Regulatory Reality · EU Systems

How EU regulatory frameworks actually operate

A publication on enforcement practice, institutional behaviour, and the distance between regulatory text and administrative reality. EU frameworks read across their full scope.

·
01
Enforcement practice

How cases are handled in practice. Resource constraints and institutional prioritization consistently shape outcomes in ways the regulation does not describe.

02
Institutional landscape

How EU authorities are organised, how jurisdiction is allocated, and how different national bodies approach the same legal framework.

03
Legislative intent

What each framework was designed to address, and how those objectives sit behind enforcement priorities over time.

04
Structural implications

How decisions made early — on establishment, classification, architecture — create regulatory exposure that only becomes visible later.

01
GDPR
EU data protection enforcement: how it actually works

Resource constraints, authority differences, and how cases are handled in practice. Germany, Ireland, and Luxembourg compared.

2026·10 min·
02
DSA
The DSA’s enforcement architecture: what the Commission actually does

Direct EU-level enforcement for very large platforms. What the framework means for operators below that threshold is less often examined.

2026·8 min·
03
AI Act
Risk classification under the AI Act: what the categories mean in practice

The four-tier structure looks clear on paper. How national authorities will apply it is still being established.

2026·9 min·
04
MiCA
MiCA authorization in practice: what national authorities are actually doing

The gap between the legal text and how competent authorities are implementing the framework is visible in early applications.

2026·7 min·
Analysis

EU regulatory frameworks

Each piece examines how a framework operates in practice — the enforcement architecture, institutional behaviour, and what the text leaves unresolved.

Data Protection · GDPR
01
GDPR
EU data protection enforcement: how it actually works

Resource constraints, authority differences, and how cases develop. Germany, Ireland, Luxembourg compared.

2026·10 min
02
GDPR
The one-stop-shop mechanism: what it means in practice

EU establishment determines lead supervisory authority. The regulatory consequences of that decision are often underestimated.

2026·8 min
03
GDPR
How complaints are processed: the administrative reality

Over 85% of filed cases remain undecided for months or years. What the complaint process looks like in practice.

2026·7 min
04
GDPR
Penalty decisions: what the published record shows

The factors visible across enforcement outcomes, and what distinguishes cases that result in fines from those that do not.

2026·8 min
Digital Services · DSA / DMA
05
DSA
The DSA’s enforcement architecture: what the Commission actually does

Direct EU-level enforcement for very large platforms. The framework looks different for operators below that threshold.

2026·8 min
06
DMA
Gatekeeper designation: thresholds, obligations, and what remains open

The Digital Markets Act targets a small set of platforms. What the designation process looks like, and what the regulation leaves unresolved.

2026·7 min
AI Regulation · AI Act
07
AI Act
Risk classification under the AI Act: what the categories mean in practice

The four-tier structure looks clear on paper. How national market surveillance authorities will apply it is still being established.

2026·9 min
08
AI Act
Provider and deployer: how the AI Act allocates obligations

Who carries compliance obligations depends on how a system is placed on the market and used. The distinction has structural implications that the text does not fully resolve.

2026·8 min
Crypto-Asset Markets · MiCA
09
MiCA
MiCA authorization in practice: what national authorities are actually doing

The gap between legal text and how competent authorities implement the framework is already visible in early applications.

2026·7 min
Platforms & Reporting · DAC7 / DMCA
10
DAC7
DAC7: what platform operators need to understand about reporting obligations

EU platforms must report seller income data to tax authorities. What triggers reporting, what is excluded, and how the data flows.

2026·7 min
11
DMCA
DMCA takedown notices: how the mechanism is used, misused, and contested

Designed for copyright enforcement. In practice the mechanism operates differently, and the incentive structure explains why.

2026·8 min
Principles

How regulatory systems work

Observations about how EU frameworks are designed, how enforcement institutions behave in practice, and what follows from that. Not recommendations — patterns that recur across frameworks and jurisdictions.

