Compendium

EU Competition and Regulation

25 min read

EU Competition and Regulation

The European Union has emerged in 2018-2026 as the de facto global rulemaker for digital markets, data protection, and AI governance. The TFEU’s competition articles (101, 102, 106, 107) anchor a 70-year-old enforcement regime, but the post-2020 regulatory wave — GDPR (2016), Digital Markets Act (2022), Digital Services Act (2022), Data Act (2023), AI Act (2024), unitary patent (2023) — has dramatically expanded the EU’s reach over global business. Enforcement is centralized at the European Commission (DG COMP for competition; DG CONNECT for digital regulation; DG JUST for data protection and consumer law) with appellate review at the EU General Court and Court of Justice (CJEU) in Luxembourg, plus a network of national competition authorities (NCAs) and data-protection authorities (DPAs).

The UK Competition and Markets Authority (CMA) operates a parallel and increasingly divergent regime post-Brexit, anchored in the Competition Act 1998 (mirroring 101 and 102), the Enterprise Act 2002 (mergers), and the Digital Markets, Competition and Consumers Act 2024 (strategic market status — parallel to DMA gatekeepers).

This note covers the EU competition law foundation (Arts 101 and 102, Merger Regulation, state aid), the digital-regulation wave (DMA, DSA, GDPR Art 22, AI Act), and the divergence with UK CMA. A sibling note (antitrust-and-competition-deep) covers US antitrust comparatively.

See also

TFEU Article 101 — Anti-Competitive Agreements

Text

Article 101(1) TFEU prohibits “all agreements between undertakings, decisions by associations of undertakings and concerted practices which may affect trade between Member States and which have as their object or effect the prevention, restriction or distortion of competition within the internal market.”

Article 101(2) — such agreements are automatically void.

Article 101(3) — an exemption applies where the agreement contributes to improving the production or distribution of goods or to promoting technical or economic progress, while allowing consumers a fair share of the resulting benefit and which does not (a) impose restrictions not indispensable to the attainment of these objectives, or (b) afford the undertakings the possibility of eliminating competition in respect of a substantial part of the products in question.

Modernization Regulation 1/2003 (in force May 1, 2004) ended ex ante notification of agreements for 101(3) exemption; undertakings self-assess.

”Undertaking”

Functional concept — any entity engaged in economic activity regardless of legal form. Höfner, Case C-41/90 (CJEU 1991). Parent and subsidiary forming a single economic unit treated as one undertaking — Akzo Nobel v Commission, Case C-97/08 P (CJEU 2009).

”By object” vs “by effect”

  • Object restrictions — restrictions inherently anti-competitive given their nature, content, and context. No need to prove actual market effects. The EU equivalent of US “per se.” Hardcore: price fixing, market sharing, customer allocation, output restriction, bid rigging. Cartes Bancaires, Case C-67/13 P (CJEU 2014) — Court narrowed “by object” — restriction must reveal sufficient degree of harm to competition.
  • Effect restrictions — actual or potential effects analyzed in context.
  • Allianz Hungária, Case C-32/11 (CJEU 2013) — object analysis must consider economic and legal context.

Vertical Block Exemption Regulation (VBER)

Regulation (EU) 2022/720, effective June 1, 2022, replacing 2010 VBER. Block-exempts vertical agreements where parties’ market shares do not exceed 30% on each relevant market, provided no hardcore restrictions:

  • Resale price maintenance (subject to limited carve-outs — true agency, genuine fulfillment contract).
  • Absolute territorial protection (customer or territory restrictions, with permitted exceptions for active sales restrictions to exclusive territories).
  • Selective distribution restrictions on selling to end users.
  • Cross-supply restrictions within selective distribution.

The 2022 VBER + accompanying Vertical Guidelines clarify treatment of:

  • Dual distribution — supplier sells via own channels and through distributors; now block-exempted up to 30% retail market share.
  • Online sales — dual pricing (different prices for online vs offline within same distributor) and equivalence principle (online-offline selective criteria) permitted; bans on online sales / online marketplaces no longer automatically hardcore (per Coty Germany v Parfümerie Akzente, Case C-230/16 (CJEU 2017)).
  • Parity / MFN clauses — wide parity clauses (across all platforms) are hardcore restrictions; narrow parity (within distributor’s own channels) is block-exempted.

