Emerging Trends in European Digital Regulation: From Technological Sovereignty to User Autonomy
Trendwatching perspective
Digital regulation is often analysed through individual legal developments: a new investigation, a court judgment, a legislative proposal or an enforcement action. Viewed in isolation, these events may appear unrelated. However, regulatory change rarely occurs as a series of disconnected decisions. More often, it reflects broader shifts in technology, economics, politics and consumer behaviour that gradually reshape regulatory priorities.
This article adopts a trendwatching perspective. By “trend”, the authors do not mean a popular topic or a short-lived regulatory initiative. Rather, a trend is a structural change that manifests itself through multiple signals across different industries, jurisdictions and policy areas. A single signal may be insignificant. A consistent pattern of signals pointing in the same direction may indicate a deeper transformation already underway.
The legal and commercial environment for digital markets in the EU is currently being shaped by a number of such developments. This article focuses on three trends that appear particularly significant over the next 3–5 years. Each trend is illustrated through examples drawn from legislation, enforcement, policy initiatives and market developments. While these examples may seem unrelated at first glance, they are analysed together because they reflect a common underlying shift that is beginning to transform the regulatory and commercial landscape.
Being global in nature, these trends are taking a distinct form in the EU through regulation, enforcement and industrial policy.
Why businesses should track trends
Tracking trends matters because regulatory risks rarely emerge overnight. By the time a legislative proposal is adopted, an investigation is opened or a major enforcement decision is issued, the underlying shift has often been visible for years through a series of weaker signals across different jurisdictions, industries and policy areas.
For businesses, the value of trendwatching lies not in predicting the future but in recognising emerging developments early enough to respond strategically. Early awareness provides additional time to assess dependencies, adapt products and business models, allocate resources, strengthen compliance programmes and anticipate changes in customer and regulatory expectations. In increasingly regulated digital markets, the ability to identify structural change before it becomes mainstream may itself become a source of competitive advantage.
Trend 1: AI localises
A growing global trend is the localisation of artificial intelligence (AI). AI is becoming less universal as governments encourage the development of national language models, introduce data localisation requirements, and establish local standards for algorithm training and deployment. Localisation is no longer merely a technological trend. It reflects a broader shift towards digital sovereignty and cultural autonomy.
This trend matters for businesses because it affects not only compliance obligations, but also market access, technology choices and long-term investment decisions. Requirements that differ across jurisdictions may influence where data can be stored, which AI models can be deployed, and how digital products must be adapted for local markets.
From a regulatory perspective, this development is likely to result in stricter data localisation obligations, restrictions on the use of foreign AI models, enhanced transparency requirements, and increased scrutiny of algorithmic bias and cultural sensitivity.
AI, cloud and strategic autonomy
Europe’s response to this trend is shaped by a particular structural challenge: its dependence on foreign digital infrastructure. According to data cited by the Centre on Regulation in Europe, the EU relies on foreign providers for more than 80% of its digital products, services, infrastructure and intellectual property. Cloud computing provides a striking example: three non-EU hyperscalers reportedly account for over 70% of the European cloud market, whereas the largest European providers, including SAP and Deutsche Telekom, each hold only around 2%.
As AI becomes increasingly reliant on computing power and cloud services, questions of technological sovereignty are becoming closely intertwined with questions of economic competitiveness and security.
Lessons learned
The EU’s response is becoming increasingly systematic. A notable example is the Commission’s use of the Digital Markets Act (DMA) to address dependency in cloud infrastructure. In November 2025, the Commission opened three market investigations on cloud computing services, assessing whether:
The underlying logic is that greater interoperability and lower switching costs could reduce dependence on a small number of dominant providers.
The Commission is also beginning to apply the DMA to AI-related markets. In January 2026, it opened a specification proceeding (DMA.100220) under Article 6(7), DMA on Android interoperability for AI services. Though early-stage, it reflects a lesson from the platform era: intervene before dependencies entrench, not after.
A new framework for tech sovereignty
Another indication that the EU is moving towards AI localisation is the European Technological Sovereignty Package, presented by the Commission on 3 June 2026.
The package consists of four initiatives: two legislative proposals – the Cloud and AI Development Act (CADA) and the Chips Act 2.0; and two policy initiatives – the EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.
At the centre of the package is CADA (COM (2026) 502), which introduces a sovereignty framework for cloud and AI services used by public-sector bodies. The proposal establishes four assurance levels based on factors such as control over infrastructure and supply chains, data processing arrangements, cybersecurity, and exposure to third-country interference. While non-EU providers are not excluded from the framework, the highest assurance level imposes requirements that may be difficult for providers subject to foreign legal regimes to satisfy. The proposal also aims to increase the market share of European cloud and AI computing providers to 30% by 2035 and to significantly expand European data-centre capacity.
The Chips Act 2.0, built on the 2023 Chips Act, strengthens support for Europe’s semiconductor industry through a new Chips Fund, centres of excellence, joint technology projects, and measures to accelerate the development of advanced and AI-related chips.
