discursive resource capable of legitimising divergent and sometimes contradictory agendas. In the EP, digital sovereignty is invoked to justify regulatory intervention, industrial policy, innovation strategies, data protection, cybersecurity measures, and even openness through alliances. Operationally, multiversity is identified by coding instances where sovereignty is associated with different policy goals, normative values, or governance models, as well as by tracing how these interpretations vary across political groups and national contexts. This attribute is particularly relevant for understanding how digital sovereignty facilitates coalition-building in a heterogeneous institution such as the EP, while simultaneously masking underlying political tensions.
Latency captures the temporal dynamics of sovereignty discourse. Digital sovereignty does not appear uniformly across time or policy fields; rather, it remains latent until activated by specific shocks, crises, or vulnerabilities. The analysis operationalises latency by examining temporal peaks and silences in sovereignty discourse, linking them to external events such as the COVID-19 pandemic, transatlantic data transfer disputes, semiconductor shortages, intensified U.S.-China technological rivalry, and the Russian invasion of Ukraine. By doing so, the paper shows that sovereignty operates less as a permanent doctrine and more as a discursive reservoir that can be strategically activated or deliberately avoided, depending on political opportunity structures.
Instrumentality refers to the anchoring of sovereignty claims in concrete issue areas and policy domains. In the EP, digital sovereignty gains meaning when it is linked to specific regulatory or industrial debates: cloud computing, platform regulation, artificial intelligence, cybersecurity, data governance, or semiconductors. The analysis operationalises instrumentality by coding the policy fields in which sovereignty is invoked and examining how the same sovereignty discourse is adapted to different sectoral struggles. This allows us to trace how digital sovereignty functions as a strategic repertoire that translates abstract claims of autonomy into tangible policy agendas.
Hypocrisy captures the structural gap between sovereignty rhetoric and material practices. Many parliamentary sovereignty claims coexist with continued dependence on non-European technologies, infrastructures, and supply chains. Operationally, hypocrisy is identified by coding discursive moments in which MEPs either implicitly or explicitly point to contradictions between proclaimed sovereignty and actual reliance on external actors, or where sovereignty rhetoric persists despite acknowledged interdependence. Rather than treating such contradictions as evidence of conceptual failure, the analysis interprets them – following Santaniello – as constitutive of sovereignty’s performative power: sovereignty sustains legitimacy and political authority even when full autonomy is unattainable.
Data and methodology
Empirically, the paper draws on a systematically constructed corpus of European Parliament materials spanning multiple legislative terms (the ninth term, 2019-2024, and the tenth term, 2024 to the present). The dataset includes plenary debate transcripts (verbatim reports), committee debates and agendas, parliamentary questions, reports, and amendments in which digital sovereignty or closely related formulations appear. The analysis combines qualitative discourse analysis with structured coding based on Santaniello’s five attributes, allowing both longitudinal mapping and cross-sectional comparison.
The methodological design proceeds in three steps. First, a qualitative close reading identifies recurring frames, metaphors, and argumentative patterns associated with digital sovereignty. Second, these patterns are coded according to the five attributes, enabling the construction of time-series data on the relative salience of each attribute. Third, the coded material is analysed comparatively across parliamentary groups and Member State delegations, revealing systematic differences in how sovereignty is articulated.
Preliminary Findings
The preliminary analysis reveals a clear historical evolution of digital sovereignty discourse in the EP. Early parliamentary debates frame digital sovereignty primarily in instrumental terms, linked to consumer protection, data protection, and regulatory capacity. Sovereignty appears as a means to “regain control” over digital markets and protect citizens’ rights at the European scale.
From the early 2020s onward, adversariality becomes increasingly salient. Digital sovereignty is progressively framed against external dependencies, global platform power, and geopolitical competitors. This shift is accompanied by rising latency: sovereignty discourse intensifies in moments of crisis and vulnerability, such as the pandemic or geopolitical escalation, while receding in more stable periods.
At the same time, multiversity remains a defining feature of parliamentary discourse. Different political groups mobilize sovereignty to advance competing visions: some emphasize openness, alliances, and rights-based governance, while others foreground industrial policy, security, and strategic autonomy. This plurality demonstrates that digital sovereignty in the EP functions less as a unified strategy and more as a discursive battleground.
Finally, hypocrisy becomes increasingly visible in later debates, particularly as digital sovereignty rhetoric expands while material dependencies persist. Parliamentary interventions frequently highlight tensions between ambitious sovereignty claims and the realities of global interdependence, revealing sovereignty’s performative role in sustaining political authority under conditions of constraint.
Conclusion and contribution
By applying Santaniello’s attributes framework to the European Parliament, this paper makes three contributions. Empirically, it provides the first systematic analysis of digital sovereignty discourse in the EP, complementing Commission and Council-centred accounts. Theoretically, it demonstrates the analytical value of treating digital sovereignty as a relational and performative discourse rather than a fixed policy objective. Substantively, it shows that digital sovereignty in the EP is dynamic, internally differentiated, and politically contested, shaped by temporal shocks, ideological divisions, and national interests.
Overall, the findings suggest that digital sovereignty in the European Parliament functions less as a roadmap to technological independence than as a flexible political language through which Europe negotiates autonomy, dependence, and power in an increasingly contested digital order.
References
Adler-Nissen, R., and K. A. Eggeling. (2024). The discursive struggle for digital sovereignty: Security, economy, rights and the cloud project gaia-X. JCMS: Journal of Common Market Studies 62 (4):993-1011. doi:10.1111/jcms.13594.
Barrinha, A., and G. Christou. (2022). Speaking sovereignty: The EU in the Cyber Domain. European Security 31 (3):356-76. doi: 10.1080/09662839.2022.2102895.
Broeders D., Cristiano F., Kaminska M. (2023), In Search of Digital Sovereignty and Strategic Autonomy: Normative Power Europe to the Test of Its Geopolitical Ambitions, in «Journal of Common Market Studies», 61(5), 1261-1280.
Corbett, R., Jacobs, F., Neville, D., Černoch, P. (2024) The European Parliament, 10th ed., London: John Harper Publishing.
Couture, S., and S. Toupin. (2019). What does the notion of ‘sovereignty’ mean when referring to the digital? New Media & Society 21 (10):2305-22. doi: 10.1177/1461444819865984.
Pohle, J., Santaniello, M. (2024), From multistakeholderism to digital sovereignty: Toward a new discursive order in internet governance?. Policy & Internet 16(4): 672-691. https://doi.org/10.1002/poi3.426
Reiners, W., & Kachelmann, M. (2025). The EU digital strategy between sovereignty and green transformation: Political milestones, policy fields and strategic narratives (IDOS Discussion Paper 33/2025). IDOS. doi.org/10.23661/idp33.2025.
Santaniello M., (2025). Attributes of Digital Sovereignty: A Conceptual Framework. Geopolitics, 1-22. doi.org/10.1080/14650045.2025.2521548.
Wenzelburger, G., & König, P. D. (2025). Sending Signals or Building Bridges? Digital Sovereignty in EU Communicative and Co‐Ordinative Discourse. JCMS: Journal of Common Market Studies, 63(2), 526-547.
“[A] way to make sure that humans stayed special and central”: from Brussels to Nairobi effect?
ABSTRACT. The rapid development of Artificial Intelligence (AI), particularly its generative branch, has captured global attention in the past couple of years. With the ever-increasing presence of AI-powered (chat)bots, Alan Turing’s old question of how to tell the difference between a human and a machine has been revived,[1] and discussions on Proof of Personhood (PoP) protocols as a means of unequivocally establishing human control have advanced.[2] On this wave, in July 2023, Tools for Humanity – a company co-funded by OpenAI’s CEO Sam Altman, best known for ChatGPT – officially launched a new PoP protocol called “Worldcoin”. This innovative solution came with a promise of a revolutionary blend of biometric-based cryptocurrency and identity verification.[3] Worldcoin offered a digital passport – the “World ID” – issued in exchange for cryptocurrency tokens (WLD) that were paid to users when they had submitted their sensitive biometric data – iris scans – through a specially designed device called the “orb”.
In June 2025, that eye-like ball made it to the cover of Time magazine, when Altman introduced Worldcoin services in his home country and the world’s leading technological hub – the United States.[4] He promoted his new initiative with the highly commendable statement that Tools for Humanity “wanted a way to make sure that humans stayed special and central.”[5] Using the orbs and the iris scans, only by mid-2023, the company “confirmed” about twelve million Worldcoin users worldwide to be human – all assigned a unique identifier.[6]
That ‘worldwide’ aspect of the operation of Tools for Humanity is crucial and is the subject of the proposed paper. The roll-out of Worldcoin services outside the US has given rise to considerable controversy and criticism in many jurisdictions across the globe. Most notably, however, the extensive harvesting of biometric data by Tools for Humanity, and the underlying business model premised on the exchange of sensitive personal data for cryptocurrency, have led to enforcement actions by a growing number of regulators and authorities in countries of both the European Union (EU) and the Global South. To name a few of the non-EU actors who acted against the company, it is worth recalling initiatives taken by the Argentinian Agency for Access to Public Information,[7] Colombian Superintendence of Industry and Commerce,[8] Office of the Privacy Commissioner for Personal Data in Hong Kong,[9] Data Protection Authority in Indonesia[10] or South Korea.[11]
The biggest legal battle, however, seems to have taken place in Kenya, where after the intervention of the Office of the Data Protection Commissioner (ODPC)[12] followed by a decision of the High Court of Nairobi,[13] Worldcoin was unconditionally ordered to delete all biometric data collected from Kenyans.[14]
In the aforementioned countries, the pushback against sensitive data collection practices was possible largely due to the robust data protection legal frameworks, often comparable to the EU’s General Data Protection Regulation (GDPR). Paradoxically, the enforcement actions of those frameworks commonly considered to be the emanation of the GDPR’s “Brussels effect”,[15] take place at the time, when the EU is debating the possibility of weakening its personal data protection standards. The recently proposed Digital Omnibus[16] aims at simplifying rules, including rules on data protection, to better accommodate the needs of innovation and competitiveness with respect to digital technologies, in particular AI.[17] The Omnibus, among other changes, proposes relaxation of rules for the processing of sensitive data by the amendment of Article 9 of the GDPR.
The European Commission’s explanations that “[t]rustworthy AI is key in providing for economic growth and supporting innovation with socially beneficial outcomes” at times resemble the visionary narrative of Altman and other big-tech CEOs.[18] Yet the Commission’s solutions proposed in the Omnibus strikingly clash with the rights that, as recently reiterated by the High Court of Nairobi, are “to preserve the dignity of individuals and communities and to promote social justice and the realization of the potential of all human beings.”[19]
In view of the above, in the proposed contribution, I would like to reflect on the currently observed dynamics and tensions between business and regulatory power by exemplifying how the data protection enforcement actions towards Worldcoin across distinct jurisdictions may shape the future of AI governance. I wish to seek an answer to the question of whether the EU’s attempts to join the American-Chinese AI race through its recent legislative efforts could bring an end to the “Brussels effect”, leaving it up to the “Global South effect” to keep humans special and central.
---
[1] Avraham Rahimov, Orel Zamler and Amos Azaria, ‘The Turing Test Is More Relevant Than Ever’ (arXiv, 5 May 2025) <http://arxiv.org/abs/2505.02558> accessed 23 January 2026.
[2] Puja Ohlhaver, Mikhail Nikulin and Paula Berman, ‘Compressed to 0: The Silent Strings of Proof of Personhood Governance of Emerging Technologies Symposium Papers’ (2025) 8 Stanford Journal of Blockchain Law & Policy 60, 61.
[3] See more at: https://www.toolsforhumanity.com/ accessed 23 January 2026.
[4] Perrigo, B. (2025). ‘The Orb Will See You Now’. TIME. Retrieved July 17, 2025, from <https://time.com/7288387/sam-altman-orb-tools-for-humanity/>
[5] Ibid.
[6] Worldcoin (2025) ‘The Circulating Supply of Worldcoin (WLD): An Explainer’. Retrieved July 17, 2025, from <https://world.org/blog/foundational-topics/the-circulating-supply-of-worldcoin-wld-an-explainer>
[7] Agency for Access to Public Information. (2023). ‘La AAIP investiga el tratamiento de datos personales de Worldcoin en Argentina’ <https://www.argentina.gob.ar/noticias/la-aaip-investiga-el-tratamiento-de-datos-personales-de-worldcoin-en-argentina>
[8] Superintendencia de Industria y Comercio (2024) ‘Comunicado SIC Worldcoin’.
[9] Office of the Privacy Commissioner for Personal Data, Hong Kong (2024) ‘Investigation Findings: The Operation of the Worldcoin Project in Hong Kong Contravenes the Personal Data (Privacy) Ordinance’. PCPD HK.
[10] Komdigi (2025) ‘Komdigi Suspends Licenses for Worldcoin and WorldID to Ensure Digital Security’. Komdigi <https://portal.komdigi.go.id/kanal-publik/berita-kini/9302>
[11] Kim, M.-G (2024) ‘“World Coin” affiliates fined a total of 1.14 billion won for violating the Personal Information Protection Act’. Personal Information Protection Commission <https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10608>
[12] Office of the Data Protection Commissioner (ODPC) (2023) Determination in the Suo Motu Investigation by the Office of the Data Protection Commissioner on the Operations of the Worldcoin Project in Kenya by Tools for Humanity Corporation, Tools for Humanity GMBH & Worldcoin Foundation.
[13] Republic of Kenya (2024) Office of the Data Protection Commissioner v Tools for Humanity Corporation (Worldcoin) & 2 others (Miscellaneous Criminal Application E315 of 2023) [2024] KEHC 312 (KLR) (Crim) (25 January 2024).
[14] Stephen Mayhew (20 January 2026) “World’s iris biometrics scans launch in one country, undone in another Orbs deployed in Italy, data deleted in Kenya” <https://www.biometricupdate.com/202601/worlds-iris-biometrics-scans-launch-in-one-country-undone-in-another>
[15] Anu Bradford, “The Brussels Effect: How the European Union Rules the World” (OUP, 2019).
[16] European Commission, ‘Digital Omnibus Regulation Proposal. Shaping Europe’s Digital Future’ (19 November 2025) <https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal> accessed 7 January 2026.
[17] European Commission, ‘An Agile Digital Rulebook for the EU | Shaping Europe’s Digital Future’ (19 November 2025) <https://digital-strategy.ec.europa.eu/en/policies/digital-rulebook> accessed 8 January 2026.
[18] Claudie Moreau (14 January 2026) “EU tech simplification push mirrors big tech's agenda, lobby trackers warn” <https://www.euractiv.com/news/eu-tech-simplification-push-mirrors-big-techs-agenda-lobby-trackers-warn/>
[19] (n13) Para 204.
Common European Data Spaces: Where are we heading to?: Federico Costantini, Marco S. Nobile, Pia Groenewolt
ABSTRACT. Data constitutes a strategic asset for the EU internal market, since it carries information that can be exploited by a plurality of actors to generate economic, political, and competitive advantages. Datasets may be processed and analyzed in order to extract insights relevant for decision-making, business operations, public policy, and scientific research. In this sense, control over data and over the conditions of its access and reuse may translate into asymmetries of power between market participants and other stakeholders.
The notion of “Data Spaces” refers to a socio-technical and legal construct articulated around three interrelated dimensions, namely policy, legal, and technical components. Data spaces may be understood as governance frameworks intended to structure the lawful and technically feasible sharing of data for specified purposes. Within this broad category, distinctions are commonly drawn between industrial data spaces, individual data spaces, and EU-promoted data spaces, each of which pursues distinct objectives and is embedded in different regulatory and institutional configurations.
The term “Common European Data Spaces” (CEDS) designates a policy and legal framework developed by the EU in the context of the European strategy for data, with a view to facilitating the reuse of sectoral data across both public and private sectors. This framework comprises a set of regulatory instruments and policy initiatives aimed at enabling data sharing while, at least in principle, ensuring compliance with existing legal constraints.
By way of illustration, the European Health Data Space seeks to establish a harmonized framework for the access to, use of, and exchange of electronic health data across the EU. It aims to strengthen individuals’ access to and control over their personal data, while simultaneously enabling the secondary use of certain categories of data for purposes of public interest, policy-making, and scientific research.
At the same time, CEDS are being developed within a complex and evolving framework of EU and national legal regimes, characterized by the recent adoption of multiple legislative instruments. This regulatory environment raises uncertainties as to the extent to which these initiatives will, in practice, be capable of ensuring smooth and effective data sharing and reuse, in particular where such data are subject to trade secret protection, data protection rules, or other sector-specific legal constraints.
Against this background, this panel seeks to engage with a number of core questions relating to CEDS, including:
• How should the concept of “Data Spaces” be understood from a legal and governance perspective, and what differentiates the various types of data spaces?
• What legal, technical, and institutional obstacles arise in the implementation of CEDS?
• What risks and benefits do these initiatives entail for citizens and other stakeholders?
• What further regulatory, technical, or governance measures may be necessary to facilitate their effective and socially beneficial implementation?
Turning Internal Mental States into Data: Legal Uncertainties Surrounding the Regulation of Neurotechnology-Derived Information
ABSTRACT. The global market for non-invasive neuroimaging technology (hereafter, “neurotechnology”) continues to expand rapidly, with consumer-oriented companies currently predicted to outnumber medical ones [1,2]. In this context, debates have intensified around whether we need new, foundational human rights, referred to as “neurorights” [3,4]. Given that most neurotechnology companies can broadly collect and trade neurotechnology-derived data under permissive take-it-or-leave-it terms, a proposed neuroright is that of mental privacy. This right would offer protection against unconsented access to, or unauthorized collection of, mental information [6]. Advocates of mental privacy argue that neural data warrants special treatment beyond traditional privacy frameworks because of its intimate connection to the bodily system responsible for cognition, affect, and personal identity [6]. Critics, however, contend that existing governance mechanisms can be applied or adapted to address neurotechnology-related concerns without creating neurorights [7]. Indeed, concerns about mental privacy echo longstanding critiques in the literature highlighting how data colonialism, commodification, and large-scale aggregation can produce cumulative harms for both individuals and groups [8,9].
The confusion surrounding mental privacy's necessity is compounded by the fact that discussions of the concept have largely remained at a high level of abstraction. Despite commendable international soft law initiatives [10,11], questions about whether, when, and how neurotechnology-derived data should be regulated remain underexplored. Efforts to incorporate diverse stakeholder perspectives in neuroethics research appear to have largely overlooked privacy and data-protection experts. This gap makes it difficult to know whether the risks associated with neurotechnological innovation are sufficiently novel to warrant differentiated legal treatment [12]. Relatedly, it remains unclear whether neurotechnology governance is best understood as facing a pacing problem, and, if so, whether precautionary regulatory principles should be invoked.
Our study sought to address these questions from a Canadian perspective. Canada has a complex and fragmented landscape of data-protection frameworks, including statutory privacy regimes, constitutional protections, and discrimination law. However, it remains unclear whether these existing frameworks adequately address the privacy risks that may arise from the growing use of neurotechnologies. Specifically, we aimed to identify potential legal uncertainties [13] emerging in Canada as a result of neurotechnology-driven socio-technical change. These included application uncertainties (i.e., whether information and privacy experts consider existing Canadian legislation adequate to address neurotechnology-related privacy concerns), normative uncertainties (i.e., how serious such experts consider neurotechnology-related privacy risks to be), and institutional uncertainties (i.e., whether such experts perceive themselves as having the authority, competence, and legitimacy to apply or adapt existing law in this domain).
We recruited 15 participants from five Canadian offices of privacy commissioners, including provincial offices in Ontario, Quebec, British Columbia, and Alberta, as well as the federal office. Following initial planning consultations with non-participant staff from some participating offices, we developed a two-stage qualitative study designed to align with participants’ professional interests and institutional constraints. The first stage consisted of an in-office qualitative survey. The survey included background material introducing relevant forms of neural data, as well as three short hypothetical vignettes designed to ground responses in concrete scenarios. The second stage involved follow-up focus group discussions that built on themes emerging from the surveys, including areas of convergence and divergence across offices. These focus groups were conducted across offices to facilitate inter-jurisdictional discussion and collective reflection among information and privacy experts. Topics discussed included the conceptualization of neural data (e.g., sensitivity, scope, and claims of exceptionality), regulatory approaches, big data and open science practices, soft law mechanisms, cross-border data flows, and the relevance of human rights protections. Data from the qualitative surveys and focus groups were then integrated to be analyzed [14] using reflexive thematic analysis [15]. The datasets were double-coded, with the codebook developed primarily through inductive analysis. Limited deductive elements were introduced to ensure alignment with our research questions.
The proposed presentation will examine major themes emerging from our integrated dataset, encompassing both observations specific to neural data and issues situated within the broader privacy law landscape in Canada. Our preliminary analysis identifies several key areas for discussion, including uncertainty surrounding future data repurposing, ambiguity regarding the appropriate object of regulation (e.g., data, technologies, specific uses, or alternative regulatory targets), limitations in existing enforcement mechanisms, and the increasing intersection of privacy regulation with other governance frameworks, including emerging artificial intelligence governance structures. More broadly, we seek to illuminate the trade-offs between privacy protection and the potential benefits of neural data use. We will situate our findings within the broader literature on regulatory theory to support more informed and proactive decision-making by legal actors, regardless of whether such decisions ultimately favour new regulatory intervention or regulatory restraint.
The main contribution of this study lies in its practical focus. By engaging information and privacy experts and grounding discussions in realistic regulatory scenarios, the study adds empirical specificity to debates that have largely remained abstract. It offers insight into how neurotechnology-related privacy issues are understood within existing regulatory institutions and provides a foundation for anticipating how privacy considerations may be incorporated into future neurotechnology governance. We hope that these findings will inform technology developers, policymakers, legislators, regulators, and standards-setting bodies both in Canada and beyond.
—
[1] Bernáez Timón & Mahieu (2025). Neurotech consumer market atlas. Centre for Future Generations. https://cfg.eu/neurotech-market-atlas/
[2] Hain et al. (2024). Unveiling the neurotechnology landscape: scientific advancements innovations and major trends. UNESCO Digital Library. https://doi.org/10.54678/OCBM4164
[3] Spichak (2025). The Controversial Push for New Brain and Neurorights. 27 J Med Internet Res. https://www.jmir.org/2025/1/e72270/
[4] Istace (2025). Establishing Neurorights: New Rights versus Derived Rights. 17:1 Journal of Human Rights Practice. https://doi.org/10.1093/jhuman/huae042
[5] Genser et al. (2024). Safeguarding Brain Data: Assessing the Privacy Practices of Consumer Neurotechnology Companies. NeuroRights Foundation. https://perseus-strategies.com/wp-content/uploads/FINAL_Consumer_Neurotechnology_Report_Neurorights_Foundation_April-1.pdf
[6] Ienca (2021). On Neurorights. 15 Frontiers in Human Neuroscience. https://doi.org/10.3389/fnhum.2021.701258
[7] Bublitz (2024). What an International Declaration on Neurotechnologies and Human Rights Could Look like: Ideas, Suggestions, Desiderata. 15:2 AJOB Neuroscience. https://doi.org/10.1080/21507740.2023.2270512
[8] Kim et al. (2021). Data and Manure: Are Data Subjects Investors? 18:1 Berkeley Business Law Journal. https://doi.org/10.15779/Z38DR2P915.
[9] Ström (2022). Data Mining on the Crawl Frontier: Metaphor in Cybernetic Capitalism. 26:1 Law Text Culture. https://doi.org/10.14453/ltc.778
[10] Global Privacy Assembly (2024). 46th Closed Session of the Global Privacy Assembly. https://globalprivacyassembly.com/wp-content/uploads/2024/11/Resolution-on-Neurotechnologies.pdf
[11] UNESCO (2024). Draft Recommendation on the Ethics of Neurotechnology. https://unesdoc.unesco.org/ark:/48223/pf0000394866/PDF/394866eng.pdf.multi
[12] Bennett Moses (2013). How to Think About Law, Regulation and Technology: Problems with 'Technology' as a Regulatory Target. 5:1 Law, Innovation and Technology, UNSW Law Research Paper No. 2014-30. https://ssrn.com/abstract=2464750
[13] Ard & Crootof (2025). Technology Law Chapter 2: Legal Uncertainties. Univ. of Wisconsin Legal Studies Research [Paper Forthcoming]. http://dx.doi.org/10.2139/ssrn.5476926
[14] Chamberlain et al. (2011). Pluralisms in Qualitative Research: From Multiple Methods to Integrated Methods. 8 Qualitative Research in Psychology. https://doi.org/10.1080/14780887.2011.572730
[15] Braun & Clarke (2022). Toward good practice in thematic analysis: Avoiding common problems and be(com)ing a knowing researcher. 24:1 International Journal of Transgender Health. https://doi.org/10.1080/26895269.2022.2129597
A Matter of Life and Bits: Biological Computers as Personal Data
ABSTRACT. Traditionally, personal data can be processed in either analogue or digital form. However, biological computing (BC), such as DNA data storage systems (Extance, 2016), genetic computing (Adleman, 1998), and organoid reservoir computing (Cai et al., 2023), expands the notion of personal data processing. For example, organoid reservoir computing involves using lab-grown, stem-cell derived human brain cells to perform machine learning tasks such as voice recognition (ibid). The advantages of BC are energy efficiency (see Smirnova et al., 2023) and independence from raw materials critical for silicon-based computing. Considering the computing efficiency of the human brain, computing with brain organoids may also demonstrate computational advantages (ibid). The first commercial BC applications, such as Cortical Labs’ human neuron cell-based biocomputer (Cortical Labs, 2025), are already entering the EU market, raising questions about their GDPR compliance. Not only can BC systems process personal data as input – they may themselves be personal data.
Although data protection law is technology neutral, to date, its applications have presumed digital data processing to involve digital software running on silicon-based hardware. The “wetware” of BC upends this distinction (see Sirbu & Floridi, 2025). For example, unlike the Von Neumann computer architecture that conventional digital computers build upon (see Eigenmann & Lilja, 1998), organoid reservoir computers do not distinguish between memory and the central processing unit – they are fused together (see Gaimann & Klopotek, 2025). Consequently, BC systems need to be evaluated as novel means of processing input personal data. This topic has been understudied by the legal and ethical community researching organoid computing, which has focused on the problem of organoids’ potential for emergent sentience and consciousness (see Lavazza & Massimini, 2018; Sawai et al., 2022; Jowitt, 2023; Kataoka et al., 2023; Hartung et al., 2024).
Irrespective of BC systems’ potential for sentience, the emergence of biological computing substrates raises numerous questions about the implementability of principles of data protection and protecting data subjects’ and third parties’ rights when their personal data is stored on and processed by wetware. For example, how could principles of accuracy or data minimization be adhered to when personal data is stored on DNA sequences or processed by an organoid?
It must be considered that upon deploying human tissue or human genetic data, BC systems are, in themselves, personal data, typically of the sensitive kind. The introduction of commercial BC systems beyond R&D experimentation requires data controllers to assess a novel range of risks to the rights of data subjects whose data BC systems contain. Could the systems expose the tissue donors’ or their family members’ personal data? What degree of engineering could anonymize genetic data? What kind of consent formats account for tissue donors’ and data subject rights when human tissues are used for commercial computing, rather than the better-established purposes of R&D and medical research?
BC applications are at the early stage of development and are currently at the fringe of unconventional computing. However, the first commercial applications are on the market, reflecting the broader trend towards bio-technological convergence (Helbing & Ienca, 2024). The key bottleneck for exploring these questions stems from the lack of legally relevant knowledge on the ontological nature of different forms of BC and how they differ from digital forms of data and computing. Assuming that computers of the future can be personal data, it is critical for researchers and policy makers to engage in interdisciplinary collaboration to understand BC as a form of computing and assess the actual risks associated with BC. Moreover, it is necessary to understand and envision what data protection by design could stand for when computing on biological substrates, also accounting for other fundamental rights that may be at stake in BC. In BC technology development, attention should be paid to whether it is of added value for the computing performance to use human tissues or genetic material in BC. On a more theoretical level, BC should act as a wake-up call against technology law’s path dependency in assuming modern computing to be digital and silicon-based. Where BC can offer a more sustainable and efficient way for computing, its development should not be stalled by overregulation or lack of imagination on what data protection law compliant BC could look like.
References
Adleman, L. M. (1998). Computing with DNA. Scientific American, 279(2), 54–61. https://doi.org/10.1038/scientificamerican0898-54
Extance, A. (2016). How DNA could store all the world's data. Nature, 537(7618).
Cai, H., Ao, Z., Tian, C., Zhan Hao Wu, Liu, H., Tchieu, J., Gu, M., Mackie, K., & Guo, F. (2023). Brain organoid reservoir computing for artificial intelligence. Nature Electronics. https://doi.org/10.1038/s41928-023-01069-w
Cortical Labs P/L. (2025). Cortical Labs - CL1. @Corticallabs. https://corticallabs.com/cl1
Eigenmann, R., & Lilja, D. J. (1998). Von Neumann computers. Wiley Encyclopedia of Electrical and Electronics Engineering, 23, 387-400.
Gaimann, M. U., & Klopotek, M. (2025). Robustly optimal dynamics for active matter reservoir computing. arXiv preprint arXiv:2505.05420
Hartung, T., Morales Pantoja, I. E., & Smirnova, L. (2024). Brain organoids and organoid intelligence from ethical, legal, and social points of view. Frontiers in Artificial Intelligence, 6, 1307613.
Helbing, D., & Ienca, M. (2024). Why converging technologies need converging international regulation. Ethics and Information Technology, 26(1), 15.
Jowitt, J. (2023). On the legal status of human cerebral organoids: lessons from animal law. Cambridge Quarterly of Healthcare Ethics, 32(4), 572-581.
Kataoka, M., Lee, T. -L., & Sawai, T. (2023). The legal personhood of human brain organoids. Journal of Law and the Biosciences, 10(1). https://doi.org/10.1093/jlb/lsad007
Lavazza, A., & Massimini, M. (2018). Cerebral organoids: ethical issues and consciousness assessment. Journal of Medical Ethics, 44(9), 606-610
Sawai, T., Hayashi, Y., Niikawa, T., Shepherd, J., Thomas, E., Lee, T. L., ... & Sakaguchi, H. (2022). Mapping the ethical issues of brain organoid research and application. AJOB Neuroscience, 13(2), 81-94.
Sirbu, R., & Floridi, L. (2025). An analysis of the governance, ethical, legal, and social implications of biocomputing. Available at SSRN. http://dx.doi.org/10.2139/ssrn.5239551
Smirnova et al. (2023). Organoid Intelligence (OI): the new frontier in biocomputing and intelligence-in-a-dish. Frontiers in Science, 1. https://www.frontiersin.org/journals/science/articles/10.3389/fsci.2023.1017235/full
A Stress Test for EU Law on Non-Medical Neurotechnologies
ABSTRACT. The contribution addresses the challenges posed by the increasing use of non-medical neurotechnologies, such as systems designed to enhance individuals’ attention or productivity by processing their neural data. These technologies raise serious concerns for the protection of fundamental rights, particularly with regard to mental privacy and cognitive autonomy, while also affecting broader economic and geopolitical power dynamics.
It adopts the assumption that, in principle, the risks associated with neurotechnologies can be addressed within the scope of existing fundamental rights, without necessarily requiring the introduction of new autonomous rights.
At the same time, the analysis indicates that the effective protection of those rights is not yet fully ensured under the current EU regulatory framework, especially in relation to non-medical neurotechnologies.
In this respect, the paper examines the extent to which the safeguards provided by both the General Data Protection Regulation and the Artificial Intelligence Act are capable of adequately addressing the risks posed by such technologies.
It concludes by suggesting that some limitations emerging from the application of these regulatory instruments require further consideration in order to ensure an adequate level of fundamental rights protection in this domain.
Governing Neurotech: The Political Economy of Next-Generation Tech Regulation
ABSTRACT. Not least thanks to advances in AI, neurotechnologies – both invasive and not – have made big strides in recent years. Devices to monitor and influence brain activity are becoming available to consumers, reaching beyond the medical field in which they have been more common for some time already. This boom in neurotech is significantly pushed by Silicon Valley investors and entrepreneurs. They not only provide funding and some of the relevant expertise; neurotech also chimes with prevalent Silicon Valley ideologies that emphasize self-enhancement through advanced technology, a fundamental tech-optimism, a libertarian approach to developing and using tech, and the malleability of the human body and human existence.
Neurotechnologies also raise enormous legal and economic challenges: who owns and controls the data these devices process? Can workers be required to use them? Who is responsible for their safe use, given that they may be marketed as harmless “wellness and lifestyle”-devices, much like health-tracking wristbands? Is it desirable or necessary to govern the aggregate societal impact of such devices, for example when students feel pressured to use them in an attempt to increase performance? And what political economy dynamics should we expect, as Big Tech already moves into these market segments and integrates products with their other offerings?
Building on the experience with other emerging technologies, this paper charts the political economy dynamics in this field and how those structure public authorities’ ability to govern this invasive and potentially disruptive set of technologies. To do so, it takes a number of empirical steps:
- It maps the current European regulatory landscape: which extant legislation already has a meaningful impact on neurotech, what are its underlying tenets, and which gaps do they leave vis-à-vis the legislative challenges neurotech raises?
- Who are the main actors in Brussels? Several think tanks such as the Centre for Future Generations have been active in the field, as have the European Brain Council and the Neurorights Foundation. It is much less clear, however, to what degree trade associations or other commercial stakeholders have directly started to get involved. This paper maps out that activity.
- One aspect of special interest is the potential overlap with organizations that are also active in the field of AI. On the one hand, parts of both the AI and neurotech community are rooted in a somewhat woolly Silicon Valley ideology that fuses transhumanism, rationalism and libertarian elements. Moreover, not least given the enormous financial resources circulating in AI, early-stage funding from the AI field can easily spill over into neurotech start-ups.
On the other hand, given its more or less invasive character, neurotech is very different from AI, especially large language models with their enormous economies of scale. It is thus conceivable both that we find tight, significant overlap between the policy circles tackling AI and neurotech and that they differ substantially. The mapping exercise of this paper will elucidate the degree of overlap.
Based on its findings, the paper spells out to what degree current governance arrangements and structures contribute to meaningful democratic control over these transformative technologies, and where we can already identify gaps that deserve mending.
Digital Sovereignty in Transition: Law, Trade, and the Reconfiguration of Global Economic Governance
ABSTRACT. Panel Proposal by Profs Mira Burri (University of Luzern, CH) and Panos Delimatsis (TiU)
Digital sovereignty has rapidly emerged as a central organizing concept in contemporary debates on global economic governance (Chander and Sun, 2023). Once largely confined to discussions of data localization or cybersecurity, digital sovereignty now permeates economic policy, industrial strategy, competition law, platform regulation, and the constitutional ordering of the digital economy (Floridi, 2020). This panel understands digital sovereignty as an evolving and multidimensional, yet elusive, legal and socio-legal construct, focusing on its implications for international economic law and, in particular, digital trade.
The panel starts from the premise that digitalization fundamentally alters the nature of sovereignty (Robles-Carrillo, 2023). Digital infrastructures, data flows, and algorithmic systems are largely controlled by private actors operating across borders, yet increasingly subject to territorially anchored regulatory responses. This produces a structural paradox: states seek to assert control over infrastructures, data, and technologies that are developed, owned, or governed elsewhere, often according to legal norms and values they did not shape. Against this backdrop, digital sovereignty emerges not merely as a technological or market-driven concern, but as a question of legitimacy, democratic accountability, and the distribution of regulatory power.
Adopting a comparative perspective, the panel explores how different jurisdictions articulate and operationalize digital sovereignty and what the implications of this phenomenon are for the future of the world trading system. The United States has relied predominantly on export controls, investment screening, and security-based exceptions while simultaneously discouraging – often through economic coercion – non-tariff digital measures abroad. The European Union has pursued an ambitious regulatory agenda – ranging from data governance and platform regulation to AI and cybersecurity – under the banner of “open strategic autonomy.” More recently, its international digital strategy unfolds an ambitious agenda of digital partnerships and digital trade agreements. China, by contrast, embeds digital sovereignty within a broader surveillance-oriented and security-centric legal framework (broadening the so-called ‘Great Firewall’). Middle powers and digitally open economies increasingly experiment with digital economy (partnership) agreements and regulatory cooperation as alternative pathways. These divergent approaches raise fundamental questions about fragmentation, interoperability, and power asymmetries in global digital trade.
A central focus of the panel is the impact of digital sovereignty claims on the multilateral trading system. Digital trade disciplines, the principle of non-discrimination, and commitments on cross-border data flows are increasingly strained by industrial policy, national security exceptions, and unilateral regulatory interventions. While existing WTO tools (including ongoing e-commerce negotiations – Burri, 2023) offer mechanisms to manage these tensions, growing disenchantment with multilateral constraints suggests a gradual reconfiguration of trade law’s normative foundations. The panel critically examines whether current trade law doctrines can accommodate digital sovereignty claims without hollowing out the system, and whether new forms of regulatory cooperation (digital partnerships, trade and technology councils, and standards-based governance) offer a viable middle ground and constitute the future of cross-border cooperation.
Finally, the panel foregrounds socio-legal dimensions often overlooked in trade-centric analyses: the position of users and consumers, the role of digital rights, algorithmic governance, and the accountability of both corporate and public regulators (Burri, 2025). It asks whether digital sovereignty can function as a foundation for democratic governance in the digital age, or whether it risks legitimizing new forms of concentration, exclusion, and regulatory overreach.
By bringing together legal theory, comparative regulatory analysis, and international economic law, this panel aims to move beyond simplistic dichotomies of openness versus autonomy and to offer a nuanced account of digital sovereignty as a transformative and consequential (albeit deeply contested) feature of the global digital economy.
We anticipate having 4-5 papers for this panel, depending on the preferred format and time slot chosen by the conference organizers.
The Legal Construction of European Digital Sovereignty
ABSTRACT. Over the past few years, the EU has embraced digital sovereignty as a pillar of its global positioning. In the pursuit of that sovereignty, the EU has wielded many of its traditional policy tools. Recent developments in the digital acquis, such as the AI Act or the regulation of digital platforms, have been designed both to ensure that the digital space remains within the reach of EU law and to spread the European approach to digital regulation across the world through mechanisms such as the Brussels Effect. Funding and planning mechanisms, such as funds for digital innovation and the proposed preferencing of EU-based providers in public procurement, have also been proposed as a positive counterpart to regulation. Amid this fast-moving scenario, I propose that the success of this endeavour depends on a clear answer to an earlier question: what does it mean to say that the EU is sovereign in the digital domain?
This question is, at its heart, conceptual. Dominant formulations of sovereignty tend to frame it as a property of states, and indeed national sovereignty appears most often in EU primary and secondary law as a limit to the powers conferred to the Union by its Member States. In particular, attempts to expand the reach of EU powers over the digital domain have met national pushback when dealing with matters that fall within the scope of traditional sovereign prerogatives, as seen in the tug-of-war over data retention as well as in the numerous carve-outs present in EU digital regulations. Nonetheless, the idea that the EU can be sovereign in the digital domain seems to be accepted as a starting point for all these debates, even if the precise limits of its sovereign powers remain subject to political contestation.
Accordingly, my approach to this question interweaves conceptual reflections on the meaning of sovereignty in the digital space with a legal analysis of the instruments used by the EU to assert its claim to sovereignty. More specifically, I claim that the EU’s claim to digital sovereignty cannot be fully reduced to the sovereignty of each of its Member States, as it relies on elements and competences that are strongly recognized as part of the European sphere of powers. To make this case, I analyse EU policy documents to map out the contours of the EU claim, offering a close read of three exemplars of sovereignty-informed EU digital laws—the AI Act, the NIS2 Directive, and the proposed EU Quantum Act—to show how the exercise of the EU’s internal normative powers equips it to exercise some of the traditional prerogative powers of sovereignty when it comes to the digital space. In developing the conditions for a shared European digital infrastructure, and moving to block potential influences from external polities, the EU reinforces Member State sovereignty while at the same time dislocating some sovereign prerogatives to the supranational level.
By highlighting the legal contours of this move, I intend to direct attention to how these practices contribute to legitimizing the very idea of EU digital sovereignty, at the same time that they suggest legal limits to the role that—barring treaty change—the EU can take as a sovereign in cyberspace.
Expanding the Horizons of AI Governance: An Interdisciplinary Analysis of Regulatory Models in the EU, Japan, and Brazil
ABSTRACT. The research paper to be presented adopts an interdisciplinary lens – informed by ethics, political science, and psychology – to conduct a comparative analysis of AI regulation across the EU, Brazil, and Japan. Building on Bradford’s framework of the three ‘Digital Empires’ (2023) – the USA, EU, and China – this approach delves more deeply into the EU AI Act. In a second step, it introduces Brazil and Japan as influential jurisdictions in terms of AI regulation.
The paper highlights the normative and institutional logics informing AI governance and situates them within the broader societal context to define the rules of the digital future. It finds that rivalry, regulatory innovation, and imitation go hand in hand, as countries race toward a global AI standard that has yet to be defined. In this complex process, unfolding against the backdrop of growing deregulatory tendencies, the legal arena plays a crucial role. However, much like a fountain drawing from various sources, it is increasingly shaped by political, ethical, and psychological factors in the realm of AI regulation.
The highest form of techno-capitalist planning? – Law in the governance of emerging quantum innovation value chains
ABSTRACT. Practically – let alone commercially – useful quantum technologies still remain out of reach. The problem of quantum (de)coherence persists as a relentless and unyielding challenge for current quantum innovation efforts dedicated to making quantum computing, sensing and communication systems viable outside lab and controlled environments. The key to creating such useful quantum technologies is escaping ‘decoherence,’ a process in which a quantum system leaks information into the classical world, resulting in outputs indistinguishable from randomness, thereby losing its desired ‘quantumness’ for techno-commercial appropriation. If one were to think within the framing of a ‘quantum race’, escaping decoherence essentially is, as explained by Alice & Bob, a darling of Europe’s quantum start-up ecosystem, ‘analogous to gravity in space exploration […] we must escape some fundamental force to reach our destination.’
Over the last decade, innovation efforts from BigTech’s quantum R&D divisions and up-and-coming quantum scale-ups have culminated in the realisation of quantum systems that can escape decoherence but still cannot do anything particularly useful. This is a significant milestone but merely a ‘baby step’ in the long journey ahead that will entail intense competition over who can wrestle control over the material, knowledge and financial resources to realise the quantum dream. Commercially viable quantum technologies have yet to come to fruition, yet quantum ecosystems are already teeming with life, particularly those, like the Netherlands’ Quantum Delta NL, that receive a strong government push to be a ‘leading’ or at least ‘indispensable’ player within global quantum efforts.
The material reality of quantum innovation is vibrant, revolving around ‘promising’ or ‘state-of-the-art’ quantum prototypes, proofs-of-concepts, labs run by research institutions, start-up, and corporate R&D, the production of an array of enabling manufacturing and component technologies (e.g. cryostats, microelectronics, high-precision lasers, vacuum pumps, photonics, bespoke cabling solutions), and most importantly the community of scientists, engineers, and entrepreneurs committed to making quantum a commercial reality.
As quantum ecosystems around the world attempt to move towards commercialisation and scale-up, government and industry actors have invoked ‘value chain governance’ in their respective economic security and competitiveness agendas to stake a claim over hardware, intangible assets, and sites of innovation and production that are pivotal for building up and maintaining a quantum ecosystem’s technological, commercial and geostrategic ‘edge.’ In this respect, law may not be the beating heart of quantum innovation, yet it provides the underlying governance infrastructure for strategic positioning as well as for constructing and enclosing strategic points of control in emerging quantum innovation value chains.
This submission presents the overarching theoretical framework for my ongoing PhD project investigating how legal dynamics driven by the interests of the scientific community, industry, and state(s) play out in the construction and enclosure of points of control in emerging quantum innovation value chains. I weave together approaches from geoeconomics, law and political economy as well as drawing inspiration from Selwyn and Bernhold’s recent work on ‘capitalist value chain’ from economic geography theorising the geopolitical undercurrents of global value chains and production networks. This theoretical underpinning provides a blueprint for understanding the legal mechanisms that enable the build-up and capture of ‘chokepoints’ for strategic leverage and indispensability of national quantum actors within the emerging global quantum value chain. The theoretical framework lays out three legal mechanisms enabling states and industry players to (1). build, (2). ring-fence, and (3). appropriate value to be captured within the emerging quantum value chain.
(1). ‘Build’ refers to the choice of how state-backed quantum R&D investments are legally structured (e.g. ‘classical’ government expenditure through grants and subsidies, funding through national investment or development banks, or legal frameworks of government procurement as ‘guaranteed’ first buyer and market). What does this choice reveal about the state’s role in conditioning national innovation ecosystems to yield technology actors who sit on envisioned points of control within the emerging quantum global value chains? Trite as it may sound, the crux of the matter revolves around this (metonymous) question: ‘How do we fund the build-up of the next quantum ASML?’ Without the existence and financial backing of strategic quantum assets or players in the ecosystem, the next steps of ‘ring-fencing’ and ‘value appropriation’ may prove futile or even moot.
(2). ‘Ring-fence’ refers to how the recent surge in popularity of ‘geoeconomics’ has provided the policy rationale for the use of legal instruments to exclude, i.e. ring-fence, the out- and inbound flows of material, knowledge and financial resources tied to the research, development and innovation of critical technologies such as quantum (e.g. export controls on hardware and intangibles, knowledge security screening, investment screening). Legal and enforcement infrastructures of ‘ring-fencing’ not only provide a means to stem technological flows (for better or for worse) but also provide the perhaps even more pivotal means of surveying and/or surveilling these flows to map out the (global) value chain of quantum innovation, i.e. crucial strategic commercial intelligence.
(3). ‘Value appropriation’ refers to the legal apparatus facilitating the commercialisation of quantum technologies (e.g. intellectual property, particularly patents, as well as corporate-contractual frameworks underlying the process of ‘spinning-out’ academic research into commercial ventures). The world of quantum patents and spin-outs lends itself well to being understood through the lens of law and political economy. This revolves essentially around the question of how private law instruments funnel value from techno-scientific advances by encoding them into intellectual assets, which in turn become anchoring points for value capture to dominate (usually upstream) or become indispensable within the entire technology value chain.
Maps as Methodological Encounters between Regulatory Frameworks and Digital Technology
ABSTRACT. This panel brings together methodological reflections on the use of maps as instruments for rendering the relationship between law and digital technology inspectable. Building upon insights from the broader fields of Law, Science and Technology Studies (STS) and Digital Humanities, it explores how maps can serve as both a lens of critique and a mode of engagement in law and technology research. At the heart of this exploration lies the following question: How can mapping tools be used to critically inquire into digital technologies? And how, in turn, can digital technologies offer new methods to map emerging legal frameworks?
Such overarching inquiry is especially needed in a time when rapid evolution, in both technological innovation and the legal structures that oversee it, is confronting society with several challenges across both areas. On the one hand, these challenges stem from technology's rapid adoption, evolving capabilities, deep interconnectivity across critical systems, and their potential to cause unprecedented, large-scale systemic risks to society due to their "black-boxed" nature (Pasquale, 2015; Burrell, 2016). On the other hand, regulatory frameworks are becoming increasingly complex, fragmented, and overlapping (Streinz, 2021). This legal proliferation in turn creates difficulties of accessibility, coherence, and enforceability across sectors and jurisdictions.
Through this panel, we aim to create a space for exploring the potential of a mutual methodological engagement between digital technology and emerging regulatory frameworks. The goal is not merely to generate knowledge about how legal or technological systems function, but rather to intervene in them by using maps as instruments for querying their underlying assumptions and power structures. To inform the discussion, the panel puts forward four different ways in which STS-inspired approaches to mapping can be used both as means for rendering technological systems and legal frameworks visible and inspectable and for exposing their embedded normative assumptions.
Alone Together Online: Digital Loneliness and the Gaps in EU Digital Regulation
ABSTRACT. This article investigates digital loneliness as a growing but underexplored harm within the governance of digital technologies. While the EU’s Digital Services Act (DSA) and Artificial Intelligence Act (AI Act) aim to mitigate risks related to user well-being and fundamental rights, neither law explicitly addresses the social fragmentation and emotional displacement linked to excessive reliance on social media using recommender systems and AI companions. Through interdisciplinary review and legal mapping, the paper traces the concept’s origins, risks, implications and analyzes its implicit treatment in EU regulatory frameworks, particularly with respect to regulation of digital services and AI. The paper argues that digital loneliness should be better integrated into platform risk assessments and AI system design obligations and offers policy proposals for future regulatory guidance and implementation.
Swipe Right for a Heart: Embedding fairness in India’s AI-driven Organ Transplant Allocation.
ABSTRACT. Organ transplants can significantly extend life expectancy, restore functional capacity, and improve the quality of life for patients with end-stage organ failure. They also reduce the burden of long-term dialysis and intensive care on the public health system, freeing up scarce resources. This potential is significantly high in India, considering the high prevalence of kidney and liver diseases, where transplantation is the only realistic route out of repeated hospitalisation and an astronomical amount of medical expenditure.
India has, therefore, continually undertaken efforts to increase access to and streamline the organ transplantation process. To standardize organ allocation rules, improve coordination and reduce the scope for ad hoc hospital-centric decisions, India has amended the Transplantation of Human Organs and Tissues Act and created a tiered institutional structure comprising the National Organ and Tissue Transplant Organisation (NOTTO) at the national level, Regional Organ and Tissue Transplant Organisations (ROTTO) at the regional level and State Organ and Tissue Transplant Organisations (SOTTO) at the state level.
Multiple AI tools are being introduced across the country to efficiently match donors and recipients. For instance, OrganEase has been developed by IIT Madras using blockchain technology to enhance accessibility and ensure the transparent and fair allocation of transplant organs across all socio-economic groups. Similarly, the AI-based Vidiyal app, launched by the Transplant Authority of Tamil Nadu, has been designed to create a transparent, efficient, automated system for organ allocation. It manages the entire workflow from patient registration to organ allocation, considering waiting-list seniority and matching organs based on factors such as blood type, weight, and donor-recipient compatibility. Both OrganEase and Vidiyal ensure that hospitals receive live information about the availability of organs, which is a very important factor in organ transplantation, as organs are only viable for transplantation for a limited window of time. Another AI tool, OrganPredict, has been developed to enhance kidney transplant success rates by analysing donor-recipient data to predict graft survival and identify the most suitable matches.
In doing so, India would be joining a global trend towards reducing human influence and automating processes to improve efficiency, accuracy, and impartiality in organ transplant allocation. The U.K., for instance, has been employing AI tools like Organ Quality Assessment (OrQA), which determines the suitability of organs for donation; UK Deceased Donor Kidney Transplant Outcome Prediction (UK-DTOP), which has demonstrated a higher predictive accuracy for deceased donor kidney transplants; and UK Live-Donor Kidney Transplant Outcome Prediction, which predicts post-transplant survival for transplants of live-donor kidneys. The U.K. is also moving towards using a score called the Transplant Benefit Score to optimize transplantation based on how much a patient would benefit from receiving an organ.
The UAE’s Hayat program also uses AI to analyse patient data and speed up the process of donor-recipient matching and transplant. It aims to increase transparency, efficiency, and fairness by eliminating the consideration of irrelevant factors, such as religion. Interestingly, Japan is leveraging AI to predict the development and success of organoids created through bioengineering. Further, the United Network for Organ Sharing (UNOS) in the U.S. integrates AI and machine learning to improve efficiency, equity and patient outcomes in their transplant system. Similarly, predictive tools like iBox are being used in the EU to increase the efficiency and results of organ transplantation. The EU is also developing strong frameworks through the EU AI Act and the European Health Data Space (EHDS) to govern such use.
While most of these technologies are very promising, the question remains whether they lead to more objective and fair decision-making in contrast to human committees. Bias can enter these models due to three factors: policy choices, training data and variables, and technical features. For example, a policy choice to “prioritise younger patients” encodes distributive value judgments that can disadvantage older patients. Further, models built on data sets historically skewed by caste or socio-economic status, for instance, may reproduce those disparities. Moreover, opaque self-learning systems shift decision boundaries in ways that are difficult to understand and contest.
In the Indian context, various factors contribute to disparities. Any such tool designed for India would have to balance urgency, utility, and equity, given stark state-wise capacities and socio-economic inequalities. On the other hand, doctors cannot guarantee unbiased decisions, particularly in a deeply divided society like India, where multiple factors like caste, social status, religion, ethnicity, and language may subtly influence choices. Deliberately and consciously designing fairness into AI systems can be a viable option in such a scenario, provided we look beyond the fatalism that “androids cannot be fair” and are unfit for decisions involving life or death. For instance, the UAE’s Hayat, as mentioned above, explicitly bars consideration of religion, nationality or status. UNOS runs race/ethnicity audits to counter historical bias in the kidney donor risk index. Similarly, the EU mandates a fundamental rights impact assessment to uphold non-discrimination and ensure equitable access. A comparative case study of these tools and the regulatory frameworks in these jurisdictions can help identify possible regulatory pathways for India as well.
India’s legal framework, including the ICMR Ethical Guidelines for AI in Healthcare, 2023, the India AI Governance Guidelines 2025, and the Transplantation of Human Organs Act, already provides fertile ground for operationalising fairness and trustworthiness in AI tools for organ transplant allocation. For example, the three-tiered structure under NOTTO can be leveraged to create diverse, anonymised training datasets and to fill in missing rural data. Similarly, pre-deployment testing, as required under ICMR guidelines, may be used to integrate fairness mechanisms. Likewise, collaboration at all stages of the AI lifecycle, as mandated by ICMR guidelines, may be used to embed participatory design.
India can thus adapt global best practices to its local exigencies and transform AI tools to yield faster and fairer organ transplant allocations.
AI-Enabled Triage Systems in Emergency Medicine: The Fairness of Subjecting One’s Right to Timely Care to Automated Decision-Making
ABSTRACT. This paper examines the use of artificial intelligence (AI) in emergency medical triage through the lens of European Union (EU) regulatory instruments and EU fundamental rights. AI-enabled triage systems are increasingly deployed to prioritise 112 emergency dispatch calls and to sort patients within overcrowded emergency departments (EDs), promising faster automated decision-making (ADM) and more efficient allocation of scarce emergency resources. While such systems may, in theory, improve outcomes in time-critical situations by rapidly identifying high-risk patients or optimising ambulance dispatch, they simultaneously raise significant legal and ethical concerns. In emergency care contexts, algorithmic prioritisation may directly determine access to timely treatment, such that the rights to health and even to life may hinge on an automated assessment. This, in turn, prompts questions about due process for patients subjected to ADM, the extent to which such decisions are transparent or contestable, and how responsibility and liability are allocated when AI-driven triage errors cause harm.
Under the EU Artificial Intelligence Act (AIA), AI systems used for emergency call prioritisation and ED patient triage are explicitly classified as high-risk systems. This classification subjects them to stringent ex ante obligations designed to ensure safety, accountability and fairness. Providers must implement comprehensive risk-management systems, rely on high-quality and appropriately representative datasets, design systems to allow for effective human oversight, and maintain extensive technical documentation and logging to enable traceability of decisions. Importantly, public authorities and private entities performing public services that deploy such systems are required to conduct fundamental rights impact assessments, explicitly addressing risks to privacy, non-discrimination and other EU Charter-protected interests. The AIA therefore institutionalises a model of constrained automation in emergency triage, anchored in transparency and the continued primacy of human control over life-critical decision-making.
The General Data Protection Regulation (GDPR) complements this framework by imposing substantive and procedural limits on ADM involving personal data. Health data processed by AI triage systems constitute special category data, engaging heightened requirements of lawfulness, fairness and transparency. Article 22 GDPR is particularly relevant as it grants individuals the right not to be subject to decisions based solely on automated processing that significantly affect them, absent narrow exceptions. Given that triage outcomes can decisively shape access to emergency care, fully automated triage would ordinarily require either explicit consent or a specific legal authorisation accompanied by safeguards. In practice, most deployments therefore retain a human-in-the-loop structure, whereby clinicians validate or may override algorithmic outputs, thereby avoiding decisions being classified as solely automated. Nevertheless, GDPR continues to require that patients be informed of AI involvement and retain the right to seek human intervention and contest outcomes. Although the real-time exercise of these rights is often impractical in emergencies, they remain essential for ex post scrutiny and redress, and may support an emerging interpretation of a de facto right to refuse AI-driven medical decisions.
AI triage systems also fall within the scope of the Medical Devices Regulation (MDR), as they influence diagnostic and therapeutic decisions. As software medical devices, they must be CE-marked and comply with safety and performance requirements prior to market entry. Most AI triage tools are likely to be classified as Class IIa or IIb devices, reflecting the potentially severe consequences of erroneous triage, thereby triggering independent conformity assessment, rigorous clinical evaluation, and ongoing post-market surveillance obligations. The MDR thus embeds fairness at the design and validation stage by requiring manufacturers to demonstrate clinical accuracy, usability, and an acceptable risk-benefit profile, while also enabling regulatory intervention where systematic mis-triage or bias emerges in real-world use.
Despite these preventive regimes, AI failures remain possible, rendering liability and access to remedy central to fairness. In this sense, the recast Product Liability Directive (PLD) explicitly extends strict liability to software and AI systems. Where a defective AI triage system causes harm, patients may claim compensation without proving fault. The revised regime further mitigates evidentiary asymmetries inherent in complex AI systems by enabling courts to order disclosure of technical evidence and, in appropriate cases, to presume defectiveness or causation. Therefore, non-compliance with regulatory obligations under the AIA or MDR may itself serve as evidence of defect.
The paper situates these regulatory instruments within the broader framework of EU fundamental rights, arguing that fairness in AI-enabled triage is inseparable from rights to life, health care, non-discrimination, data protection and effective judicial protection. Transparency and explanation obligations support dignity and autonomy by preventing patients from being subjected to inscrutable algorithmic determinations. Human oversight and contestability operationalise due process and good administration, while anti-discrimination norms require vigilance against the reproduction of structural healthcare inequalities through biased data or models. Timely care itself emerges as a core rights concern: AI that delays emergency response would undermine the Charter’s requirement of a high level of health protection, whereas demonstrably life-saving AI may, in time, shape evolving standards of care.
Moreover, this article illustrates both the potential doctrinal benefits and governance challenges of AI triage, particularly regarding data quality, localisation, and continuous monitoring. It further highlights distinct risks in private healthcare settings, where commercial incentives may intensify pressures toward automation, necessitating robust enforcement of transparency, non-discrimination and human oversight obligations.
It concludes that the EU has constructed a dense and rights-oriented regulatory framework capable of accommodating AI in emergency triage, provided it is rigorously implemented. Fairness ultimately depends not on automation as such, but on whether AI remains a controlled, explainable and accountable tool that enhances, rather than supplants, human clinical judgment in situations where fundamental rights are at stake.
Ambient AI scribes: A poisoned chalice for the therapeutic relationship?
ABSTRACT. Introduction
The use of ambient AI scribes is one of the recent applications of generative AI in medicine, including in the field of mental health [Fisher 2024; Mess, Mackey, and Yarowsky 2025]. By this term, we refer to LLM tools that record and transcribe clinical encounters. The content of the transcript is then summarized by the scribe, resulting in a structured note that the therapist, sometimes together with the client, reviews for accuracy and completeness. The note can then be entered directly into the patient’s EHR [Buckley, Wand, and Gopalan 2025].
While essential to care processes, (manual) clinical documentation is time-consuming and may contribute to physician overload or even burnout [Buckley, Wand, and Gopalan 2025; Fisher 2024]. Therefore, the rationale for introducing AI scribes into (mental) healthcare workflows is to reduce the administrative and cognitive burden on care providers so that they can better focus on patient care. This not only promises to make care more efficient by reducing workload, but is also supposed to increase physician satisfaction and improve patient rapport and engagement [Buckley, Wand, and Gopalan 2025; Fisher 2024; Shah 2025].
Research problem and aim
While the purpose of ambient AI scribes is to act seamlessly and unobtrusively in the background of therapeutic interactions [Blease 2025], their integration into the sensitive mental healthcare domain is anything but insignificant. For regulatory scholars, the concerns are well known and echo the by now often-discussed issues raised in relation to the implementation of (generative) AI in medicine. Among others, these include questions concerning data privacy and security; erroneous outputs and AI hallucinations that might cause harm, and assigning the liability therefor; the perpetuation of biases and health disparities; the (in)ability of AI to capture nuance or subtext in conversations; the (in)explainability of AI outputs etc. [Buckley, Wand, and Gopalan 2025; Haltaufderheide and Ranisch 2024; Mess, Mackey, and Yarowsky 2025].
To address these legal and ethical concerns, the ‘responsible AI’ framework is commonly applied [Tavory 2024]. The idea behind this approach is that if only AI is (developed and) deployed ethically and responsibly, that is, in line with principles such as accuracy and robustness; privacy and safety; fairness and non-discrimination; transparency; human oversight and control over outputs; respect for fundamental rights and values; and education and accountability [see, for instance, Buckley, Wang, and Gopalan 2025; Sasseville et al. 2025; Tavory 2024], the above-identified threats can be staved off and the potential of innovative AI for (mental) healthcare harnessed in practice.
In contrast, this paper argues that framing the responsible adoption of AI scribes only in terms of achieving otherwise commendable goals of (time) efficiency and optimization of interactions might be misguided, because it risks overlooking the fact that the introduction of digital technologies into care might fundamentally, and perhaps more insidiously, disrupt therapeutic relationships [Jongsma et al. 2021] in potentially negative ways. In other words, if AI scribes are employed to ensure efficiency as health systems are increasingly unable to meet the demand, are they actually solving the problem of physician burnout, or do they also bring about a reconfiguration of the role and expertise care providers have in therapeutic interactions, with unforeseen consequences?
Discussion
In mental healthcare, maintaining clinical documentation is the health professional’s duty that serves various purposes in the therapeutic relationship, including acting as a base for making diagnoses and treatment plans and ensuring continuity of care; a safeguard against allegations of unethical conduct; and a means of professional development, underpinned by respect for patients’ rights and dignity [Tudor and Gledhill 2022]. Against this background, the present paper contends that ambient AI scribes that automate notetaking and reporting are not merely a neutral presence in the therapeutic relationship they are supposed to facilitate, but rather that their introduction might lead to several problematic developments with regard to the therapists’ role and responsibilities therein.
Firstly, Luepker [in Tudor and Gledhill 2022] suggests that (good) records represent “a clear ‘picture’ or ‘mirror’ of a patient”. AI, too, can act as a mirror, but its reflections represent only a ‘flattened’, rather than full, version of reality [Vallor 2024]. Whereas drafting clinical notes is always to an extent a subjective and reductionist exercise, it serves a particular purpose in the therapeutic encounter beyond just recording for posterity. Namely, it represents a reconstruction of the patient’s situation into an artefact that can be managed and acted upon [Berg in Walsh 2004]. Since medical records, as reflections of the patient and their story, are something that decisively frames the therapeutic relationship and the work that happens within it [ibid.], the question arises whether the task of formulating them is something to be entrusted to AI, specifically LLMs, whose outputs are not a product of (clinical) reasoning, but a reproduction of statistical patterns in the training data [Vallor 2024].
Relatedly, automation is commonly accompanied by the concern that it might negatively affect therapists’ clinical expertise, especially with prolonged use of and (over-)trust in AI. This is because AI scribes might “remove an opportunity for psychiatrists to reflect on their work” and consolidate and develop their clinical reasoning skills [Fisher 2025]. In turn, the danger of over-reliance on AI outputs arises, which “could come at the expense of professional development and quality of care” [ibid.; see also Shahazib, Shakil, and Arifa 2025], for example by uncritically accepting incorrect outputs.
Correspondingly, these developments raise a crucial question for AI governance in (mental) healthcare. Regulatory regimes like the AI Act, which largely reflects and operationalizes the ‘responsible AI’ methodology [Tavory 2024], are welcome and significant, but likely insufficient. Whilst having a framework in place that puts forward an array of predefined risks and corresponding obligations that an AI system needs to abide by in order to be put on the market [Almada and Petit 2025] might more or less successfully tackle the legal and ethical issues described in the introduction, the more subtle implications of AI’s integration into care processes and interactions might fly under its radar [see similarly Tavory 2024]. This is, largely, because product safety-style requirements defined ex ante and in abstracto are not really able to capture the dynamic nature of AI and the way it might affect the roles and contexts into which it is integrated [see similarly Edwards 2022]. The ensuing question that AI governance should be posing is thus not whether AI in (mental) healthcare can be implemented responsibly, but rather what kind of care it enables and promotes, and whether such care is societally desirable.
References
Marco Almada and Nicolas Petit, ‘The EU AI Act: Between the Rock of Product Safety and the Hard Place of Fundamental Rights’ (2025) 62 Common Market Law Review 103
Charlotte Blease, ‘The Quiet Infiltration. AI Is Already in the Doctor’s Office - and Patients Don’t Know It’ (Substack, 1 July 2025) <https://bleaseondrbot.substack.com/p/the-quiet-infiltration> accessed 23 January 2026
Patrick Buckley, Yanshan Wang, and Priya Gopalan, ‘Artificial Intelligence Scribes in Psychiatry’ (2025) 23 Focus - The Journal of Lifelong Learning in Psychiatry 44
Lilian Edwards, ‘Regulating AI in Europe: four problems and four solutions’ (Ada Lovelace, 2022) <https://www.adalovelaceinstitute.org/wp-content/uploads/2022/03/Expert-opinion-Lilian-Edwards-Regulating-AI-in-Europe.pdf> accessed 23 January 2026
Carl E. Fisher, ‘The real ethical issues with AI for clinical psychiatry’ (2024) 37 International Review of Psychiatry 14
Joschka Haltaufderheide and Robert Ranisch, ‘The ethics of ChatGPT in medicine and healthcare: a systematic review on Large Language Models (LLMs)’ (2024) 7 npj Digital Medicine, 183
Karin Jongsma et al., ‘How digital health affects the patient-physician relationship: An empirical-ethics study into the perspectives and experiences in obstetric care’ (2021) 25 Pregnancy Hypertension 81
Sarah A Mess, Alison J Mackey, and David E. Yarowsky, ‘Artificial Intelligence Scribe and Large Language Model Technology in Healthcare Documentation: Advantages, Limitations, and Recommendations’ (2025) 13 Plastic and Reconstructive Surgery - Global Open, e6450
Maxime Sasseville et al., ‘The Impact of AI Scribes on Streamlining Clinical Documentation: A Systematic Review’ (2025) 13 Healthcare (Basel) 1447
Shreya J. Shah et al., ‘Physician Perspectives on Ambient AI Scribes’ (2025) 8 JAMA Network Open, e251904
FNU Shahazib, Shabaz Shakil, and Arifa Arifa, ‘Over-reliance on AI for diagnosis: the potential for algorithmic bias and the erosion of clinical skills’ (2025) 49 Journal of Medical Engineering & Technology 427
Tamar Tavory, ‘Regulating AI in Mental Health: Ethics of Care Perspective’ (2024) 11 JMIR Mental Health, e58493
Keith Tudor and Kris Gledhill, ‘Notes on notes: Note-taking and record-keeping in psychotherapy’ (2022) 26 Ata: Journal of Psychotherapy Aotearoa New Zealand 123
Shannon Vallor, The AI Mirror: How to Reclaim Our Humanity in an Age of Machine Thinking (Oxford University Press 2024)
Stephen H. Walsh, ‘The clinician's perspective on electronic health records and how they can affect patient care’ (2004) 328 BMJ 1184
AI-Mediated Elections and Intersectional Risk Governance in India: Rethinking Democratic Resilience Beyond Tripolar Regulatory Models
ABSTRACT. The rapid integration of artificial intelligence into electoral campaigning has reshaped democratic participation across jurisdictions, but nowhere has this transformation been as large-scale or socially differentiated as in India, where estimates suggest that political actors spent over USD 50 million on AI-enabled election campaigning (Gupta and Mathews, 2024). India’s 2024 general election—the largest democratic exercise in history, with approximately 642 million citizens casting their vote—has been widely described as the world’s first and largest electoral deployment of deepfakes, marked by the use of generative AI tools including synthetic videos, voice-cloned calls, and data-driven voter profiling at unprecedented scale (Mani, 2024; Dhanuraj et al., 2024). These developments align with global risk assessments identifying AI-generated misinformation and disinformation as among the most severe short-term threats to democratic institutions, particularly in electoral contexts characterised by speed, scale, and affective mobilisation (World Economic Forum, 2025).
Among the most controversial episodes during the election cycle was the circulation by the Indian National Congress of an AI-generated video depicting the Prime Minister’s deceased mother, Heeraben Modi, appearing to criticise her son’s political conduct and moral choices in a staged, dream-like exchange. Explicitly labelled as AI-generated, the video leveraged intimate familial symbolism and the moral authority associated with motherhood and death to deliver a personalised political message. Rather than relying on policy critique or ideological contestation, the video mobilised emotional authenticity through synthetic reconstruction, illustrating how generative AI can be used to weaponise personal grief and symbolic kinship in electoral competition. This episode prompted a 2025 interim order of the Patna High Court directing the Congress to remove the video from all social media platforms, treating its circulation as potentially defamatory and in violation of electoral restraints under the Representation of the People Act. While the order demonstrates judicial willingness to intervene once harm has materialised, it also underscores the reactive, ex post nature of India’s current legal response to AI-mediated electoral manipulation.
Crucially, these developments raise a deeper question: what does it mean, in practice, for political content to be “marked as AI-generated” in an unequal democracy? Formal labelling presumes levels of literacy, digital familiarity, media awareness, and interpretive capacity that are unevenly distributed across societies marked by socio-economic inequality, linguistic diversity, and differential access to education. In such contexts, disclosure that content is “AI-generated” does not necessarily enable critical evaluation or informed consent. Instead, it risks functioning as a formal compliance mechanism that satisfies regulatory expectations while leaving underlying dynamics of manipulation intact. For many voters—particularly those targeted through vernacular, audio-based, or affectively charged content—the perceived authenticity and emotional authority of the message outweigh its technical provenance.
Taken together, India’s 2024 election illustrates a widening gap between the scale and sophistication of AI-driven political campaigning and the capacity of existing legal institutions to govern these practices proactively. The combination of affective synthetic media, post-hoc judicial intervention, and transparency mechanisms ill-suited to unequal social conditions exposes the limits of governance models that prioritise disclosure and individualised remedies over anticipatory, risk-based approaches attentive to structural vulnerability and democratic inequality.
Against this backdrop, the paper asks: how can democratic risk arising from AI-mediated electoral campaigning be meaningfully identified and governed in deeply unequal democracies, where formal transparency and ex post legal remedies fail to account for socially and structurally differentiated vulnerability? In this context, the paper argues that India’s experience exposes critical blind spots in prevailing, tripolar models of AI governance dominated by developments in the European Union, the United States, and China. These models, whether market-driven, state-centric, or rights-based, share an implicit assumption of institutional capacity, informational symmetry, and relatively uniform access to redress that does not hold in deeply unequal democratic contexts. It advances three claims. First, AI-mediated elections in India generate structurally differentiated democratic risks that cannot be adequately captured by frameworks focused on individual harms or procedural compliance alone. Second, the contrast between the EU’s anticipatory, risk-based approach to digital governance and India’s predominantly reactive responses reveals the limits of assuming regulatory transferability across unequal democracies (Bradford, 2020; Stengg, 2024). Third, the Indian case demonstrates the analytical need to reconceptualise democratic risk as socially distributed, shaped by caste, religion, gender, language, and socio-economic position.
Methodologically, the paper adopts a socio-legal and comparative approach, combining doctrinal analysis of Indian constitutional law, election regulation, and intermediary governance with policy analysis of AI-driven campaigning practices during the 2024 election. Rather than treating India as a peripheral case or a site of regulatory lag, the analysis positions it as a theoretically generative context for rethinking AI governance under conditions of structural inequality.
Importantly, this paper does not seek to operationalise a new governance framework. Instead, it uses the Indian case to set the agenda for future work on developing intersectional risk governance models. Scholarship on digital political campaigning conceptualises risk governance as a sequence of identification, assessment, responsibility allocation, mitigation, and prevention (Borz et al., 2025). The Indian experience raises a prior question: how do these stages function when institutional capacity, social trust, and equality before the law cannot be assumed? In such settings, procedural compliance risks becoming performative, offering the appearance of accountability without addressing structurally distributed harms. By documenting these dynamics, the paper contributes empirically to understanding AI-mediated elections in unequal democracies (Dhanuraj et al., 2024; Batra, 2024), analytically to debates on intersectionality and vulnerability in democratic governance (Crenshaw, 1989; Fineman, 2010), and normatively by challenging Eurocentric assumptions embedded in contemporary AI regulation and the limits of the Brussels Effect under conditions of entrenched inequality (Bradford, 2020). In doing so, it opens a research agenda on intersectional risk governance in AI-mediated democracies rather than claiming to resolve it.
Bibliography
• Crenshaw, K., 1989. Demarginalizing the intersection of race and sex: A Black feminist critique of antidiscrimination doctrine, feminist theory and antiracist politics. In University of Chicago Legal Forum (Vol. 140, No. 1, pp. 139-167).
• Batra, R., 2024. Elections, Accountability, and Democracy in the Time of AI. <https://www.orfonline.org/research/elections-accountability-and-democracy-in-the-time-of-a-i>
• Borz, G. and De Francesco, F., 2024. Digital political campaigning: contemporary challenges and regulation. Policy Studies, 45(5), pp.677-691.
• Borz, G., Longhini, A. and Almodt, R., 2025. Risk management and digital political campaigning.
• Bradford, A., 2020. The Brussels effect: How the European Union rules the world. Oxford University Press.
• Dhanuraj, D., Harilal, S. and Solomon, N., 2024. Generative AI and Its Influence on India’s 2024 Elections.
• Fineman, M.A., 2010. The vulnerable subject: Anchoring equality in the human condition. In Transcending the boundaries of law (pp. 177-191). Routledge-Cavendish.
• Gupta, N. and Mathews, N. (2024) ‘India’s Experiments With AI in the 2024 Elections: The Good, The Bad & The In-between’, Tech Policy Press, 25 September. Available at: https://www.techpolicy.press/indias-experiments-with-ai-in-the-2024-elections-the-good-the-bad-the-inbetween/.
• Stengg, W., 2024. Digital policy in the EU: towards a human-centred digital transformation. Edward Elgar Publishing.
Platform Liability and Accuracy for False User Content: Lessons from Nigeria and the EU
ABSTRACT. Problem statement
Social media platforms (platforms) increasingly face a double bind: they can be sanctioned for hosting or disseminating users’ inaccurate personal data, and they can also be sanctioned for exercising their control levers incorrectly when responding to complaints. This creates a legal tension in which platforms are liable both for failing to act and for acting wrongly. Data‑protection law assigns the accuracy duty to the controller of a specific processing operation. Contemporary social‑media architectures, however, separate the act of creating a post from the system‑level operations that collect, index, rank, recommend and disseminate that post. That architecture produces a structural misalignment: the user who posts inaccurate data about another person is the controller of that specific processing, while platforms operate the infrastructure that makes false personal data visible, persistent and consequential and are therefore controllers for their own processing of that content.
Recent jurisprudence in Nigeria and the EU has brought these stakes into sharp union by treating system‑level dissemination and content‑level processing as one and the same. Although the EU Russmedia matter, concerning online marketplaces and advertisers, triggered accuracy obligations in a limited way, by requiring identity pre‑publication and identity checks among others, the data subject here exercised their rights, but the platform was unable to remedy the harm in time. On the other hand, in Femi Falana v Meta, a Nigerian High Court found that Meta processed inaccurate personal data from a user’s non‑household post, treated the company as a joint controller and vicariously liable, and awarded damages, invariably requiring proactive fact-checking. However, both disputes involve sensitive categories of data and illustrate a common tendency in recent litigation: courts are increasingly willing to treat platform dissemination as engaging platform accuracy obligations even where the data subject has not exercised rights such as erasure or restriction and even where the platform had no prior notice.
It is plausible to say that a platform processed inaccurate personal data when its indexing, ranking or recommendation systems materially amplified a user’s false post; amplification transforms a discrete user act into system‑level processing that makes the inaccuracy visible, persistent and consequential. That, however, does not by itself settle whether the platform should bear the full accuracy duty: doing so requires a test that balances remedial effectiveness with proportionality and freedom of expression. In a similar vein, the paper argues that when courts collapse the distinction between system‑level accuracy controllership and controllership over the user’s false content, several risks follow: doctrinal incoherence, misallocation of liability, and incentives for intrusive proactive monitoring or over‑moderation. Platforms may be pushed toward continuous surveillance to avoid liability, while posters who originate falsehoods may escape direct accountability. Therefore, the factual proposition that a platform processed inaccurate data through indexing or amplification does not, on its own, resolve the normative question of whether the platform should bear the full accuracy duty. The solution therefore lies in a principled, pragmatic allocation of remedial responsibility that recognises both the realities of enforceability and the need for proportionality.
For a workable approach, the paper advances propositions to avoid automatic liability and over‑deterrence. When a platform’s system‑level choices materially transform a user’s post into widely discoverable, persistent and consequential content, the platform should bear a primary operational duty to take proportionate remedial steps once a credible trigger is met (e.g., targeted notice, calibrated risk threshold, or evidence of sensitive harm). This duty is not to adjudicate truth but to deploy proportionate, technically feasible measures that mitigate foreseeable harm while respecting freedom of expression. For damages, courts and regulators should allocate liability according to causation, control and enforceability: where the poster is joined and solvent, damages should be apportioned between poster (originator) and platform (amplifier) based on their relative causal contribution. When the poster cannot be joined or is insolvent, the platform should remain liable for compensatory relief but subject to doctrines that preserve fairness and avoid windfalls, as in Falana, which resulted in a $25,000 award. A platform should pay full damages for inaccuracy only where: (a) amplification was decisive; (b) the data subject notified the platform or exercised their rights; and (c) the platform promptly investigated and remedied the harm. Otherwise damages should not be imposed in full but may accompany fact‑dependent reliefs: de‑ranking, restriction of processing, erasure, temporary suspension of amplification and expedited human review; the platform may also exercise control levers against the poster, such as suspending the poster’s account.
Central question: How should the data‑protection accuracy principle be construed to determine when social‑media platforms bear responsibility for false personal data in user‑generated posts?
Core analysis
Operation‑specific allocation: The accuracy principle protects data subjects from harms that arise when incorrect personal data are processed for a defined purpose; it is a rule about the lawfulness and integrity of processing, not a general instrument for policing public discourse. Treating platforms as joint‑controllers of every user’s factual claims or accuracy as a content‑level obligation that would require social‑media platforms to verify every user statement would convert a data‑protection norm into a speech‑regulation tool, impose disproportionate burdens on platforms and displace accountability from the original poster. Moreover, remedies for victims are not confined to data‑protection law, since tort, defamation, criminal law and platform‑specific regulatory mechanisms may provide complementary or alternative routes to redress.
Notice or knowledge trigger with rebuttable presumptions: In single-victim cases, platform duties to investigate, restrict or erase should be triggered by the data subject exercising their rights or by demonstrable platform knowledge, not by an automatic duty to monitor. Where objective indicators point to constructive knowledge (rapid virality, multiple credible third-party reports, or automated detection of sensitive categories), a rebuttable presumption of knowledge may apply. This approach avoids imposing a blanket duty to monitor or fact-check.
Procedural duty to investigate and document: Platforms face a double bind: they can be sanctioned for hosting inaccurate content and for acting wrongly when responding to complaints. Accordingly, once a platform is put on notice or where knowledge is plausibly alleged, it must investigate, weigh competing rights, document its reasoning and be prepared to defend that decision in court. Requiring a clear investigatory record protects victims by enabling timely remediation and preserves other users’ rights by guarding against summary removals and arbitrary enforcement.
Preserving doctrinal guardrails: This paper contributes to the debate on platform liability and data protection by proposing a principled rule for single‑victim cases. Where an inaccuracy stems directly from a poster’s content, a platform should be treated as having processed inaccurate personal data only after the data subject has exercised their rights or otherwise notified the platform. Recognising that victims may be unaware of harmful posts or may not use the platform, the law should also require platforms to demonstrate that they lacked actual or constructive knowledge that their systems were disseminating the inaccurate content. Where the content involves special‑category or highly sensitive personal data, platforms should adopt proportionate technical safeguards, for example keyword or pattern filters that flag such items for human review before amplification, to reduce the risk of systemic harm. By contrast, when the accuracy question concerns the platform’s own system‑level processing or the control levers it deploys, such as automated moderation, shadow‑banning or suspension, the platform should be responsible for the inaccuracy of those processing operations, such as wrongful account suspension or erroneous content‑flagging.
Method and materials
The paper employs doctrinal analysis, comparative case study and policy evaluation. It begins with a textual and purposive reading of the accuracy principle and the controller concept under the GDPR and comparable national statutes. It then examines case law and statutory practice in two jurisdictions: Nigeria (the Falana v Meta decision and relevant provisions of the Nigerian Data Protection Act) and the European Union (CJEU jurisprudence such as Fashion ID and X v Russmedia Digital SRL, together with pending Vinted UAB litigation on data protection and shadow‑banning), alongside relevant GDPR provisions. In its January 2026 judgment, the Nigerian High Court observed that its decision aligns with global trends. Although the NDPA mirrors the GDPR in many respects, Nigeria lacks a standalone, comprehensive platform regulation comparable to the DSA that could clarify situations prone to overlays and misapplications of data‑protection law. Framing the issue in broad terms risks resolving disputes by general rule rather than by reference to the specific facts of each case, and thereby invites a blanket approach that holds social‑media platforms generically liable for users’ inaccurate content. This hasty reading also obscures the functional differences among online intermediaries: hosting services, mere‑conduit providers, caching services and social‑media platforms perform distinct roles and should not be treated as if they were interchangeable.
These doctrinal materials are supplemented by regulatory guidance from data‑protection authorities on accuracy and the interaction between the GDPR and the Digital Services Act, platform policy documents, and technical literature on algorithmic amplification and recommender systems. The comparative approach highlights points of doctrinal convergence and divergence and identifies interpretative guardrails that courts and regulators can apply.
Safeguard or Escape Route? Public Interest Provisions in Indonesia’s Personal Data Protection Law
ABSTRACT. The notion of ‘public interest’ is commonly found in personal data protection (PDP) regulations as one of the legal bases or grounds for exemptions from data subjects’ rights or data controllers’ obligations. The public sector, in particular, often relies on these provisions when processing citizens’ personal data. Such provisions, whether deliberately or not, often grant state actors considerable discretion to define their scope and limits. This could create opportunities for abuse that may undermine citizens’ fundamental rights, especially in countries like Indonesia, which are democratically fragile and institutionally weak, while technologically dependent on more developed countries.
Despite their importance as a legal basis for data processing and as grounds for exemption, as well as their potentially significant consequences in the event of abuse, the discussion of public interest provisions in a PDP regulation remains relatively underexplored. In the context of the EU, for instance, Stevens (2017) shows that the development of public interest provisions during the drafting of the DPD lacked objective criteria for determining what constitutes the ‘public interest’, while Bernisson (2021) finds that during the lawmaking of the GDPR, various actors mostly rely on broad and ill‑defined resources, with security and the digital single market appearing to be the main priorities. In the Global South, such analysis is largely absent.
This paper explores why public interest provisions in PDP regulations are often formulated broadly, sometimes without adequate normative or institutional safeguards, despite their significance. It examines the lawmaking dynamics behind a PDP regulation to identify the factors influencing the conceptualisation of ‘public interest’, the institutional tensions involved, and their legal and political consequences. To provide a more detailed and contextual examination, Indonesia’s lawmaking process for the PDP Law was selected, not only because of the familiarity with the country’s legal and political landscape, but also because of factors common to many countries of the Global South, offering potential for generalisability. Drawing on Hicks (2021), these factors include geopolitical position in the global information economy, the absence of major domestic big-tech data multinationals, a weakly institutionalised democracy influenced by oligarchic interests, and persistent state practices of information control following the democratic transition. The analysis offers comparative insights by illustrating how institutional struggles risk undermining the formulation and implementation of the PDP Law, even when the law appears aligned with ‘global standards’.
The examination of lawmaking dynamics builds on the dialectical paradigm, which views lawmaking as an ongoing process to resolve structural contradictions, conflicts, and dilemmas. Such processes often produce compromises and “tacitly acknowledged incomplete decisions”, which are decisions that intentionally leave certain issues undecided. This paper draws insights from the problematisation concept as an analytical lens for examining the lawmaking process, as it views lawmaking as a means of representing ‘problems’. This lens can help reveal underlying historical roots, conceptual logics, and silences, while reflecting on how the conceptualisation of public interest provisions could shape the way PDP Law is interpreted, applied, and enforced.
This paper argues that institutional struggles, characterised by ego-sectoralism, shape the conceptualisation of public interest provisions and, in turn, are shaped by the resulting compromise. As sectoral institutions perceived the PDP Law as a threat to their authority, they managed to instrumentalise the notion of ‘public interest’ as a flexible legal basis for data processing and for exemptions from data subjects’ rights and data controllers’ obligations, without adequate normative and institutional safeguards. Hence, instead of providing safeguards for data subjects, the conceptualisation of public interest provisions risks becoming an ‘escape route’ for sectoral institutions to avoid their responsibilities as data controllers and data processors.
The examination of the lawmaking dynamics suggests that ‘public interest’ is envisioned as ‘any interest’ other than individual interests. By positioning the state as the representative of the public, the PDP Law implies that ‘public interest’ functions as a symbol of the state’s control over citizens’ personal data, as it could flexibly determine the scope and limitations on how citizens’ personal data is utilised under the guise of ‘public interest’, even if this means derogating citizens’ rights.
Furthermore, the lack of adequate normative and institutional safeguards for public interest provisions potentially amplifies the risks to data subjects’ fundamental rights. While the PDP Law provides some safeguards, such as mandatory data protection impact assessments and assignment of data protection officers in the context of public services or large-scale data processing, it may become meaningless if its enforcement provisions cannot be applied to the public sector. This is because the PDP Law treats the public and private sectors differently in its enforcement. For example, while private sector controllers can be subject to all administrative sanctions, government institutions are limited to written reprimands, and other sanctions are practically inapplicable to them. These shortcomings in sanctions were further complicated by the data protection authority (DPA)’s institutional design. Despite its strategic role for the implementation, the PDP Law lacks any reference to the DPA’s independence, prompting criticism from civil society for granting the President unchecked discretion. Without guarantees of independence, a DPA becomes more susceptible to interference from authoritarian actors, thereby hampering the meaningful implementation of the PDP Law.
As the PDP Law seems to place the state as the defining agent of what constitutes ‘public interest’, the persistence of ego-sectoralism also means state interpretation may not be singular, but multiple, shaped by potentially conflicting institutional interests. Ego-sectoralism within the government risks producing conflicting interpretations and resistance, undermining meaningful implementation. This further complicates the already asymmetric relationship between the state and citizens, increasing citizens’ administrative vulnerability. Given the broad formulation of public interest provisions and the likelihood of divergent sectoral interpretations, citizens become more vulnerable administratively when there is no assurance that personal data violations by or within sectoral institutions will be properly addressed, especially amid the current political landscape characterised by democratic decline.
Moreover, although the PDP Law was drafted during a period of democratic decline, the lawmaking process was not directly influenced by autocratic practices. Nonetheless, in defence of their interests, sectoral institutions created a law that risks enabling decentralised digital authoritarianism. The exploitation of public interest provisions, combined with weak institutional safeguards and limited technological capacity, poses significant risks to society. Without clear normative and institutional safeguards, public interest provisions could imperceptibly enable the systematic promotion of authoritarian politics through the utilisation of data-driven digital technologies. This situation could undermine trust, enable unchecked surveillance, and raise concerns over transparency, accountability, and democratic resilience in the digital era.
(Half) truths are stranger than fiction: An exploration into regulation of news consumption through social media intermediaries in India
ABSTRACT. India is a highly diverse country with a severe digital and literacy divide. Add to the mix algorithmic biases and increased reliance on Social Media Intermediaries (hence SMIs) for news consumption, and the proliferation of news essentially becomes a game of Chinese Whispers. In the absence of any specific law to regulate disinformation on SMIs, the regulation of fake news in India, especially that shared on social media, falls under the overarching technology law. While SMIs in India are governed by the Information Technology Act 2000 (hence IT Act), and The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (hereafter IT Rules/Rules), they (SMIs) are put in a unique position. They are required to undertake due diligence activities with respect to the content posted on their platforms, but can claim safe harbour.
We argue that SMIs should not be granted the safe harbour protection from liability, since they cannot be considered mere intermediaries to begin with, in light of their act of active monitoring and content moderation itself and supplying of content in highly targeted preference-based packages. This is in addition to possible accidental exposure to partial news, which adds to the disinformation conundrum. We question the non-interventionist stance that intermediaries claim to escape liability, especially given how consumption of news on social media is often governed by platform design and algorithmic layout, and emphasise how social media platforms have furthered the convolution between news and opinions. However, this begs the question - how do we regulate these platforms? What recourse does an average Indian have?
We present our arguments in the following fashion: We begin by introducing the context relevant to India, specifically in relation to consumption of news, tracking the change from legacy media to social media and the divide between digital literacy and literacy rates. We then cover the legal landscape in India that currently regulates intermediaries, relying on statutory provisions, draft bills and case laws, and argue for how SMIs should not be entitled to the protection from liability because they are not mere intermediaries anymore. We thereafter indulge in the thought experiment that, in the absence of the safe harbour provision, how can we regulate these platforms, exploring the viability of the above-mentioned three solutions in more detail, and contextualize the same to the Indian legal terrain. We finally conclude with possible challenges we are likely to face.
Refining the toolkit: the eight modalities of regulation
ABSTRACT. Everyone in the Law & Technology landscape probably knows Lawrence Lessig's four modalities of regulation: law, norms, market and code (Lessig 1999). Although primarily meant at the time to illustrate that there is more to regulation of behaviour than law and social norms (market, and especially in the rise of the Internet and ICT in general, code), his model has become a high level shorthand for types of regulatory interventions.
The model has a number of (serious) defects undermining its value. For instance, it suffers from a lack of precision, places too much emphasis on state regulation (law) as formal regulator, and in a sense is too specific. Murray and Scott reconceptualise Lessig’s four modalities, drawing more attention to the form of control rather than its source. This leads them to reframe ‘law’ into hierarchy, ‘norms’ into community, ‘market’ into competition, and ‘code’ into design (2002). They furthermore introduce the cybernetic loop to explain how regulation (or regulatory governance) needs to be seen as a loop of norm setting, monitoring and behaviour modification. Murray and Scott’s model is richer than Lessig’s, but still does not capture the richness of the regulatory toolbox used by modern regulators.
Karen Yeung and Sofia Ranchordás categorise the modalities of control using a memorable alliteration—command, competition, consensus, communication, and code—thereby also refining the conceptual model (2025).
Robert Baldwin covers more or less the same ground in his chapter on regulatory strategies in Understanding Regulation (2012). The categories he defines are more extensive than what we have seen so far.
Unfortunately that comes at the expense of structure and simplicity. He distinguishes: command & control, incentives, market harnessing controls, disclosure, direct action and design solutions, rights and liabilities laws, public compensation/social insurance.
In this work, I aim to bring more structure in the catalog of regulatory tools. I have tried to synthesise a framework along the logic or mechanism through which control is exerted. This leads me to eight types that appeal to different ways in which people (or organisations) make decisions and respond to incentives. These assumptions shape how control is structured. Adopting the alliteration introduced in the field by Yeung and Ranchordás, I distinguish Command, Competition, Consensus, Communication, Contract, Claims, Code, and Compensation. Each modality is described in terms of the underlying actor model and assumed behavioural driver.
A brief summary of each gives a flavour of the new toolbox:
Command, the most classical form of regulation, operates through authoritative rule-setting and coercive enforcement. It embodies the sovereign authority of the state and remains indispensable for certain high-stakes domains—such as criminal law, environmental protection, and human rights. Its strength lies in the certainty and predictability of norms, but it is limited by bureaucratic rigidity, enforcement costs, and the ever-present risk of regulatory capture. The AI Act illustrates both the necessity and the difficulty of command-style regulation in technologically dynamic domains: definitional ambiguities and risk classifications remain contentious, raising questions about enforceability and scope.
Competition, by contrast, uses economic incentives to steer behaviour. Taxes, subsidies, and market-based instruments like tradable emission rights aim to internalise externalities and leverage market dynamics to achieve policy objectives. The EU Emissions Trading System is a paradigmatic example. Yet, as explored, these mechanisms are vulnerable to strategic behaviour, over-allocation of allowances, and public mistrust when the system is perceived as a “licence to pollute” rather than a genuine tool for climate mitigation.
Consensus refers to collective norm formation, self-regulation, and co-regulation based on shared understandings and soft enforcement mechanisms. It is particularly relevant in contexts where formal authority is weak or fragmented, such as internet governance, open-source communities, or emerging technology fields. The EU’s use of multi-stakeholder consultations and ethics guidelines for AI development reflects the enduring appeal of consensus, though its limits—lack of accountability, risk of capture, and slow formation—are equally salient.
Communication encompasses transparency measures, public campaigns, and disclosure requirements that aim to alter behaviour by improving information flows. Mandatory disclosure, such as nutritional labelling or GDPR transparency obligations, assumes rational agents who will change behaviour when better informed. Yet, behavioural economics tells us that information alone rarely suffices. Bounded rationality, information overload, and strategic obfuscation by firms undermine the ideal of the well-informed consumer. Communication thus functions best when coupled with other modalities—such as claims (rights of redress), command (minimum standards), or code (user interface design nudging certain choices).
Contract refers to the use of public procurement and negotiated agreements to realise regulatory goals. This is particularly relevant in areas where state capacity or market failures preclude direct provision or pricing mechanisms. Vaccine procurement during COVID-19 and green public procurement are prime examples. Contracts allow regulators to specify conditions, allocate risk, and secure performance from private actors while preserving flexibility. However, they may suffer from asymmetries in bargaining power, complexity, and opacity, potentially undermining accountability and efficiency.
Claims empower individuals to enforce regulatory standards themselves. Tort law, data subject rights under the GDPR, and other forms of private enforcement shift the burden of action from regulators to affected parties. Claims provide a bottom-up form of enforcement that can be more responsive and victim-centred. However, claims-based regulation depends on access to justice, collective redress mechanisms, and well-informed rights holders. It also runs the risk of under-enforcement, especially when harms are diffuse, the burden of proof is high, or litigation costs are prohibitive.
Code—the use of design and technology to embed normative constraints—has emerged as perhaps the most distinctive modality in the digital age. From Bentham’s Panopticon to Lessig’s “code is law”, we have seen the regulatory power of architecture, algorithms, and affordances. Code can regulate by design: it can make certain behaviours easier, harder, or impossible. Seatbelt reminders, Twitter’s original 140-character limit, or cookie walls are all examples. The strength of code lies in its automaticity and scalability, but this also raises concerns about legitimacy, transparency, and user autonomy. Brownsword’s notion of techno-regulation—where compliance is built into the system and non-compliance is no longer possible—poses deep ethical questions about the loss of moral agency and the shift from law as guidance to law as constraint. Captology, nudges, default settings, Hypernudging, dark patterns, affordances, etc, on digital platforms exemplify the subtle but pervasive behavioural control exercised through code.
Compensation, finally, is a more recent addition to the regulatory toolbox, framed here not merely as a post-hoc remedy but as a forward-looking governance tool. Compensation can support transitions, legitimise policy trade-offs, and maintain trust in the face of distributional impacts. The German coal phase-out and vaccine indemnity schemes during COVID-19 illustrate how compensation can be used strategically to render socially painful transitions acceptable. Distinct from subsidies or claims, compensation recognises loss and redistributes burden. It thus plays a crucial role in managing the fairness and legitimacy of regulatory interventions.
References
• Lawrence Lessig, ‘The Law of the Horse: What Cyberlaw Might Teach’ (1999) 113 Harvard Law Review 501; Lawrence Lessig, Code and Other Laws of Cyberspace (Basic Books 1999).
• Andrew Murray and Colin Scott, ‘Controlling the New Media: Hybrid Responses to New Forms of Power’ (2002) 65 The Modern Law Review 26.
• Karen Yeung and Sofia Ranchordás, An Introduction to Law and Regulation: Text and Materials (2nd edn, Cambridge University Press 2024).
• Robert Baldwin, ‘Regulatory Strategies’ in Robert Baldwin, Martin Cave and Martin Lodge (eds), Understanding Regulation: Theory, Strategy, and Practice (Oxford University Press 2012) 106–136.
• Ronald Leenes, The REALbook – a primer on regulating technology, chapter 8, forthcoming.
Achieving A Socially Just Transition Through Risk-Based Digital Legislation: Insights And Lessons From The European Union
ABSTRACT. The European Union (EU) has increasingly relied on a so-called ‘risk-based approach’ to regulate digital technologies in the last decade. By using risk management as a regulatory tool and risk as a proxy, multiple pieces of legislation now feature a risk-based approach to protect several interests and values, ranging from safety to fundamental rights, public security, public health and electoral processes. The risk-based approach is reflected in the overall structure and formulation of obligations in several regulatory frameworks such as the General Data Protection Regulation (GDPR), the Digital Services Act (DSA) and the Artificial Intelligence Act (AI Act), although with different declinations.
The DSA and the AI Act feature risk management obligations that revolve around the notion of systemic risk. Systemic risks are those arising not only for interests and values that are typically protected in EU risk-based regulation, such as safety and fundamental rights, but also broadly-phrased and politically contested interests and values such as civic discourse, public security and public health. The definition of systemic risk in the AI Act even includes risks of negative effects to ‘society as a whole’. Under both the DSA and the AI Act, the category of systemic risks seems to be essentially open-ended, potentially including protected interests and values going beyond those explicitly mentioned in the legislative text. Legal scholarship has, for instance, already discussed the inclusion of environmental sustainability among the interests and values to be protected through systemic risk management (e.g. Kaesling, Wolf 2025; Ebert et al., 2025; Hacker, 2024). The same code of practice for General-Purpose AI Models, in the Safety and Security Chapter, includes “the environment” as an ‘example’ of risk to be considered in the systemic risk identification process, however without substantiating what it implies in practice to identify and assess environmental risks. Even by adopting the view that risks to the environment can amount to systemic risks, it is for the model providers to set the thresholds to surface such risks, with the foreseeable outcome of extremely weak – if not totally absent – safeguards. Doubts arise, among others, as to whether it would require to pursue environmental protection on the basis of quantitative indicators or if systemic risk management should also cover systemic risks to environmental sustainability arising from social processes, such as climate change disinformation.
In broader terms, an underlying question arises about the normative affordances of the notion of ‘systemic risk’ as a vehicle for policy objectives.
Specifically, EU policies have endorsed the idea that the green transition is intertwined with digitalisation, a coupling known as ‘twin transition’. At the same time, this whole transition is also geared towards social justice objectives, such that a ‘socially just transition’ is one that ‘leave no one behind’. For instance, looking at the EU energy sector - crucial for the advancement of the green transition as it constitutes the largest source of greenhouse gas emissions within the EU - the policy ambition of a socially just transition entails that the opportunities of digitalisation, such as smart grids, must be accessible for consumers, taking into consideration existing disparities and avoiding the creation of new vulnerabilities. Despite these claims, it is unclear whether and how the policy goal of a socially just transition is translated and concretised in the body of EU legislation relevant for the digitalisation of the energy sector, through the reliance on data and AI. Therefore, given the broadline concept of ‘systemic risks’, the fundamental question arises whether it can represent an entry point for the objective of a socially just transition, essentially combining environmental and social sustainability. In other terms, how does the assessment and mitigation of ‘systemic risks’ relate to a relevant societal system aiming at environmental protection and social justice goals?
This contribution discusses in broader terms the normative affordances of the notion of ‘systemic risk’ as vehicle for policy objectives, and more specifically: i) the protection of environmental and social sustainability as a public value under the DSA and the AI Act, and ii) the relationship between the concept of ‘systemic risks’ and the EU policy objective of a socially just transition.
In particular, the contribution will address the overarching research question: Can the concept of ‘systemic risks’ be interpreted and mobilised as safeguard for a societal system combining environmental and social sustainability, pursuing a socially just transition?
Relevant sub-questions are: i) what are systemic risks to environmental and social sustainability?, ii) which are the challenges associated with protecting environmental and social sustainability through risk management as a regulatory tool? Finally, recommendatory inputs to consider environmental and social sustainability through risk management will be put forward.
The contribution presents the findings of doctrinal research conducted through a law in context approach. It attempts to answer the research questions combining the growing scholarship on systemic risks, digital constitutionalism and socially just transition as analytical frameworks.
EU Regulation of General-Purpose AI and Its Implementation Through Private Regulation: A Quest for Legal Certainty
ABSTRACT. In 2024, the European Parliament and the Council of the European Union adopted the Artificial Intelligence Act (AI Act). The AI Act establishes harmonised rules for the placing on the market, putting into service, and use of artificial intelligence systems within the Union; it sets out specific requirements and obligations for relevant operators and prohibits certain AI practices. Notably, although absent from the European Commission’s original proposal, the final text of the AI Act introduces a regulatory framework for General-Purpose Artificial Intelligence (GPAI) models. This contribution focuses on the regulation of such models. In particular, it examines how the AI Act envisages the implementation of GPAI-related obligations through Codes of Practice (CoPs) and Harmonised European Standards (HESs), and it raises questions as to whether the operationalisation of these obligations complies with the principle of legal certainty.
Legal certainty is generally regarded as a core element of the rule of law. The Court of Justice of the European Union (CJEU) has recognised legal certainty as a general principle of EU law, binding both on EU institutions and on Member States when acting within the scope of Union law. The principle requires that legal rules be clear, precise, and predictable, so that individuals can ascertain their rights and obligations without ambiguity and regulate their conduct accordingly. This contribution disentangles the multidimensional concept of legal certainty and, for analytical purposes, reduces it to two core requirements: (a) clarity and precision of legal norms, and (b) reasonable stability of legislation over time. While flexibility is often considered essential in regulating innovation and rapidly evolving technologies, legal certainty remains crucial to ensure foreseeability, predictability, and effective compliance.
The EU regulatory framework applicable to GPAI model providers defines their scope and obligations in broad and abstract terms, delegating their concrete specification to the Commission’s guidelines, as well as private or hybrid regulatory instruments. It is from this implementation architecture that significant concerns from the perspective of legal certainty arise.
First, the definition of GPAI models and the thresholds used to identify models posing ‘systemic risks’ are formulated in broad and indeterminate terms, limitedly clarified by the Commission’s guidelines. This arguably undermines the clarity and precision of the legislation. Moreover, the Commission’s competence to amend these thresholds over time, beyond raising issues related to institutional balance, further exacerbates concerns regarding the stability and predictability of the regulatory framework.
Second, with respect to the implementation of GPAI-related essential requirements, the AI Act relies on a distinctive combination of regulatory instruments involving a substantial interaction between public authorities and private actors. In particular, the AI Act relies heavily on the regulatory logic of the so-called ‘New Approach’, while also referring to Codes of Practice as potential compliance tools for GPAI providers. Although the AI Act appears to present these instruments as alternative or complementary mechanisms, subsequent Commission guidance clarifies that Codes of Practice are intended to serve merely as gap-filling instruments until Standards become available. This contribution, however, argues that the legal nature and effects of these two instruments differ significantly, and that they cannot be treated as functionally equivalent.
In conclusion, this contribution examines the broad and abstract provisions underpinning the EU’s regulation of GPAI models and analyses their operationalisation through the Commission’s guidelines and private regulatory instruments such as codes and standards. It argues that the resulting compliance architecture, characterised by indeterminate obligations, evolving thresholds, and reliance on soft law and private norm-setting, risks producing an unpredictable and insufficiently foreseeable regulatory environment. As such, the implementation framework for GPAI obligations under the AI Act raises serious concerns with regard to the principle of legal certainty in EU law.
From Affected Publics to Strong Publics: Towards a Radical Agenda for AI Governance
ABSTRACT. 1. The project
This abstract concerns a research project which is in the making and has recently been granted funding. The aim of our presentation at TILTing Perspectives 2026 is to present the main ideas motivating the project and gather feedback from the participants.
Our new research project explores how top-down institutions often frame ‘participation’ in narrow and technocratic ways, as opposed to bottom-up initiatives led by civil society organisations and social movements seeking to reclaim agency and reshape the democratic stakes in governing AI. Recently, stakeholder participation has gained traction in various literatures in AI and data governance. Our starting point is that institutional framings of the concept in Europe are often technocratic and exclusionary. For example, the AI Act and the DSA tend to privilege vetted stakeholders and industry representatives, presenting this as some sort of inclusive engagement. In practice this creates a situation where participation is ‘washed’ of its democratic potential and instead used to exert top-down institutional control, rather than foster meaningful involvement. What is missing in conventional accounts on AI stakeholderism is sustained attention to the contested relationship between a top-down institutional approach and emerging real-world practices that (re-)claim agency in the design, implementation and use of AI systems (in particular as used by public authorities). Our project addresses the gap, and aims ultimately to be foundational for a more radical agenda.
Existing multi-disciplinary literature highlights the potential of norms as counter-power (Taylor and others, 2025) and shows how across the world power is also being challenged by bottom-up counter norm-making by civil society organisations explicitly setting out in various ways more grassroots agendas and approaches. ‘Nothing about us without us’ (re-)asserts agency of civil society beyond purely individual rights-based claims to demand that publics represented in AI datasets and systems be able to consent through structures of democratic representation (de Souza and Taylor, 2025).
Our research project seeks to explore an existing typology (‘ladder’) of publics’ participation and to apply that in a novel way in AI governance that goes well beyond existing multi-disciplinary literature (Corbett and others, 2023). This approach aptly situates both existing top-down measures and bottom-up initiatives by exploring their various components in a more refined way. Filling in the details of the ladder and mobility between its rungs is not considered an end in itself, but a means of taking further in more concrete ways the necessity for, and possible content of, a more radical agenda.
The contemporary reality is however that by and large, impactful decisions are very often made from the top down as to who is constituted as a ‘stakeholder’ in AI governance and whose voices are acknowledged as AI delivers new promises and problems that recalculate various publics (Sieber and others, 2024). Top-down regulators increasingly use the rhetoric of affected interests, impact assessment, auditing, stakeholderism (Micklitz, 2023; Kaminski and Malgieri, 2024), but more to colonise or capture in a technocratic and dominant manner the terrain of participation and representation rather than to empower and afford affected publics meaningful agency. ‘Participation-washing’ is not new in adjacent areas, but in AI governance it is particularly under-acknowledged and hidden within a top-down rhetoric that seems to positively imply the opposite. Nascent forms of (counter)norm-building in AI and data governance are rather not seen nor taken seriously by top-down actors, including states and international organisations such as the EU. In fact, the goal of the project is to relate existing top-down ‘obfuscation’ with bottom-up transparency and mobilisation, exploring ways that potentially more radical paths forward may be realised so as to more genuinely engage with the democratic stakes of public actors. Bringing together the frequently opposed perspectives of top-down institutional actors and those of the implicated publics and drawing on different degrees of participation across a ladder with various rungs, the ambition is to weigh and assess the quality of the various emerging practices according to a number of pre-defined criteria (Arnstein, 1969; Corbett and others, 2023).
The main research question is: what is the ladder of affected publics’ participation in AI governance in the European Union, and what are the (institutional, other) implications for change from a more radically democratic perspective? The aim of this research project is to investigate existing forms of participation of affected publics in AI governance, and pave the way towards more radical and meaningful ways of empowering bottom-up participation of civil society.
2. Research questions
(i) Top-down institutional design
Given the existing legal and policy focus on narrow mechanisms for participation, this research project innovates by taking a broad-brush approach to analysing various top-down practices according to a number of participation criteria and how hived off they are or otherwise from affected publics. It also critically refines existing literature on the political opacity of AI technologies by mapping out concrete challenges and opposing efforts, advancing broader debates on transparency, accountability and democratic struggle (Busuioc, Curtin and Almada, 2024).
For example, who decides who participates, how and according to what conditions and are barriers to participation of one type or another in place? Where does the (tracing and projection) work done by bottom-up civil society fit in on the ladder of participation and how? Do top-down actors do justice to the affected publics’ proposals, concerns and views, or do they just pay lip service to them? How do top-down institutions respond to non-institutionalised or unconventional norm-making in AI governance, and what does this reveal about democratic accountability in practice?
(ii) Affected publics’ (meaningful) participation
This research project aspires to provide vital stepping stones not only to a more radical understanding of participatory democracy for affected publics’ participation, but also to enabling a more informed engagement with powerful top-down actors. This will add to existing literature across several disciplines, including the legal one, on the content and practice of participation, on transparency and publicness and on (democratic) accountability.
For instance, how do affected publics articulate democratic agency in contexts where participation is limited? What mechanisms can make bottom-up participation more visible and legitimate in policy discourse? If embedded in institutional processes, do affected publics’ alternative views and suggestions end up being captured by dominant actors, or is there room for meaningful institutional change?
Bibliography
Sherry Arnstein, (1969) “A Ladder of Citizen Participation”, Journal of the American Institute of Planners, 35:4, pp. 216-214.
Chelsea Barabas and others, (2020) “Studying Up: Reorienting the study of algorithmic fairness around issues of power”, in ACM Conference on Fairness, Accountability and Transparency, pp. 167-176.
Hannah Bloch-Wehba, (2022) “Algorithmic Governance from the Bottom Up”, Brigham Young University Law Review, 48:1, pp. 69-136.
Madalina Busuioc, Deirdre Curtin and Marco Almada, (2023) “Reclaiming transparency: contesting the logics of secrecy within the AI Act”, European Law Open, 2:1, pp. 79-105.
John Cohen and Norman Uphoff, (1980) “Participation’s Place in Rural Development: Seeking Clarity Through Specificity”, World Development, 8:3, pp. 213-235.
Anna Colom, (2024) “Meaningful Public Participation and AI” (Ada Lovelace Institute, 2 January 2024) <www.adalovelaceinstitute.org/blog/meaningful-public-participation-and-ai/> accessed 29 August 2025.
Eric Corbett, Remi Denton and Sheena Erete, (2023) “Power and Public Participation in AI” in ACM International Conference Proceeding Series, pp. 1-13.
Andrea Cornwall, (2008) “Unpacking ‘Participation’ Models, Meanings and Practices”, Community Development Journal, 43:3, pp. 269-283.
Kate Crawford, (2015) “Can an Algorithm be Agonistic? Ten Scenes from Life in Calculated Publics”, Science, Technology, & Human Values, 41:1, pp. 77-92.
John Dewey, (1927) The Public and its Problems. An Essay in Political Enquiry. Holt Publishers, New York.
Massimo Durante, (2015) “The Democratic Governance of Information Societies. A Critique to the Theory of Stakeholders”, Philosophy & Technology, 28:1, pp. 11-32.
Anna Jobin, Marcello Ienca and Effy Vayena, (2019) “The Global Landscape of AI Ethics Guidelines”, Nature Machine Intelligence, 1:9, pp. 389-399.
Margot E Kaminski and Gianclaudio Malgieri, (2024) “Impacted Stakeholder Participation in AI and Data Governance”, Yale Journal of Law and Technology (forthcoming).
Hans-W Micklitz, (2023) “AI Standards, EU Digital Policy Legislation and Stakeholder Participation”, Journal of European Consumer and Market Law, 12:6, pp. 212-225.
Jules Pretty, (1995) “Participating Learning for Sustained Agriculture”, World Development, 23:8, pp. 1247-1263.
Siddharth de Souza, Linnet Taylor, Aaron Martin, and Joan López-Solano, (2025) “Rebooting the Global Consensus: Norm Entrepreneurship, Data Governance and the Inalienability of Digital Bodies”, Big Data in Society, 12:2, pp. 1-13.
Elizabeth Seger and others, (2023) “Democratising AI: Multiple Meanings, Goals, and Methods”, in AIES 2023 - Proceedings of the 2023 AAAI/ACM Conference on AI, Ethics, and Society, pp. 715-722.
Renée Sieber and others, (2024) “What Is Civic Participation in Artificial Intelligence?” Environment and Planning B: Urban Analytics and City Science, 52:6, pp. 1388-1406.
Mona Sloane, (2024) “Controversies, Contradiction, and ‘Participation’ in AI”, Big Data & Society, 11:1, pp. 1-15.
Harini Suresh and others, (2024) “Participation in the Age of Foundation Models”, in ACM 2024 ACM Conference on Fairness, Accountability, and Transparency, <https://dl.acm.org/doi/10.1145/3630106.3658992> accessed 21 June 2024.
Linnet Taylor and others, (2025) “Governing Artificial Intelligence Means Governing Data: (Re)setting the Agenda for Data Justice”, Dialogues on Digital Society, 0:0, pp. 1-18.
Sarah White, (1996) “Depoliticising Development: the Uses and Abuses of Participation”, Development in Practice, 6:1, pp. 6-15.
From Compliance to Disclosure: Tracing Cybersecurity and Supply Chain Risk in Dutch Annual Reports
ABSTRACT. Annual reports inform stakeholders of any existing or prospective financial and non-financial risks that could influence the performance of a company. Among the risks that need to be mentioned in annual reports are cyber risks. Cyber incidents can have a significant impact on a company, both financially and non-financially. In the aftermath of a cyber incident, a company can suffer from loss of business, reputational damage, costs of patching, and potential legal liability. All of these consequences can affect the revenues or finances of a company, ultimately impacting its overall performance in the market and its long-term continuity. In light of the impact that a cyber incident can have on a company, cybersecurity information is significant to a company's stakeholders. Through cybersecurity information, stakeholders can assess a company's cyber health, including its resilience against cyber incidents and ability to avoid losses.
To prevent cyber incidents and their potential long-term effects, companies must implement various cybersecurity controls and risk frameworks. The adoption of cybersecurity controls and risk management frameworks comes not only as a practical necessity but also as a compliance issue. In 2022, the EU legislator adopted Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) and Regulation 2022/2554 on digital operational resilience for the financial sector (DORA). While having two different scopes and aims, these instruments set, for the first time, obligations to set up cybersecurity controls or improve already existing cyber risk management frameworks for many companies operating in the EU. Article 21 NIS2 requires the entities in scope to implement technical, operational, and organisational measures to manage cyber risks and prevent or minimise the impact of possible cyber-attacks. Article 5 DORA requires financial entities in scope to implement an internal governance and control framework that ensures an effective and prudent management of ICT risk. While Article 21 NIS2 gives a minimum list of measures to implement to achieve compliance, DORA describes the content of the ICT risk management framework at length (Articles 6-14). Overall, NIS2 and DORA provide a framework upon which companies can develop their cybersecurity risk management policy.
Additionally, DORA and NIS2 introduced obligations regarding supply chain cybersecurity. Supply chain cyber risk has drastically increased over the past few years. Cyber threat actors shifted their attention to suppliers and vulnerabilities in their systems. Suppliers are considered the weakest link of the broader network and information system of a company. Suppliers are more likely to have less rigorous risk management procedures, limited resources dedicated to cybersecurity investments, and fewer legal obligations, therefore representing ideal targets for threat actors. By targeting the network and information system of a supplier, threat actors can more easily obtain access to the network and information system of a company, due to the interconnected nature of the company's and the supplier's network and information systems. Therefore, relying solely on a company's risk management framework is not enough to protect its network and information systems. For these reasons, NIS2 and DORA introduced obligations for companies to manage their supply chain cybersecurity risk. Article 21(2)(d) NIS2 requires companies in scope to have a supply chain security policy to secure their direct suppliers, while Articles 28-30 of DORA establish a third-party ICT risk management framework for DORA companies. These articles played a crucial role in enhancing the security of digital supply chains.
Building on this scenario, this article examines whether the regulatory changes introduced in 2022 have modified how cybersecurity risks are disclosed in annual reports. If a topic is included in the annual report, it means the risk management policies for that topic have been reviewed and discussed by different teams within the company. This discussion can lead to revisions and improvements. If a company has changed its approach and perception of cyber risk, this change will be reflected in the annual report. An increased cybersecurity disclosure would signal that the cybersecurity legislation did not push companies towards mere compliance, but rather to more active revision and improvement of cybersecurity risk management practices. Due to the role that annual reports have and due to the changes in the EU cybersecurity legislation, this study aims to answer the following research question: “To what extent is there an observable change in how Dutch listed companies disclose cyber risk and supply chain cyber risk in their annual reports before and after the introduction of NIS2 and DORA in 2022?”. Understanding whether and to what extent these changes have occurred enables us to assess the effectiveness of the regulatory changes introduced in 2022 in altering companies' cybersecurity risk management approaches. The research will focus exclusively on listed companies due to the more harmonised legislation on annual reporting and cybersecurity.
To answer the research question, this article employs a keyword research methodology. A similar methodology has already been used to discuss cybersecurity disclosure in annual reports in Eijkelenboom and Nieuwesteeg (2021). Eijkelenboom and Nieuwesteeg (2021) focused on general cybersecurity disclosure in the annual reports of Dutch-listed companies published in 2018. The authors used keywords to identify the cybersecurity content of an annual report. This article will further develop their approach. This article will cover additional cybersecurity-related keywords and controls keywords to gain a deeper understanding of the actual content and nature of the disclosed information. Furthermore, this article will adopt a longitudinal approach, focusing on the annual reports published by Dutch listed companies in 2020, 2022, and 2024.
Cybersecurity in the age of AI: an in-depth examination into the dual role of data minimisation in EU cybersecurity law
ABSTRACT. Artificial intelligence (AI) is often characterised as a double-edged sword when it comes to cybersecurity[1]. On the one hand, AI-based cybersecurity tools are considered effective state-of-the-art tools for detecting known as well as unknown or zero-day malware, for extracting cyber threat intelligence and for detecting increasingly sophisticated cyberattacks[2]. The EU legislator is also increasingly aware of the promise of AI and data analytics tools for cybersecurity and actively encourages the collection, pooling and creation of high-quality cybersecurity data for the development of advanced AI-based cybersecurity tools[3]. On the other hand, AI also creates new cybersecurity risks. AI can serve as a tool to facilitate or enhance offensive activities as well as a target for exploitation[4].
In order for AI-based cybersecurity tools to function properly, large amounts of data are required. The extensive logging requirements found in cybersecurity law and the AI Act help create such data sources for cybersecurity tools[5]. Generally speaking, data for AI-based cybersecurity tools comprises security telemetry such as network traffic logs, endpoint activity logs, threat intelligence feeds, and other cyber threat information. On occasion, security telemetry data, for instance network traffic logs, endpoint activity logs and cloud workloads, may include personal data such as usernames and IP addresses. Furthermore, behavioural analytics may be used to flag an account being used from an unusual browser, device, or geographic location, thereby helping to identify insider threats as well as advanced persistent threats.
Importantly, such extensive data use for AI-based cybersecurity tools may not only pose issues vis-à-vis the European data protection law framework but may also pose a risk to cybersecurity itself. With regard to the former, Nash et al., for instance, express doubt whether there exists an appropriate legal basis for using personal data to train new AI-based cybersecurity tools[6]. Besides this, another key concern that has received little to no scholarly attention so far is that of data minimisation. Crucially, data minimisation is not only a key principle of EU data protection law[7] but is also considered essential for strengthening cybersecurity[8]. Data minimisation helps strengthen cybersecurity as it reduces the attack surface area and lowers the overall impact should a breach occur.
This paper will critically examine the dual role of data minimisation in EU cybersecurity law. The research will investigate whether EU cybersecurity law develops a consistent approach with regard to data minimisation as a cybersecurity safeguard as well as inquire how to reconcile the tension between minimising data for cybersecurity and logging and retaining data for cybersecurity. As a starting point, the paper will investigate the principle of data minimisation as laid down in the GDPR. Next, the paper will conduct an in-depth examination of EU cybersecurity law to investigate whether it lays down a coherent framework for data minimisation and identify potential points of tension. On the one hand, the Cyber Resilience Act (CRA) explicitly lists data minimisation as an essential cybersecurity requirement for products with digital elements, which extends to personal as well as non-personal data[9]. In contrast, the NIS 2 Directive does not include data minimisation as a mandatory technical or organisational measure and instead includes extensive logging requirements which may be seen as maximising data collection[10]. Similarly, the Cyber Solidarity Act actively encourages the collection and pooling of cybersecurity-related data[11].
These points of tension within EU cybersecurity law will be related to the different protection objectives cybersecurity aims to accomplish. Whilst data minimisation may lower the impact of a data breach following a cyberattack and reduce the attack surface, thereby furthering the confidentiality element of the CIA triad and the prevention of cyberattacks, minimising data and restricting logging can also be considered a risk to the availability of network and information systems, including critical infrastructure, hindering the ability to quickly restore a system to its intended use after a cyberattack (and thus resilience after a cyberattack) or curbing post-incident analysis to prevent future system failures. Overall, the paper will consider how to reconcile the diverging approaches to data minimisation found in EU cybersecurity law.
References
[1] Oluwatosin Oladayo Aramide, ‘AI-Driven Cybersecurity: The Double-Edged Sword of Automation and Adversarial Threats’ (2022) 4 International Journal of Humanities and Information Technology 19; Mariarosaria Taddeo, Tom McCutcheon and Luciano Floridi, ‘Trusting Artificial Intelligence in Cybersecurity Is a Double-Edged Sword’ in Luciano Floridi (ed), Ethics, Governance, and Policies in Artificial Intelligence (Springer International Publishing 2021).
[2] Andraž Krašovec and others, ‘Large Language Models for Cyber Threat Intelligence: Extracting MITRE With LLMs’ in Bart Coppens and others (eds), Availability, Reliability and Security (Springer Nature Switzerland 2025); Jose Luis Hernandez-Ramos and others, ‘Intrusion Detection Based on Federated Learning: A Systematic Review’ (2025) 57 ACM Comput. Surv. 309:1.
[3] Article 3(2) of Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Hereafter, Cyber Solidarity Act).
[4] ENISA Threat Landscape 2025, October 2025.
[5] Eyüp Kun, ‘The Unspoken Role of the AI Act in the Creation of Data Sources for Cybersecurity Technologies’ (CiTiP blog, 9 September 2025).
[6] Ian Nash, DeBrea Kennedy-Mayo, and others, ‘Legal Issues in Reconciling Data Protection, AI, and Cybersecurity under EU Law’ (2024) 89 Missouri Law Review 871.
[7] Article 5(c) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Hereafter, General Data Protection Regulation (GDPR)), OJ 2016 L 119.
[8] Paul Luehr and Brandon Reilly, ‘Data Minimisation: A Crucial Pillar of Cyber Security’ (2025) 8 Cyber Security: A Peer-Reviewed Journal 243.
[9] Annex I (Part I, Section 2) of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Hereafter, Cyber Resilience Act).
[10] See point 3 of the Annex to the Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 (NIS 2 Directive) as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust services providers.
[11] Article 3(2) Cyber Solidarity Act.
Search for safeguards towards the accuracy and reliability of AI evidence
ABSTRACT. In the past few years, the vastly improved capabilities of Artificial Intelligence (AI) systems have complicated our long-standing assumptions about the authenticity of information. Compared to a few years ago, today’s AI systems are capable of generating more realistic and human-like text, audio and video. It is becoming increasingly difficult to identify whether an image or video has been generated or altered using AI systems. This situation poses a significant risk for courts in their efforts to establish the accuracy and reliability of evidence, especially in criminal matters, where the main purpose is to find the truth of a matter.
In Europe, the question of accuracy and reliability of evidence in criminal proceedings is mostly addressed by domestic laws. Depending on the Member State, these laws can be quite different from one another, resulting in a fragmented legal landscape in the European Union (EU). Moreover, evidence that is collected by one Member State and exchanged with another benefits from a wide-reaching assumption of lawfulness, allowing the courts on the receiving end to simply bypass an assessment of the accuracy and reliability of the received evidence.
Nowadays, the improved capabilities of AI systems for processing, selecting, inferring and generating information pose a significant issue concerning the accuracy and reliability of evidence. On the one hand, AI systems can easily be used by malicious actors to create misleading evidence. On the other hand, even lawful uses of AI systems can lead to problems concerning the accuracy and reliability of evidence.
Indeed, Law Enforcement Agencies (LEAs) are already deploying tools and systems with AI components in order to collect, handle and process data more efficiently. This data is then used as evidence in subsequent criminal proceedings, as ‘AI-evidence’. For instance, encrypted communications networks were hacked in EncroChat and Sky ECC investigations, and LEAs obtained vast databases containing communications between suspected criminals. Thanks to various applications of AI, LEAs were able to analyse millions of data points efficiently, and the evidence obtained as a result led to countless arrests all over Europe. Such applications of AI can be extremely beneficial, yet, they may also significantly complicate the problems of the fragmented legal landscape described above. Due to inherent characteristics of AI, the evidence that is handled by AI tools may suffer from lack of transparency and explainability, lack of accountability, unfair and discriminatory outcomes and inaccuracy. This paper focuses on the potential problems these characteristics can create in the context of cross-border criminal proceedings, where there is no binding requirement for the receiving courts to question the accuracy and reliability of the evidence that is received from another Member State.
For AI-evidence, the lack of harmonised regulations at Union level concerning lawfulness and admissibility is exacerbated by the additional need to scrutinise the accuracy and reliability of the evidence. In the context of cross-border criminal proceedings, these problems pose new challenges to a number of fundamental rights of defendants, especially the right to a fair trial and the right to privacy. The fact that each Member State sets its own rules on the lawfulness and admissibility of evidence further complicates the problem.
In light of the above, this paper argues that the combination of the fragmented legal framework concerning the admissibility of AI-evidence and the inherent characteristics of AI can lead to critical harms towards the right to a fair trial and the right to privacy of the individuals involved in cross-border criminal proceedings. As a next step, the paper analyses in detail whether and to what extent the new regulatory developments provide necessary safeguards that would ensure the accuracy and reliability of AI-evidence. In this context, the E-Evidence Regulation and the AI Act are examined to identify potential gaps concerning the accuracy and reliability of AI-evidence.
Hybrid conflicts, European cybersecurity obligations and private companies
ABSTRACT. Recent years have been marked by rising geopolitical tensions. This also affects the national security of European democracies. Here, the most immediate threat is not necessarily a conventional war with another state. Instead, the most acute threats come from ‘hybrid’ conflicts: the strategic use of various tactics to obtain a stronger position. Cyberattacks are an important weapon in hybrid conflicts, due to their relatively low cost and the difficulties in convincingly identifying the perpetrator.
Hybrid conflicts threaten national security. This means that defending against them is primarily a responsibility of the (national) government. Nonetheless, hybrid conflicts, including cyberattacks, may often target private companies. Many essential services, including ICT, healthcare, banking, sewage, electricity and many more, are provided by private companies. A disruption of these services, for example through a cyberattack, would seriously disrupt society. This means that companies should defend against such attacks to ensure the security of these services. This contribution is focused on these cybersecurity obligations of private companies. I answer the following question: How do hybrid threats affect European legal cybersecurity obligations for private companies?
The contribution starts with a description of the role of the cybersecurity of companies in hybrid conflicts. Actors in hybrid conflicts may target companies for various reasons. For example, companies may be the target of cyberattacks to obtain strategically important information, to disrupt society or because these companies are the suppliers of other more important entities (supply chain attacks).
Next, this contribution provides a general overview of the main European cybersecurity obligations for private companies. This part also describes how private companies and European cybersecurity law are affected by hybrid threats, even though hybrid conflicts and national security are primarily the responsibility of the governments of member states. This contribution shows that cyberattacks in hybrid conflicts are not fundamentally different from cyberattacks for other purposes such as financial gain. European cybersecurity obligations that protect fundamental rights and the internal market can also protect against hybrid threats.
Finally, this contribution discusses the various ways in which hybrid conflicts affect the cybersecurity obligations. In short, hybrid conflicts affect the cybersecurity obligations by:
1. Increasing the level of risk, and therefore the requirements of the cybersecurity obligations. This is primarily relevant in the risk-based general cybersecurity obligations of the GDPR and NIS2.
2. Obligating companies to reduce their reliance on non-European entities through rules on data transfers (GDPR, Data Act) and supply chain security (NIS2, DORA), thereby contributing to Europe's digital sovereignty.
3. Increasing the involvement of governments in the cybersecurity of private companies, especially in the context of more serious incidents that may be part of hybrid conflicts. Most notably, NIS2 and the Cyber Solidarity Act impose various powers and obligations for public authorities. Moreover, public authorities play an important role in the adoption of more detailed norms in standards, certification mechanisms and codes of conduct.
4. Leading to increasingly stringent cybersecurity obligations. This trend is likely to continue in both the EU and other jurisdictions due to the increasing geopolitical tensions. Furthermore, the relative novelty of the legal cybersecurity framework means that it still needs to be developed by things like national cybersecurity strategies, risk assessments and cybersecurity certification schemes. Importantly, the push for ‘simplification’ in the Digital Omnibus Package has not materially affected the cybersecurity rules.
All in all, geopolitical tensions require further investment in cybersecurity. This contribution shows that this also applies to private companies, even though they may primarily be interested in financial gain. This development will increase rather than decrease in the future.
This topic is important because 1) geopolitical tensions and hybrid conflicts are on the rise, 2) the role of the cybersecurity of private companies and the role and competency of the European Union have been overlooked in current literature and a thorough discussion is missing, 3) this contribution shows how hybrid conflicts can affect the full breadth of the European legal cybersecurity framework and 4) it is important to the strategic goal of European digital sovereignty.
Labour Rights Between AI and Sustainability: From a Rights-Based Paradigm to Goal-Oriented Governance
ABSTRACT. The rapid development and widespread adoption of artificial intelligence technologies bring new discussions in the field of human rights. These discussions are mostly shaped around civil and political rights such as privacy, freedom of expression, and data security. The impacts of AI on economic and social rights, the transformations it creates, and potential risks remain secondary in academic and political debates, often addressed through the concept of sustainability and with a techno-optimistic perspective. The use of the concept of sustainability instead of economic and social rights leads to conceptual ambiguity, changes the focus, and weakens the enforceability of rights. There is a shift from the understanding of rights and state responsibility to individual responsibility and corporate voluntarism. This trend poses significant risks for the protection of economic and social rights. Moreover, while AI undoubtedly has and will have positive contributions in many areas, considering its redefinition of hierarchies between skills and jobs, creation of new job fields, but also the prediction of eliminating more jobs and transforming many sectors, it is crucial to protect individuals' economic and social rights during this transitional period. In this transition, given that the power of AI is in the hands of large technology companies, the arguments presented with a techno-optimistic view that AI will have very positive effects in almost all areas need to be questioned. States should adopt a cautious approach, avoiding entirely optimistic or pessimistic stances, and being aware that they are the primary addressees of rights, they should draw roadmaps to protect and enhance both first-generation rights and economic and social rights of individuals. 
This article briefly addresses the impacts of AI on economic and social rights through the example of the right to work, providing a political economic critique of the prevalent techno-optimistic perspective on AI technologies and the use of the concept of sustainability as a conceptual preference change, highlighting the limitations of the current discussion framework.
The Fundamental Rights Discourse in the AI Act: Power, Actors, and Framing
ABSTRACT. The European Union recognized relatively early that digitalization posed distinctive challenges for the protection of fundamental rights. While first attempts with the Data Protection Directive in the mid-1990s reflected this concern, fundamental rights protection moved to the centre of the EU’s constitutional order with the Treaty of Lisbon in 2009, which elevated the EU Charter of Fundamental Rights (the Charter) to primary law. From that point onwards, EU action in the digital field formally had to respect, and was increasingly justified through reference to, Charter rights. This shift soon translated into a series of major digital laws under the Commission’s Digital Single Market Strategy, designed to curb market fragmentation while promising rights guarantees. The General Data Protection Regulation (GDPR) became the first pillar of this agenda and a global template for data protection via the so-called Brussels Effect. Together with subsequent instruments such as the Digital Services Act (DSA) and the Digital Markets Act (DMA), these measures routinely invoke the Charter and embed fundamental rights protection as an objective and interpretive constraint within the EU’s digital project.
AI regulation is the latest, and arguably most contested site of this development. Although work on the AI Act (AIA) predates the public breakthrough of generative AI in late 2022, the rapid diffusion of GenAI technologies intensified EU efforts to adopt a comprehensive framework for AI systems that combines product safety logics with the protection of fundamental rights, culminating in the EU AI Act adopted in 2024. Once again, new digital technologies were framed simultaneously as an economic opportunity and a threat to fundamental rights that had to be contained. Yet, while many major EU digital laws explicitly reference Charter rights and frame fundamental rights protection as a key object and constraint, alongside internal market harmonization, it remains unclear how the notion of fundamental rights is understood and operationalized in this new AI-centered phase of EU digital governance.
Recent scholarship has begun to unpack these negotiations. Pham and Davies, for instance, argue that EU AI policy constructs AI both as an opportunity for innovation and global competitiveness, and as a threat to fundamental rights, and that this dual framing coheres in the AIA’s risk-based tiers. They demonstrate how this framing not only governs AI but also enacts Europe as a coherent, exceptional policy actor. Other studies examine the AI Act’s effectiveness in safeguarding fundamental rights, its problematization of AI systems, and the positioning of EU institutions. Taken together, existing research demonstrates that fundamental rights play a central role in AI regulation and are routinely invoked as guiding principles. What it largely neglects, however, are fundamental rights as an object of inquiry in their own right: how they are conceptually shaped, expanded or narrowed in policy discourse, how they are ranked and prioritized, and how these configurations are conditioned by the EU’s strong economic logic.
This gap is significant because product safety rationales like reliance on standards or prioritizing market efficiency, as part of internal market governance, were united with concerns for fundamental rights protection to construct the overarching problem frame of the AIA. Considering that the EU primarily remains an economy-driven community centered on competition and economic growth, the question arises as to how this market rationale shapes the meaning and function of fundamental rights in AI regulation. While frequently invoked as a cornerstone of European values, fundamental rights within AI regulation are entangled with economic rationales. They are framed not only as intrinsic protections but also as instruments to foster trust and thereby facilitate the uptake of AI. This raises a central puzzle for this article: how are fundamental rights constructed and reconciled with the EU’s parallel emphasis on innovation, investment, and competitiveness?
The relevance of this question is two-fold: First, the conceptual breadth of fundamental rights risks diluting their substantive meaning, allowing the term to serve as a catch-all rather than a concrete safeguard for a variety of disparate rights. Second, it is crucial to trace how the prominence of innovation and economy-related concerns within AI policy discourse affects which rights are problematized and prioritized. In EU digital policy, rights such as data protection or privacy tend to dominate, while others, particularly social rights, remain marginal or unarticulated. Recognizing these potential hierarchies and exclusions is essential for assessing whether the EU’s approach delivers meaningful and effective fundamental rights protection in AI governance.
To address how fundamental rights are constructed and how they interact with concurrent economic interests, the article conducts a critical discourse analysis of key EU policy documents, drawing on Wodak’s discourse-historical approach. At the forefront of the analysis is the understanding that policy does not naturally emanate from pre-given problems; rather, problems are discursively constituted. Accordingly, the analysis focuses on how fundamental rights are articulated within the broader field of AI regulation, with particular attention to the AIA as an outcome of these policy processes.
The Interplay between Fundamental Rights and Security in EU Digital Law
ABSTRACT. In the beginning, there was the internal market. The regulation of digital technologies in the European Union (EU) has been grounded, by and large, on the EU’s ambitions of fostering the circulation of goods and services among its 27 Member States. However, the considerable number of policies pursued in the last few decades under the umbrella notion of digital policy has also been shaped by other factors. In particular, concerns about the impact of digitalization on the protection of fundamental rights, notably the rights to respect for private life and personal data protection (more recently), have featured since, at least, the 1970s. In the last few years, the regulation at EU level on matters such as artificial intelligence (AI) and digital products is increasingly framed in security terms, reflecting the growing geopolitical tensions surrounding the EU. In this article, we argue that both fundamental rights and security play a crucial role in the rhetoric that legitimizes EU digital law, but the latter tends to prevail over the former whenever they clash in practice, leading to restrictive provisions, exceptions and loopholes.
We make this point through a doctrinal analysis of specific legal instruments, informed by theoretical scholarship on the securitization of cyberspace, drawing in particular from Kruck and Weiss’s framework of the Regulatory Security State to make sense of how the EU pursues its security aims even though the competences for positive action on security matters remain largely in the hands of its Member States. Drawing from these doctrinal and theoretical sources, we propose a typology of how policymakers frame the relationship between fundamental rights and security in different legislative texts. We then apply the typology to three EU legal instruments in the digital sphere: the AI Act, the Cyber Resilience Act (CRA), and the Commission’s proposal of a regulation for preventing and combating child sexual abuse online (the “ChatControl 2.0” proposal). Through the close doctrinal reading of these instruments, we find evidence that both security and fundamental rights rationales are increasingly common even in regulations billed as market harmonization instruments.
These two horizontal goals are often presented as mutually reinforcing, and the protection of fundamental rights does indeed appear to play more than a rhetorical function in those instruments. Nonetheless, the letter of the law and the practice accompanying it tend to ascribe security a heavier weight than the protection of fundamental rights whenever legislators and interpreters of the law are called to resolve value clashes that could not be dissipated by a clever reframing of the values at stake.
The rest of the paper proceeds as follows. First, we outline how current EU digital regulation, despite remaining legally grounded on a market-driven logic, is increasingly mobilized for the pursuit of public values such as security and the protection of fundamental rights. We then examine how both values are framed in recent EU digital regulation, proposing three models of how legislators and interpreters of the law resolve conflicts between values. After that, we introduce the general elements of the three case studies and argue for their relevance, before showing how the three resolution models appear in them. Finally, we show how these models of value conflict can be useful both in the application and the critical assessment of current and future EU legislation in the digital domain.
Conceptualising Digital Well-Being under the EU Law
ABSTRACT. Digital platforms increasingly mediate capabilities such as attention, social relations, and decision-making. Digital ‘ill-being’ is now an urgent governance problem: services designed for continuous engagement can foster compulsive use, displace sleep and offline life, and amplify social isolation, loneliness, anxiety, and depressive symptoms, especially among adolescents (Keles, McCrae and Grealish 2019). Yet many legal tools still treat harms from platform design as either economic (misleading practices) or as problems of individual self-control. This paper develops a concept of digital well-being and proposes a legally usable definition of digital well-being that can contribute to the policy discussion on digital fairness in the EU.
The paper builds on two observations. First, interdisciplinary work treats digital well-being not as a stable trait but as a dynamic condition shaped by interface design, business models, personal characteristics of individuals, and social context (Vanden Abeele 2021; Burr, Taddeo and Floridi 2020; OECD 2024). Second, the law increasingly gestures toward well-being-related harms, but without conceptual discipline or a common vocabulary that connects design features to legally cognisable injuries. As a result, regulators and courts risk oscillating between narrow proxies (such as time on screen) and overly general, paternalistic claims that undermine legitimacy and enforceability.
In the European Union, the conceptual gap is visible across several legal regimes. The Digital Services Act requires very large online platforms (VLOPs) and search engines (VLOSEs) to assess and mitigate systemic risks, including serious negative effects on physical and mental well-being linked to service design and recommender systems. However, it remains unclear how those negative effects should be evidenced, measured, attributed to specific design choices, and eventually mitigated. Consumer protection law, including the Unfair Commercial Practices Directive, can address manipulative choice architectures and certain dark patterns, but often remains limited to economic interests and a thin model of autonomy that struggles with cumulative and relational harms (Directive 2005/29/EC; Helberger et al. 2021). The AI Act and the GDPR further expand risk-based governance and rights-based constraints, yet neither provides a general concept of digital well-being harm that could navigate interpretation across consumer protection, data protection, and platform governance debates (Malgieri 2023; Rebrean and Malgieri 2025).
The paper contributes a two-level framework. Normatively, the paper grounds digital well-being in dignity and capabilities for autonomous agency and social participation (Dupré 2016; Nussbaum 2011). Doctrinally, the paper approaches digital well-being through the lenses of a harm concept that renders design-based interferences legally legible without reducing them to engagement metrics or placing full responsibility on users for structurally engineered dependency (Docherty and Biega 2022; Bietti 2024). Building on vulnerability as a power-imbalanced position of dependence in digital markets (Malgieri and Susser 2025), the paper defines digital well-being as a sustained condition in which interaction with a digital service does not unreasonably interfere with autonomy, cognitive and emotional integrity, the ability to manage time and attention in line with expressed preferences, and social participation. Based on this definition, digital well-being harm is identified as any reasonably foreseeable adverse effect on (a) autonomy or volitional control, (b) mental or emotional health, (c) time, attention, or rest management, (d) social relationships or participation, caused by the design, operation, or governance of the system. The paper analyses in detail each element of the proposed definition.
The final part sketches implications for the EU regulatory framework: it offers an interpretive lens for systemic risks under the DSA and bridges consumer protection and fundamental rights in debates around a possible EU Digital Fairness Act. The aim is to provide a shared understanding that makes well-being harms definable, contestable, and institutionally actionable.
Bibliography (general):
European Union (2022). Regulation (EU) 2022/2065 (Digital Services Act), OJ L 277, 27.10.2022.
European Union (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024.
European Union (2016). Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation), OJ L 119, 4.5.2016.
European Union (2005). Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market (Unfair Commercial Practices Directive).
Bietti, E. (2024). The Data Attention Imperative. Northeastern University School of Law Research Paper No. 473; forthcoming Florida Law Review. doi:10.2139/ssrn.4729500.
Burr, C., Taddeo, M., and Floridi, L. (2020). The Ethics of Digital Well Being: A Thematic Review. Science and Engineering Ethics, 26, 2313 to 2343. doi:10.1007/s11948-020-00175-8.
Docherty, N., and Biega, A. J. (2022). (Re)Politicizing Digital Well Being: Beyond User Engagements. arXiv:2203.08199. https://arxiv.org/abs/2203.08199.
Dupré, C. (2016). The Age of Dignity: Human Rights and Constitutionalism in Europe. Oxford and Portland: Hart Publishing.
Helberger, N., Micklitz, H W., Sax, M., and Strycharz, J. (2021). Choice Architectures in the Digital Economy: Towards a New Understanding of Digital Vulnerability. Journal of Consumer Policy, 44, 421 to 459. doi:10.1007/s10603-021-09500-5.
Keles, B., McCrae, N., and Grealish, A. (2019). A systematic review: the influence of social media on depression, anxiety and psychological distress in adolescents. International Journal of Adolescence and Youth, 25, 79 to 93. doi:10.1080/02673843.2019.1590851.
Malgieri, G. (2023). Vulnerability and Data Protection Law. Oxford: Oxford University Press.
Malgieri, G., and Susser, D. (2025). Digital Dependency: Needs, Vulnerability, and Power in the Platform Economy. SSRN Working Paper. doi:10.2139/ssrn.5196081.
Nussbaum, M. C. (2011). Creating Capabilities: The Human Development Approach. Cambridge, MA: Harvard University Press.
Rebrean, M. and Malgieri, G. (2025). Vulnerability in the AI Act, ACM FAccT Proceedings, https://dl.acm.org/doi/10.1145/3715275.3732133.
Vanden Abeele, M. M. P. (2021). Digital Wellbeing as a Dynamic Construct. Communication Theory, 31(4), 932 to 955.
The Internet of Trash: Tackling eWaste through the Right to Repair.
ABSTRACT. e-Waste is growing globally, fuelled by discarded computer monitors, electric toothbrushes, mobile phones, and internet of things devices. The International Telecommunications Union and UNITAR global eWaste monitor report 2024 shows significant growth. There were 62 billion kg of e-Waste generated worldwide in 2022, up from 34 billion in 2010. But only 13.8bn of this was formally collected/recycled. The rest is within informal schemes, with huge volumes of plastics, mercury and other harmful substances finding their way into the environment/landfill [1]. More responsible recycling schemes for electronics (such as the WEEE rules) are one downstream solution. Another is to tackle upstream design to ensure development of more repairable, long-lasting technologies in the first place. This requires a step change in product design [2], encouraged by law. There have been EU legislative efforts to encourage more sustainable design practices, e.g. the Ecodesign Sustainable Product Framework [3]; EcoDesign Directive for Tablets/Phones [4]; and critically, the EU Right to Repair Directive [5]. I will reflect on experiences from leading a 3-year project which brought together legal, design research and human-computer interaction researchers to examine how to improve design of Internet of Things devices and explore the role of repair cafes [6]. I will share findings from one study which developed and evaluated a deck of ideation cards, the Right to Repair (R2R) cards [7], to translate law into more accessible form for product designers. This work identified the importance of integrating law into design practices early through 90 legal requirements from across 25 EU and UK legal frameworks. It adopted a broad framing of repair to capture that IoT involves software, hardware, and data infrastructure dependencies [8]. The cards consolidate analysis of UK / EU legislation and standards including repair rules, cybersecurity, environmental design, consumer, and data rights.
The work explores the challenges of designing for sustainability across the lifecycle of IoT products, from design to use and eventual end of life [8]. For example, how can the right to erasure or portability be realised for IoT devices once they cease to function or are bricked? How can products be designed to be more repairable, shifting away from using tamperproof screws, or glued components? The talk concludes by considering challenges for the future shifts necessary for Right to Repair for consumer Internet of Things to be realised, including the need to foster closer working relationships between legal and design practitioners.
[1] ITU/UNITAR Global eWaste Monitor (2024) https://www.itu.int/en/ITU-D/Environment/Pages/Publications/The-Global-E-waste-Monitor-2024.aspx
[2] Jonathan Chapman Meaningful Stuff: Design that Lasts (MIT Press: 2021); Mike Stead and others The Little Book of Sustainability for the Internet of Things (2019)
[3] 2024/1781/EC
[4] 2023/1670/EC
[5] 2024/1799/EC
[6] As the Principal Investigator of the UK Engineering and Physical Sciences Research council funded Fixing the Future project (2022-2025) https://gtr.ukri.org/projects?ref=EP%2FW024780%2F1#/tabOverview
[7] Lachlan D Urquhart, Susan Lechelt, Christopher Boniface, Haili Wu, Anna Marie Rezk, Nidhi Dubey, Melissa Terras, and Ewa Luger. ‘The Right to Repair (R2R) Cards: Aligning Law and Design For A More Sustainable Consumer Internet of Things’ In Proceedings of the 13th Nordic Conference on Human-Computer Interaction, Uppsala, Sweden https://dl.acm.org/doi/10.1145/3679318.3685341
[8] Lachlan D Urquhart, Susan Lechelt, Melissa Terras, Neelima Sailaja, Anna Marie Rezk, Teresa Castle-Green, Dimitrios Paris Darzentas, Namrata Primlani, Violet Owen, and Michael Stead. ‘Creating Sustainable Internet of Things Futures: Aligning Legal and Design Research Agendas’ Proceedings of Designing Interactive Systems Conference, Copenhagen 2024. https://dl.acm.org/doi/abs/10.1145/3656156.3658391
Who and where are the heroes of the energy transition? Integrating an inclusiveness approach to citizen participation
ABSTRACT. As any other technological transformation, the European transition towards low-carbon energy solutions such as renewable hydrogen will pose several societal challenges. As a means to tackle these societal challenges, a hydrogen energy transition should go beyond its overarching green dimension and also include justice perspectives. By and large, this means that those citizens deemed to be vulnerable in this transition must be initially identified (recognitional justice), to afterwards be equitably and actively involved in the energy decision-making process (procedural justice) which could ultimately guarantee societal fair shares of the costs and benefits of the energy transition (distributive justice).
In that line, legal doctrine suggests that democratic energy decision-making has become a well-established legal precondition to attain fairer outcomes in the energy transition. Although the EU founding treaties and the Aarhus Convention constitute the first legal recognitions regarding the universality of the right to public participation, its substance is framed in a way that, in practice, the vulnerable groups are still to date either unaware or incapable of participating in energy decisions. Such evidence proves that the deployment of a universal right fails in unequal societies. However, more recent hydrogen-specific legislation has started to integrate a more inclusiveness-oriented approach to public participation, yet without mentioning which forms inclusiveness should take. This research proposes equity-based legal reforms of the EU’s general framework for a participatory energy democracy. The reform includes involving the vulnerable and/or marginalised groups of society by means of adopting positive-action measures to ensure for the vulnerable not only greater access to the procedure of public participation but also higher decision-making power throughout the entire energy decision-making process.
While these theoretical amendments to EU public participation law seek to innovate and align the law with the ongoing sociological and energy transformations, for these legal solutions to go through, public trust becomes central to the discussion. Therefore, this initial legal-doctrinal analysis has been followed up with empirical methods thanks to which it has been tested whether the general public accepts and sees fit to incorporate these new forms of inclusive citizen empowerment within the EU’s legal framework for public participation. For that purpose, two main streams of hypotheses have been run through quantitative work within three of the most influential EU Member States in the race for deploying the EU’s hydrogen economy: the Netherlands, Spain and Germany. The first stream of hypotheses explores the levels of willingness to participate and the barriers that privileged vs. vulnerable respondents encounter to participate in the hydrogen decision-making chain according to their sociodemographic data (age, gender, educational and income levels). The findings reveal that vulnerable and/or marginalised individuals are less willing to participate at the different levels of the decision-chain and encounter higher personal rather than institutional barriers to participate in the hydrogen decisions. The second stream of hypotheses examines whether the proposed positive-action measures in the first place are accepted among the public, whether more positive action leads to higher levels of perceived energy justice and lastly, whether more overall inclusive participation leads to higher acceptance of hydrogen decisions. The three hypotheses of this second research stream are correct, thus proving that the addition of positive action measures provides an updated framework for European public participation and contributes to a fairer, more widely accepted and collectively decided energy transition.
Digital Technologies and the Renewal of Forest Governance under International Law
ABSTRACT. This paper examines the role of digital technologies in contemporary forest governance against the backdrop of a rapidly changing international legal and political order. Satellite remote sensing, artificial intelligence (AI), geographic information systems (GIS), and digital twins have become central to the operation of international climate and biodiversity regimes established under the United Nations Framework Convention on Climate Change (UNFCCC, 1992), the Convention on Biological Diversity (CBD, 1992), and the Paris Agreement (2015). These technologies underpin forest monitoring, climate mitigation strategies, biodiversity protection, and carbon accounting, and are increasingly indispensable to measurement, reporting, and verification (MRV) systems under the Paris Agreement and related climate finance mechanisms. In policy and institutional discourse, digitalisation is commonly framed as a neutral and technical response to long-standing challenges of scale, complexity, and enforcement in environmental governance. This paper challenges that framing while remaining attentive to the genuine regulatory and epistemic opportunities digital technologies create. It argues that the digitalisation of forest governance both enables and destabilises international climate law by embedding it within material infrastructures that are unevenly regulated, geopolitically contingent, and increasingly shaped by public–private power relations but that these tensions can be addressed through more deliberate legal and institutional design.
Forests are used as a focal point through which to analyse these dynamics because they sit at the intersection of climate mitigation, biodiversity protection, and questions of equity and justice. Forests occupy a central position in climate mitigation and conservation strategies under international environmental law, including nationally determined contributions submitted by Parties under the Paris Agreement and biodiversity targets articulated in the Kunming–Montreal Global Biodiversity Framework (2022). Land-use change remains a significant source of global greenhouse gas emissions, while forest conservation and restoration are repeatedly identified by the Intergovernmental Panel on Climate Change as among the most cost-effective mitigation pathways. At the same time, forests are home to Indigenous Peoples and forest-dependent communities whose land rights, governance systems, and knowledge practices are increasingly recognised in international law as essential to effective and just environmental protection, including through the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP, 2007) and evolving protections for environmental human rights defenders.
Forest governance is increasingly mediated through digital infrastructures. Satellite constellations detect deforestation and degradation; AI-driven analytics classify land-use change; and cloud-based platforms host the data infrastructures on which MRV systems for forest carbon accounting and climate finance depend. Publicly funded Earth observation programmes such as Landsat (operational since 1972) and the European Union’s Copernicus programme (launched in 2014) remain foundational, but they now operate within a broader digital ecosystem dominated by private satellite operators, proprietary analytics firms, and commercial cloud service providers. Platforms such as Google Earth Engine function as de facto global infrastructures for forest monitoring, used extensively by governments, international organisations, Indigenous organisations, conservation NGOs, and civil society actors.
More recently, large technology corporations have begun to develop proprietary planetary-scale environmental data platforms and modelling systems with direct relevance for forest governance. Microsoft’s Planetary Computer, for example, integrates global satellite data, cloud computing, and machine learning to support environmental monitoring, carbon accounting, and land-use analysis. Similarly, Amazon Web Services (AWS) has expanded cloud-based environmental analytics and climate modelling tools, increasingly positioning its infrastructure as integral to forest monitoring, carbon markets, and sustainability reporting. While not always labelled explicitly as “digital twins,” these platforms function as proto–digital twins of forest and land-use systems by combining real-time observation with predictive modelling and scenario analysis.
The paper argues that the growing role of such private digital infrastructures reconfigures how legal authority, knowledge, and responsibility are produced in forest governance. Legal obligations under international climate and biodiversity regimes have become materially dependent on digital systems that lie largely outside the formal reach of environmental treaties and institutions. This dependence raises concerns about accountability, access, transparency, and long-term stewardship of environmental data. At the same time, it creates an opportunity for international environmental law to evolve by explicitly engaging with the governance of data, infrastructure, and expertise as legal questions rather than treating them as purely technical matters.
These developments have implications for Indigenous Peoples and environmental defenders. Digital forest monitoring can enhance transparency, support claims against illegal logging, and provide evidentiary foundations for land and human rights litigation. However, it can also introduce new forms of surveillance and data extraction that undermine rights to land, privacy, participation, and self-determination. International law has begun to respond to these risks. In the UNECE region, the Aarhus Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters (1998) establishes procedural environmental rights that are increasingly interpreted to encompass the protection of environmental activists and defenders. In Latin America and the Caribbean, the Escazú Agreement (2018) goes further by explicitly recognising the rights of environmental human rights defenders and obliging states to provide a safe and enabling environment for those who protect the environment.
By reading digital forest governance through the combined lenses of climate law, human rights law, and these regional instruments, the paper identifies emerging legal principles relevant to environmental surveillance: proportionality, transparency, access to information, meaningful participation, free, prior and informed consent (FPIC), and protection from retaliation. These principles provide a normative basis for governing the use of satellite monitoring, AI analytics, and digital twins in ways that enhance, rather than undermine, environmental justice.
The paper situates these dynamics within a broader transformation of the international order. The post-1992 assumption that global environmental problems could be addressed through a stable, cooperative, rules-based system has weakened in the face of geopolitical rivalry, trade and technology disputes, and the securitisation of digital and space-based infrastructures. Illustrative developments include the United States’ withdrawal from the UN Framework Convention on Climate Change in January 2026 alongside its continued dominance in satellite data provision and digital infrastructure. This disconnect between formal legal disengagement and material infrastructural power highlights the need for legal frameworks capable of operating across fragmented political landscapes.
In this context, the paper engages with the International Court of Justice’s Advisory Opinion on Climate Change (July 2025), which affirms the systemic integration of international law and reinforces states’ obligations under treaty law, customary international law, international human rights law, and the duty to prevent significant transboundary environmental harm. While doctrinal coherence alone cannot resolve infrastructural vulnerabilities, the Opinion strengthens the legal basis for extending due diligence obligations to the governance of digital and satellite infrastructures underpinning environmental protection.
Building on this foundation, the paper advances four interrelated arguments oriented toward critique and constructive reform. First, it shows that hybrid public–private digital infrastructures concentrate epistemic and infrastructural power, while identifying legal pathways for reasserting public values through data governance standards, interoperability requirements, and international cooperation on open environmental data. Second, it examines AI-driven modelling and digital twins, both public initiatives such as the EU’s Destination Earth programme (launched in 2021) and private platforms such as Microsoft Planetary Computer, arguing that their legitimacy depends on embedding legal safeguards and participatory governance. Third, it analyses the surveillance dimensions of digital forest governance and the need to align monitoring practices with defender protections under Aarhus, Escazú, and international human rights law. Fourth, it situates digital forest governance within geopolitical and security dynamics without collapsing environmental governance into security logic, emphasising resilience, redundancy, and collective oversight.
Methodologically, the paper combines doctrinal legal analysis with insights from science and technology studies and political economy, drawing on empirical examples including forest monitoring initiatives, forest funding mechanisms and digital modelling platforms. Digital infrastructures are treated as sites where legal authority is exercised, negotiated, and contested.
The paper concludes that digital technologies can play a genuinely transformative role in forest protection and climate mitigation if international environmental law engages proactively with their governance. By integrating climate law with emerging protections for Indigenous Peoples and environmental defenders, reflected in UNDRIP, the Aarhus Convention, and the Escazú Agreement, the paper identifies pathways for aligning digital forest governance with principles of accountability, equity, and intergenerational justice. In an era of geopolitical fragmentation and weakened multilateralism, such an approach offers a means of strengthening, rather than bypassing, the role of international law in addressing the ongoing global threat to forests and the communities who defend them.
Who Owns the Harvest of Data? Agricultural Data Governance and Power Reconfiguration under the EU Regulatory Framework
ABSTRACT. On 12 September 2025, the EU’s Data Act entered into force, representing the most recent and comprehensive regulatory intervention aimed at governing the generation, access to, and use of data produced by connected products and related services. Conceived as a regulation of general scope, the Data Act is destined to affect a wide range of sectors characterised by the pervasive use of digital technologies and automated systems. Notably, and for the first time, the European legislator explicitly refers to data generated by agricultural activities. Although this reference may appear marginal at first glance, it carries significant normative and symbolic weight: it formally acknowledges that agriculture—traditionally perceived as distant from digitalisation dynamics—has become a substantial source of technical and operational data, as a result of the increasing deployment of advanced agricultural machinery and digital tools.
This contribution aims to clarify the regulatory framework applicable to digital agricultural technologies, identifying key legal challenges. In fact, new technologies have significantly expanded the scope of data-related concerns, which are no longer confined to the protection of personal data, increasingly involving large volumes of non-personal, machine-generated, and operational data, raising novel issues related to data access, control, interoperability, contractual asymmetries, and the risk of new forms of digital divide within the agricultural sector—many of which remain largely underexplored in current legal scholarship. Focusing on the emerging governance of agricultural data within the EU, special attention is paid to possible solutions (i.e. Common European Agricultural Data Space—CEADS) defined as a cornerstone of the European data strategy for the agri-food sector.
Importantly, these technologies, often described under the umbrella concept of “Agriculture 4.0” and even as a genuine “fourth industrial revolution” in agriculture, are inherently heterogeneous, encompassing a broad range of digital technologies—including the Internet of Things (IoT), big data analytics, robotics, blockchain, and AI—that are progressively integrated into agricultural practices. They enhance productivity, sustainability, and traceability across the agri-food supply chain through sensor monitoring systems, drones and advanced tractors enabling precision farming, robotic harvesting solutions, digital tools for logistics management, and smart livestock management. Digital innovation in agriculture thus contributes not only to the objectives of the European Green Deal and the “Farm to Fork” strategy, but also to the broader EU digital policy agenda, fostering the transition towards a more technological and efficient agricultural system. In this perspective, data-driven tools strengthen food security by enabling rational, evidence-based decision-making, while blockchain-based solutions promise enhanced transparency and consumer protection through immutable traceability throughout the supply chain. The scale of this transformation is rapidly expanding: globally, Agriculture 4.0 devices exceeded 25 million units in 2023 and are expected to approach 40 million by 2028, while the global related market is projected to grow from USD 20.6 billion in 2023 to over USD 60 billion by 2033.
While digitalised agriculture appears to offer a more sustainable and efficient future compared to its pre-digital counterpart, it would be naïve—and legally short-sighted—to equate “innovation” with “improvement” in absolute terms. The rapid evolution and diffusion of these technologies generate a series of novel legal and regulatory challenges that must be addressed, to ensure an equitable and effective implementation. These challenges, which are deeply embedded in the social, legal, and technological dimensions of data protection, are not merely technical but deeply structural, as the adoption of digital tools reshapes the relationships among actors within the agri-food value chain.
Indeed, the integration of digital technologies into agricultural practices entails a profound transformation of the traditional power dynamics and governance structures of the sector. Farmers, historically central and autonomous actors in the management of their productive processes, are becoming increasingly dependent on digital infrastructures, data analytics services, cloud-based platforms, and proprietary software systems. At the same time, new actors—Agricultural Technology Providers (ATPs)—have emerged as pivotal intermediaries in the collection, processing, and control of agricultural data. These entities often exercise significant influence over both operational and strategic decisions taken by agricultural enterprises, thereby altering the distribution of informational power and access to essential productive resources.
This reconfiguration raises a series of complex legal questions, spanning multiple areas of law: data protection and data ownership, intellectual property rights, competition law in digital markets, liability for algorithmic malfunctions, and the regulation of asymmetric contractual relationships between farmers and technology providers. It is precisely within this largely unexplored terrain that law is called upon to intervene, to ensure that the digital transition—despite its undeniable benefits—does not give rise to new forms of vulnerability, dependency, or imbalance across the agri-food supply chain.
Against this backdrop, the agricultural sector is currently positioned at the intersection of multiple EU legal instruments, including the Artificial Intelligence Act, insofar as it introduces guarantees of transparency, traceability, and oversight in the validation and deployment of algorithmic systems relying on artificial intelligence; the General Data Protection Regulation (GDPR); the Data Governance Act; and, most recently, the Data Act, which specifically addresses the management of data generated, collected, and used by connected agricultural technologies. Taken together, these regulatory frameworks aim to structure the collection, use, sharing, and circulation of agricultural data, while also engaging with broader issues such as data sovereignty, interoperability, and contractual asymmetries. However, their combined application raises significant questions concerning regulatory coherence, overlap, and potential fragmentation, particularly when confronted with the technical and organisational specificities of Agriculture 4.0 technologies.
In this sense, the contribution argues that the success of Agriculture 4.0 will depend not only on technological innovation, but also on the capacity of EU law to articulate a coherent and effective model of data governance capable of balancing innovation, fairness, and sustainability in one of Europe’s most strategic and socially sensitive sectors. In the absence of such a framework, the rapid expansion of digital technologies in agriculture risks generating regulatory grey areas, exacerbating existing asymmetries between farmers and technology providers, and leaving critical questions of data control, responsibility, and accountability insufficiently addressed. These tensions highlight the need for a more integrated and forward-looking legal approach to agricultural data governance, capable of anticipating the systemic effects of digitalisation, rather than merely reacting to them.
Editorial Freedom in the age of GenAI: A case study from the Netherlands
ABSTRACT. This article is the outcome of a 4-month-long empirical study conducted at DPG Media, the largest media conglomerate in the Netherlands, on how the adoption of large language models (LLMs) within the company intersects with the institutional and legal boundaries of newsrooms’ editorial freedom.
While the Dutch context is marked by a strong tradition of protecting editorial autonomy and the identity of the individual titles through legally binding contracts (‘editorial statutes’) between newsrooms and publishers, the integration of LLMs raises new questions. Technology, even if conducive to the fulfillment of the journalistic mission, has traditionally fallen outside the legally protected domain of editorial freedom, claimed by the publisher as a corporate competence. Tensions between newsrooms and executive boards for influence on journalistic operations are on a historical continuum and these are already extending to AI. The recent struggle of Politico US’ newsroom against management’s non-consensual deployment of two AI-driven reporting tools is illustrative. With the future of European journalism increasingly shaped by corporate conglomerates, driven by centralisation and scaling logics in digital operations, the distribution of decision-making power over AI use becomes a defining issue.
This discussion also acquires relevance in the wider EU law debate surrounding the recently enacted European Media Freedom Act, which under art 6(3) (softly) requires media service providers to adopt relevant measures to preserve the autonomous operation of their newsrooms.
The article therefore investigates how the adoption of LLMs at DPG Media unfolds through contested processes in which institutional norms, professional ethics, and individual agency are continuously renegotiated, raising fundamental questions about who is entitled to decide on the limits, legitimacy, and ethical orientation of AI use in journalism. At a European level, it encourages reflection on the long-term significance of editorial freedom as a normative institution for the articulation of journalistic values, and on the legal and organisational structures required to uphold the ethical function of journalism with the increasing penetration of content-automating technology in news production and distribution.
Methodologically, the study combines a qualitative thematic analysis of 36 interviews with chief editors, journalists across 10 news outlets owned by DPG Media, company executives, legal trustees, and labour union representatives, with normative legal analysis. The aim is to explain how boundaries of decision-making are perceived, negotiated, and operationalised in the development and deployment of LLMs at DPG Media, and how these are reflected in the recently renewed editorial statutes and other legal safeguards implemented after the acquisition process. We ask in the immediate: 1) Who gets to decide whether and how LLM applications are developed and used for editorial tasks? 2) To what extent are those decisions perceived as editorial in nature? 3) And what role should legal safeguards play?
Next to the right to freedom of the media grounded in art 10 ECHR, the empirical study builds on a tripartite interdisciplinary theoretical framework. The first pillar is institutional theory which, applied to the media industry and technologies, is used to illustrate how these also have a regulatory dimension constraining and facilitating communicative behavior and practices.
More recent scholarship theorises, in particular, how the increasing adoption of content-generating technologies, like LLMs, in journalistic processes can bear in unprecedented ways on the institutional orientation and expression of journalism as a professional field. At the same time, the role of journalistic organisations, with their norms and professional expectations, remains central in determining practices and uses of LLMs, in an evolving relationship of ‘reciprocal shaping’.
The second pillar is labour process theory applied to journalism, according to which the experienced degradation of journalistic control over the news process should be understood in light of journalistic labour’s continuous subordination to technology since the profession’s early days.
Last, the article employs neo-republicanist theory to frame the dependencies newsrooms have on their commercial publishers in terms of finances and expertise for the development of AI infrastructure. Neo-republicanism, with its focus on non-domination as a theory of freedom, provides the conceptual tools to reflect on the role of effective organisational and legal safeguards European media organisations can adopt to preserve adequate boundaries of journalistic autonomy.
ABSTRACT. Few technological developments have so rapidly transformed public and policy debates as the release of ChatGPT-3.5 in November 2022. AI moved from a relatively specialized technological institutional governance, regulatory and supervisory domain to a central subject of public, social, political and economic debate (AI Security Institute, 2025; Bengio, 2025). The promises and risks of this ‘new’ AI are, since ChatGPT’s introduction, dominating news cycles, reshaping expectations of the economy and raising profound questions about the future of work, human autonomy and even possible human extinction (Appel et al., 2025; Avezov, 2025; Bengio, 2025; Future of Life Institute, 2025). For effective and proportional regulation and supervision of AI it is important to clearly distinguish between the ‘earlier’ generation of task-specific or narrow AI applications, and the more recent emergence of ChatGPT-like general-purpose artificial intelligence (GPAI) (Ebers & Vargas Penagos, 2025). Rather than being optimized for a single predefined goal/task, GPAI models are developed as foundation models that display significant generality and can be adapted, fine-tuned or integrated across a wide range of downstream AI applications, AI systems and AI agents (Ebers & Vargas Penagos, 2025; Walden & Lynch, 2025). This shift from specific ‘narrow’ goal-defined AI models to general, reusable model infrastructures fundamentally alters both the scale and nature of AI’s societal impact and risk. This also has implications for regulating and supervising GPAI, compared to narrow AI applications. Whereas earlier narrow AI could be regulated and supervised primarily at the level of concrete narrow AI applications, GPAI introduces upstream design choices that shape the broad AI value chain downstream.
The impact and implications of increasingly capable AI not only expand the scale of AI deployment, but also fundamentally change the nature of the risks and societal impact involved. As a result, questions about how AI systems should align with human values and societal objectives have moved to the forefront of the scientific and policy debate (Christian, 2020; Russell, 2020). In these debates on AI, value alignment refers to the problem of ensuring that AI acts in accordance with human values, norms and societal objectives (McKinlay et al., 2025). For a long time, AI development was primarily driven by improvements in performance, while AI safety was treated as a secondary concern. This orientation began to change following key technological and intellectual developments in the mid 10’s of the 20th century. Breakthroughs such as AlphaGo’s success highlighted the unpredicted speed and capability gains of AI, while seminal work in AI safety, most notably Nick Bostrom’s Superintelligence (Bostrom, 2014), broadened awareness of the risks associated with increasingly capable AI systems pursuing misaligned goals (AI Security Institute, 2025; Udo et al., 2025).
With this emerging AI safety discourse, value alignment initially focused on the possibility that advanced AI systems might produce harmful or unintended outcomes even in the absence of malfunction or malicious intent (Christian, 2020; Kearns, 2020; Russell, 2020). More recent scholarship has further focused on GPAI value alignment specifically, even framing GPAI alignment as one of, if not the biggest, societal and even human-extinction-level risks (El & Zou, 2025; Future of Life Institute, 2025; Yudkowsky & Soares, 2025). Unlike the narrow AI from before 2022, whose value-related risks are largely confined to specific and specifically goal-defined AI models, GPAI functions as foundational infrastructure for a wide range of downstream uses. Value-laden design choices of GPAI, such as training data selection, optimization objectives and safety guardrails, can therefore propagate across the entire AI value chain, to numerous AI applications, systems and agents built on top of this GPAI infrastructure (Buyl et al., 2025; Huang et al., 2025). As a result, misalignment at the level of a GPAI model has the potential to scale across the whole AI value chain, producing systemic effects that are difficult to anticipate, contain, or correct in the downstream phase of the AI value chain. This raises fundamental questions about which values should be embedded in GPAI systems, how conflicts between competing values should be resolved, and which actors or institutions are legitimately authorized to make those determinations (Fisher et al., n.d.; Huang et al., 2025; Rozado, 2024). This issue is most pressing for Europe considering the geopolitical concentration of GPAI development in the US (Google, Microsoft, OpenAI, Meta, Anthropic, X) and China (DeepSeek, Tencent, Alibaba) (Future of Life Institute, 2025; Negele et al., 2025), while Europe only has one serious contender (Mistral).
The Europe-specific question is whether the embedded values of the regions where GPAI is developed are compatible with the European value system (Bria et al., 2025).
Concerns about GPAI value misalignment are well-founded, as AI safety teams at GPAI model developers have empirically identified value misalignment in these models (Baker et al., 2025; Y. Chen et al., 2025; Souly et al., 2025; Wang et al., 2025). These infrastructural characteristics and implications for the downstream AI value chain make effective supervision of GPAI indispensable. Without targeted supervision at the level of GPAI models themselves, value misalignment risks can remain latent and propagate across different domains in society and the economy. Importantly, the need for effective supervision of GPAI does not arise in a supervisory vacuum. Value alignment in general is not an entirely new concern for supervisory authorities (Chen et al., 2023; van Bruggen & Beckers, 2020). Across many regulatory domains, supervision has gradually moved away from a predominantly legalistic model, focused on the ex-post enforcement of rules, towards more principle-based, societal problem solving, and risk-oriented forms of supervision (de Vries, 2019; Sparrow, 2000, 2020). Supervisors are granted a wider mandate to interpret open norms, anticipate emerging risks, and intervene in situations where formal legal compliance may nonetheless result in societal harm (de Vries, 2019, 2023; Kasdorp, 2022). Therefore, supervision is increasingly understood not merely as rule enforcement, but as a form of public governance aimed at safeguarding fundamental and supervisor-specific public values (Kockelkoren, 2016; WRR, 2013). These public values function as normative reference points that guide supervisory judgement in situations where legislation is incomplete, technologically lagging, or intentionally formulated in abstract terms (Bozeman, 2007; Jørgensen & Bozeman, 2007). Therefore, value-oriented supervision has become a recognized and, in many cases, expected feature of modern regulatory practice (Kockelkoren, 2016).
Against this background, the idea that supervisors should also attend to value alignment in the context of GPAI supervision is not anomalous. On the contrary, it fits squarely within an existing supervisory paradigm in which public authorities are already expected to interpret, balance and safeguard societal values when overseeing complex and transformative technologies.
Against this background, the first objective of this contribution is to examine whether existing forms of value-driven supervision are fit for the purpose of GPAI value alignment. Supervisory authorities already employ a range of strategies, tools, practices and enforcement approaches aimed at safeguarding public values. This contribution therefore asks whether these established supervisory approaches, such as supervisory problem solving (Sparrow, 2020), risk-based supervision (Black & Baldwin, 2010), responsive regulation (Ayres & Braithwaite, 1995) and value-oriented enforcement (Black, 2011), are sufficient to address the value alignment challenges in supervising GPAI, or whether the infrastructural, upstream position in the AI value chain and systemic nature of GPAI require adaptations in supervisory strategy, practice and tooling.
The second objective concerns the European institutional allocation and coordination of supervisory responsibilities for GPAI. Under the AI Act, and reinforced by the Digital Omnibus Package, primary supervision of GPAI models is concentrated at the European level with the AI Office of the European Commission. At the same time, national supervisory authorities already encounter GPAI through downstream AI applications, systems, and agents deployed within their jurisdictions. This creates a structural challenge, as national authorities may need to assess or enforce compliance while centralized EU-level supervision of GPAI models is still evolving. Without effective coordination, this risks inconsistent supervision, legal uncertainty, and duplicative regulatory burdens across the AI value chain. This contribution therefore examines how GPAI supervision can be organized coherently across EU and national levels, including during transitional phases, in accordance with the Draghi agenda’s (Draghi, 2025) emphasis on regulatory simplification.
Anthropomorphised Authority: Ministerial‑AI and the Legal‑Institutional Void
ABSTRACT. Background
Diella, the Albanian ministerial‑AI announced in 2025, marks a scaffolding point in administrative law for procurement decision contexts aimed at greater transparency, reduced corruption and improved bureaucratic efficiency. Governmental automation and algorithmic decision‑support are established phenomena, yet the public sector is poised to see an influx of advanced‑AI systems whose deployment in high‑stakes domains such as infrastructure and procurement decisions will amplify tensions with social‑contract norms, public trust, rights protection and constitutionalism; these deployments therefore require careful rule‑of‑law assessment. This paper does not contest that history. It advances the claim that personification features, combined with formal cabinet elevation, produce novel legal and institutional effects for administrative law and constitutional governance. By situating Diella within the conventional institutional architecture of procurement, where finality, contestability and distributive stakes are concentrated, the paper uses doctrinal analysis supported by socio‑technical reasoning to examine how anthropomorphisation and technical concentration generate an attribution gap, procedural opacity and systemic risk that public-sector virtual assistants or ordinary decision‑support systems do not, thereby undermining reason‑giving, judicial review and remedial efficacy. From these premises the paper proposes a compact statutory and procedural package tailored to procurement decision contexts, including statutory attribution, limited delegation, enforceable explainability, robust human‑in‑the‑loop standards, audit trails and independent technical certification.
How this builds on existing research
Existing scholarship on algorithmic governance has established three relevant propositions. First, algorithmic systems can reproduce and amplify bias through data and design choices. Second, human‑in‑the‑loop arrangements often fail in practice when oversight lacks independence or technical competence. Third, administrative‑law doctrines require traceable authorisation and intelligible reasons for exercises of public power. This paper builds on those propositions but narrows the analytic lens. Rather than re‑arguing general harms, it doctrinally interrogates the intersection of personification and formal office‑status. The departure is conceptual and doctrinal: prior work treats algorithmic systems as tools or processes. This paper treats a personified‑agent elevated to ministerial office as a distinct legal actor whose symbolic authority and institutional placement alter the operation of delegation, reason‑giving, and contestability doctrines. The contribution is therefore not empirical novelty but doctrinal reframing supported by socio‑technical argumentation that links specific design features to discrete legal effects.
Core doctrinal claim and arguments
The central doctrinal claim is that personified‑ministerial AI produces an attribution‑gap and procedural opacity that existing administrative‑law remedies do not readily address. The following arguments support the claim:
First, legitimacy‑shortcut and reason‑giving failure. Personified‑agents and ministerial titles create a legitimacy‑shortcut: lay audiences and administrative actors may defer to a personified‑agent and accept outputs as authoritative. This deference reduces demand for documentary reasons and weakens adversarial scrutiny. Administrative‑law’s reason‑giving requirement presumes a human decision‑maker capable of articulating intelligible reasons linked to statutory criteria. A personified‑agent that issues opaque, non‑traceable outputs frustrates that presumption and thereby impairs judicial review and proportionality analysis.
Second, attribution‑gap and remedial impotence. Delegation doctrine requires statutory authorisation for transfers of public power and presumes a human accountable official. Ministerial‑AI severs the causal chain: who specified the rubric, who authorised the model‑version, and who bears legal responsibility become unclear. Without statutory attribution rules that name accountable natural persons or corporate entities, remedies such as injunctions, quashing orders, and damages risk practical impotence because courts cannot identify a legally responsible actor to enjoin or sanction.
Third, systemic‑risk and contestability collapse. Centralised scoring engines and specification‑capture make early design choices governance choke points. A single compromised rubric or biased model‑version can scale corrupt outcomes across many contracts. Contestability depends on access to rubrics, logs, and override records; opaque model artefacts and guarded system prompts impede discovery. When contestability collapses into formalism, procurement integrity and proportionality are undermined and public trust erodes or forms.
These doctrinal claims are supported by socio‑technical reasoning about specific technical mechanisms that produce legal friction. Specification‑capture and rubric centralisation render feature‑selection and weighting politically salient; adversariality and memorisation risks enable gaming and data‑exfiltration; opaque artefacts, proprietary training data and guarded system prompts impede meaningful discovery; cybersecurity concentration makes a ministerial‑AI a high‑value target whose breach yields systemic corruption and operational paralysis. Human‑in‑the‑loop arrangements often prove hollow when reviewers lack independence, technical literacy, or authority to override automated outputs; such arrangements create the appearance of oversight while preserving automated outcomes.
Limitations:
This paper is doctrinal and socio‑technical in orientation and does not undertake empirical investigation; its arguments therefore rest on conceptual analysis and case‑study reasoning rather than systematic data‑collection. The scope is intentionally narrow, procurement‑decision contexts and personified‑ministerial deployments, which limits generalisability to other public‑sector uses or jurisdictions with different institutional architectures. Rapid technological change and proprietary opacity mean some technical claims may evolve as systems and vendor practices change.
Buying Power, Shifting Paradigms: Public Procurement as a Battleground for Transatlantic Tech Sovereignty
ABSTRACT. The return of protectionist trade policies in the United States and the European Union’s turn toward “open strategic autonomy” reveal a profound paradigm shift in international economic law. Public procurement—historically governed by principles of openness and non-discrimination under the WTO Government Procurement Agreement—has emerged as a strategic lever in the contest for technological sovereignty. This paper argues that procurement is no longer a merely conjunctural instrument but increasingly functions as both an industrial catalyst and a regulatory gatekeeper in the global race for artificial intelligence (AI).
On the American side, entrenched domestic preference rules, recently reinforced by Trump-era neo-mercantilist policies, extend into the digital and AI sectors, effectively amounting to a “Buy American Tech Act.” In contrast, Europe resists an explicit “Buy European” framework but deploys regulatory instruments—the AI Act, the Net Zero Industry Act, cybersecurity and data localization requirements (or even the potential Industrial Accelerator Act)—that operate as implicit forms of domestic preference. Defense procurement, as well as sustainability and resilience criteria, further accentuate this shift toward a fragmented procurement order.
The analysis demonstrates how procurement is becoming a central battlefield in transatlantic economic relations, where regulatory cultures diverge yet converge toward strategic use of state purchasing power. By mapping explicit and implicit preference policies, the paper assesses whether procurement can act as a structural tool of industrial policy, shaping innovation trajectories and redefining the level playing field in the global economy.
ABSTRACT. Since the 1980s, industrialised nations and their institutions have experienced increasing corporatisation. Indeed, in the aftermath of the Second World War, states primarily acted as providers of goods and services to their populations. Over the course of the last decades and up to today, however, they have progressively been retreating, delegating more and more tasks and the implementation of public policy objectives to the private sector. Academic literature has examined this shift through the concept of the regulatory state (Majone, 1997, 1994). This concept underscores how states (and most particularly the European Union) have moved from direct provision to oversight, increasingly leaving the execution of public functions to private actors. At the same time, the concept stresses that, contrary to the neoliberal rhetoric of the 1980s and 1990s, the state has not disappeared (Vogel, 1996): rather, it has adopted a mode of regulatory governance based on control ‘at a distance’ (Yeung, 2010). In other words, the growing corporatisation of the world has transformed the state’s role from “rowing” to “steering” (Maggetti, 2025).
Although this development is at the centre of regulation studies literature, it has not fully permeated other academic fields. In the digital domain, for instance, legal scholarship often interprets EU legislation as evidence of the state reclaiming authority over tech giants (De Gregorio, 2025, 2022). For example, the GDPR or the DSA have been at times celebrated as instruments for enforcing fundamental rights online, while the DMA has been portrayed as a decisive intervention to foster competition. Many works that focus on these laws frame them as a form of ‘constitutionalism’ in the digital age (Pollicino, 2021; Celeste, 2019), on the basis of the premise that a strong state (the EU) is trying to curb private sector excesses.
Yet, the private sector in the digital world exhibits unique characteristics that distinguish it from historical state-market relations. A small number of predominantly American tech companies dominate the landscape. These firms operate transnationally and wield immense infrastructural power, controlling critical components of the digital ecosystem (from submarine cables for data transfer to cloud infrastructure and user interfaces) (Plantin et al., 2016). This control enables them to make decisions with profound implications for users – an aspect which is particularly evident with regard to social media platforms, where companies have been setting the rules of online discourse (Klonick, 2018). Their centrality in digital services (or, as some would argue, their monopolies – Klinge et al., 2022) also grants them exceptional financial resources, which translate into lobbying influence (Tarrant & Cowen, 2022) and the capacity to challenge regulations in court. When laws are not tailored to their interests, these firms possess the means to resist enforcement through litigation (Fahey, 2025).
These dynamics raise two fundamental questions for the literatures presented above. For scholarship on digital constitutionalism, the potential capture of the state by private interests (Laux et al., 2021) calls for a reassessment not only of the state’s role but of its very nature. Can we truly claim that EU interventions enhance the protection of fundamental rights when it remains uncertain whether the Union can impose its will against such powerful actors? For the literature developing the idea of the regulatory state, a re-examination is equally necessary. While this literature recognised the state’s transformation over the last decades, it largely dates from the early 21st century and fails to account for the rise of an extraordinarily powerful digital private sector. Does the notion of the state ‘steering from a distance’ still hold in the face of these developments?
Drawing on these two parallel developments, this paper aims to introduce and develop the notion of digital regulatory capitalism – both as a conceptual lens for understanding the EU’s regulatory approach in the digital sphere and as a framework for reconciling the apparent tension between two opposing visions of public-private entanglement found in the literatures on the regulatory state and digital constitutionalism. The concept of digital regulatory capitalism builds on the notion of regulatory capitalism (Braithwaite, 2008; Levi-Faur, 2011) in the wake of work on the regulatory state. However, this notion never really gained traction – although it seems particularly relevant to describe certain developments that arose in the last couple of years. This relevance lies notably in its ability to connect changes in the state’s role with broader shifts in the political economy of the digital world over the last 20 years.
The concept of digital regulatory capitalism thus aims to capture both the transformation of the state’s role and its efforts (particularly in the EU) to exert control over tech companies, while simultaneously revealing how states, due to the financial and infrastructural power of these actors, remain dependent on them and delegate certain tasks to them. This dynamic seems especially evident in regulatory areas such as data protection, online discourse, and, more recently, artificial intelligence. In short, digital regulatory capitalism seeks to illuminate the restructuring of the state and its regulatory capacity in the digital world around the infrastructural dominance of the private sector.
In addition to introducing and developing this concept, the paper aims to explore its potential to understand the EU’s approach to digital governance (including its recent 'deregulatory' turn, Avril 2025), while contrasting it with the increasingly evident emergence in the United States of a form of neo-mercantilism – one that increasingly disregards the rule of law and justice, and instead manifests as an expression of raw power serving private-sector interests.
AI Foundation Models as Self-Improving Infrastructures
ABSTRACT. Discussions of artificial intelligence (AI) under the lens of infrastructure typically focus on the physical layer of the AI stack: the computational power needed to train models, the storage systems required to manage data sets and model parameters, and the networking infrastructure that facilitates data flow and system coordination. While this perspective captures the technical foundations on which AI systems depend, it overlooks a crucial development: AI is not merely built on existing infrastructure. Instead, it increasingly functions as infrastructure itself, enabling business operations across the economy.
Infrastructures are defined in the economics literature as ‘large-scale, human-made resources’ that serve as ‘shared means to many ends’ (Frischmann, 2011). The paradigmatic examples that come to mind are physical infrastructures such as railroads and highways, although the internet and the rule of law also fulfill infrastructural functions. To qualify as an infrastructure, a resource must serve an enabling function for downstream activities, play an existential role as a key resource, and generate significant positive spillovers that result in large social gains (Frischmann, 2011). In terms of their industrial organization, infrastructure displays natural monopoly characteristics: high fixed costs, low marginal costs, and socially inefficient duplication.
The language of AI as infrastructure has recently been adopted by senior executives of frontier AI labs. Chris Lehane, OpenAI’s Chief Global Affairs Officer, declared in July 2025 that ‘AI is core infrastructure for nation building—akin to electricity’ (Lehane, 2025). Such claims are not merely rhetorical. Today, AI underpins core activities in sectors ranging from logistics and finance to e-commerce, media, and customer service. With 42% of large firms already deploying AI tools and 97% of business owners reporting operational benefits, AI functions as the new infrastructure of the contemporary economy (IBM, 2025).
Out of the entire range of AI applications, the infrastructural metaphor is particularly fitting for the dynamics of AI foundation models, or general purpose AI models (GPAI) in the parlance of the AI Act. Foundation models are trained on broad data and can be adapted to a virtually infinite range of downstream tasks (Bommasani et al., 2021). First, access to foundation models is essential to AI-native market entrants. At the time of writing, 9 out of 10 business developers are relying on some version of OpenAI’s GPT models (Forbes). If we take into account competing frontier models, the number rises to 10 out of 10. Second, large businesses are also catching up, 60% reporting the use of foundation models in 2025 (Lightspeed Venture Partners).
Third, governments increasingly rely on commercial foundation models for tasks ranging from automating the review of complex contracts to powering real-time chatbots for public enquiries and knowledge management. Partnerships between frontier foundation model providers and governments are becoming commonplace, most notably in critical industries such as national defense (e.g. OpenAI—The United Kingdom; Anthropic’s Claude for Government; Mistral AI—French Armed Forces, etc.).
This reliance is likely to deepen. Unlike traditional infrastructures such as highways or electricity grids, foundation models do not depreciate with use. Under certain conditions, increased deployment can generate additional data that feeds back into model improvement, reinforcing performance and adoption. These data flywheel dynamics are mediated by technical and organizational choices, but they nonetheless distinguish foundation models from static infrastructures. Furthermore, recent research shows that, under certain conditions, foundation models can self-adapt by generating their own fine-tuning directives (Zweiger et al., 2025; Zhang et al., 2025), reinforcing the idea that they represent dynamic, self-improving infrastructures.
This evolution provokes serious policy challenges. When access to foundation models becomes a prerequisite for effective market participation, the possibility that some actors may be denied access—or that others may receive preferential licensing terms—introduces new forms of economic exclusion. Access to foundation models is currently governed exclusively by their providers’ terms of service and acceptable use policies, which are purely contractual instruments that bestow unilateral modification rights on the providers. Downstream developers can suffer from both contractual discrimination (e.g. different levels of access and pricing schemes) and technical discrimination (rate limits, selective update releases, throttling, etc.). There is already ample evidence that foundation model providers engage in both types of discrimination, giving preferential access to selected developers (e.g. OpenAI’s provision of early access to GPT-4 to Duolingo and Morgan Stanley; Anthropic offering access to Claude for the US Government for $1 a year).
While these harms are still emerging, they risk evolving into forms of political and normative gatekeeping with chilling effects on socially valuable uses. Foundation model providers currently determine which applications are acceptable and which actors may operate at scale. Uses such as watchdog research, safety auditing, or governance tools for governments in the Global South may therefore be subject to price discrimination, denial of scale, or suspension. Over time, this risks biasing the infrastructure toward commercially lucrative applications rather than socially valuable ones.
These dynamics point to a governance gap that cannot be addressed through existing regulatory tools. Current frameworks remain largely ill-suited to the problem of access governance for foundation models. In the EU, the AI Act is primarily oriented toward risk classification and safety obligations and is notably silent on the conditions under which access to foundation models should be granted, restricted, or withdrawn. Yet an emerging body of scholarship emphasises that downstream use cases, benefits, and risks depend critically on the access conditions afforded to AI systems (Kembry et al., 2024). Reframing foundation models as self-improving infrastructures thus brings into focus not only their pervasive economic role, but also the limits of a governance regime grounded exclusively in private law and ex post enforcement.
This, in turn, raises the question of whether competition law can fill the gap. As has been amply documented, antitrust-style interventions are ill-suited to address the structural features of the foundation model ecosystem. First, enforcement timelines are poorly aligned with the speed at which access conditions and dependencies can become entrenched, with cases often taking years to reach resolution (Sitaraman & Narechania, 2024). Second, the relevant concern is not the conduct of isolated firms, but the industrial organisation of the sector itself. High fixed costs in compute, cloud infrastructure, talent, and data, combined with low marginal inference costs, render the industry inherently inhospitable to effective competition and structurally prone to concentration (Weyl, 2024; Vipra & Korinek, 2023).
By contrast, public-utility-style obligations offer a more promising governance framework. Existing legal instruments, such as the European Electronic Communications Code Directive (2018), establish that sector-specific obligations can be imposed when three conditions are met: 1) high and non-transitory barriers to entry are present; 2) there is a market structure which does not tend towards effective competition within the near time horizon; and 3) competition law alone is insufficient to adequately address the relevant harms. Building on this, this paper argues for the imposition of the following obligations on frontier foundation model providers: 1) non-discrimination—same technical and commercial terms for similarly situated users and potentially a ban on preferential treatment of affiliates and large investors; 2) duty to supply—no arbitrary refusal of service, strict conditions for termination; and 3) procedural guarantees and oversight mechanism for the enforcement of terms of service.
From Soft Law to Binding Rules: Transitional Models of AI Governance in Türkiye
ABSTRACT. The question of whether artificial intelligence should be regulated cannot be considered a normative choice anymore. The debate has shifted decisively toward how, why and through which regulatory instruments AI should be governed. The rapid diffusion of generative AI across virtually all sectors has intensified its interaction with constitutionally protected fundamental rights, rendering regulation unavoidable. Risks such as discrimination, opacity, the expansion of automated decision-making, and the erosion of meaningful human oversight show that artificial intelligence cannot be treated as a purely technical innovation detached from constitutional and democratic constraints.
From a comparative law perspective, distinct models of AI governance have emerged. In the United States, regulation remains largely sector-specific and multi-layered, without a comprehensive federal framework. Certain states, most notably California, have introduced pioneering initiatives targeting frontier AI systems. This approach prioritizes innovation but results in regulatory fragmentation. In contrast, China has developed a security-oriented and state-centric governance model, grounded in public order, national security, and social stability, with extensive administrative oversight over algorithmic content and data governance. The European Union (EU) has charted a different and globally influential path. The EU Artificial Intelligence Act (AI Act) introduces a risk-based, ex ante regulatory framework that classifies AI systems according to their use contexts and imposes heightened obligations on high-risk applications. As the first comprehensive horizontal AI regulation, the AI Act functions as an umbrella framework designed to structurally reconcile technological innovation with the protection of fundamental rights.
Against this regulatory landscape, the regulation of artificial intelligence in Türkiye raises a distinct set of normative and institutional questions. Türkiye’s skilled human capital, extensive use of AI in strategic sectors, particularly defence, its geopolitical positioning, and its long-standing EU accession process place it within the Global South as an emerging regulatory jurisdiction. These characteristics make a gradual and hybrid regulatory strategy not merely preferable, but necessary.
This article argues that, in the pre-legislative phase, Türkiye should internalize selected mechanisms of the EU AI Act as soft law instruments before adopting binding AI legislation. Such an approach would both enhance the future enforceability of domestic AI regulation and facilitate compliance with the AI Act’s extraterritorial reach and the Brussels Effect, particularly for Türkiye-based AI providers and deployers operating in or targeting the EU market.
For the EU AI Act to become functionally effective in Türkiye, several conditions must be met: the applicability of the Act where AI outputs are used within the EU; the structural adaptation of risk categories, particularly for high-risk systems; the establishment of institutional governance capacity encompassing market surveillance, conformity assessment, and sanctions; the integration of core digital-law principles such as data protection, transparency, and meaningful human oversight; and the practical internalization of CEN/CENELEC and ISO-based harmonized standards within domestic legal and market practices.
From a broader Global South perspective, the article further contends that an abrupt transition to comprehensive and binding AI legislation may generate significant institutional and market-adjustment challenges. Türkiye illustrates how a soft law ecosystem comprising ethical guidelines, voluntary self-assessment tools, AI impact assessments, regulatory sandboxes, early standardization, and AI literacy initiatives can facilitate risk-based governance and promote institutional learning. This ecosystem also smooths the path toward binding regulation.
In conclusion, a pre-legislative, soft-law-driven approach offers Global South countries a legally coherent, rights-sensitive, and institutionally realistic pathway for integrating the EU AI governance model.
The "Quantum Paradox." Examining the Liability for Data Breach, the Duty of Care and Retroactivity in the European Union, United States of America, and People’s Republic of China Privacy Frameworks
ABSTRACT.
1 Introduction
The global digital economy operates on the fragile assumption that widely deployed cryptographic primitives, such as RSA and ECC, will provide data confidentiality for the foreseeable future. However, the rapid advancement of quantum computing, especially the development of a Cryptographically Relevant Quantum Computer (CRQC), would overturn this assumption.
Specifically, the "Harvest Now, Decrypt Later" (HNDL) and "Trust Now Forge Later" (TNFL) strategies introduce a unique temporal paradox into legal liability frameworks. Adversaries exfiltrate encrypted data (t0) to decrypt it once a CRQC arrives (t1).
This paper addresses a critical legal lacuna: Does the current legal "Duty of Care" protect a data controller/processor who adheres to today's market standards but fails to mitigate a mathematically foreseeable future breach? By comparing the approaches presented by the European Union (EU), the United States (US), and the People's Republic of China (PRC), this paper demonstrates how the quantum threat transforms the character of data retention from a standard compliance practice into a critical liability exposure. The paper argues that the timeline of quantum risk currently creates an immediate liability exposure, redefining the concepts of damage, standing, and negligence.
2 Theoretical Framework: The Mosca Inequality as a Legal Test
This paper transposes cryptographic theory into legal doctrine. To objectify the elusive concept of "negligence" in the face of uncertain technological timelines, it applies the Mosca Inequality, a risk management metric, as a binding legal test for the Duty of Care: X+Y>Z
Where:
X: The time required to migrate the infrastructure to Post-Quantum Cryptography (PQC).
Y: The retention period or shelf-life of sensitive data (e.g. genomic data, state secrets).
Z: The time remaining until a CRQC is available ("Q-Day").
The paper argues that if X+Y>Z, the data is effectively compromised at the time of exfiltration (t0), not decryption (t1). Consequently, continuing to store data with a long retention period Y (e.g., biometric data) protected only with classical encryption constitutes immediate negligence under risk-based legal frameworks.
Probabilistic Risk Refinement.
Crucially, this paper challenges the reliance on Z as a fixed scalar value. From a risk management perspective, Z behaves as a random variable with a probability distribution. The paper argues that a commercially reasonable Duty of Care cannot rely solely on median predictions of quantum availability (e.g., 15 years) but must account for "tail risk" - the non-negligible statistical probability of a "Black Swan" breakthrough in error correction. Ignoring this tail risk in favor of a "best-case" scenario constitutes a failure of reasonable foresight.
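The difference between a median-based test and a tail-risk test can be made concrete. The following is an added example, not part of the paper: it evaluates the Mosca inequality X+Y>Z once with Z fixed at its median and once with Z as a discrete random variable. The Q-Day distribution, migration times, retention periods and tolerance are constructed values chosen only for illustration.

```python
"""Mosca inequality X + Y > Z with Z treated as a random variable.

Added illustration. Every figure below is a constructed sample value,
not an estimate taken from the paper or from any published forecast.
"""
from dataclasses import dataclass
from fractions import Fraction

# Constructed distribution for Z (years until a CRQC exists): value -> probability.
Q_DAY_DISTRIBUTION = {
    5: Fraction(5, 100),    # "Black Swan" tail: early breakthrough
    10: Fraction(15, 100),
    15: Fraction(40, 100),
    20: Fraction(25, 100),
    30: Fraction(15, 100),
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    migration_years: int  # X: time needed to migrate to PQC
    retention_years: int  # Y: how long the data must stay confidential


def validate(dist):
    """Reject distributions that are not proper probability distributions."""
    if any(p < 0 for p in dist.values()) or sum(dist.values()) != 1:
        raise ValueError("probabilities must be non-negative and sum to 1")


def median_z(dist):
    """Smallest z with P(Z <= z) >= 1/2."""
    validate(dist)
    cumulative = Fraction(0)
    for z in sorted(dist):
        cumulative += dist[z]
        if cumulative >= Fraction(1, 2):
            return z


def mosca_violated(asset, z):
    """The scalar test: X + Y > Z for one assumed value of Z."""
    return asset.migration_years + asset.retention_years > z


def exposure_probability(asset, dist):
    """P(X + Y > Z): probability mass of all Q-Day outcomes that arrive
    before the data has been migrated and has aged out."""
    validate(dist)
    return sum((p for z, p in dist.items() if mosca_violated(asset, z)),
               Fraction(0))


def max_retention(migration_years, dist, tolerance):
    """Largest whole-year Y with P(X + Y > Z) <= tolerance.

    Returns None when even Y = 0 exceeds the tolerance, i.e. migration
    alone takes longer than the tolerated tail allows. The search is
    capped at the largest Z in the distribution.
    """
    best = None
    for y in range(0, max(dist) + 1):
        probe = DataAsset("probe", migration_years, y)
        if exposure_probability(probe, dist) > tolerance:
            break  # exposure never decreases as Y grows
        best = y
    return best


def assess(asset, dist, tolerance):
    """Compare the median-only test with the tail-aware test."""
    exposure = exposure_probability(asset, dist)
    return {
        "asset": asset.name,
        "fails_median_test": mosca_violated(asset, median_z(dist)),
        "exposure": exposure,
        "fails_tail_test": exposure > tolerance,
    }


if __name__ == "__main__":
    tolerance = Fraction(5, 100)  # constructed risk appetite
    assets = [
        DataAsset("session logs", 3, 1),
        DataAsset("payment records", 4, 8),
        DataAsset("genomic data", 4, 25),
    ]
    for asset in assets:
        r = assess(asset, Q_DAY_DISTRIBUTION, tolerance)
        print(f"{r['asset']:16} median-test fail={r['fails_median_test']!s:5} "
              f"P(X+Y>Z)={float(r['exposure']):.2f} "
              f"tail-test fail={r['fails_tail_test']}")
    print("max retention for X=4 at 5% tolerance:",
          max_retention(4, Q_DAY_DISTRIBUTION, tolerance), "years")
```

With these sample figures, the payment records pass the median-only test yet carry a 20% probability that X+Y>Z, which is the gap the tail-risk argument points to.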
3 The European Union: The "State of the Art" and Burden of Proof
Within the EU, this liability is particularly severe under Article 32(1) of the GDPR, which requires adoption of technical measures appropriate to the risk, considering the "state of the art" (SOTA). This paper interprets Article 32 to require that SOTA be re-conceptualized not as a static checklist of approved algorithms but as a dynamic capability benchmark rooted in Crypto-Agility. In the absence of a binding definition, this paper provides an understanding of SOTA in the quantum era by synthesizing guidelines from ENISA, TeleTrusT, and standardizing bodies to establish three concurrent criteria for cryptographic measures:
Scientific Validation: Algorithms must be accepted by the research community as resistant to all currently known cryptanalytic attacks, including adaptive chosen-ciphertext attacks (IND-CCA2).
Availability and Applicability: Technology must be proven in operational environments rather than being purely theoretical.
Technological Awareness: Measures must not rely on primitives classified as "Deprecated" or "Legacy" by standardizing bodies such as ISO/IEC, NIST, and State Administration of Cryptography TC260.
Technological Obsolescence as Negligence.
In the LfDI Baden-Württemberg v. Knuddels.de precedent, storing passwords in plain text (unhashed) was deemed a GDPR violation due to the failure to implement "state-of-the-art" security measures. Analogously, the use of classical encryption in the quantum era shall be considered equivalent to storing data in plain text (the same applies to using obsolete hashing primitives, such as MD5 or SHA-1).
Reversal of the Burden of Proof.
Furthermore, the paper analyzes the critical impact of the recent CJEU ruling in VB v. Natsionalna agentsia za prihodite (Case C-340/21), which established the reversed burden of proof. The Court ruled that the mere occurrence of a breach does not imply strict liability, but the controller is responsible for demonstrating that their security measures were "appropriate." Regarding the quantum threat, the judgment confirmed the requirement for the data controller to demonstrate that the use of classical encryption was an appropriate risk decision despite the known HNDL or TNFL threat. The paper argues that the CJEU imposed a probatio diabolica on controllers, effectively shifting the EU regime towards a strict liability model for technological stagnation.
The NIS2 Directive and Executive Accountability.
Beyond the GDPR, the NIS2 Directive (2022/2555) introduces, in Article 20, a shift toward personal liability of management bodies for negligence in overseeing cybersecurity risks. In the quantum context, failure to address these threats could lead to personal administrative fines, aligning the EU regime closer to the Chinese model of strict executive accountability.
4 The United States: The Jurisprudential Split on Standing
Unlike the EU's proactive liability regime, the US Article III "standing" doctrine creates a complex circuit split regarding whether the theft of encrypted data constitutes a "concrete injury."
The Pro-Standing Doctrine (Dissemination).
The Third Circuit, in In re Horizon Healthcare Services Inc., recognized that the unlawful dissemination of private data constitutes an injury in itself, regardless of immediate financial loss. This precedent supports HNDL and TNFL liability, implying that privacy loss occurs at the moment of theft (t0). Furthermore, under this judgment the "read and understood" standard evolves into "harvested and will be understood."
The Anti-Standing Doctrine (Public Disclosure).
Conversely, the Fourth Circuit in Holmes v. Elephant Insurance Company (2025) introduced a stricter requirement, ruling that data held in "cold storage" by adversaries do not constitute an injury absent public disclosure (e.g., on the Dark Web). The analysis demonstrates that the HNDL and TNFL strategies are uniquely tailored to exploit the Holmes precedent. Because sophisticated states perform operations on data silently rather than publishing it, they create a temporary "safe harbor" for negligent US companies.
Negligent Stagnation.
In addition, this paper examines the Shore v. Johnson & Bell precedent, identifying a doctrine of "Negligent Stagnation." This case suggests that the failure to patch known vulnerabilities (analogous to failure to migrate to PQC) can constitute a cause of action even without a confirmed breach, defining security obsolescence as a service failure.
5 China: Retroactivity and Strict Liability
Comparison of Western approaches with the PRC reveals a third, distinct model rooted in the "Three Synchronizations" principle (San Tong Bu), which requires security architecture to be synchronously planned, constructed, and operated with state-certified cryptography (GuoMi standards).
Retroactive Enforcement.
The paper analyzes the Cyberspace Administration of China (CAC) v. Didi Global case to illustrate the principle of retroactive enforcement. The CAC penalized Didi for data processing activities that preceded current enforcement actions, applying a "continuous violation" doctrine. In the quantum context, failure to implement anti-harvesting measures is treated not merely as a privacy breach but as a national security failure under the DSL and PIPL.
Liability for Harvesting.
Drawing on the Sina Weibo data breach precedent, the paper accentuates that Chinese regulators interpret failure to prevent data scraping (harvesting) as a violation. In contrast to the focus of the United States on consumer harm, the Chinese model imposes strict personal liability on executives for architectural failures. If a system allows for the "harvesting" of core data, the liability is triggered immediately at (t0), regardless of whether decryption at (t1) has occurred.
6 Conclusion: From Algorithms to Infrastructural Readiness.
The paper concludes that the quantum paradox makes classical encryption standards obsolete as a legal defense, classifying them similarly to the use of no safeguard at all. The divergence in liability regimes creates a fragmented compliance landscape for entities operating globally: immediate liability in the EU, procedural hurdles in the US, and strict sanctions and legal requirements in the PRC.
Resolving these issues requires a shift in the legal definition of "Duty of Care." Rather than mandating specific algorithms (which become obsolete), legal frameworks must require "Infrastructural Readiness" (Crypto-Agility): systems must be designed so that cryptographic primitives can be replaced without unnecessary delay and without structural redesign. Crucially, only by prioritizing the agility to transition standards can legal frameworks effectively mitigate the retroactive risks of the quantum era.
Borderless Data, Bounded Power: The EU’s Data Governance Paradox
ABSTRACT. Introduction
The nature of data has shifted profoundly. Once static, carefully collected, and confined to specific purposes, data now flows continuously, reshaped, merged, and interpreted across vast digital ecosystems. It moves across borders, sectors, and analytical contexts, while traditional legal categories struggle to keep pace. Labels such as personal versus non-personal, sensitive versus non-sensitive, or identifiable versus anonymised no longer capture the fluidity of contemporary information.
As information moves freely, governance and control remain bounded, revealing a persistent clash between borderless flows and the limits of law. This paper explores this paradox by examining the EU’s evolving data governance architecture. The European Data Strategy of 2020, the Data Governance Act (DGA), the Data Act (DA), the emerging Data Union Strategy (DUS), and the 2025 Digital Omnibus proposal illustrate the Union’s ambition to create a borderless, interoperable digital economy that overcomes data siloing. At the same time, they expose the limits of legal frameworks designed for discrete, compartmentalised data spheres. Data spaces, which lie at the heart of these initiatives, exemplify this dynamic: they facilitate access, sharing, and innovation while simultaneously reinforcing hierarchies, privileging actors with legal, institutional, or technical resources and leaving smaller or less-equipped participants on the margins.
Data Liquidity
Any information represented as data is encouraged to flow, taking on liquid characteristics where it is broken down, transferred, and reconstructed, yet not retraced. Although multiple actors can use the same data, the uses they pursue often produce competitive effects within the economy. In this sense, the prevailing market dynamics usually treat data, whether appropriately or not, as a proprietary asset to be hoarded, creating what scholars increasingly describe as a “failure” of the data economy, when valuable resources are withheld rather than shared.
These dynamics become even more knotted as data moves in new ways, stretching traditional legal frameworks through two intertwined forms of liquidity. “Technical liquidity” reflects data’s ability to flow seamlessly across systems, jurisdictions, and analytical contexts. At the same time, data’s “economic liquidity” has intensified. It is commodified, tradeable, and non‑rivalrous, capable of being reused indefinitely without depletion, ‘whether we like it or not.’ Together, these forms of liquidity disrupt the stable legal categories that underpin European governance.
The GDPR, for instance, allocates rights and obligations according to clearly defined classifications (personal versus non-personal, identifiable versus anonymous), but in practice, cross-contextual reuse, AI training, and the constant reshaping of data blur these distinctions. This gap between regulatory design and technological reality generates uncertainty, complicates enforcement of data subject rights, and opens opportunities for exploitation that the law struggles to contain. GDPR’s protections operate only when identifiability can be inferred, so obligations arise situationally. At the same time, the more expansively “personal” data is understood, the less plausible it becomes to treat personal data as something that can be fully owned, commodified, or controlled.
Technical and economic liquidity accentuate this misalignment: data circulates rapidly across contexts and acquires new value, while the legal framework remains tied to static categories. The result is a fragmented landscape of protections and gaps, revealing both the limits of existing governance instruments and the need for regulatory approaches that can respond to data’s fluid, multi-dimensional character. In this way, liquidity does not just describe a property of data; it also exposes the structural friction between the mobility of information and the bounded nature of legal power.
Operational Gaps in EU Governance
In its pursuit of a borderless, interoperable digital economy, the EU faces the practical challenges of balancing innovation, openness, and the protection of fundamental rights. The DGA exemplifies this negotiation of competing priorities, demonstrating how regulatory measures intended to foster trust and facilitate data sharing can simultaneously lock in advantages, defining who participates and who benefits. Measures designed to limit exclusivity, enforce privacy-enhancing techniques, and provide procedural protections leave key questions unresolved: What determines the general interest? Under what circumstances is temporary exclusivity acceptable? In practice, these rules privilege actors with institutional sophistication, while individual data subjects remain marginal.
The Data Union Strategy and the Digital Omnibus proposal continue this trajectory, aiming to simplify and scale the regulatory environment. The Strategy links sectoral data spaces with AI ecosystems and public-sector datasets, opening access to foster innovation while reducing regulatory burdens for smaller actors. The Digital Omnibus consolidates provisions of the Data Governance Act and related legislation, streamlining obligations around data intermediation, altruism, and reporting. These reforms enhance clarity and operational efficiency, but they emphasise economic aims over distributive fairness and individual empowerment. In doing so, they risk eroding the distinctions that historically protected European data subjects.
These developments produce a structural accountability gap. Data flows across multiple actors, systems, and jurisdictions, yet governance frameworks fail to give individuals or communities meaningful control. Consent becomes opaque, individuals lose their centrality, and collective harms remain largely invisible. Infrastructures designed to enable cross-border sharing—technical standards, interoperable protocols, secure processing environments—reintroduce barriers, stratifying participation according to resources and expertise. The paradox crystallises: by promoting borderless circulation, the EU simultaneously embeds new forms of exclusion and hierarchy, privileging insiders while leaving others outside the benefits of a supposedly seamless digital economy.
Equity and justice remain central to governance debates but receive limited practical attention. Technical measures such as anonymisation and privacy-preserving tools can mitigate specific risks, but they do not address underlying structural imbalances. Market dynamics tend to reward accumulation rather than sharing (particularly in the context of data extraction, where data is taken with little regard for consent or compensation), concentrating influence in the hands of actors best positioned to derive economic value from it. The inherent properties of information and data reinforce these dynamics: traditional economic theory frames them as non-rivalrous, reflecting their low reproduction costs. While information is often treated as a public good because exclusion is costly, data is generally regarded as excludable, allowing selective control over access.
Data spaces, while presented as institutionally neutral, often reproduce these asymmetries by privileging those able to comply with demanding legal, technical, and procedural requirements. In the absence of deliberate efforts to integrate distributive considerations, governance arrangements risk entrenching existing hierarchies and narrowing the scope for meaningful participation.
Reconciling Openness, Rights, and Structural Inequalities
The EU pursues a dual agenda: promoting openness, interoperability, and the economic valorisation of data, while safeguarding fundamental rights, equitable access, and the public interest. In practice, however, operational realities often tip the balance toward efficiency and growth, leaving unresolved questions of justice, accountability, and distributive fairness. The challenge lies in the structural logic of governance itself. Systems and infrastructures (framed as neutral through technical and legal jargon) frequently sustain the appearance of impartiality while reproducing existing hierarchies, favouring actors equipped to meet demanding legal, technical, and procedural requirements. Those lacking such capacity are effectively shut out, rendering formal equality aspirational rather than real.
This disconnect raises pressing questions: How can frameworks align with the fluid, multi-dimensional nature of data while upholding commitments to equity and inclusion? How can access, reuse, and cross-contextual interoperability help avoid the concentration of power among incumbents? How can regulatory instruments recognise and mitigate both individual and collective harms in an ecosystem designed for continuous circulation? These are not abstract dilemmas.
Addressing them requires moving beyond compliance-oriented governance. Legal and technical rules alone cannot neutralise the advantages built into institutional and market structures. Adaptive, context-sensitive frameworks must embed distributive considerations and participatory mechanisms, ensuring that opportunities for innovation, insight, and value creation do not accrue solely to those best positioned to navigate the system. Governance must cultivate stewardship, reflexivity, and proactive interventions that redistribute influence and foster meaningful engagement across the full spectrum of participants. The challenge is to reconcile borderless data flows with bounded governance in a way that preserves order while emphasising who benefits, who participates, and whose rights are safeguarded.
Beyond the Market and the Public-Private Distinction: A Research Agenda for the Democratic Law of Infrastructure
ABSTRACT. Many of the regulatory issues that the European Union (EU) and its Member States seek to address shape private infrastructures, i.e., goods and services that have become essential within society while managed by private actors. Examples include online platform services, semiconductor producers, data centers, and critical raw materials projects. It is thus unsurprising that recently-adopted legislative frameworks in these fields take on an infrastructural nature, whether to address the issues deriving from the power of Big Tech (Digital Services Act and Digital Markets Act), to initiate the green transition policy (Net Zero Industry Act) or to secure a resilient European industry (European Chips Act, Directive on Resilience of Critical Entities, Critical Raw Materials Act).
Such an infrastructural turn is characterized by blurry boundaries between public and private interests. For instance, the EU advances private industrial interests regarding semiconductors, which are viewed as instrumental to the public goal of European strategic industrial autonomy. Relatedly, the boundaries between public law and private law are also increasingly blurry. This is exemplified by the Digital Services Act, which requires Big Tech firms to balance their own interests, fundamental rights and public values, and consequently govern their users’ behavior – where both Big Tech and user are private legal actors – in light of systemic risks incurred by their business model. We argue that this infrastructural turn might herald a shift in economic regulation, and more generally, regulatory policy.
From the outset of the neoliberal era, legislators were expected to create more markets and to intervene in existing markets only to fix ‘market failures’ based on the understanding that well-functioning markets are sufficient to deliver on public values (‘economic welfare’). In contrast, the infrastructural turn repositions legislators’ role to intervene in economic activities for other reasons – whether for the preservation of fundamental rights, environmental purposes, industrial resilience, or supply chain security.
This infrastructural turn poses a tremendous opportunity and challenge to democracy broadly construed. On the one hand, it promises significant public input into the governance of (private or privatized) essential resources, which, by themselves, entail regulatory affordances (Winner 1980; Lessig 2006; Frischmann 2012). On the other hand, it asserts certain firms’ position as the central providers of essential services and threatens their infrastructural powers, with significant downstream effects (Mann 1984).
In this context, we outline a research agenda for a democratic reimagination of the EU ‘Law of Infrastructure’. This law is placed against the background of the public utility doctrine (PUD), forged by United States (US) scholars around the turn of the 20th century (Rahman 2018a and 2018b). We argue this is an analytical, normative, and critical necessity for at least three reasons. First, the Law of Infrastructure must be approached from a conceptual perspective, informed by a cross-sectoral historical perspective to avoid falling into the traps identified in the past in analogous sectors (Novak 2017). A conceptual approach is thus needed to draw comparative insights. Until now, the infrastructural turn within EU legislation has been underrecognized (Kampourakis 2021), under-conceptualized, and a fortiori critically under-evaluated.
Second, as a prototypical form of public infrastructure regulation, the PUD’s relationship to economic and market governance must be addressed to enable the integration of democratic principles (Vaheesan 2024). This requires addressing how economic democracy of infrastructures can be reflected in the law, independent of misconceptions between State and market or public and private. At present, and in continuity with the neoliberal era, States and law remain instruments for purposes of commodification (Pistor 2019). This remains the case for the contemporary Law of Infrastructure, for instance via the Data Governance Act and Data Act, which advance data commodification (Ducuing 2025). The role of the PUD thus needs to be critically interrogated with regard to the contemporary form of capitalism.
Third, we posit that democracy should be a central value and objective of the law of infrastructure. With the infrastructural turn, the close interaction between public and large private infrastructural actors raises serious risks for democracy. For example, with the Digital Services Act, there is a risk that the EU legislator endorses Big Tech’s governance of users’ behavior ‘for their own good’, recognizing them as quasi-regulators. Entrusting large private firms as quasi-public entities thus raises familiar concerns of democratic involvement and accountability of public bodies.
Our conceptual framework rearticulates the PUD, as developed within US legal scholarship, including in more recent scholarship on ‘networks, platforms and utilities’ (Ricks et al 2022), but focuses on democracy as a lodestar. It thus aims to address infrastructure in light of incisive allied approaches of law and political economy and transformative law scholarships.
European Health Data Space: Infrastructural concerns and concentration of power beyond data protection
ABSTRACT. In 2022, the EC presented its draft for the European health data space (EHDS), proposing new rules along with a technical infrastructure and a novel governance system for enhanced data sharing in the health sector. The regulation is the first of the common data spaces (CDS), in a sectoral approach meant to overcome the shortcomings of data sharing across sectors. In the case of healthcare, the EC foresees tremendous economic benefits from improved data sharing. Interested parties would have access to data using a newly established common mechanism, intended to support research and innovation and thereby benefit practitioners, patients and innovators in a trickle-down manner. To reinforce adhesion to the project, the EC relies on compliance with data protection under the GDPR and anonymisation of the data set for sharing.
While the EHDS promises positive changes thanks to a redistribution of its expected benefits, data protection alone does not cover all risks associated with data sharing within a sector. Notably, the governance scheme and the creation of the technical infrastructure of the EHDS open a vast array of risks given their reliance on private actors on the one hand, and on the accumulation of infrastructural power on the other. Together, private influence and concentration of power would lead to a negative outcome where risks fall on society, while the benefits stemming from the EHDS would be recaptured by actors having power over the infrastructure.
In this contribution, we follow the work of Science and Technology Studies (STS) and Law and Political Economy (LPE) scholars to explore different risks stemming from the infrastructure and the governance of the EHDS. Firstly, we examine the influence of private actors in the standards-making process for the creation of the HealthData@EU infrastructure. As a socio-technical construction, standards allow for an influence on the design of the infrastructure, which in turn can lead to its participants having a de facto advantage in the data sharing pipeline. Second, we analyse how power can be wielded by technology companies and already dominant companies active in for-profit research through a broad interpretation of the EHDS. In the long term, we argue that the provisions of the EHDS would allow these companies to create intellectual monopolies which prevent the expected benefits of data sharing from being shared with society.
ABSTRACT. Recent EU data legislation has stipulated that specific data sharing activities take place in a ‘secure processing environment’ (SPE). Such environments are envisioned to ensure compliance with the law and – to that end – facilitate the re-use of public sector data and the secondary use of electronic health data under the Data Governance Act and the European Health Data Space Regulation, respectively. Further, in view of discussions concerning common European data spaces, the Data Act and the Digital Services Act’s data access regime, they may serve as a key blueprint for related and future data sharing arrangements under EU law.
The promise of SPEs to ‘ensure compliance’ may be difficult to fulfil, especially where requirements emerging from different frameworks potentially diverge. In the limited literature that has thus far discussed SPEs, they are generally presumed to be potentially capable of fulfilling this promise. Moreover, there are no contributions discussing how SPEs reframe power relations and accountabilities in relation to the processing of personal and non-personal data. Critical of this view, this contribution therefore examines the arrangements created by SPEs for data access under the DGA and EHDS, which actors they empower and how they interact with the legislation they seek to ensure compliance with. From a broad EU law perspective, there are some elements to believe that SPEs may be interpreted consistently – such as dimensions that it uniquely introduces and the role of general principles of EU law, for instance, proportionality – whereas the SPE notion relies on a broad notion of (EU and national) law that they should aim to ensure compliance with.
Understanding how SPEs may ensure compliance requires inquiry into legal frictions that emerge by virtue of the SPE notion. This contribution thus scrutinises the legal notion of SPE in light of two applicable areas of law, data protection and trade secrets law, to understand the implications of their practical implementation. Based on textual and systematic interpretations of the SPE notion in light of these legal frameworks crucial to the processing of (personal and non-personal) data, it becomes clearer that SPEs leave many questions unanswered, relegate questions to practical implementations, reframe powers and accountabilities in ways that may not be compatible with the logic of the EU data protection and trade secrets law.
Tying this together, this contribution provides an examination of three legal dimensions of SPEs the above scrutiny reveals. First, it looks at the normative choices to be made within SPEs, particularly regarding their design and operation. For concrete situations where a user is engaging with an SPE, such as where they seek to view, download or export relevant data, the SPE is the first instance in which such conduct may be enabled or limited, potentially affecting relevant legal entitlements. Second, it examines the role that different actors, private and public, have in making normative choices within SPEs, also in the context of a general 'institutionalisation' of data sharing arrangements. This is particularly relevant where, as is clear from the data protection and trade secrets law analysis, fundamental rights concerns are raised within the context of SPE operations. Third, it considers the consequences that the reliance on SPEs can have for affected persons. This is crucial for SPEs and their operations to be accountable based on the law they aim to ensure compliance with, and brings to light the need for SPEs to reflect existing and diverse enforcement structures. Based on the analysis of these different dimensions, the paper concludes that SPEs change pre-existing balances, dynamics and accountability frameworks for data access and processing. This runs the risk of creating SPEs as a legal category that is shrouded in uncertainties, mired by the applicability of adjacent fields of law, and is – in part – regulatorily unaccountable.
The “International Standards Effect” in Global Technology Regulation
ABSTRACT. In the field of emerging technologies, where formal lawmaking struggles to keep pace, we are witnessing a growing number of bottom-up regulatory initiatives. A prominent example is the development of global standards by non-governmental institutions such as the International Organization for Standardization (ISO). Although voluntary, these standards increasingly penetrate the realm of law, for instance by serving as evidence of conformity with national and regional legal requirements, being incorporated into domestic legislation, or gaining authority through Article 2.4 of the WTO Agreement on Technical Barriers to Trade (TBT), which encourages WTO Members to base their regulations on relevant international standards.
By promoting harmonization and facilitating market access, the reliance on standards has become one of the central instruments of regulatory convergence. These tools have long offered policymakers a convenient mechanism for incorporating harmonized innovation-enabling rules into domestic law while protecting core regulatory values like health, safety, and fundamental rights. But does this “international standards effect” materialise in practice, and if so, what implications does it carry for the evolving distribution of roles in the global regulation of emerging technologies?
This paper seeks to explore this question through the example of the medical devices sector, offering insights into the promises and perils of an "international standards effect" in technology governance. Indeed, the global regulation of medical devices requires navigating sensitive trade-offs between market access and safety requirements, while reconciling competing demands of innovation and industrial policy. Additionally, it intersects with regulatory domains in which national initiatives remain dominant, such as cybersecurity, data protection, and artificial intelligence, making it an interesting case study. Moreover, although global governance bodies such as the WTO and WHO emphasize the importance of harmonizing medical device regulation, significant divergences continue to persist across jurisdictions and between developed and developing countries.
To assess these trends, the study examines the uptake of international, regional, and national standards in the medical device legislation and regulatory practices of the US and the EU, both developed economies and major exporters of medical equipment, and India, a developing country and one of the largest importers. By identifying which standards these jurisdictions reference in their legal frameworks, the paper evaluates whether, and to what extent, an “international standards effect” is producing regulatory convergence, or whether national and regional preferences continue to sustain fragmentation. In doing so, the paper offers an empirically grounded account of these dynamics and situates the analysis within the broader literature on technology regulation and global governance, providing a foundation for future research across multiple regulatory domains.
While focused on the medical devices sector, the insights from this paper carry significant implications for global AI governance, where international standardization is increasingly invoked as a pathway to regulatory convergence in the context of a governance landscape that exhibits a high degree of fragmentation.
Firstly, AI governance is more explicitly value-laden than medical device regulation. While both domains address product safety concerns, regulations tackling AI often extend beyond them to fundamental rights, democracy, and rule of law, as demonstrated by the example of the EU AI Act. In these domains consensus is inherently more difficult and standards inevitably embed contested normative choices. International standard-setting bodies have begun to acknowledge this challenge. The ISO/IEC/ITU Seoul Declaration, adopted at the International AI Standards Summit in December 2025, commits to "incorporate socio-technical dimensions in standards development" and to "deepen the understanding of the interplay between international standards and human rights, recognizing both their importance and universality." Yet embedding fundamental rights considerations into technical standards, while maintaining global consensus, will prove challenging.
Secondly, the industrial and geopolitical stakes surrounding AI arguably exceed those of medical devices. AI is perceived as foundational to economic competitiveness, national security, and technological sovereignty. Export controls on AI chips, restrictions on model transfers, and competing regulatory frameworks reflect a fragmented landscape in which different countries pursue divergent approaches shaped by industrial policy as much as by safety considerations.
The paper is organized as follows. Section 2 discusses parallels and differences between the regulation of medical devices and AI. Section 3 proceeds with examining global regulatory frameworks for regulating medical devices, and then focuses on three regional and national frameworks, namely the EU, US and India. Using a mixed-method approach of legal and empirical analysis, it traces the elements of regulatory convergence in the applicable regional and national regulations, in particular when they reference international standards. Drawing on this analysis, Section 4 discusses whether a similar scenario of regulatory convergence could materialise in the AI sector.
Our analysis yields a central finding: international standards exert significant influence on national regulatory frameworks, but their adoption is selective and strategic rather than automatic. States draw on international standards when alignment serves their interests, but they simultaneously promote national or regional standards developed by private bodies that increasingly function as institutions of economic governance. These organisations, despite their private character, reflect domestic priorities and shape transnational regulatory landscapes in ways that serve particular jurisdictions. Regulatory convergence thus emerges less through traditional international organisations such as ISO than through decentralised, often competing, national and regional standard-setters. For AI, this finding is sobering. If regulatory alignment in medical devices, a sector with decades of international cooperation and strong trade incentives, remains only partial and strategically driven, AI governance may face similar limitations. In a multipolar world where AI standards embed contested values and geopolitical stakes, the “international standards effect” may prove less a pathway to harmonisation than an arena of regulatory competition.
Global API Governance under International Economic Law: Evidence, Standards and Power
ABSTRACT. Generative AI is increasingly delivered through APIs. Firms call models through cloud interfaces and embed them into products and business processes. In practice, these APIs sit inside Industry 4.0 systems and operate alongside data flows, connected devices, automation tools and platform services. Interoperability is therefore not a nice extra. It is a basic condition for reliable operation. Once model APIs become general-purpose capabilities across sectors, they look like cross-border digital services to users, but to regulators and procurement teams, they look more like part of the critical infrastructure. Such integration also brings risks, including safety incidents, cyber-attacks, discrimination, subtle manipulation and opaque errors. In response, governments and large buyers are turning to technical standards, testing methods and conformity assessment. These tools not only support compliance, but they can also create practical entry conditions for market access. As a result, the meaning of trustworthy AI is often set less by statutes alone and more by standards, audits, certifications and contractual compliance packs, which can lead to fragmented standards and repeated compliance, with clear trade frictions.
Using the EU AI Act as the central example, this paper examines how an evidence-based AI compliance pathway operates under IEL. It assesses the EU approach through the lens of the GATS and selected digital agreements and situates EU compliance tools within the landscape of international AI standards, including ISO and IEC work. The paper asks how, and to what extent, the EU AI Act’s standards and conformity assessment model can function in practice for cross-border supplies of AI-enabled services, and what trade-relevant effects it may produce. To ground the analysis, it uses a focused case study of Chinese suppliers providing AI systems to EU deployers, where compliance demands are often transmitted through procurement, platform terms, and contractual flow down rather than direct extraterritorial enforcement.
The core claim is that the main trade effect is rarely a formal ban on the service. It is a shift in the conditions for supplying it across borders, and this shift is best understood as a gate for market access evidence. Even where EU rules place direct obligations on deployers in the EU, those deployers often push the same requirements upstream. Foreign suppliers are then expected to deliver recognised documentation, testing results, audit trails, and assurance in evidence formats that EU buyers and auditors accept. Where such evidence is difficult to produce or translate, the barrier appears to be a private contracting and audit problem, but it can also function as a de facto condition of cross-border supply.
A further finding is that compliance evidence is shaped by multiple actors, which complicates the identification of a ‘Member measure’ and the assessment of de facto disadvantage under trade law. Standard setters, auditors, platform intermediaries, procurement departments and regulators jointly define what counts as acceptable evidence. In practice, major AI platforms also operate as quasi-regulators. Through API terms, developer policies, audit rights, and the ability to restrict access or updates, they can define compliance thresholds for market participation. Public regulation often connects to this private layer through accreditation, recognised standards, procurement and due diligence requirements. This blurs the boundary between public regulation and private governance, and it shifts key market access constraints from formal border measures to platform-managed evidence gates.
The paper argues that a workable response is not a full uniformity of rules, but interoperability across compliance evidence systems. It develops two routes, recognition of foreign compliance results and structured equivalence assessments, which aim to reduce repeated audits and duplicated documentation without lowering legitimate public goals such as safety, cybersecurity and fundamental rights protection. It also proposes a dynamic equivalence model that fits continuous model updates, through version control, ongoing monitoring, incident reporting, and clearer thresholds for when an update triggers re-assessment. A final implication is institutional. States can agree on baseline recognition and equivalence principles in trade and digital agreements, and then translate them into workable conditions through state-to-provider or state-to-investor contracts. To limit fragmentation, those conditions should be tied to internationally recognised standards and accepted conformity assessment practices.
The core conclusion is that the key battleground in AI governance is the compliance evidence infrastructure. It turns legal goals into market access conditions. Standards and conformity assessment are not just technical add-ons. They can function as private regulatory tools with tangible trade effects. However, such a rule-based pathway is also constrained by politics and technical capacity. A jurisdiction, or a state, that seeks to shape global rule-making in the digital era cannot rely on legal texts alone. It also needs credible technical capacity and influence over key AI inputs. Where computing, cloud services, and platform ecosystems are concentrated, dominant actors can shape who is able to supply, update, and support models across borders, and they can influence which compliance practices become global defaults. A workable approach for global API governance under IEL, therefore, needs effective interoperable evidence systems, and also a realistic account of how infrastructure power can limit regulatory autonomy in practice. Strengthening domestic technical capability may thus support regulatory capacity.
References:
Baldwin R, The Great Convergence: Information Technology and the New Globalization (Belknap Press of Harvard University Press, 2016).
Ciuriak D and Rodionova V, ‘Trading Artificial Intelligence: Economic Interests, Societal Choices, and Multilateral Rules’ in Shin-yi Peng and others (eds), Artificial Intelligence and International Economic Law (CUP 2021) 97.
Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products [2008] OJ L218/82.
Fukunaga Y, ‘Are Digital Trade Disputes “Trade Disputes”?’ in Shin-yi Peng and others (eds), Artificial Intelligence and International Economic Law (CUP 2021) 159.
International Organization for Standardization (ISO), ‘ISO/IEC 22989:2022 Information Technology—Artificial Intelligence—Artificial Intelligence Concepts and Terminology’.
ISO, ‘ISO/IEC 23894:2023 Information Technology—Artificial Intelligence—Guidance on Risk Management’.
ISO, ‘ISO/IEC 42001:2023 Artificial Intelligence—Management System’.
Lim AH, ‘Trade Rule for Industry 4.0: Why the Technical Barriers to Trade Agreement Matters Even More’ in Shin-yi Peng and others (eds), Artificial Intelligence and International Economic Law (CUP 2021) 97.
Reese B, The Fourth Age: Smart Robots, Conscious Computers, and the Future of Humanity (Atria 2018).
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L 2024/1689.
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation [2012] OJ L316/12.
Streinz T, ‘International Economic Law’s Regulation of Data as a Resource for the Artificial Intelligence Economy’ in Shin-yi Peng and others (eds), Artificial Intelligence and International Economic Law (CUP 2021) 184–185.
Tegmark M, Life 3.0: Being Human in the Age of Artificial Intelligence (Penguin Books 2017).
Weber RH, ‘Global Law in the Face of Datafication and Artificial Intelligence’ in Shin-yi Peng and others (eds), Artificial Intelligence and International Economic Law (CUP 2021) 59.
Weber RH, ‘Legal Interoperability as a Tool for Combatting Fragmentation’ (2014) Global Commission on Internet Governance Paper Series No 4.
World Trade Organization, Agreement on Technical Barriers to Trade (TBT Agreement).
World Trade Organization, General Agreement on Trade in Services (GATS).
Who leads AI standardization? The fragmentation and geopolitics of international technical standards
ABSTRACT. As artificial intelligence governance increasingly relies on technical standardization, understanding who shapes these standards has become central to global AI governance. This article provides the first cross-organizational empirical study of leadership in AI standardization, across six major standards bodies: CEN-CENELEC, ETSI, IEEE, IETF, ISO/IEC and ITU-T. Using a longitudinal dataset of 819 leadership positions (2023-2025), interviews with 13 standards developers, and social network analysis, we map the individuals and organizations occupying positions of authority in AI standardization. Our results challenge prevailing assumptions in that leadership positions matter more than long-term reputation and resources for strategic influence. Major AI labs (OpenAI, Meta, Google) are largely absent from leadership roles, contradicting "Big Tech capture" narratives, while Chinese telecommunications companies dominate ITU-T. The AI standards landscape is fragmented with minimal cross-SDO collaboration and stark geopolitical divisions. Chinese organizations hold 52% of all positions, concentrated in ITU-T, evidencing deliberate coordination. In contrast, European and North American actors prioritize venues producing legally binding standards under the EU AI Act, although there is no evidence to support a coherent U.S.-led strategy for standards engagement. These findings challenge current narratives about power in standardization and highlight the need to scrutinize AI standards development as it increasingly underpins emerging regulatory regimes.
EU Digital Sovereignty through AI Standards: Institutional Implications
ABSTRACT. Over the past decade, digital sovereignty has emerged as a central strategic priority for the European Union (EU). This shift reflects a changing geopolitical and technological environment marked by the erosion of Western hegemony, intensifying global competition in digital technologies, and Europe’s structural dependence on foreign digital infrastructures (Seidl and Schmitz, 2024). While historically the EU has exercised considerable global regulatory influence through the scale and attractiveness of its single market, an influence often captured by the notion of the Brussels Effect (Bradford, 2020), these developments have increasingly challenged its capacity to shape global technological markets and rules.
Within this context, technical standards have become a core instrument through which the EU seeks to reclaim influence over the digital economy. Standards structure markets, embed values, and shape technological trajectories, making them a crucial site for geopolitical competition (Zuniga et al., 2024). The European Commission’s 2022 Standardisation Strategy explicitly situates standard-setting at the heart of Europe’s efforts to secure competitiveness, reduce strategic dependencies, and promote value-driven governance in key digital domains (European Commission, 2022). In this sense, standards form a bridge between the EU’s strategic ambition for digital sovereignty and its concrete regulatory practices. Put differently, standards become sites where digital sovereignty is operationalised.
This paper conceptualizes digital sovereignty as “a form of legitimate, controlling authority over [...] data, software, standards, services, and other digital infrastructure” (Roberts et al., 2021). Digital sovereignty thus rests on two analytically distinct but interrelated dimensions. Control refers to the ability to influence technological artefacts and their development, deployment, and interaction (Floridi, 2020). Legitimacy, by contrast, concerns the extent to which rules and rule-making institutions are perceived as procedurally appropriate and normatively justified, thereby generating compliance (Franck, 1990).
This contribution examines how the EU operationalises digital sovereignty through the governance of European technical standardisation in artificial intelligence (AI) policy. It identifies a core puzzle: while geopolitical competition and technological dependencies push the EU to strengthen its control over standards-setting to shape technological outcomes, the growing reliance on standards for implementing value-laden and constitutionally salient regulation raises concerns about legitimacy, transparency, and democratic accountability.
Existing scholarship has highlighted the limited participation of civil society in standardisation, the opacity of standard-setting processes, and the constitutional implications of delegating regulatory authority to non-majoritarian actors (Eliantonio and Cauffman, 2020). Together, these concerns cast doubt on whether current standardisation practices can sustain the legitimacy dimension of digital sovereignty. Moreover, the expanded range of interests and values at the core of the Commission’s standardisation request to the European Standardisation Organisations compounds these concerns. The AI Act broadens the scope of technical standard-setting well beyond the traditional focus on health and safety that characterises harmonised standards, including democracy, the rule of law, and the protection of the environment.
Building on this tension, the paper advances two hypotheses. First, if digital sovereignty requires enhanced control over the technical foundations of AI, this should manifest in an expansion and qualitative strengthening of EU-level standardisation activities, including a more strategic and centralised role for EU institutions. Second, because digital sovereignty also requires legitimacy, increased public oversight and accountability over standards-setting should accompany this expansion, implying a greater role for the European Commission in supervising and, where necessary, substituting private standardisation processes. The focus is, therefore, on how this tension reconfigures the governance of technical standards by strengthening the EU’s capacity to steer the content, direction, and timing of standard-setting in strategically salient digital domains, and by expanding public oversight mechanisms intended to ensure that standards implementing AI regulation remain consistent with EU legal principles and fundamental rights.
Substantively, the analysis highlights emerging developments that point towards a verticalisation of European standardisation governance. These include, most notably, the introduction of common specifications as a fallback regulatory instrument where harmonised standards are absent, delayed, or deemed insufficient, particularly in relation to fundamental rights protection. In addition, the reconfiguration of the role of Harmonised Standards Consultants, now contracted directly by the Commission rather than by European Standardisation Organisations, signals a shift towards stronger public control over the legal and constitutional conformity of technical standards.
The paper’s central contribution is, therefore, threefold. First, it provides an empirically grounded account of how digital sovereignty is operationalised through legislative and institutional changes in standardisation governance. Second, it shows how the dual requirements of control and legitimacy embedded in the concept of digital sovereignty generate systematic pressure towards greater centralisation and public authority involvement in standard-setting. Third, it demonstrates that this verticalisation produces not only complementarities but also trade-offs: while increased public oversight and centralisation may enhance the EU’s capacity to align standards with regulatory objectives, they also risk narrowing participation, politicising technical expertise, and constraining the procedural legitimacy of standard-setting processes.