A Look Ahead at EU Digital Regulation: Oversight Structures in the Member States
Published by Interface
June 19, 2024
Author’s note: This short analysis was inspired by current German political debates on a digital agency. It draws on previous SNV/interface work on platform oversight as well as original interviews with experts, to whom I am grateful. I also thank my colleagues at interface for their feedback, particularly Josefine Bahro. The analysis is preliminary, as EU digital regulation is evolving and governance structures are not yet set across the board.
Introduction
With the 2024 elections to the European Parliament over, policymakers are now looking ahead towards the next mandate of the European Commission. For digital policy, the focus seems to shift towards enforcing recently passed and existing laws, rather than developing new ones (see point 6 in these Council conclusions).
That means that the EU and its member states must now build or adapt governance and oversight structures allowing them to enforce the many EU files that touch upon the digital sphere – be it on data protection, cybersecurity, data sharing, platform regulation or artificial intelligence (AI). Some laws, or parts thereof, can be enforced by existing authorities. For other parts, member states must expand regulators’ remit and build new structures, for instance, regarding the Digital Services Act (DSA) or the Artificial Intelligence Act (AIA). The Commission as well as several EU agencies will also receive additional tasks.
There have been repeated calls and proposals for a national digital regulator or digital agency in various forms, for instance, in Germany. Such ideas often put forward the argument that the enforcement of the many laws related to the digital sphere and data economy should be streamlined (I myself have argued, with a limited view to platform regulation, for a strong regulator that could become independent in the long term, also referencing the numerous EU digital laws). Additional arguments often center around building specialized expertise in one place instead of spreading it thin across multiple agencies, enabling better and faster communication between officials, establishing a single point of contact for consumers and businesses and, generally, allowing for a more up-to-date regulatory structure that acknowledges the importance and size of the data economy. Counterpoints are the costs of setting up a new agency, the risk of duplicating structures and a higher need for coordination between regulators.
As of now, a dedicated regulator for all things digital is missing in the EU member states. But is such a specialized agency even feasible or desirable for member states? Do the EU digital files really overlap so much that a digital regulator makes sense or is even inevitable?
The table in section 2 provides an overview of some EU digital regulations, with a particular view to their respective national governance structures. A preliminary analysis shows that there are indeed overlaps that might support arguments for a digital agency. Yet, proponents of a sectoral approach will likely also find arguments for their case. This confirms that the decision to build a digital agency is ultimately a political one and not solely a technical and legal one. Section 3 picks up this discussion with an analysis of potential overlaps. A case study from Germany then highlights a current political debate on whether and how to build a national digital agency (section 4).
Selected EU digital files and their governance structures
The following table shows a selection of various EU legal files covering issues such as data protection, artificial intelligence, cybersecurity and online platforms. Most of the files have become laws, some are still under discussion. The respective status is indicated in the table. The main part of the table is an overview of the oversight structure for each file, highlighting who is responsible for this at the EU level and in the member states. Further information includes whether the laws foresee requirements for national regulators (for instance, regarding their independence), have complaint mechanisms for consumers, set up EU-wide regulator networks and allow involvement of civil society in their enforcement. Next to each piece of information, the respective sources are listed. As one case study example, the national oversight structure for each file in Germany is presented.
What does EU digital regulation cover and what does it demand of national regulators?
From the table in section 2, three major tasks as well as some requirements for regulators can be identified that cut across all topics (and are likely not only valid for digital regulation).
First, regulators’ obvious core task is oversight and enforcement. They need to check whether companies and others addressed by the law fulfill the rules and sanction any violations. This concerns either regulators at the EU level (for instance, for the Digital Markets Act (DMA)) or at the national level (for instance, for the European Media Freedom Act (EMFA)) or both (for example, for the DSA). The table shows, however, that some companies fall under multiple EU digital rulebooks, which are enforced by different regulators. For example, some digital services are simultaneously covered by the DSA, the EMFA, the Regulation on Transparency in Political Advertising and the Terrorist Online Content Regulation.
