The Looming Enforcement Crisis in European Digital Policy

In recent years, the European Union has embarked on an ambitious regulatory journey driven by the goal of protecting fundamental rights and democratic values in the digital age. This approach, shaped by the rise and consolidation of digital constitutionalism, introduced stronger safeguards for users and increased accountability for both public and private actors, as underlined by the adoption of the GDPR and the DSA.

Nonetheless, this European regulatory approach has also led to legislative proliferation, raising primary constitutional questions in terms of coordination and enforcement. Indeed, the scale and speed with which the EU legislators continue to introduce new digital laws (with the AI Act being just one of the much-discussed examples) has resulted in a lack of strategic control, producing enforcement tensions. Instead of strengthening the digital single market, fragmented enforcement risks diluting the EU’s efforts and contradicting the core principles of its legal order, including the protection of fundamental rights and democratic values.

Recent calls for legislative intervention, such as the EDPS’ concept note on the Digital Clearinghouse 2.0, underscore the need to reassess the European approach to regulating the digital age. This post aims to contribute to this debate by advocating for a Rule-of-Law-Centered Enforcement framework – a vision that aligns digital law enforcement with constitutional imperatives and the broader EU legal order.

The current enforcement landscape

The European digital regulatory framework introduces a plethora of procedural safeguards and mechanisms to increase accountability, ranging from risk-based approaches to complaints procedures, administrative and judicial remedies (see our work on this). Formally, these mechanisms benefit users and increase accountability. However, practically, it has created a complex digital ecosystem marked by uncertainty and significant constitutional challenges regarding the distribution of powers among national and European regulators at various levels of governance.

There is no shortage of examples of such institutional clashes. For the sake of brevity, for example, the GDPR empowers national Data Protection Authorities (DPAs), but the enforcement of cross-border cases has exposed inefficiencies, delays, and inconsistencies (see here or here). The DSA, in turn, designates new enforcement mechanisms shared by the European Commission, in case of very large online platforms and very large search engines, and entrusted to the national Digital Service Coordinators in other cases. The AI Act further complicates the landscape by allowing each Member State to appoint multiple market surveillance authorities, necessitating close cooperation with Data Protection Authorities.

This prompted national efforts for coordination (see, for instance, the Dutch case). At the same time, the AI Act splits oversight between the newly created EU AI Office, responsible for generative AI, and national authorities, not to mention the overlaps with other regulations. The regulation on political advertising adds yet another layer of complexity, assigning enforcement responsibilities to different authorities, including DPAs.

The core of enforcement tensions was recently discussed by the CJEU in Meta Platforms. In the midst of a legislative vacuum, the Court outlined a coordination framework between data protection and competition authorities. It ruled that national competition authorities may consider GDPR compliance in abuse of dominance cases. It emphasised the principle of sincere cooperation enshrined in Article 4(2) TEU to ensure institutional cooperation over authority interchangeability, highlighting the importance of substantive enforcement and effective data protection (paras 53-54 and 62-63). However, this case also highlights the need for further legislative reform, particularly in the context of ongoing trilogues on additional procedural requirements for GDPR enforcement, introduced by the Commission Proposal. The gap-filling function of sincere cooperation may not suffice in the near future to resolve the enforcement overlaps of multiple competent authorities. Nonetheless, it remains a core principle, a “duty” as the Court refers to it, that will shape the relations between the regulators in the absence of legislative intervention for the years to come.

Further enforcement challenges stem from disparities in resources, capabilities, and priorities among Member States. National regulators vary in their financial and technical capacity, leading to inconsistent enforcement despite uniform standards. For example, some DPAs lack the resources to effectively enforce the GDPR, while countries like Italy, France, and the Netherlands are more proactive in areas such as competition and consumer protection. These gaps create uneven enforcement, undermining the uniform application of EU law – triggering questions of effet utile of the EU’s digital policy, including the rights of EU citizens. The practical concerns often overtake the discussions on potential reforms. While this is justified, we believe that these challenges need to be addressed with the repurposed vision of the rule-of-law-centered enforcement ecosystem.