Horizontal cooperation

Horizontal Guidelines updated June 2023 cover information exchange, R&D cooperation, standardization, joint purchasing, joint selling, joint commercialization, and sustainability agreements (new chapter — green-cooperation safe harbor).

Major Article 101 cases

  • Pioneer / Yamaha / Denon-Marantz / Asus / Philips (Commission July 2018) — €111M total fines for online RPM (“vertical price-fixing”) with algorithmic enforcement.
  • Trucks cartel, Case AT.39824 (Commission 2016-17) — €3.8B fines on Daimler, DAF, Iveco, MAN, Scania, Volvo/Renault for 14-year cartel; follow-on damages litigation across EU.
  • Forex / FX cartel, Cases AT.40135 and AT.40335 (Commission 2019) — €1.07B fines on Barclays, JPMorgan, RBS, Citigroup, MUFG.
  • Spread Networks / Mavi RPM and information exchange cases (Commission 2023-24).
  • Apple Music streaming, Case AT.40437 (Commission March 2024) — €1.8B fine for App Store anti-steering restrictions on music streaming apps (Spotify complaint).

Cartel enforcement

  • Leniency Programme — Commission Notice 2006/C 298/11. First-in immunity; subsequent reductions 30-50%, 20-30%, up to 20%.
  • Settlement Procedure — 2008 Notice. 10% fine reduction for cooperation + acceptance of liability.
  • Direct settlement and hybrid cases — Pharma Pay-for-Delay, Trucks.

TFEU Article 102 — Abuse of Dominance

Text

Article 102 prohibits “any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it … in so far as it may affect trade between Member States.” Non-exhaustive list of abuses: imposing unfair prices; limiting production/markets/technical development; applying dissimilar conditions to equivalent transactions; tying.

Dominance

Defined in United Brands, Case 27/76 (CJEU 1978) as “a position of economic strength enjoyed by an undertaking which enables it to prevent effective competition being maintained on the relevant market by affording it the power to behave to an appreciable extent independently of its competitors, customers and ultimately of its consumers.”

Market share generally key indicator:

  • ≥ 50% — presumption of dominance (AKZO, Case C-62/86 (CJEU 1991)).
  • ≥ 40% with other factors — possible dominance.
  • < 40% — generally unlikely.
  • Hoffmann-La Roche, Case 85/76 (CJEU 1979) — barriers to entry, technological lead, scale, vertical integration relevant.

Abuse categories

Exclusionary

  • Loyalty rebates / fidelity discountsHoffmann-La Roche (1979); Michelin I and II; Intel, Case C-413/14 P (CJEU 2017) — partial annulment; obligation to perform AEC (“as-efficient-competitor”) test when Commission relies on price-based exclusionary effect.
  • Intel remand — Case T-286/09 RENV (Gen. Ct. January 2022) — Commission’s AEC analysis insufficient; €1.06B fine annulled. CJEU re-appeal pending. The most significant rebates case of the modern era.
  • Tying and bundlingMicrosoft (Windows Media Player), Case T-201/04 (Gen. Ct. 2007).
  • Refusal to supply / refusal to license IPMagill, Case C-241/91 P (CJEU 1995); IMS Health, Case C-418/01 (CJEU 2004) — “exceptional circumstances” test; refusal must prevent emergence of new product, eliminate competition on downstream market, and lack objective justification.
  • Margin squeezeDeutsche Telekom, Case C-280/08 P (CJEU 2010); TeliaSonera, Case C-52/09 (CJEU 2011); Telefónica, Case C-295/12 P (CJEU 2014).
  • Predatory pricingAKZO, Case C-62/86 (CJEU 1991) — below AVC presumed predatory; AVC-ATC zone if part of plan to eliminate.
  • Self-preferencingGoogle Shopping, Case T-612/17 (Gen. Ct. 2021), affirmed Case C-48/22 P (CJEU September 2024) — €2.42B fine upheld; Google favored its own comparison-shopping service in general-search results.

