Technology and Regulation

This article investigates the definitional underpinnings of the EU Data Act (DA), specifically the concepts of “data”, “connected product”, and “related service”, to reveal how they structure the Act’s legal reach and reflect evolving policy priorities. Through analysis of the DA’s legislative journey from Commission proposal to its final form, the article shows how the definitional scope in EU technology regulation is shaped by technological developments, institutional coordination, and stakeholder influence. By tracing these dynamics, the article demonstrates how core definitions serve not simply as technical terms but as strategic instruments for balancing flexibility, legal certainty, and regulatory coherence within the EU’s broader digital governance framework. This article contributes to a better understanding of these strategic terminologies in the DA which in light of current calls within the Omnibus acquis for simplifications of data regulation in the EU has become increasingly relevant. 

In many countries, risk regulation is central to AI regulation. We examine generative AI (genAI) risk regulation in Australia through a case study of the trial deployment of Microsoft Copilot in government agencies. Risk mitigation depended on end-users’ responsibility for human review and fact-checking, readiness testing, and contractual assurance from vendors, but largely ignored the impact on team dynamics and long-term implication on human abilities. Three areas of improvement were identified: strengthening fact-checking and review by users lacking in time, knowledge and experience; addressing the impact on team dynamics and human abilities; and measures for impending uses of genAI systems as internal and public-facing government chatbots which are anchored on government-mandated collaboration among developers, deployers and users.

This paper describes and systematises systemic risk management obligations as a distinctive regulatory approach in EU digital legislation, particularly under the Digital Services Act (DSA) and the Artificial Intelligence Act (AIA). It analyses the notion of systemic risk and aims to distil the main distinctive features that characterise the related obligations under both the DSA and the AIA. Based on this analysis, this contribution outlines the uncertainties surrounding the implementation of systemic risk management obligations, as well as potential issues arising from the blending of public and private governance in novel ways. The ultimate objective is to chart the path for future research that looks at the open questions and challenges of these new and consequential regimes.

(editorial; not applicable)

Humans struggle with uncertainty, and risk management has been developed to tame it. It is used in many di=erent contexts including the digital ecosystem. But is risk management suitable for addressing cybersecurity challenges? In this article, we will delve into the di=erence between risk and uncertainty to find the types of challenges for which risk management works well, and the types of uncertainty for which it falls short. The ‘risk-uncertainty’ scale will help us clarify this distinction. Next, we will zoom in on the digital domain. Cyber risk management can be brought to bear on specific cybersecurity challenges, but we must supplement it with other approaches. In this article, we will discuss two: preparedness and Security by Design.

The management of individuals and their physical and digital identities has become vital to contemporary security and border governance. In targeting a certain set of ‘unsafe’ individuals deemed to pose a threat to national security, states’ multi-layered counter-terrorism toolkits have enabled a downward recalibration of the rights of these individuals; a recalibration that has since become both palatable and entrenched. With the ever increasing reliance on new and emerging digital solutions to existing and perceived future security risks, individual physical identities have been gradually translated into, arguably narrower, digital identities. As a corollary, the recalibration has not only shifted further downward but now impacts a much larger set of individuals depending on national and international political priorities.  

Digital authentication and electronic signatures are essential for reliable digital verification of identities in the digital environment. With the introduction of European Digital Identity Wallets under eIDAS 2.0, there has been a shift in the use of trust services. In this contribution, I examine whether eIDAS 2.0 facilitate the use of privacy-friendly trust services, in particular attribute-based authentication (ABA) and attribute-based signatures (ABS). ABA and ABS provide benefits such as modular identity and role-based signing, offering greater flexibility compared to traditional trust services. The analysis shows the difference between authentication and signing, revealing that eIDAS 2.0 only facilitates attribute-based authentication through the European wallets, but not yet attribute-based signatures. The article concludes by discussing the remaining legal challenges that may impede the full realization of privacy-friendly trust services.