The enforcement of EU digital laws has so far almost always been carried out by existing authorities. As one counterexample, Spain is setting up a completely new AI regulator. Either existing regulators’ traditional portfolios are being expanded (for example, data protection authorities receive more data protection tasks via the AIA and the Regulation on Transparency in Political Advertising) or an existing authority is being given additional oversight tasks (for example, France’s Arcom or Germany’s Bundesnetzagentur must now take action against online platforms violating the DSA).
A second set of tasks is indirectly related to enforcement. This covers specific functions that support regulators’ oversight and enforcement efforts. For instance, several EU laws stipulate that regulators must set up a central complaints office where people can report possible violations. This can be found in the DSA, the Data Governance Act (DGA), the GDPR and the AIA, among others. Furthermore, different forms of accreditation, assessment or registration processes are included in multiple regulations, such as the DSA, the DGA or the Cyber Resilience Act (CRA). Depending on the topic at hand, such registrations are in place for varying things: trusted flaggers and out-of-court dispute settlement bodies (in the DSA), data intermediaries and data altruism organizations (in the DGA) or conformity assessment bodies (for cybersecurity in the CRA and for AI in the AIA).
Third, many EU laws require coordination, networking and cooperation in joint European bodies. For example, the Digital Services Coordinator must coordinate all national DSA authorities, the Regulation on Transparency in Political Advertising foresees national contact points that must work together, and one data coordinator per member state could be established under the Data Act. Various new EU networks are to be created, most of which will have a single national contact point to represent a member state, such as the European Data Innovation Board or the European Digital Identity Cooperation Group. Notably, some of these networks are tasked with or at least have the option to establish a structured dialogue with civil society groups and other external experts. This is not without precedent in other industries but is still a rather new development prominent in digital files, in particular the DSA and the AIA.
Fourth, EU laws often place demands on adequate resources and expertise at regulators. This is meant to ensure that the authorities have the necessary infrastructure and personnel to pursue their tasks. Many EU laws require independent authorities for implementation. A few even call for “complete independence”, which in Germany, for example, has led to some restructuring of the respective authorities in the case of the GDPR and the DSA to comply with this requirement (the federal data protection authority has become a supreme federal authority, while the DSC at the Federal Network Agency is being set up as an independent unit, respectively). Furthermore, sufficient technical and financial resources as well as personnel are explicitly mentioned, for instance, in the DSA and the AIA.
An all-in-one digital agency is not feasible – at least not for oversight tasks
So far, the tasks and requirements described above were mostly considered individually for each “sector” or topic. Cybersecurity agencies dealt with their oversight and accreditation tasks and developed networks and expertise. The same was happening for data protection agencies. While the analysis of the table in section 2 shows that there are fundamental similarities in how EU digital oversight structures are set up, it is also clear that these sectoral approaches are nonetheless a defining feature of EU digital policies.
More specifically, it can be seen that a national “one-stop shop”, that is, a single independent body responsible for comprehensive digital oversight, is hardly feasible. EU digital policies encompass too many different areas, each with established national regulatory structures, which make it unrealistic to consolidate all competencies into one authority in the short term. Establishing a single enforcement authority would require radical changes in each member state, by stripping regulators of some of their powers and consolidating them in one place. Such radical changes are certainly possible and worthy of discussion, but it does not seem as if the political will and the financial resources to do this are available at the moment.
Nonetheless, opportunities for partial consolidations of some of the tasks and requirements discussed above do become visible:
1. Many of the new oversight tasks that cannot be clearly assigned to existing portfolios could be bundled in one place to build up expertise and ensure a smooth exchange of information and experiences. In current discussions (like in Germany; see section 4), this mostly concerns the DSA, DGA, AIA, Data Act and the Regulation on Transparency of Political Advertising, even though this is at times only implicitly asserted. As a specific example, the DSC could receive oversight (and coordination) tasks for online intermediaries not just from the DSA but also from the transparency rules on political advertising. Yet, even if some oversight tasks are bundled together at one agency, this agency would likely stand alongside various other regulators in charge of other sectors of the digital economy.
2. For tasks such as accreditation and complaint mechanisms, it could be examined whether such processes are similar enough regarding their legal and technical requirements that they could be handled by one entity (or different units of one entity). If this were successful, various registration processes could be handled in one place. A central complaints office could be established there, too.