The remaining pillars are the EU Open Source Strategy, aimed at promoting open-source technologies and interoperable digital ecosystems, and the Strategic Roadmap for Digitalisation and AI in Energy, which supports the deployment of European digital and AI solutions in the energy sector.
Taken together, these developments show that AI localisation is no longer limited to discussions of data governance or model development but is increasingly shaping industrial, infrastructure and innovation policy across the EU.
Data localisation
Data localisation has a specific framework in EU law, particularly through the GDPR rules on international transfers, and AI companies are not treated differently in that respect. However, the processing of European personal data by foreign AI providers is drawing closer regulatory scrutiny. And DeepSeek has become the clearest test case.
On 28 January 2025, Italy’s data protection authority (Garante) sent DeepSeek a formal request for information, asking the company to clarify what personal data they collected, its sources and purposes, the applicable legal bases, whether data was stored in China and what data had been used to train the model. DeepSeek responded within the deadline but argued that it did not operate in Italy and was therefore outside the scope of the GDPR.
The Garante rejected that position: it found that DeepSeek unquestionably offered its services to Italian users, triggering GDPR applicability, including the obligation under Article 27 to appoint an EU representative. It also found that DeepSeek’s own privacy policy confirmed data was stored in China, in breach of the security-of-processing safeguards under Article 32. On 30 January 2025, the Garante imposed a definitive limitation on the processing of Italian users’ data, citing both DeepSeek’s lack of co-operation and the unresolved risk to users’ personal data.
The Italian intervention was not an isolated case. Ireland and Belgium opened their own information requests around the same time. In June 2025, Berlin Commissioner for Data Protection and Freedom of Information later asked Apple and Google to remove the app from German app stores over concerns about data transfers to China, while the Netherlands banned its use on government devices.
Taken together, these actions suggest that cross-border data transfers by AI providers are increasingly assessed not only as a matter of privacy compliance but also through the broader lens of security and technological sovereignty.
For businesses, the practical takeaway of this trend is that infrastructure choices are becoming legal and commercial decisions, not just technical ones. Which cloud provider, which AI model, and where data is processed may increasingly determine market access, procurement eligibility, and regulatory exposure across the EU.
Trend 2: the end of privacy in the digital environment
A growing global trend is the gradual disappearance of privacy in the digital environment. Data collection has reached a scale where preserving privacy in practice is increasingly difficult: individuals are monitored not only by governments and corporations but also by algorithms, connected devices and online communities. Personal data is no longer used solely to personalise services; it increasingly drives pricing strategies, behavioural targeting, recommender systems, political messaging and AI training.
This matters for businesses because regulators are paying closer attention to how data is collected, combined, analysed and used, creating new legal and commercial risk for data-driven business models. The EU’s emerging response does not prohibit personalisation outright. It aims to strengthen transparency and user control so that individuals understand when their data is used, and businesses cannot rely on opacity or information asymmetries.
Reshaping the rules of personalised pricing
Personalised pricing is not a new regulatory concern. The EU already has several legal instruments capable of addressing data-driven pricing practices. Under the GDPR, the use of personal data for pricing purposes must rely on a lawful basis and comply with restrictions on profiling, automated decision-making, and the processing of special category data. Consumer protection law adds a further layer of transparency: Directive (EU) 2019/2161, which amended the Consumer Rights Directive, requires traders to inform consumers when a price has been personalised on the basis of automated decision-making, while the Unfair Commercial Practices Directive separately requires that price information be presented clearly and intelligibly.
Recent enforcement activity illustrates how these rules operate in practice. Following a 2022 study by the Swedish Consumers’ Association, which found that Tinder charged different users different prices with no transparent rationale, the Consumer Protection Cooperation Network opened an investigation co-ordinated by the European Commission and led by the Swedish Consumer Agency and the Netherlands Authority for Consumers and Markets. The investigation examined Tinder’s use of automated personalisation, including pricing variations linked to age and behavioural signals such as prior disinterest in premium features. The investigation concluded in March 2024 with commitments from Tinder: to refrain from age-based pricing without clear advance notice, to disclose when discounts are personalised by automated means, and to explain the factors behind any personalised offer.
The case illustrates the limits of the existing framework as much as its reach. Current rules address disclosure and certain categories of data processing, but they do not resolve the broader concerns associated with personalised pricing: data-driven models may exploit behavioural vulnerabilities, render discriminatory outcomes difficult to detect, and leave consumers unable to understand why they were offered a particular price, even where formal disclosure requirements are met.
These gaps help explain why personalised pricing remains a live issue in the Commission’s preparatory work on the Digital Fairness Act. Options under discussion include giving consumers an explicit right to receive non-personalised pricing and advertising. Given the EU’s role as a global standard-setter on data protection, the approach ultimately adopted is likely to influence how other jurisdictions regulate personalised pricing in digital markets.
Reshaping the rules of personalised advertising
Personalised advertising is another area where EU regulation is moving from formal consent towards more substantive limits on data use.
The DSA restricts certain forms of targeted advertising, including advertising based on the profiling of minors and special categories of personal data.
