The European Union is in a process of regulating various aspects of digitalisation with some 122 Union legislative acts in place or in the legislative processFootnote 1 – many of which have been adopted since the publication of the Commission’s 2020 European data strategy.Footnote 2 Union legislation in the field of digitalisation generally follows regulatory objectives informed by constitutional values including establishing a human-centric, rights-oriented and democracy enhancing approach,Footnote 3 but each of these acts has different governance structures. Despite the differences, some large trends in the development of the governance models within the current generation of EU legislative acts addressing digitalisation are identifiable. Understanding these governance models is central in charting the evolving characteristics of regulatory law under the EU’s digital legislation.Footnote 4 In the following, I differentiate three common features of the evolving governance models. The first common feature of the legislation discussed here is the institutional setting for implementation and enforcement. The latter is often designed to be implemented in the context of new administrative agencies and bodies, as well as networks of actors acting in complex multi-level composite procedures. This approach deepens administrative integration and adds to the complexity of procedures and the role of individuals therein. At the same time, it comes with a remarkable rise in use of forms of co-regulation by standardisation combined with new forms of self-regulation in the form of self-conducted impact assessments by private actors.Footnote 5
The second development – reinforced in the current legislation on digitalisation – concerns the move to use information as a tool of regulation. Many acts impose on individual actors and public administrations obligations implying regulation of information and regulation by information. Compliance with obligations often requires maintaining a quite granular understanding of sources and uses of information or data.
A third development emerging in the new digital legislation is strongly linked to the focus on information and was also one of the objectives of the Commission’s 2020 European data strategy.Footnote 6 It pertains to the use of interoperability standards to create data spaces spanning publicFootnote 7 and privateFootnote 8 institutions and bodies.
I. Institutional setting – composite structures and the increasing role of co-regulation and self-regulation
Many of the new acts developed for digitalisation fit into a pattern familiar in the system of implementation of EU law: They involve a growing role of EU agencies and new forms of bodies of cooperating national regulators. Such pluralisation of executive actors results in a complex reality of composite cooperation procedures. Composite procedures involve various jurisdictional levels whereby regulatory powers are exercised within networks consisting of agencies and regulatory bodies and private actors from the European, national and in some cases international levels.Footnote 9
1. New Boards
For example, the new European Board for Digital Services (EBDS, Article 62 DSA)Footnote 10 is a body composed of national Digital Services Coordinators, chaired by the Commission. The EBDS adopts opinions by majority and assists joint investigations (Article 63 DSA). Member States are then under comply-or-explain obligations about their compliance with EBDS acts (Article 63(2) DSA). New bodies have also been developed in other acts. One is the “high level group” under Article 40 DMA. Another is the European Data Innovation Board under the Data Governance ActFootnote 11 and the Data Act.Footnote 12 The latter is an expert group advising the Commission, which consults it on the choice of relevant standards. It consists of representatives of competent authorities on the European and national levels but may also be supported by a subgroup of representatives from such diverse sources as industry, research, civil society, and standardisation organisations (Article 42 Data Act).Footnote 13 The Interoperable Europe ActFootnote 14 has also created new boards and structures in the form of the “Interoperable Europe Board” (consisting of national representatives, the Commission, the Committee of the Regions and the European Economic and Social Committee) and the “Interoperable Europe Community”, which expands participation to other civil society representatives.Footnote 15
2. Composite Procedures
An example of the composite structures being created, including these new bodies, is the complaint system under Article 53 DSA, under which individuals can initiate a public enforcement procedure against either unjustified or omitted content moderation measures by lodging a complaint against providers of intermediary services with the Digital Services Coordinator (DSC) of the Member State where the recipient is located or established.Footnote 16 The DSA procedure – not unlike that under the GDPR – foresees that the complaint will be transmitted to the DSC of the country of the platform’s establishment (Article 53 sentence 2 DSA). The latter will take the final decision about the complaint and may adopt an enforcement order (Article 51 DSA). In an attempt to mitigate problems arising under the GDPR, a dual approach has been developed with the Commission being in charge of decisions concerning the very large operators (so-called VLOP or VLOSE, Article 65(2), (3) DSA).Footnote 17 Where supervisory powers are on the national level, the Commission may request a DSC to undertake certain measures, but that body is only obliged to take utmost account of that opinion. The EDPS will suggest solutions in case of disagreements between the DSCs. The difficulties such complex composite procedures will create are by now well-documented in terms of the GDPR. Experience with the DSA will show whether the problems under the GDPR enforcement can be avoided in the DSA structures.