3. As far as coordination and communication within the member state and with the EU level is concerned, a digital agency would presumably house some of the required single points of contact. A digital agency could also be the hub for civil society groups and other stakeholders that have practical experience or expertise to share with regulators.
4. Regarding requirements for adequate resources and expertise, the table in section 2 reveals that some regulators might need similar knowledge (for instance, on online platforms) and technical infrastructures such as data science units. This might be an argument to build up such infrastructure and know-how at a digital agency as opposed to many different digital regulators. Yet, the table also shows that EU digital files address different topics which still require specific sectoral knowledge.
A single centralized digital agency does not seem feasible. Even consolidating all the topics mentioned above in one place is a tall task. Yet, considerations of a digital agency could also revolve around just one of the issues at a time: Could a digital agency be in charge of just the accreditation tasks, if there are enough similarities? Could a digital agency only mean centralizing particular technical infrastructure and knowledge?
Focus not only on an institution for oversight but on the way oversight works
Any considerations on digital oversight and a digital agency in the member states will not only be driven by the number of types of EU digital files, which are at the center of this analysis. There are other factors as well. Whether or not a country opts to build a digital agency will depend on its specific circumstances. This includes factors such as the historical setup of its regulatory regime for digital topics, financial and legal questions and, crucially, political will.
Regardless of whether there is a digital agency or not, the key requirements for successful, efficient oversight and enforcement in the public interest remain the same: Member states need to build structures that allow exchange across policy fields and foster a collaborative approach that is open to external expertise, including from civil society groups, find and retain highly qualified people from various academic and practical backgrounds and provide enough money to enforce digital regulation. This shows that beyond the limited view on EU digital files presented here, the question of a digital agency is tied to larger questions on improving modern public administrative structures.
Such administrative and oversight structures should benefit people, with the focus not only being on companies. The stated goal of various digital files, including the DSA and the AIA, is the improvement of the single market. This cannot and should not be read to mean only corporate market participants. Consumer protection, data protection and, more generally, fundamental rights protection are nonetheless key parts of these EU laws. In addition to broader fundamental rights protection in digital files, some laws such as the GDPR, the DSA, the DGA, the Data Act or the AIA contain the right for consumers to file complaints with regulators. Building lean and well-functioning complaint mechanisms is at least as important as building lean and well-functioning access points for companies to get in touch with regulators. With examples like this in mind, governance structures should not be built only with start-ups, big tech companies and other corporate entities in mind but should center consumers’ rights and access to information and remedies.
The German case: Political debates on a potential digital agency
In April and May 2024, German political decision-makers published opinion pieces in a German tech policy publication proposing a digital agency. A business association representative also responded (see sources in section 5). At the time, the national oversight structure for the DSA was just being finalized and political discussions about implementing the AIA had picked up steam. The ideas for a digital agency were explicitly put into the context of the adoption of these and other EU laws and the need to find fitting oversight structures for them in Germany.
The idea of a German digital agency (“Digitalagentur”) is not new, as there have been various proposals before. As of now, the term has many different meanings. There is no uniform, clear understanding of which tasks a digital agency should take on and for which companies or areas it should be responsible, as the following examples show:
- What is referred to as a digital agency at the German state level is not a regulator but usually a state-owned company that advises businesses and the government on digitalization issues (see the website of their Germany-wide network).
- In the healthcare sector, a digital agency is planned whose main task is to provide digital infrastructures and applications (see the draft law). Oversight tasks, meanwhile, are not a priority.
- If digital agencies were understood to mean regulators working on digitization and digital policy, the table in section 2 shows that many authorities could (and do) call themselves that. They could point out that almost all supervised sectors have to do with digitalization and that tasks related to tech companies, the data economy or digital infrastructure have therefore become part of their work. This applies to the data protection officers, the Federal Cartel Office, the state media authorities and the Federal Network Agency (“Bundesnetzagentur”, BNetzA), among others.