Exploitative

  • Excessive pricingUnited Brands (1978) two-step test (price-cost comparison + comparison with other markets); rarely enforced. Modern revival in Phenytoin (Pfizer/Flynn), Case T-934/19 (Gen. Ct. 2023); Aspen (Italy 2017).
  • Unfair contract terms — emerging in tech enforcement.

Google trilogy

Three EU enforcement actions:

  • Google Shopping, Case AT.39740 / T-612/17 — €2.42B fine 2017; upheld by Gen. Ct. 2021 and CJEU September 2024 (Case C-48/22 P).
  • Google Android, Case AT.40099 / T-604/18 — €4.34B fine 2018 (reduced to €4.125B by Gen. Ct. September 2022); tying of Google Search and Chrome to Play Store on Android phones; CJEU appeal pending.
  • Google AdSense for Search, Case AT.40411 / T-334/19 — €1.49B fine 2019; Gen. Ct. September 2024 annulled (insufficient evidence of foreclosure of advertising space provided by competitors); Commission appealing.

Other major Article 102 cases

  • Apple App Store / Music Streaming, Case AT.40437 — €1.8B March 2024 (above).
  • Apple / Apple Pay, Case AT.40452 — Commission accepted commitments July 2024 (open access to NFC on iPhone).
  • Microsoft v Commission, Case T-201/04 (Gen. Ct. 2007) — Windows Media Player tying and interop information refusal.
  • Qualcomm Exclusivity, Case T-235/18 (Gen. Ct. June 2022) — €997M fine annulled; insufficient proof of foreclosure.
  • Qualcomm Predatory Pricing, Case T-671/19 (Gen. Ct. April 2024) — €242M fine annulled.

Article 102 procedure

  • Statement of Objections (SO) — Commission’s formal allegation of infringement.
  • Access to file — defendant’s right to inspect Commission’s investigation file.
  • Oral hearing — defendant’s right to be heard.
  • Final decision — fine + remedy.
  • Commitments (Reg 1/2003 Art 9) — binding alternative to infringement finding.
  • Interim measures (Art 8) — Broadcom (Case AT.40608, October 2019) — first interim-measures decision since 2001.

Procedure and remedies

  • Fines — up to 10% of worldwide turnover (Art 23 Reg 1/2003).
  • Periodic penalty payments — up to 5% of average daily turnover.
  • Structural remedies — divestiture available but rare.
  • Private damages — Damages Directive (2014/104/EU); minimum disclosure rules; rebuttable presumption that cartels cause harm.

EU Merger Regulation

Regulation 139/2004

Mergers + acquisitions creating “concentrations” with EU dimension reviewed exclusively by Commission.

EU dimension thresholds (Art 1):

  • Two-thirds rule — if each undertaking achieves 2/3+ of EU turnover in same Member State, EU dimension lacking.
  • First test — combined worldwide turnover > €5 billion + EU-wide turnover of each of at least two undertakings > €250 million.
  • Second test (lower thresholds) — combined worldwide > €2.5 billion + combined turnover in each of at least three Member States > €100 million (with at least €25 million of each individually in those Member States) + EU-wide turnover of each of at least two undertakings > €100 million.

Phase I / Phase II

  • Phase I — 25 working days from notification; can be extended to 35 if remedies offered.
  • Phase II — 90 working days; extendable to 105 (with remedies) or 125 (complex cases).
  • Stop-the-clock — Commission can stop the clock for failure to supply information.

Substantive test — “significant impediment to effective competition” (SIEC)

Adopted 2004 — replaces older “dominance” test. Captures both unilateral (single-firm dominance) and coordinated effects. Ryanair / Aer Lingus II, Case T-342/00 (Gen. Ct. 2011).

Gun-jumping

Closing before clearance — Altice Europe, Case T-425/18 (Gen. Ct. September 2021); €124.5M fine for early implementation of PT Portugal acquisition. CJEU October 2023 (Case C-746/21 P) confirmed.