1
Enforcement is not the law

A regulatory framework and its enforcement record are two different things. Resources are finite; caseloads are not. The practical result is informal prioritization. Cases with public visibility, media involvement, or a simple factual record tend to move. Complex cases with contested facts tend to wait. This pattern is consistent across EU frameworks and jurisdictions.

2
Frameworks encode policy objectives

Each major EU regulatory framework was designed to address a specific problem. GDPR addressed a power asymmetry between individuals and large data processors. The AI Act was built around identified harm scenarios. The DSA targeted accountability gaps in platform governance. Those original objectives sit behind enforcement priorities — sometimes visibly, sometimes not.

3
Structure determines exposure

Where a company is established, how it processes data, what category its AI system falls into — these facts determine which authority has jurisdiction and what obligations apply. They are decided early, often on commercial grounds, and their regulatory implications become visible later. That sequence is where most unplanned exposure originates.

4
Authorities are institutions

Regulatory outcomes emerge from people working within institutional constraints: budgets, political priorities, unpublished internal guidance. Germany’s sixteen state data protection authorities produce meaningfully different outcomes for the same legal question. The Irish DPC supervises a disproportionate share of EU tech enforcement not by design, but because of how Dublin developed as a corporate location. The institution matters alongside the law.

5
Administrative processes respond to context

Documentation quality, response timing, and the completeness of information provided to authorities are factors that case handlers with discretion take into account. This is a feature of administrative processes generally. It is observable in the published enforcement record and in published guidance from multiple EU authorities.

6
Early decisions have lasting consequences

Most structural decisions that determine long-term regulatory exposure — establishment jurisdiction, data architecture, system classification — are made early and are difficult to revisit. Regulatory frameworks are largely knowable in advance. Their enforcement patterns develop over time but are observable. The question is usually whether that knowledge was available when the relevant decisions were made.

7
The EU is not one system

EU regulation is often discussed as if it produces uniform outcomes across member states. It does not. The same framework is administered by sixteen different German authorities, an Irish authority with a structurally distinct caseload, and a Luxembourg authority with different sector focus. Meaningful variation in outcomes for the same legal situation is well-documented and worth accounting for.

Advisory correspondence

Scope

This platform occasionally corresponds with companies and individuals on questions related to the analysis published here — how specific frameworks operate, how EU administrative systems are organised, and where enforcement patterns are relevant to a particular situation.

This is not legal advice and is not a substitute for legal counsel.

Contact

Correspondence is selective. Write to [email protected]

About Regulatory Reality

What this is

Regulatory Reality is a publication on EU regulatory systems — how they are designed, how enforcement institutions operate, and how administrative practice diverges from legal text across different frameworks and jurisdictions.

The analysis is observational. It focuses on patterns in the published enforcement record, in institutional behaviour, and in how frameworks have developed since entry into force.

Coverage
  • Enforcement practice: how administrative proceedings develop and what shapes their trajectory
  • Institutional analysis: authority differences, capacity, sector focus, and enforcement history
  • Structural implications: how early design decisions carry regulatory consequences
  • Frameworks in scope: data protection, digital services, AI regulation, crypto-asset markets, platform reporting
What this is not

This platform does not provide legal advice. Nothing here should be read as guidance on a specific legal situation. It is not a substitute for qualified legal counsel.

Sources

Analysis draws on published enforcement records, EDPB opinions, court decisions, and regulatory documentation. Where observations are based on less formal sources, that is noted.

Contact

[email protected]

·GDPR

EU data protection enforcement: how it actually works

The GDPR is discussed primarily as a legal framework. The enforcement picture looks different. Resource constraints, institutional variation, and informal prioritization shape outcomes in ways the regulation does not describe.

Resource constraints and prioritization

EU data protection authorities operate under significant and well-documented resource constraints. Complaint volumes have grown substantially since 2018; budgets and staffing have not kept pace. The practical result is informal prioritization that shapes how cases develop across the system.

noyb has documented that over 85% of its filed cases remain undecided, more than half waiting longer than eighteen months. Complainants frequently wait three months or more for an initial response that does little more than confirm receipt. These are not individual delays — they reflect the structural condition of the system.