3. Cooptation of Private Parties as Standard Setters
One particularity of the new structures is that they are heavily based on co-opting private actors to regulatory norm-setting through standardisation bodies. These structures are quite prominently reflected in various acts including the DSA,Footnote 18 the DMA,Footnote 19 the Data ActFootnote 20 and the AI Act.Footnote 21 For example, Article 2(43) of the Data Act refers to harmonised standards requested by the Commission from European Standardisation organisations (CEN, CENELEC and ETSI) under the standardisation regulation 1025/2012. References to these can become binding when published in the Official Journal by the Commission (eg, under Articles 30(3), 33(9) Data Act). But other forms of standardisation procedures with a policy specific design are also multiplying: For example, the DSA provides for an “atypical” standardisation procedure outside of Regulation 1025/2012.Footnote 22 Under the DSA, “significant systemic risks” (Article 34(1) DSA) that concern several VLOPs or VLOSEs may lead the Commission to invite (Article 45(2) DSA) operators or other providers of intermediary services, competent authorities, and stakeholders such as civil society organisations to collaboratively draw up so-called “codes of conduct.” The implementation of the latter would then be monitored by the Commission and the EBDS (Article 45(3), (4) DSA). Schneider, Ott, and Oles rightly remark that this process raises questions regarding legal certainty and clear allocation of responsibilities.Footnote 23 Such forms of standardisation are also not without danger in policy areas where the technical expertise is concentrated in a small number of technology companies sometimes forming oligopolistic market structures. More generally, where private and semi-private standardisation bodies are co-opted to fill a legislative void, the standardisation procedures become a highlighted issue of public interest.
This is equally true for standard setting under the EU standardisation regulation 1025/2012, as for international bodies or organisations as well as ad hoc standard setting procedures such as the one mentioned in the DSA.Footnote 24 In view of the multiplication of fora and procedures for standardisation, EU law must address various questions of the value and role of standards and even address such basic aspects as public access to standards with normative effect.Footnote 25
4. Self-Regulation and Conformity Assessments
Another question is the review of compliance with the diverse types of standards. In part this question is addressed by the development of self-regulatory elements of accountability in many of the EU legislative acts on digitalisation. These impose obligations on private actors such as private impact assessment obligations and review of their results, eg, in the form of Article 35 of the GDPR, where Data Protection Impact Assessments are required when a new type of processing is likely to involve “a high risk” to other people’s personal information. Under the DSA, VLOPs and VLOSEs are obliged to carry out a risk assessment on their own responsibility and to take effective risk reduction measures (under Article 34, 35(1) DSA). Verification of these measures is carried out by in-house compliance officers (Article 41(3) DSA) and independent audit bodies (Article 37 DSA). Implementation of recommendations arising from these audits is mandatory under Article 37(6) DSA.