Article 22 referral and Illumina/Grail

Illumina v Commission, Case T-227/21 (Gen. Ct. 2022) → CJEU Case C-611/22 P, September 3, 2024 — overturned Commission’s acceptance of Member State Art 22 referral of below-EU-threshold transaction. Commission cannot use Art 22 to take jurisdiction over deals below national thresholds. Significantly contracted Commission jurisdiction over “killer acquisitions.” Member States can still call in nationally (e.g., German § 39a / Italian Art 16-bis powers).

Illumina divested Grail December 2023 separately.

Recent merger cases

  • Microsoft / Activision (cleared 2023 after CMA initial block + restructured deal).
  • Vodafone / Three UK (Phase II ongoing 2024-25 at CMA; conditional clearance with commitments expected).
  • Booking / eTraveli — Commission September 2023 prohibition; Gen. Ct. appeal pending.
  • Amazon / iRobot — Commission Phase II opened July 2023; parties abandoned January 2024.
  • Lufthansa / ITA Airways — Phase II July 2024 conditional clearance.
  • Adobe / Figma — abandoned December 2023 after Commission and CMA concerns.

State Aid — Article 107

Article 107 TFEU prohibits state aid that distorts competition + affects trade between Member States, unless compatible under Art 107(2) or (3).

Commission centralized enforcement under Regulation 2015/1589 (procedural).

Notable state aid cases

  • Apple / Ireland, Case C-465/20 P (CJEU September 10, 2024) — landmark. CJEU restored Commission’s €13.1 billion order requiring Ireland to recover from Apple — reversed Gen. Ct.; held Apple’s two Irish subsidiaries received selective tax advantage incompatible with state-aid rules. The Court adopted a transfer-pricing-influenced reasoning critiquing the Gen. Ct.’s analysis.
  • Amazon / Luxembourg, Case C-457/21 P (CJEU December 14, 2023) — €250M tax-aid finding annulled; Court found Commission’s “arm’s length” analysis incorrect.
  • Fiat / Luxembourg, Case C-885/19 P (CJEU November 2022) — €30M aid finding annulled.
  • Starbucks / Netherlands annulled (Gen. Ct. 2019; not appealed).

The Apple decision (September 2024) reset the EU’s tax-state-aid jurisprudence after a series of losses.

COVID-19 and Ukraine

Temporary Frameworks (2020 and 2022) authorized member-state aid responses to crises. Ukraine Temporary Crisis and Transition Framework remained in force through 2025.

Foreign Subsidies Regulation (FSR)

Regulation (EU) 2022/2560, in force July 12, 2023, applied from October 12, 2023. Authorizes Commission to investigate distortive foreign subsidies affecting EU market.

  • Notification thresholds — concentrations (combined EU turnover ≥ €500M and foreign financial contributions ≥ €50M); public-procurement bids (estimated value ≥ €250M and foreign financial contributions ≥ €4M).
  • Ex officio review — Commission may investigate any market situation.

Early enforcement — investigations of Chinese e-commerce, electric-vehicle, wind-turbine, and solar-panel sectors 2024-25.

Digital Markets Act (DMA)

Architecture

Regulation (EU) 2022/1925, in force November 1, 2022, applied to gatekeepers from March 7, 2024.

The DMA imposes ex ante obligations on “gatekeepers” providing “core platform services” (CPS).

Gatekeeper criteria (Art 3)

Quantitative:

  • Significant impact on internal market (≥ €7.5B EEA turnover or ≥ €75B market cap in past financial year);
  • Operates CPS in ≥ 3 Member States;
  • ≥ 45M EU monthly active end users + ≥ 10,000 yearly active business users;
  • Entrenched and durable position (thresholds met in each of past 3 financial years).

Quantitative presumption rebuttable by qualitative arguments.

Core platform services

Online intermediation services; online search engines; online social networking services; video-sharing platform services; number-independent interpersonal communications services (NIICS); operating systems; web browsers; virtual assistants; cloud computing services; online advertising services.

Designations (September 2023)

  • Alphabet — Search, Chrome, Google Play, Google Maps, Google Ads, YouTube, Android.
  • Amazon — Marketplace, Amazon Ads.
  • Apple — App Store, Safari, iOS.
  • ByteDance — TikTok.
  • Meta — Facebook, Instagram, WhatsApp, Messenger, Meta Marketplace, Meta Ads.
  • Microsoft — Windows, LinkedIn, Microsoft Ads.

iPadOS designated April 2024. Booking.com designated May 2024 (Booking-CPS). Apple Messages (iMessage), Microsoft Bing/Edge/Advertising not designated (Apple/Microsoft successfully rebutted presumption for some services on qualitative criteria).

