Delegated Powers, Political Choices: How EU Risk-Based Regulation Can Go Too Far
—Andrea Palumbo, Centre for IT and IP Law (CiTiP), KU Leuven[*]
The next frontier of risk management: systemic risks in the Digital Services Act and the AI Act
In the last decade, EU legislation has experienced a shift to risk-based regulation as the paradigm to regulate digital technologies. Since the discussions on the data protection reform package that preceded the General Data Protection Regulation (GDPR), the risk-based approach has been valued to impose scalable and proportionate obligations on regulated entities. With different manifestations, the risk-based approach is a common thread that links different pieces of legislation.
Following the entry into force of the Digital Services Act (DSA) and the Artificial Intelligence (AI) Act, however, the risk-based approach has reached new heights and has found a new role that is unprecedented for EU law. Both Acts have introduced the notion of systemic risk, which has made its first appearance in the area of digital law. Systemic risks are defined as those arising for a variety of protected public and private interests, ranging from civic discourse to electoral processes, public health and ‘society as a whole’. Systemic risks are only posed by AI models, online platforms and search engines that, due to their computational power, reach and other factors, create large-scale and systemic societal effects. The providers of these categories of services and products are subject to ad hoc due diligence requirements laid down in the DSA and the AI Act. Among these is the obligation to assess and mitigate systemic risks.
The specific risk-based approach enacted with the DSA and the AI Act challenges key principles and values of the EU constitutional framework, due to the types of normative choices attributed to the actors responsible for systemic risk management, which can be political in nature. Therefore, the question is: how does one distinguish between political and non-political choices under EU constitutional law? In other words, which normative choices should not be taken by systemic risk managers because they should be reserved to the deliberative function of the EU legislature?
What choices are made by systemic risk managers?
Despite covering different services and products, systemic risk management regimes under the DSA and the AI Act share important common features. These features include the objective to protect not only fundamental rights but also public interests of significant political relevance, such as civic discourse and public security, and the attribution of direct supervisory and enforcement powers to the European Commission.
These features raise the same concerns about the decisions that regulated entities are entrusted with, and the role of the European Commission as EU-wide supervisor and enforcer. The reason why these regimes pose new, unique questions is that they require taking normative choices that are also political in nature. They go to the core of political questions in the areas of platform and AI regulation, and thus raise concerns about legitimacy and democratic decision-making.
Regulated entities and the European Commission act together as systemic risk managers. Systemic risk managers are required to interpret politically contested and legally undefined values explicitly mentioned in the legislative text, such as civic discourse, public security and public health, as well as others that they may identify as relevant, for instance sustainability. The absence of a definition of such protected public values, combined with the lack of guidance for systematic interpretation in other provisions (civic discourse is for instance not defined anywhere in EU law), effectively leaves systemic risk managers with the very wide discretion to flesh out the meaning to be given to these concepts. Besides the interpretation of public values, systemic risk managers may also need to decide on how they should be balanced against other protected interests, such as fundamental rights. To decide when an interference with a fundamental right is justified to protect a public interest is a key constitutional determination that also entails politically-relevant choices.
Democracy in legal terms: what is political discretion in EU law?
The CJEU has indicated, in multiple judgments, which elements are covered by political discretion reserved to the EU legislature. These judgments relate to the so-called Meroni doctrine [1, 2] on the limits to the transfer of responsibilities by the EU legislature to private or public bodies, and to the interpretation of Article 290 of the Treaty on the Functioning of the European Union (TFEU). Article 290 TFEU sets the limits as to which elements of legislative acts can be changed or integrated by acts of the European Commission.
The analysis of this case-law reveals that there are criteria to identify which choices are ‘political’, and therefore cannot be delegated by the EU legislature to other bodies, whether they are private or public. Among others, relevant choices that should be reserved to the EU legislature include the balancing of different interests in settling controversial problems [3, 5] to give concretisation to key elements of the objectives pursued under the Treaties [4], as well as laying down the basis for serious interferences with fundamental rights [5, 6]. For instance, discretion should be reserved to the EU legislature to decide which powers coast guards should have to restrict the liberty of persons that are intercepted at sea.
Therefore, under EU constitutional law, the EU legislature should only delegate clearly defined powers to other institutions and bodies, while the latter moreover cannot exercise wide discretion on central elements of a policy area, decide on controversial problems where opinions and approaches diverge, and make major determinations on the protection of constitutional values. This is all that systemic risk management seems to be about. The discretion in interpreting politically contested values such as civic discourse is very wide and requires regulated entities and the European Commission to address policy questions for which there can be different approaches. Moreover, systemic risk mitigation may be the avenue where major decisions on the imposition of restrictions to fundamental rights are taken.
Conclusions
The nature of the responsibilities attributed to systemic risk managers raises concerns about the constitutional soundness of the regulatory model embodied in the new DSA and AI Act. In particular, it risks infringing core principles of EU primary law by attributing political discretion to actors outside of the EU legislature. More broadly, it may undermine the rule of law in the implementation of EU digital regulation in several ways. First, the absence of objective criteria for systemic risk management increases the risk of arbitrary decision-making. Second, it impinges upon the separation of powers between the EU legislature and the EU executive, as the European Commission can intervene in the making of political choices. Third, the blurring of the divide between public regulation and private ordering may also impair transparency and accountability of public action, as public policies are pursued using private infrastructure. Actions are taken by private actors but are the result of legal obligations and regulatory expectations [7].
Suggested citation: Andrea Palumbo, Delegated Powers, Political Choices: How EU Risk-Based Regulation Can Go Too Far, Int’l J. Const. L. Blog, Aug. 13, 2025, at: http://www.iconnectblog.com/delegated-powers-political-choices-how-eu-risk-based-regulation-can-go-too-far/
[*] This post draws on a full-length article presently under peer review. It presents selected arguments in a simplified form for a general audience.
[1] Case 9/56 Meroni v High Authority [1958] ECR 133
[2] Case C-270/12 UK v Council and Parliament [2014] ECLI:EU:C:2014:18
[3] Case T‑781/22 Madre Querida, SL v European Commission [2025] ECLI:EU:T:2025:591
[4] Case C‑44/16 Dyson Ltd v European Commission [2017] ECLI:EU:C:2017:357
[5] Case C-355/10 European Parliament v Council [2012] ECLI:EU:C:2012:516
[6] Eljalill Tauschinsky, Maarten den Heijer, ‘Where Human Rights Meet Administrative Law: Essential Elements and Limits to Delegation: European Court of Justice, Grand Chamber C-355/10: European Parliament v. Council of the European Union’ (2013) 3(9) European Constitutional Law Review 513
[7] Andrea Palumbo, A Medley of Public and Private Power in DSA Content Moderation for Harmful but Legal Content: An Account of Transparency, Accountability and Redress Challenges, (2024) 15 JIPITEC 246
Comments