The DMA goes further for gatekeepers. The Commission’s Meta decision (DMA.100055) in April 2025 is the central example. Meta’s “consent or pay” model required Facebook and Instagram users to either accept personalised advertising or pay a subscription fee: initially EUR9.99/month on desktop and EUR12.99/month on mobile. The Commission found this breached Article 5(2) of the DMA: access to the free service was conditioned on consent to cross-service data combination, with no less-personalised but equivalent alternative on offer. The Commission fined Meta EUR200 million for the non-compliance period of March–November 2024.
Meta has since introduced a free “less personalised ads” option in the EU. Under this model, Meta does not use a user’s broader profile or infer interests based on factors such as work or education. Instead, advertising relies primarily on the content that the user is viewing during the current browsing session.
The decision confirms that the Commission requires that users be offered a real choice regarding personalised advertising, including an alternative that relies on less extensive processing of personal data rather than a simple pay-or-consent model.
Reshaping the rules of personalised services and recommender systems
Regulatory scrutiny is also expanding beyond advertising and pricing into the design of digital services themselves. Recommending systems increasingly influence what users see, how long they remain on a platform and how they interact with digital content.
Under the DSA, online platforms must assess and mitigate systemic risks associated with their services: Article 28, DSA requires platforms accessible to minors to build in safety by design; Articles 34–35 impose systemic risk-assessment duties on VLOPs/VLOSEs (very large online platforms/very large online search engines), including over recommender systems.
In February 2026, the Commission preliminarily found TikTok in breach of the DSA in relation to addictive design, including concerns linked to its highly personalised recommender system. The case shows that personalised recommender systems may raise regulatory concerns where their design increases risks for minors, rather than merely improving user engagement.
There is no blanket prohibition on hyper-personalisation, as its lawfulness depends on its effects on consumers. However, where platform design and personalisation exploit users’ vulnerabilities, and the platform knowingly uses them to gain an advantage, the practice may fall outside lawful and fair commercial conduct.
For businesses, these developments suggest that the boundaries of acceptable data use are narrowing. Personalisation remains lawful, but it is increasingly expected to be transparent, explainable and compatible with user autonomy. As a result, data governance is becoming not only a compliance issue but also a strategic consideration for product design and business models.
Trend 3: growth of digital awareness
Another growing global trend is the increasing awareness of digital influence. Users are becoming more conscious of manipulative design and algorithmic steering and increasingly view their attention as a finite and valuable resource.
This trend matters for businesses because digital influence is becoming both a regulatory and reputational issue. As users become more aware of how platforms shape their behaviour, businesses may face growing pressure to demonstrate that engagement strategies support informed choice rather than exploit behavioural vulnerabilities.
From a regulatory perspective, this trend is driving greater scrutiny of dark patterns, addictive design features and algorithmic recommendation systems. Regulators are increasingly seeking to ensure that digital services support informed user choice rather than exploit behavioural vulnerabilities.
Platform safety and transparency as a new compliance standard
The DSA has become one of the EU’s primary tools for translating concerns about digital influence into binding platform-safety obligations. It moves regulation beyond the removal of illegal content and reliance on formal disclosures, requiring digital services to incorporate safety into their systems by design. Its core obligations include the following.
Recent enforcement activity shows how the Commission is interpreting these obligations in practice.
Beyond the current regulatory framework, the forthcoming Digital Fairness Act, already mentioned in relation to personalised pricing, may set new standards for tackling manipulative online practices more broadly. The Commission Work Programme for 2026 lists the Digital Fairness Act under the priority of “protecting our democracy, upholding our values”, with a legislative proposal expected in the fourth quarter of 2026. It is framed as a measure to address a broad range of dark patterns that exploit cognitive biases and steer users toward choices they might not otherwise make, resulting in unintended purchases, unwanted subscriptions, or the sharing of personal data without fully informed consent. Examples drawn from the Commission’s own consultation materials include the following.
For businesses, the significance of these developments extends beyond gatekeepers and very large online platforms. The underlying trend is a broader shift in user expectations. Users are becoming more conscious of how digital services influence their behaviour and increasingly expect transparency, autonomy and meaningful choice. These changing expectations are likely to affect digital businesses well beyond those formally in scope of the DSA or DMA. In the long run, user trust and autonomy may become as important to competitive advantage as engagement and retention.
Practical implications for businesses
For technology companies operating in the EU, these trends are not abstract regulatory developments. They are becoming practical questions of product design, customer journey, data use, market strategy, and the selection of clients and other counterparties.
The following questions can help assess the extent to which a company may be exposed to the risks emerging from these trends:
The ability to identify such developments early is becoming a competitive advantage in its own right. As digital regulation expands beyond traditional compliance and increasingly reflects broader societal and technological shifts, businesses will need not only to monitor legal change but also to anticipate the trends that shape it.
1 Water Lane
Hawley Wharf
London NW1 8NZ
United Kingdom
+44 74 2403 9183
info@dna.partners dna.partners