This article examines how digital sovereignty is being structurally reconfigured through the privatization of cybersecurity governance. As governments increasingly depend on transnational technology firms for core security functions such as threat detection and cloud infrastructure, they face new constraints in defining, overseeing, and enforcing public authority. The paper develops a framework of three structural dilemmas: infrastructural dependency, epistemic asymmetry, and governance capacity gaps, to analyze how state sovereignty is reshaped through socio-technical entanglements. Through comparative case studies of AWS Sovereign Cloud (European Union), Project Maven (United States), and LG CNS Smart Surveillance (Korea), it shows how critical decisions about risk, classification, and control are embedded in proprietary systems. Reconceptualizing sovereignty as governance capacity rather than exclusive control, the article contributes to emerging debates on algorithmic governance, platform power, and digital constitutionalism. It argues that reclaiming digital sovereignty requires institutional architectures that embed public oversight within the infrastructures and epistemologies of security.

Data Spaces are highly interconnected data sharing ecosystems that represent a new array of collaborative data-sharing forms. In this context, data space connectors play a vital role as gateways for integrating existing systems and their respective data into Data Spaces. However, the lack of reusable and interoperable core components for data space connectors has resulted in divergent implementations and a lack of a shared understanding of data space connectors as mere bridging software. Absent harmonised components of connectors and a unified definition of the primary function of data space connectors, there is a concern that these connectors may impede, rather than facilitate, seamless access to Data Spaces. The hypothesis of the paper is that regulation should be considered as a means of addressing the current heterogeneous landscape and achieving the objective of enabling data sharing through Data Spaces. The paper therefore concludes with a hypothesis regarding the regulation of data space connectors as electronic communication services under the European Electronic Communications Code, and a call for further detailed research into the potential for implementing this hypothesis in practice.

As the European Union (EU) continues to pursue a strategy of twinning the green and digital transitions, heightened expectations have been invested in the potential of artificial intelligence (AI) technologies to combat climate change. Importantly, relying on AI to address the climate crisis gives rise to a range of security concerns. Yet, only rarely have such concerns been the focus of critical attention. Adopting a narrative theoretical lens, this paper critically examines the construction and contestation of security within three EU regulatory frameworks at the intersection of climate and AI governance – the Critical Raw Materials Act, the AI Act, and the Digital Services Act. The paper argues that these regulations fall within a genre of tragic governance. Each regulation romantically positions the EU as a heroic values-based actor, driven by green, rights-based and democratic ambitions. In practice, however, these ideals are undermined by the fatal flaw of restricted vision – security threats at the intersection of climate and AI governance are framed and addressed in terms that end up legitimating harmful dynamics of exploitation against local communities affected by resource mining, people on the move, and digital activists, whilst neglecting the logics of overconsumption, border externalisation, and data extractive informational capitalism that render such actors more susceptible to control and domination than protection and empowerment. At the same time, the paper also identifies a number of footholds within each regulation that provide a basis for dominant understandings of security to be contested. While such footholds are unlikely to completely overturn the dominant security narratives that underpin these regulations, they offer possibilities to construct counter-narratives that resist their inevitability – potentially creating space for future reimaginings of EU law beyond its tragic present.

Space-based services have become an indispensable pillar of modern society. Earth Observation (EO) technologies are used to map wildfires and mitigate climate disasters, Satellite Communication (SATCOM) bridges the digital divide with connectivity in remote regions, and Position Navigation and Timing (PNT) satellites supports agriculture, transport, finance, and many other critical sectors our societies rely on.
The increased use and interconnection of space with terrestrial networks offers significant economic and societal opportunities, but it also introduces new security challenges in the digital era. Critical infrastructure classifications extend to space-based systems, under evolving European Union legal frameworks, and the space sector must adapt to broader
requirements for resilience and sustainability. This requires space operators to balance economic development with the protection of fundamental rights, including the rights to security, access to essential services, and a healthy environment. This paper explores the interconnection between terrestrial and orbital infrastructures by
examining the emerging threats posed by the digitalization of space systems. It assesses the mechanisms necessary to ensure their long-term safety and reliability, focusing on how space infrastructure is defined as critical under EU law and mapping the obligations arising for the
space industry. Central to this analysis is the role of secure satellite and data networks in safeguarding multiple fundamental rights. In considering two use cases, Earth Observation for emergency management and GNSS to enhance several critical services, we explore the impact of cyberattacks on these domains and their repercussions on fundamental rights.
Our analysis offers a fresh perspective on how to achieve a robust, secure, and rights-centric framework for space systems, contributing to a broader discussion on security in the digital age.