Cases that attract enforcement attention tend to share recognisable characteristics: high public visibility, media or NGO involvement, or a factual record that is administratively straightforward to act on.

Remediation and case closure

When a company addresses the specific practice at issue in a complaint, authorities will in many cases close the matter without a financial penalty. This follows from the logic of complaint-based enforcement: the basis for action is an ongoing violation, and remediation removes that basis. It is a common pattern in the published record, worth understanding accurately.

Individual cases and systemic patterns

The complaint-based model processes individual cases. It does not address patterns systemically. When the same issue affects many people, each typically files separately. Authorities do not generally aggregate individual complaints into systemic actions unless there is a specific external trigger: NGO involvement, a formal inquiry, or political attention.

Meta’s handling of deletion requests at the Hamburg authority is a documented example. Each complainant filed separately, and the authority addressed cases on that basis. The pattern was visible; the response remained individual. This reflects how the system is structured.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·GDPR

The one-stop-shop mechanism: what it means in practice

EU establishment determines lead supervisory authority. The regulatory consequences of that decision are significant and are often not fully understood when the decision is made.

How the mechanism works

Under the GDPR’s one-stop-shop mechanism, companies with EU establishments are supervised primarily by the authority in the country of their main establishment — typically where the EU headquarters is located, or where processing decisions are made. For cross-border cases, this lead authority coordinates with concerned authorities in other member states.

The regulatory authority a company faces for cross-border matters is determined by a structural decision — where to incorporate or locate EU operations — that is almost always made on commercial grounds, without reference to its regulatory implications. That gap is where most jurisdictional exposure originates.

The Irish DPC became lead authority for most major global technology companies not by design, but because those companies chose Dublin for commercial reasons. The regulatory consequence was incidental to the decision.

Authority differences

The DPC, BayLDA, CNIL, and other major authorities operate with different cultures, capacities, and sector expertise. Processing timelines, documentation expectations, and the intensity of scrutiny in specific sectors vary considerably across jurisdictions. These differences are observable in published enforcement records.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·GDPR

How complaints are processed: the administrative reality

Over 85% of filed cases remain undecided for months or years. What GDPR complaints look like as administrative processes differs substantially from what the regulation describes.

From filing to response

A complaint enters a queue. The initial response — acknowledging receipt and assigning a case number — can take three months or more. What follows depends on the authority’s capacity, the nature of the case, and whether the matter has characteristics associated with prioritization: public visibility, NGO involvement, or a factually clear record.

For most complaints, the process is slow and communicates little. The formal timeline implied by the regulation is not the administrative reality.

The GDPR’s one-month response deadline applies to data controllers handling subject access requests — not to authorities processing complaints. No equivalent deadline governs complaint resolution.

What affects pace

Cases with clear factual records move faster. Cases where the data controller responds early and completely tend to develop more predictably. Cases with public or political salience are handled differently from routine individual complaints. These patterns are consistent across the published record.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·GDPR

Penalty decisions: what the published record shows

The factors visible in cases resulting in significant fines, and how they differ from cases that close without penalty. Drawn from the published enforcement record.

The formal criteria

GDPR Article 83 lists the factors authorities consider when determining whether to impose a fine and at what level: the nature, gravity, and duration of the infringement; whether it was intentional or negligent; the degree of cooperation; and how the authority became aware of it. In practice, these criteria interact with institutional capacity and caseload dynamics.

Cases resulting in significant penalties tend to involve systematic rather than isolated failures, a large number of affected people, high public salience, or limited engagement from the company during the proceeding.

Timing appears consistently in the enforcement record. Cases where a problem was identified and addressed before a complaint was filed have a different trajectory than those where the response came under regulatory pressure.

Cooperation as a formal factor

Cooperation is one of the Article 83 criteria, and it is reflected in published outcomes. This is not specific to data protection — it is a feature of how discretionary administrative processes work. Case handlers weigh what they are given and when they receive it.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·DSA

The DSA’s enforcement architecture: what the Commission actually does

The Digital Services Act introduced direct EU-level enforcement for very large online platforms. For operators below that threshold, the enforcement picture is different and receives less attention.