Within these acts, impact assessments and risk assessments are primarily used as a tool of self-regulation. Impact assessment tools were initially developed as a tool of accountability for legislative and administrative procedures.Footnote 26 Under the EU’s digital legislation they are largely used to impose obligations on private actors. Conformity assessment procedures, as they are called in the AI Act, are applicable to high-risk AI systems.Footnote 27 The AI Act combines internal assessment by means of impact assessment activities with external private monitoring. For example, Article 3(20) of the AI Act identifies “conformity assessment” as the process of demonstrating whether the requirements set out in various standards and obligations relating to a high-risk AI system “have been fulfilled.” That can be controlled (Article 3(21) AI Act) by a “conformity assessment body,” ie, a “body that performs third-party conformity assessment activities, including testing, certification and inspection” and needs to be confirmed by a conformity assessment declaration under Article 47 AI Act. Here self-regulation and assessment are combined with a type of certification approach. Such certification is not uncommon in EU “guided” self-regulatory tools. Certification is an approach used in product safety, environmental and food law and is now being rolled out to digital legislation.
A similar combination of self-regulation and certification exists in the DSA which under Article 34(1) requires providers of VLOPs and VLOSEs to conduct risk assessments identifying, analysing and assessing “any systemic risks in the Union stemming from the design or functioning of their service and its related systems.” They are then obliged to put into place risk mitigation measures (Article 35(1) DSA) “with particular consideration to the impacts of such measures on fundamental rights.” Their approaches will be audited and “shall take due account of the operational recommendations addressed to them” (Article 37(6) DSA).
Various acts in the field of digital legislation therefore combine complex multi-level public enforcement procedures with strong elements of standardisation as forms of co-regulation and certain audited self-regulatory approaches. This overall structure results in complex governance systems with diverse responsibilities and often unclear positions of individuals as holders of data and information related rights.
II. Information as regulatory topos in its own right
The second general observation arising from EU legislation addressing digitalisation is that information management is emerging as the central focus of EU regulation. In view of digitalisation, European regulatory law is now broadly moving ever more towards regulation of information and regulation by information. There are two dimensions to this.
On one side, many of the legal acts of the EU digitalisation package impose obligations on individual actors which can be only complied with by means of an increasingly granular collection of information sourcing, information processing, storage, and knowledge of its use. This could be described in terms of control of an information “supply chain management.”
1. Data and Information Management
The EU’s General Data Protection Regulation (GDPR) of 2016,Footnote 28 for example, requires organisations to be responsible about the collection, storage and use of personal data. The GDPR identifies rights of access and rectification of personal information (Articles 13–17 GDPR), notification obligations and portability rights (Articles 19 and 20 GDPR) which also require detailed stockkeeping of information held about a person. Other obligations such as avoiding international transfers of personal data beyond the EEA and the EU (Article 44 GDPR) in the absence of specific circumstances (Articles 45–49 GDPR) equally require precise knowledge not only of the whereabouts of information but of the pathways of transfers. In the same vein, the GDPR also requires detailed data breach notifications (Article 34 GDPR).
By comparison, the EU’s AI Act contains further-reaching requirements of data and information management. Under Recital 59 and Article 13 AI Act, high-risk AI systems must be transparent, explainable, and well documented. In order to fulfil these requirements various obligations such as the recording of events in the form of logs have been introduced (eg, for high-risk AI systems in Article 12 AI Act). Logging must cover at least “(a) recording of the period of each use of the system (start date and time and end date and time of each use); (b) the reference database against which input data has been checked by the system; (c) the input data for which the search has led to a match; (d) the identification of the natural persons involved in the verification of the results” (Article 12(2) AI Act). Recording of the output of the use of a system will also be necessary.