- An earlier idea for a digital agency at the federal level was discussed in a paper from the Federal Ministry of Economic Affairs. It envisaged the agency as a mix between a regulator and a think tank: It would enforce laws as well as conduct research, advise stakeholders and engage in public education. In the 2017 paper, there was no narrowly defined portfolio of oversight topics the digital agency was supposed to have.
- A discussion paper by the Center for European Economic Research spelled out the idea of the Ministry of Economic Affairs in more detail. Here, too, a mix of regulator and research institution was envisaged, with regulatory tasks taking a lower priority.
- In addition, there are now the current ideas from politicians and business representatives, which build on earlier ideas. The already familiar cross between oversight and coordination tasks remains, albeit in varying proportions.
The current proposals name-drop a total of six different EU laws, bills or consultations related to digital policy. Without specifying which tasks from which law are supposed to be handled by a digital agency, one overarching point of consensus is that some EU laws’ enforcement efforts should be coordinated or consolidated. For that, the lawmakers – each in a slightly different way – propose a digital agency. In contrast to that, today’s German enforcement of EU digital laws is handled by a multitude of authorities at the state and federal levels and coordination is piecemeal.
As the table in section 2 shows, the tasks spelled out for national regulators in EU digital laws are mainly divided between the data protection authorities, the BNetzA and the Federal Office for Information Security (BSI). Other competent authorities include the state media authorities, the Federal Cartel Office (BKartA) and the Federal Financial Supervisory Authority (BaFin), while in some cases only courts are in charge of enforcement (see table in section 2). Regulatory cooperation on digital topics at the federal level was recently somewhat formalized with the founding of the “Digital Cluster” in the city of Bonn. The six federal regulators which are part of this informal group want to cooperate on “all aspects of digitization”. Among them, the BNetzA stands out. Whether this was planned long in advance or not, the BNetzA has in recent years been given several key tasks from EU digital laws that could not be clearly assigned to existing sectoral regulators (for example, from the Terrorist Content Online Regulation, the Platform-to-Business Regulation and the DSA). It is also being considered as a competent authority for the AIA and the DGA, along with the DSC’s role regarding online political advertising transparency.
The political and business experts currently putting forth ideas for a digital agency are well aware of both the sectoral and federal division of labor as well as the BNetzA’s growing portfolio. They all acknowledge this approach and some mention the BNetzA as a potential incubator for a digital agency. With this in mind, the current proposals do not suggest an entirely new oversight agency with wide-ranging enforcement powers. Some authors do mention the possibility of centralizing competencies in one place. Yet, the emphasis is clearly on a digital agency as a coordinating and expertise-gathering hub that serves as a contact point for businesses and maybe also consumers (Rößner views the agency as “consolidating communication, not competencies”, Funke-Kaiser says it “works as a consultant and coordinator”, Zorn et al. see its focus on “coordinating efforts” and Holzgraefe describes it as a “service provider, consultancy and competence hub”).
Set up this way, a digital agency might guide companies through Germany’s digital oversight landscape, without them having to knock on various regulators’ doors with their questions. It might collect expertise and technical know-how in one place that could be useful for various regulators’ enforcement efforts. It might serve as a framework for better communication among sectoral regulators. Establishing such a system would be a huge lift in and of itself but seems more realistic than pooling competencies from existing regulators, potentially including both state and federal agencies. It reflects the acknowledgement of the wide-ranging types of EU digital files that cut across different policy fields (see section 3). It also acknowledges recent German precedent in failing to centralize enforcement capabilities (and not just coordinating tasks): The discussions about the German DSC were bogged down precisely because regulators unsurprisingly and mostly for good reason pushed to maintain their sectoral competencies as far as possible, with various federal and state agencies claiming a role in DSA enforcement. This continued approach of shared competencies seems to work well so far, which is promising. Yet, it is the opposite of a radical consolidation of oversight powers.