A two-tier structure

The DSA separates enforcement by scale. Very large online platforms (VLOPs) and very large online search engines (VLOSEs) — defined by reaching 45 million EU users monthly — are subject to direct enforcement by the European Commission. All other platforms are supervised by national Digital Services Coordinators, newly established bodies with varying capacity across member states.

The Commission has dedicated enforcement resources and political mandate for VLOP cases. For a platform below that threshold, the relevant authority is the DSC of its member state of establishment — and DSC capacity, experience, and priorities vary considerably.

Being below the VLOP threshold does not mean being outside the DSA’s scope. It means being supervised by a different authority, at a different stage of institutional development.

Early enforcement patterns

The Commission’s early DSA enforcement focused on recommender systems, advertising transparency, and the handling of illegal content — often timed around visible public events. Enforcement was framed as market signalling, not just individual remedy. This dynamic means the first years of enforcement are concentrated on high-profile situations. Operators at lower public visibility, in specialised sectors, or with B2B structures face a different enforcement landscape.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·DMA

Gatekeeper designation: thresholds, obligations, and what remains open

The Digital Markets Act targets a deliberately small set of platforms. How designation works in practice — and what the regulation leaves unresolved — matters for companies approaching the thresholds.

How designation works

Gatekeeper status follows from either quantitative thresholds (annual turnover and user numbers) or the Commission’s own assessment that a platform holds entrenched and durable market power. The Commission has sole jurisdiction over this process. Once designated, companies face obligations covering interoperability, data access, self-preferencing, and transparency. Non-compliance carries fines of up to 10% of global turnover; repeated violations can trigger structural remedies including divestiture.

The DMA’s thresholds were designed around a specific set of platforms. But the regulation applies to core platform services, not to named companies. How the Commission interprets the thresholds as new services scale is still being established.

What the DMA leaves unaddressed

The regulation does not address platform power below the gatekeeper threshold. Companies competing with designated gatekeepers but not themselves designated operate in an environment where their competitors carry obligations they do not. That structural asymmetry is built into the regulation’s scope.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·AI Act

Risk classification under the AI Act: what the categories mean in practice

The AI Act’s four-tier risk structure is clearly defined on paper. How national market surveillance authorities will apply it in the first years of enforcement is a different and still open question.

The classification structure

The AI Act places systems into four categories: unacceptable risk (prohibited), high risk (conformity requirements), limited risk (transparency obligations), and minimal risk (no specific obligations). The prohibited and high-risk categories are defined by Annexes specifying the use cases and sectors that trigger each classification.

Many real systems do not map neatly onto these categories. A system performing multiple functions may fall into different risk classes depending on deployment context. The provider-deployer distinction adds further complexity when systems are adapted after sale.

The AI Act’s risk tiers are defined primarily by use, not by technical capability. The same underlying model can produce different regulatory classifications depending on how and where it is deployed.

Market surveillance in practice

National enforcement is assigned to market surveillance authorities that already hold mandates in product safety, financial services, or sectoral regulation. Assessing AI systems within their sectors requires technical and regulatory capacity that is still being developed across member states. Early enforcement decisions will show how the classification thresholds are interpreted in practice, and that interpretation will vary.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·AI Act

Provider and deployer: how the AI Act allocates obligations

Who carries compliance obligations under the AI Act depends on how a system is placed on the market and used. The provider-deployer distinction has structural implications that are not always visible in a straightforward reading of the text.

The distinction

A provider is the entity that develops an AI system and places it on the market. A deployer is the entity that uses it under its own authority. Providers carry the primary obligations for high-risk systems: conformity assessment, technical documentation, and registration. Deployers carry a narrower set: using systems according to providers’ instructions, maintaining human oversight, and conducting data protection assessments where required.

When a deployer substantially modifies a high-risk system, the AI Act treats them as a provider for that version, and the full set of provider obligations applies.

“Substantial modification” is a threshold with meaningful compliance consequences. Current guidance leaves ambiguity, particularly for entities that fine-tune or adapt foundation models for specific applications.