This approach of imposing legal obligations requiring the detailed management of data is common in EU digital legislation. An example of this is the rules on data sharing company to company (“B2B”), from individuals to business (“C2B”) and in the inverse from business to individuals (“B2C”) between private actors in Chapter II of the Data Act. Other such obligations are formulated for exchange between companies and public institutions and bodies (“B2G”) and between public bodies (“G2G”) in Chapter V of the Data Act. Similar B2B obligations arise from Article 6(10) DMA under which “the gatekeeper shall provide business users […], at their request, free of charge, with effective, high-quality, continuous and real-time access to, and use of, aggregated and non-aggregated data, including personal data.” Regulation of requirements of information collection, categorisation, storage, exchange and use as well as an increasing depth of regulation of information architectures are also used to structure new supervisory relations between public and private actors. More reporting and more granular reporting duties are being used to regulate by information.Footnote 29
2. Public Data and Information Obligations
These examples show how information management is increasingly at the heart of the regulation of the digitalisation of society and the regulatory response. Information management by public and by private actors is becoming an ever more essential element of regulation and implementation of regulatory obligations. For the public sector this is not an entirely new challenge. In EU administrative law, it had long been argued that information needs to be treated as a legal topos in terms of regulatory law. The reason had been that the sophisticated complexity, which EU administrative co-operation within networks has reached, is based mainly on the generation, gathering, compilation, handling, computation, management and distribution of information. Information is used in relation to many functions as a key input and “raw material” for public decision-making, planning and steering activities.Footnote 30
3. Imposing Regulatory Obligations on Private Actors
The logic of imposing information management obligations is being expanded in the EU’s digitalisation legislation from public administrations to various types of economic actors, as the examples cited above show. The law concerning the establishing, compiling and use of information is developing at an increasingly rapid pace in numerous policy areas. This reflects the nature, role, technological handling, economic, social, and political relevance of information in practice. The expansion of obligations of information management to private actors also has to do not only with the nature and the extent of the impact of the role of information and the accompanying developing law of information in the EU on the fundamental rights of the citizens. It is also related to the notion that private actors are increasingly included into obligations concerning the implementation of EU law and policies. Examples include the obligations imposed on internet service providers to maintain automated up- and download filters to protect IP rights whilst avoiding infringement of free speech and artistic freedoms.Footnote 31 Other examples arise from the private involvement in European data spaces under Article 33 of the Data Act, which lays down the essential requirements that operators of data spaces need to comply with in order to allow for data exchanges. Data exchanges under this approach require that data structures and formats are pre-defined, as well as technical means to enable access and transmission of data. Further, Article 33 of the Data Act contains requirements on data quality, in terms of requirements of dataset contents being described in a standard way along with collection methodology and other factors. Data management requirements also give rise to individual rights such as, inter alia, rights of access to information, correction of information held and information about the nature of decision-making processes.Footnote 32
4. Regulation of Information and Regulation by Information
A fundamental shift is therefore observable – taking place across the legal system – towards an increasing focus on regulation of and regulation by information. Whilst in the past it might have been possible to find that “[t]he particular characteristics of information, and especially its importance for the process and outcome of decision-making, are underestimated by law,”Footnote 33 this has changed considerably with the new EU generation of legislation concerning digitalisation coming into force. Instead, the definition of information standards and formats, along with reporting requirements, is being developed into an ever more powerful regulatory tool. The formulation of data standards and reporting shapes markets and pushes regulatory choices by means of shaping information flows. The understanding of the effects of the new forms of data and information based regulatory structures will require not just legal expertise. Computer science and Science and Technology Studies will be relevant. But in some regulatory fields such as financial regulation, the approach is moving in the direction of full-scale regulatory access to market data and the possibilities of ever more real-time regulation through information.Footnote 34 This approach requires businesses to make information available in specific, pre-established formats.Footnote 35
5. Accountability of Decision-Making
One of the reasons for the relevance of various approaches to information management is accountability. Accountability therefore requires the possibility of human inquiry into the conditions of decision-making in the context of automation. Accountability requires interfaces between elements of automated decision-making and humans that enable human review of decision-making procedures. There are contributions in this special edition which specifically reflect this element, for example the discussion on the accountability of the use of AI in public administrative decision-making exercising discretionary powers. Juan Carlos Martinez’s contribution discusses various possible angles to approach the matter.