Setting the research agenda for a rule-of-law-centered enforcement

At the core of the scholarly effort is the need to frame enforcement coordination within the rule of law, as enshrined in Article 2 TEU. The objective is to go beyond solutions focused solely on the practical lessons learned from the enforcement of siloed legislations like the GDPR, consumer protection or competition laws or through the functional spill-over from diverse bilateral or multilateral coordination efforts emerging on the national or European levels. Instead, enforcement reforms should be guided by constitutional principles, considering options ranging from further harmonisation and centralisation to improved coordination mechanisms grounded in the EU Treaties.

Beyond regulatory effectiveness, the lacking clarity in institutional cooperation in the enforcement of digital laws also produces consequences for the values enshrined in European Treaties. Within the enforcement jungle, the protection of fundamental rights, democracy and the rule of law, which arguably lie at the heart of the EU’s regulatory strategy, will not be sufficiently upheld. This situation will not only be a matter of “who gets to adjudicate” on the potential complaints, but also a matter of forum shopping, uneven levels of rights protection, and generate conflict in cross-border or cross-competence cases. Such fragmentation is fundamentally at odds with the rule of law requirements pledged in Article 2 of the TEU.

Recent initiatives, such as the EDPS’ proposition for the ‘Digital Clearinghouse 2.0’) and academic discussions (Brito-Bastor & Pałka, Hofmann & Mustert or de Hert & Hajduk) reflect growing interest in reforming digital enforcement. Legislative interventions could range from minimal measures facilitating coordination to systemic reforms addressing inconsistencies across regulations. However, any intervention must be grounded in the EU Treaties and broader constitutional considerations.

The primary research question is not merely how to minimise compliance costs and enforcement burdens but rather how could regulatory intervention best preserve the legal space, constitutional imperatives and rationales understood broadly under the notion of the EU legal system based in the rule of law. To explore this question, we propose a set of open research questions that require further scholarly and policy attention.

Open research questions

 The principle of sincere cooperation: How can the duty of sincere cooperation be systematically applied to enforcement coordination? While the Court provided initial insights on how the principle may shape enforcement coordination, the increasing complexity of institutional clashes in digital law requires a more systematic approach to collaboration and a clearer definition of the duties of the involved regulators.

Separation of powers and subsidiarity: To what extent can the future legislative intervention preserve national procedural autonomy of Member States, in line with the principles of subsidiarity and proportionality, while also preserving the broader requirements of separation of powers? The key challenge here is whether clear constitutional boundaries can prevent an overreach by EU bodies into national regulatory and enforcement spheres. This is especially in cases like the DSA and the DMA, which grant the European Commission significant powers for direct centralised enforcement.

Judicial review: What will be the role of judicial oversight in adjudication of potential conflicts of competence, both horizontally (between European institutions or national authorities) and vertically (between European institutions and national authorities)? For example, the ongoing dispute between WhatsApp Ireland and the EDPB, currently pending before the Court of Justice, highlights the open questions for judicial review in complex composite procedures. We can expect similar issues to arise in other enforcement scenarios, such as those involving the EU AI Office.

Delegation of Powers to Regulatory Agencies: The EU’s multilevel system also triggers existing concerns about the delegation of regulatory competences to specialised authorities, especially when these authorities are tasked with overseeing fundamental rights protection. It is therefore necessary to clarify the constitutional position of both the EU and national regulatory agencies in enforcing digital regulation. Future proposals for harmonising enforcement mechanisms should consider delegation theory, including the role and powers of the EU Commission as a key digital regulator.

Agency Independence: What level of independence should be required from the national and EU agencies responsible for enforcing digital laws, particularly in cases involving complaints about fundamental rights? While the CJEU has clarified the need for “complete independence” for the DPAs, similar standards are not yet required for other regulators, such as national market surveillance authorities under the AI Act. These agencies, however, will also be responsible for adjudicating complaints about potential fundamental rights violations related to AI systems.

Effet utile of EU law: How can the principle of effet utile principle influence the future enforcement ecosystem in digital policy? How should the requirements of effectiveness and equivalence be considered without infringing on Member States’ procedural autonomy in the event of further legislative intervention? This calls for a broader reflection on the effectiveness of EU law in light of the evolving digital governance strategy, which faces systemic enforcement challenges.

The list above represents just a small portion of the constitutional challenges posed by digital enforcement. We invite scholars to join this discussion by offering critiques, complementary ideas, and alternative perspectives to help shape the future of EU digital governance.