Multi-party configurations

Many AI deployments involve chains of entities: foundation model developers, API providers, system integrators, and end deployers. The AI Act distributes obligations across these chains, but how responsibility is allocated in complex configurations will be clarified primarily through early guidance and enforcement decisions.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·MiCA

MiCA authorization in practice: what national authorities are actually doing

Markets in Crypto-Assets Regulation created a unified EU licensing framework for crypto-asset service providers. The gap between the legal text and how competent authorities are implementing it is already visible.

The authorization landscape

MiCA requires crypto-asset service providers to obtain authorization from a national competent authority in their member state of establishment. That authorization enables passporting across the EU. National competent authorities vary in processing capacity, familiarity with crypto business models, and how they interpret MiCA’s requirements. Early applications have surfaced meaningful differences in what authorities ask for and how long reviews take.

The choice of member state for authorization is not purely administrative. It determines which authority reviews the application and how the requirements are interpreted in practice.

Classification questions

MiCA’s three-category classification — asset-referenced tokens, e-money tokens, and other crypto-assets — does not resolve all cases. Projects with novel structures or evolving utility face genuine uncertainty about which category applies. Some authorities have been willing to engage on classification before a formal filing; others have not.

Transition arrangements

MiCA’s transitional provisions allow existing operators to continue under national regimes for a defined period. How member states have structured these arrangements varies. The practical implications depend on the specific national framework previously in place and how the transition has been implemented domestically.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·DAC7

DAC7: what platform operators need to understand about reporting obligations

EU platforms must collect and report seller income data to tax authorities. What triggers reporting, what is excluded, and how the data flows downstream are not all obvious from the regulation itself.

What the framework requires

DAC7 requires platform operators — defined broadly to cover digital marketplaces, short-term rental platforms, freelance platforms, and transport services — to collect due diligence information from sellers and report their activity annually to the relevant EU tax authority. The data is then exchanged automatically between member states.

Reporting applies to “reportable sellers.” Exempt categories include publicly listed companies, government entities, and sellers with fewer than 30 transactions and below €2,000 in annual platform earnings.

DAC7’s definition of platform operator is broad enough to capture services that do not describe themselves as marketplaces. The relevant question is whether the platform facilitates transactions for which sellers receive consideration.

How the data is used

The automatic exchange mechanism makes data reported in one member state available to tax authorities across the EU. Early indications suggest authorities are using the data for income cross-referencing and audit selection. The framework was designed to produce audit intelligence, not just compliance records.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
·DMCA

DMCA takedown notices: how the mechanism is used, misused, and contested

Designed for copyright enforcement, the notice-and-takedown mechanism operates differently in practice. The incentive structure built into it explains much of what is observed.

The mechanism and its incentive structure

DMCA Section 512 provides a safe harbor for platforms that respond promptly to takedown notices from rights holders. To maintain the safe harbor, platforms must remove allegedly infringing content quickly, without adjudicating whether the claim is valid. Contesting a wrongful removal falls to the content creator, through a counter-notice process that carries its own legal exposure.

The asymmetry is well-documented. Sending a notice is low-cost; the counter-notice process is slower and more costly for the party seeking restoration. The result is substantial over-removal, and a mechanism routinely used beyond copyright enforcement: suppressing competitive content, removing criticism, taking down documentation of alleged wrongdoing.

The DMCA applies to US-hosted content and US service providers. Its procedural logic has nonetheless shaped content moderation practice more broadly, including in jurisdictions where it has no formal application.

The EU framework

Article 17 of the EU Copyright Directive, implemented variably across member states, has a different structure and different safe harbor conditions. Platforms operating in both jurisdictions navigate two distinct regimes. The practical differences in how removal and reinstatement function under each are significant for rights holders and creators working across borders.

Regulatory Reality · 2026 · Observational analysis. Not legal advice.
Stay informed

New analysis when there is something worth adding.

Your subscription could not be saved. Please try again.
Your subscription was successful.
No tracking. Unsubscribe at any time.