Obligations

Article 5 (do’s and don’ts):

  • Allow business users to promote offers to end users acquired through CPS at different prices/conditions on other channels (anti-anti-steering).
  • Allow end users to access content/subscriptions purchased through business users outside the CPS.
  • Allow business users to communicate and conclude contracts with end users acquired through the CPS outside the CPS.
  • Allow end users to unsubscribe from CPS as easily as subscribing.
  • Allow business users to access data they generated using the CPS.
  • Allow advertisers/publishers free transparency over price + performance metrics.
  • Prohibition on combining personal data from CPS with other Gatekeeper services without specific consent (GDPR-compliant) — BundesKartellamt v Meta, Case C-252/21 (CJEU July 2023) had foreshadowed.

Article 6 (subject to dialogue):

  • Allow third-party apps and app stores on operating systems (sideloading) — iOS forced to permit alternative app stores from March 2024.
  • Allow third-party in-app payments.
  • Allow uninstallation of pre-installed apps.
  • Choice screens for default browsers, search engines, voice assistants.
  • Interoperability of OS/hardware features for third-party developers (Apple iPhone NFC requirement).
  • Real-time portability of end user data.
  • Equal treatment in ranking (no self-preferencing).
  • Free of charge access to data generated by business users.

Article 7 (NIICS interoperability) — WhatsApp / iMessage / Messenger interoperability obligations phased through 2024-27 (1:1 messaging from March 2024; group chats by 2026-27).

Enforcement

  • Penalties — up to 10% of worldwide turnover; up to 20% for repeat infringement.
  • Periodic penalty payments — up to 5% of average daily worldwide turnover.
  • Behavioral or structural remedies for systematic non-compliance.
  • Designated as preliminary findings opened against Apple (default browser, App Store steering), Alphabet (Search self-preferencing, Play steering), Meta (pay-or-consent) — March 2024.

First non-compliance decisions:

  • Apple App Store steering — April 23, 2025 — €500M fine + order to remove anti-steering restrictions.
  • Meta pay-or-consent — April 23, 2025 — €200M fine; pay-or-consent model found non-compliant.
  • Apple Safari/iOS interoperability — further enforcement steps 2025.

Apple, Meta, Alphabet all appealing.

Digital Services Act (DSA)

Architecture

Regulation (EU) 2022/2065, in force November 16, 2022, applied to VLOPs/VLOSEs from August 25, 2023; all platforms from February 17, 2024.

Categories

Layered obligations by size:

  • Intermediary services — basic transparency, illegal-content removal.
  • Hosting services — additional notice-and-action.
  • Online platforms — additional trader traceability, recommender-system transparency, advertising transparency, suspension of repeat offenders.
  • Very Large Online Platforms (VLOPs) + Very Large Online Search Engines (VLOSEs) — ≥ 45M EU monthly active users — most comprehensive obligations.

VLOP/VLOSE designations (April 2023)

19 platforms — Alibaba AliExpress, Amazon Store, Apple App Store, Booking.com, Facebook, Google Play, Google Maps, Google Search, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, X (Twitter), Wikipedia, YouTube, Zalando, Microsoft Bing.

December 2023 — adult sites Pornhub, Stripchat, XVideos. May 2024 — Shein. December 2024 — Temu.

VLOP/VLOSE obligations

  • Systemic risk assessment — annual identification of risks from design and operation including dissemination of illegal content, fundamental rights, civic discourse, public health, minors.
  • Mitigation measures — adapted to identified risks.
  • Independent audit — annual external audit.
  • Recommender systems transparency — parameters + option of at least one non-profiling alternative.
  • Advertising transparency — public repository of advertisements.
  • Crisis response mechanism — Commission may activate.
  • Researchers’ data access — vetted researchers may obtain data.
  • Compliance function — designated officer.
  • Annual fee — funding DSA enforcement (0.05% of EEA turnover, capped).

