As Europe’s Digital Rulebook Expands, Regulators Warn Cooperation Can’t Be Optional
Key Takeaways
- Regulatory Overlap Is Now the Norm: The GDPR, DSA, and DMA increasingly apply to the same issues, forcing regulators and organizations to navigate overlapping obligations rather than isolated frameworks.
- Cooperation Is Becoming a Core Enforcement Tool: EU authorities are prioritizing cross-regulatory coordination to improve consistency, reduce fragmentation, and strengthen enforcement outcomes.
- GDPR and DSA Tensions Are Playing Out in Real Time: Requirements around content moderation, transparency, and data processing are creating practical conflicts that require careful balancing rather than strict separation.
- Inconsistent Enforcement Remains a Key Risk: Diverging interpretations across member states could undermine legal certainty and complicate compliance, particularly for cross-border platforms.
- Deepfakes and Platform Incentives Are Testing the Framework: Regulators are grappling with how to address emerging risks like deepfakes without turning enforcement mechanisms into broad surveillance systems.
Deep Dive
At a Brussels conference this week hosted by the European Data Protection Board, senior officials from across the EU made a clear case that the next phase of enforcement will hinge less on new rules and more on how well authorities work together to apply the ones already in place.
The event, focused on cross-regulatory cooperation, brought together voices from data protection, competition, and platform oversight. But the conversation kept circling back to what happens when the GDPR, the Digital Services Act, and other frameworks all apply to the same problem at once.
Opening the discussion, EDPB Chair Anu Talus laid out the reality regulators are now confronting. The GDPR no longer operates in isolation. It increasingly intersects with newer regimes like the DSA and the Digital Markets Act, often within the same case.
“The digital economy doesn’t operate in a silo system, and neither should we,” she said, framing cooperation not as an aspiration but as a necessity.
Her point was less theoretical than it might sound. A single issue, such as how a platform handles user data tied to harmful content, can trigger questions under data protection law, consumer protection rules, competition frameworks, and platform-specific obligations. Without coordination, enforcement risks becoming fragmented or even contradictory.
Talus emphasized that consistency must anchor this process, repeating the need for “coherence” as a guiding principle for regulators navigating overlapping mandates.
GDPR Meets DSA, and the Friction Becomes Real
That overlap becomes more tangible when regulators get into the details. Mirosław Wróblewski, President of Poland’s Personal Data Protection Office, pointed to the practical challenges that arise when the GDPR and DSA are applied side by side.
Both laws carry equal legal force, he noted, but they are designed to protect different rights. Where they intersect, tensions are not just possible, they are expected.
One example sits at the heart of the DSA itself. Platforms are required to actively identify illegal content. But that obligation can collide with GDPR principles that restrict how personal data is collected and processed.
Wróblewski pushed back on the idea that this creates an impasse. Data processing carried out to meet legal obligations does not always require consent, he said, but platforms still need to avoid sweeping up more data than necessary in the process.
There are also differences in how the two frameworks approach transparency. Efforts tied to digital identity under eIDAS and rules around protecting minors, he suggested, show that it is possible to reconcile competing priorities, protecting users while limiting unnecessary data exposure.
Still, the underlying message was clear. These are not clean lines. They are areas of negotiation that regulators and companies will need to work through in real time.
The Real Risk Isn’t Conflict, It’s Inconsistency
If overlapping rules create friction, inconsistent enforcement risks turning that friction into confusion.
Wróblewski warned that implementing GDPR and DSA obligations differently across member states could lead to diverging interpretations and uneven outcomes, particularly in cases involving cross-border platforms. National authorities, he said, carry a significant burden in building cooperation mechanisms that can keep enforcement aligned.
Others echoed that concern from different angles. Marco Giorello of the European Commission pointed to practical areas where coordination is already being tested, including access to platform data for researchers and collaboration within the European Digital Services Council.
From France’s Arcom, Benoit Loutrel highlighted a structural mismatch between the frameworks themselves. The GDPR applies broadly, while the DSA introduces tiered obligations, especially for very large platforms. That difference, he noted, has already led to situations where platforms invoke GDPR constraints to limit researcher access to data, raising questions about transparency and accountability.
Deepfakes, Incentives, and the Limits of Oversight
Beyond legal mechanics, the discussion also turned to how platforms behave in practice.
Wróblewski pointed to the rise of deepfakes as a growing concern, particularly in the context of election interference, financial scams, and misleading advertising. Platforms, he noted, can end up profiting from the same content regulators are trying to curb.
At the same time, he cautioned against allowing enforcement tools to drift into broad surveillance. Notice-and-action systems under the DSA, he said, cannot become a backdoor for monitoring users at scale.
The balance regulators are trying to strike is a familiar one: ensuring platforms act against harm without undermining fundamental rights. Recent case law from the Court of Justice of the European Union, including the Russmedia decision, reinforces that tension, emphasizing the need to weigh proactive monitoring against data protection safeguards.
What seems to be emerging is a shift in emphasis. Rather than expanding surveillance, regulators are looking for more targeted ways to address specific risks like deepfakes while staying within the boundaries of existing rights frameworks.
Business Still Waiting for Consistency
From the industry side, the message was more blunt. Victoria de Posson of the European Technology Alliance argued that European companies are still operating in an environment where enforcement lacks consistency, making compliance harder than it needs to be.
Her point was that companies should not need to navigate different interpretations of the same rules depending on where they operate. And if Europe wants to stay competitive, that fragmentation has to be addressed.
“Companies need more engineers than lawyers,” she said, capturing the operational strain created by overlapping and sometimes misaligned regulatory expectations.
A System That Now Depends on Coordination
If there was a takeaway from Brussels, it wasn’t that Europe’s regulatory framework is broken. It’s that it has reached a level of complexity where coordination is no longer optional.
The GDPR, DSA, and related laws are not being reconsidered. They are being layered. And as that architecture grows, so does the need for regulators to move in sync.
For organizations, that means compliance can no longer be managed regulation by regulation. The real challenge is understanding how these frameworks interact and where one obligation quietly reshapes another.
For regulators, the task is just as demanding. Not to write more rules, but to make sure the ones already on the books work together in practice.