Considering the breadth of EU digital law and the recent experience with the DSA in Germany, an honest debate about a digital agency requires a much clearer delineation between long-term and short-term goals. The political proposals for a digital agency can help with this debate, as they are largely well-informed and nuanced, if early, ideas about how oversight of platforms, AI and other digital services could work in the future. Yet, in addition to this welcome planning for the future, there is also the need to critically examine and improve the digital regulatory landscape that is currently in existence – regardless of whether there will ever be a digital agency of any kind or not. This is particularly pertinent because DSA enforcement is already under way and the oversight structure for the AIA needs to be in place within a year, which the authors acknowledge. Against the backdrop of this current situation, several questions on German digital oversight arise. For instance, it is necessary to reflect on the BNetzA’s current and future role more deeply. What needs to be taken heed of when an already large regulator continues to grow? What would be the advantages and disadvantages of spinning off certain units? Also, how can a clear division of labor and good cooperation between authorities be achieved and is the Digital Cluster a suitable approach for this? Which specific aspects of which EU laws are part of any consolidation debate?
Moreover, many of the ideas put forth for a digital agency could be adapted to the present situation already. That is not to say the debate about a digital agency is moot, just that some proposals touch upon the way a regulator works rather than only on its institutional design (see section 3). For instance, the digital agency is, again, not primarily described as a regulator but as a coordination hub. As such, it is taken to have structured formats for exchange with different groups of stakeholders, be open towards knowledge and experiences from other regulators as well as non-regulators and generally see itself as a node for a community of practice. Elements of such approaches are important no matter whether there is a digital agency or not. Such approaches are already in place or under development at some regulators, and these efforts need more support. If they are not, regulators should be allowed and encouraged to try them.
Sources and further reading
Overviews/analyses of EU digital regulation and EU governance structures:
- Kai Zenner, J. Scott Marcus and Kamil Sekut, A dataset on EU legislation for the digital world, June 6, 2024
- Piltz Legal, Important Current EU Digital Legislation, 2024
Opinion pieces on a German digital agency (the first three coming from members of parliament, the last one from a business association):
- Armand Zorn, Parsa Marvi and Carmen Wegge, Agil, klar, zukunftsfest: Plädoyer für eine Digitalagentur, Tagesspiegel Background Digitalisierung & KI, March 18, 2024
- Maximilian Funke-Kaiser, Eine Digitalagentur als One-Stop-Shop, Tagesspiegel Background Digitalisierung & KI, April 2, 2024
- Tabea Rößner, Eine Digitalagentur ja, aber wie?, Tagesspiegel Background Digitalisierung & KI, April 26, 2024
- Moritz Holzgraefe, Digitalagentur gerne – aber bitte richtig!, Tagesspiegel Background Digitalisierung & KI, May 2, 2024
Selected ideas for digital agencies in Germany:
- Bundesministerium für Wirtschaft und Energie, Weißbuch Digitale Plattformen: Digitale Ordnungspolitik für Wachstum, Innovation, Wettbewerb und Teilhabe, March 20, 2017
- Thomas Fetzer, Bausteine für einen sektorenübergreifenden institutionellen Ordnungsrahmen für die Digitale Wirtschaft (Discussion Paper No. 18-026) (Mannheim: Leibniz-Zentrum für Europäische Wirtschaftsforschung, December 2017)
- Christoph Bieber, Leonhard Dobusch and Jörg Müller-Lietzkow, Die Internetintendanz, Medienkorrespondenz, April 28, 2019
Selected ideas for digital agencies in the US:
- Harold Feld, The Case for the Digital Platform Act: Market Structure and Regulation of Digital Platforms (Washington, DC: Public Knowledge, May 2019)
- Fiona Scott Morton et al., Stigler Committee on Digital Platforms. Final Report (Chicago, IL: George J. Stigler Center for the Study of the Economy and the State at the University of Chicago Booth School of Business, 2019)
- Tom Wheeler, Phil Verveer and Gene Kimmelman, New Digital Realities, New Oversight Solutions in the U.S.: The Case for a Digital Platform Agency and a New Approach to Regulatory Oversight (Cambridge, MA: Harvard University, August 2020)
- Paul M. Barrett, Regulating Social Media: The Fight Over Section 230 - and Beyond (New York, NY: NYU Stern Center for Business and Human Rights, September 2020)
Author
Dr. Julian Jaursch
Lead Platform Regulation