The Enforcement Dilemmas in Europe’s Digital Rulebook

Europe is (re)writing the rulebook for the digital age. From protecting personal data to regulating online platforms and governing AI, the European Union has initially embraced a bold and arguably constitution-driven approach to digital regulation. But with ambition comes great complexity. As EU laws like the GDPR, DSA, and AI Act took shape, a new challenge has become evident, not only in the content and connection of these laws, but in how they are to be enforced.

Amid overlapping supervisory mandates and divergent national approaches, the EU’s digital rulebook is being tested for its fitness to enforce its digital policy, where the lack of coordination could undermine the competitiveness of the EU’s single market, and, broadly, fundamental rights. This post puts forward three emerging fault lines of the evolving enforcement landscape, focusing on the following dilemmas: harmonization vs. fragmentation, centralization vs. decentralization, and public vs. private enforcement.

Harmonization vs. Fragmentation: Overlaps and Conflicts

The EU's digital regulatory framework aspires to harmonize enforcement across Member States. However, the coexistence of multiple legal regimes risks generating overlaps, inconsistencies, and tensions in both substance and enforcement, as particularly underlined by the intersection between content, data, and AI. Clear alignment between these legal frameworks is lacking, not only in terms of legal obligations but also in the institutional structures responsible for their implementation.

One prominent example is the intersection between data protection and platform regulation. Data processing is central to the platform economy, particularly due to the use of algorithmic recommendation systems and targeted advertising. Under the DSA, each Member State appoints a Digital Services Coordinator (DSC) to supervise intermediary services, while the European Commission holds direct enforcement powers over Very Large Online Platforms (VLOPs). In contrast, the GDPR grants enforcement powers to national Data Protection Authorities (DPAs), and the AI Act introduces yet another layer, allowing Member States to designate at least one, but in most states, this has been understood to designate multiple market surveillance authorities. Their parallel and potentially overlapping enforcement mandates risk fragmenting enforcement efforts, leading to inconsistent application of the EU’s digital rulebook and weakening the overall protection of fundamental rights across the EU.

This interdependence calls for the cumulative and coherent application of multiple regulatory instruments. Yet the relationship between distinct legal regimes like the DSA, the GDPR, and the AI Act remains underdefined and is slowly being clarified through litigation and emerging enforcement practices. This fragmentation affects more than just the coordination of rules and obligations. It directly impacts the enforcement authority.

Centralization vs. Decentralization: European Institutions and Member States

From the above, it becomes evident that the enforcement of EU digital regulations sits at the intersection of centralized oversight by EU institutions and decentralized implementation by Member States. Centralization can enhance consistency and efficiency, particularly in addressing cross-border enforcement challenges, while decentralization allows for context-sensitive enforcement sensitive to national specificities.

The GDPR grants national DPAs primary responsibility for enforcement. Yet the "one-stop-shop" mechanism, intended to streamline oversight in cross-border cases by designating a lead DPA, has revealed inefficiencies, including delays, bottlenecks, and forum shopping. Similarly, the DSA reflects this central-local tension: while national DSCs are responsible for enforcing the DSA rules within their jurisdictions, the European Commission holds exclusive powers to supervise VLOPs, aiming to ensure consistent enforcement for platforms with EU-wide reach. However, this centralization may sideline national authorities and raise concerns about the Commission's capacity to manage a growing supervisory burden effectively. In contrast, the AI Act opts for a more decentralized enforcement model, allowing each Member State to designate at least, but also possibly more, market surveillance authorities. While this approach respects the national procedural autonomy of Member States and thus allows for the expression of particular national administrative cultures, it risks creating a patchwork of enforcement practices, potentially leading to regulatory arbitrage and uneven protection of rights.

The challenge lies in designing an enforcement framework that leverages the strengths of both centralized and decentralized approaches. The principle of sincere cooperation, enshrined in Article 4(3) of the Treaty on European Union, obliges the Member States and EU institutions to work together to ensure effective enforcement. However, in practice, this principle may not resolve the overlaps, gaps, and potential conflicts inherent in a multi-level and multi-regulatory enforcement landscape evolving under the EU digital regulations, which could see multiple authorities clashing or competing in certain cases.

Public vs. Private Enforcement: Public Actors and Private Enforcers

The EU digital regulatory landscape increasingly relies on administrative authorities for enforcement, potentially at the expense of judicial oversight. While administrative bodies bring specialized expertise and can act with greater speed and flexibility, their growing prominence raises concerns about accountability, by sidelining the role of courts in fundamental rights adjudication. While administrative bodies such as national DPAs, DSCs, and market surveillance authorities under the AI Act offer specialized expertise and operational agility, their increasing centrality may come at the expense of judicial oversight. This shift risks eroding key legal safeguards, such as transparency, accountability, and the right to an effective remedy guaranteed under Article 47 of the EU Charter of Fundamental Rights.

The GDPR remains the most judicialized of the three regulatory examples, providing explicit avenues for individual complaints and court challenges. However, the DSA and the AI Act give a less prominent role to judicial remedies, reinforcing the dominance of administrative and alternative private enforcement. While courts are formally accessible via the existing national procedures, their limited integration into the legislative design of the enforcement frameworks constrains their visibility and perhaps also their ability to apply increasingly technical legal standards. At the same time, private enforcement mechanisms are evolving in two distinct directions. On one hand, traditional forms of private enforcement, such as through user complaints and litigation by civil society organizations, continue to play a key role, particularly under the GDPR and the DSA. Instead, the AI Act provides fewer remedies for private actors to challenge violations or enforce compliance. On the other hand, the regulatory burden of enforcement is increasingly being delegated to the very private actors subject to regulation. The DSA, for example, requires platforms to implement internal complaint-handling systems and to engage in certified out-of-court dispute settlement processes. These mechanisms aim to provide accessible and fast-track remedies but also raise concerns about independence, procedural fairness, and the risk of regulatory capture.

This dual privatization of enforcement, both by and through private actors, marks a significant development in EU digital governance. While it promises to alleviate pressure on public authorities and broaden access to redress, it also exacerbates the questions of accountability and independent oversight, thus raising questions for the rule of law.

Towards Better Enforcement under the EU Digital Rulebook

Striking the right balance among the roles of national administrative authorities, judicial oversight, and private enforcement capacity becomes essential to preserving the integrity and legitimacy of the EU’s digital legal order. Simplification of the digital rulebook effort of the current Commission would be a welcome development if it did not come at the expense of strict fundamental rights protections.

The effort towards simplification should be focused on improving the enforcement system rather than changing the substance of regulations. A coordinated academic and policy effort is required to address the enforcement challenges in a systematic way that focuses on removing the barriers to effective accountability by improving the enforcement of European digital policy.

As an initial step toward a more systematic approach, we have recently co-launched a Europe-wide academic collaboration, led by Leiden University and the Católica Global School of Law, and supported by a Leiden University Starting Grant for the project The EU’s Human-Centered Digital Transformation, directed by Simona Demková. Together, we aim to explore coordinated solutions to the challenges outlined above—solutions that respect national procedural autonomy while remaining consistent with the requirements of the EU Treaties.