III. Interoperability as the glue holding the new regulatory world together?
At the heart of these first two common characteristics of EU legislation in the field of digitalisation are attempts at ensuring integration of data exchanges.Footnote 36 Interoperability of information and the creation of data spaces had been an explicit legislative objective formulated by the Commission’s 2020 European data strategy.Footnote 37 The latter sought to ensure technological advances and an increase in the quality of output of automated decision making due to the increase of available information.
Information management requirements imposed on businesses in order to ensure not only information exchange but also interoperability of underlying data sets, do not, however, come for free.
1. Data Sharing and Interoperability
The Commission’s European Strategy for Data of 2020 had foreseen an approach to foster data sharing across economic, government, cultural and scientific sectors in areas such as health, mobility, and agriculture to create various European data spaces. A prime example of a push in this direction is the Interoperable Europe Act,Footnote 38 which seeks to link data sources across Europe for use in public decision making, while at the same time being remarkably silent on means to ensure data quality in such exchanges. But interoperability approaches are now ubiquitous in the new EU data acts covering various aspects of digitalisation.
The latter role in interoperability requirements is the subject of the contribution by Schneider, Erny and Enderlein in this edited volume, illustrating the well-developed methods and governance structures of information sharing.
2. Multi-level Data Sharing
The collaborative governance structures for interoperability in the EU’s new data acts stand as examples not only for obligations regarding information management procedures but also the new regulatory landscape of multilevel institutions and bodies. Therein, rules are not just developed in terms of regulating data collections such as in the fields of customs law, immigration or public health, police, and security. Increasingly, rules on interoperability by design and data exchanges according to pre-defined formats and structures are being developed. The EU’s new Interoperability Act is an example of the attempts to address these questions in a horizontal cross-policy approach. It sets out information management rules covering a host of voluntary and mandatory data sharing between private parties and public entities. Information cooperation also covers voluntary and mandatory cooperation in enforcement networks between EU and Member State actors.
Some of these developments are also illustrated by Pflücke’s contribution to this special edition, which addresses details of the draft data access law in finance. But both the contributions by Schneider, Erny and Enderlein as well as that by Pflücke point to the intricate web of legal provisions seeking to create the possibility of making data available in various G2B, B2G, B2B and B2C contexts in the EU.Footnote 39
3. Oversight and RegTech
Public bodies no longer merely give indirectly binding guidance about future regulatory determination towards increasing structuring of information gathering and exchange, but increasingly also integrate regulatory oversight into continuous data flows on markets with the support of regulatory technologies. But that is only one side of the developments. The increased availability of information might also be helpful for the development of the single market without internal frontiers under a legal framework intended to protect constitutional values and approaches.Footnote 40
IV. Three common features of EU digital legislation
Three fundamental regulatory developments in the legal system are strongly reflected in the legislation addressing digitalisation and automation of decision-making: One is that across many acts we see a move towards more complex composite procedures, complex multi-level regulatory structures with agencies, EU bodies, national agencies, and co-regulation through standardisation. In several areas, obligations which used to be specific to public actors – such as the conduct of impact assessment procedures – are increasingly being imposed on private actors. A second feature of much of the current legislation in digital matters is that obligations imposed in that legislation require an increased attention to information management – from sourcing to use, dissemination, sharing. This is a requirement for both public and private actors. Information management is increasingly becoming the object of regulatory requirements in order to steer private behaviour and allow for enforcement of regulatory obligations. The effect of both developments is, third, linked to a change in information management. Legislation imposes an ever more “granular” knowledge and reporting of information flows in economic operators. Interoperability has left the range of inter-agency cooperation in the G2G contexts and is firmly established as a tool to create common knowledge also implying enhanced B2G, G2B and G2C as well as B2B information exchanges. In order to ensure this, efforts are made to allow for interoperability and the creation of common data spaces. The diverse regulatory tools and methods are creating complex networks of legal relations and obligations which appear difficult to submit to oversight and compliance without strong protection of individual rights and procedural structures ensuring their enforcement. Various contributions to the debate within this special edition (and beyond) discuss these matters.