Enforcement

Penalties up to 6% of worldwide annual turnover; up to 1% for procedural infringements; periodic penalty payments up to 5% of average daily worldwide turnover.

First proceedings opened:

  • X (December 2023) — content moderation, deceptive design, blue-check verification, ad repository, researcher data access.
  • TikTok (February 2024) — protection of minors, advertising transparency, addictive design, researcher access. Separate proceeding on TikTok Lite (April 2024) — addictive features; TikTok Lite withdrawn from EU.
  • AliExpress (March 2024) — illegal content, transparency, deceptive design.
  • Meta (Facebook + Instagram) (April 2024) — political advertising, illegal content, deceptive design, fake content.
  • AliExpress / Temu (October 2024) — illegal product distribution.

GDPR

Architecture

Regulation (EU) 2016/679, in force May 25, 2018. Replaced Directive 95/46.

Material scope (Art 2)

Processing of personal data wholly or partly by automated means + non-automated processing of personal data forming part of filing system.

Territorial scope (Art 3)

  • (1) Establishment in EU (regardless of where processing occurs).
  • (2) Offering goods/services to EU data subjects OR monitoring behavior of EU data subjects (regardless of controller location).

Key principles (Art 5)

  • Lawfulness, fairness, transparency.
  • Purpose limitation.
  • Data minimization.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
  • Accountability.

Lawful bases (Art 6)

  • (a) Consent.
  • (b) Contract necessity.
  • (c) Legal obligation.
  • (d) Vital interests.
  • (e) Public task.
  • (f) Legitimate interests (balancing test).

Sensitive data (Art 9)

Health, race/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, genetic data, biometric data for identification, data on sex life or sexual orientation. Heightened protections + Art 9(2) restricted bases.

Data subject rights (Arts 12-22)

  • Information (Arts 13-14).
  • Access (Art 15).
  • Rectification (Art 16).
  • Erasure / “right to be forgotten” (Art 17) — Google Spain, Case C-131/12 (CJEU 2014); Google v CNIL, Case C-507/17 (CJEU 2019) — RTBF not global by default.
  • Restriction (Art 18).
  • Portability (Art 20).
  • Objection (Art 21).
  • Automated decision-making (Art 22).

Article 22 — automated individual decision-making

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Exceptions: contract necessity; authorized by law; explicit consent. Safeguards required.

SCHUFA Holding, Case C-634/21 (CJEU December 2023) — generation of credit score by credit-scoring agency for use by third party is Art 22(1) decision; expanded scope significantly.

Cross-border transfers (Chapter V)

  • Adequacy decisions (Art 45) — Argentina, Canada (commercial), Faroe, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, UK, South Korea, US (EU-US Data Privacy Framework July 2023).
  • Standard Contractual Clauses (SCCs) (Art 46) — modernized 2021/914 (module-based).
  • Binding Corporate Rules (BCRs) — Art 47.
  • Derogations (Art 49) — consent, contract, public interest, legal claims, vital interest, public register.

Schrems II, Case C-311/18 (CJEU July 2020) — invalidated Privacy Shield; SCCs require supplementary measures + transfer impact assessment. EDPB Recommendations 01/2020 implementation guidance.

Penalties (Art 83)

  • Tier 1 — €10M or 2% of worldwide annual turnover (whichever higher).
  • Tier 2 — €20M or 4% (whichever higher).

Major fines:

  • Meta — €1.2B (May 2023, Irish DPC) for SCC-based US transfers.
  • Amazon — €746M (July 2021, Luxembourg CNPD).
  • Meta — €405M (September 2022 — Instagram children’s data).
  • TikTok — €345M (September 2023 — children’s data).
  • Meta — €390M (January 2023 — advertising lawful basis).
  • LinkedIn — €310M (October 2024 — advertising).
  • Uber — €290M (August 2024 — driver data US transfers).

DPAs and One-Stop-Shop

Each Member State designates DPA. “Main establishment” lead DPA approach under Art 56. Facebook Ireland v Bundeskartellamt, Case C-252/21 (CJEU July 2023) — national competition authority may take account of GDPR compliance in competition analysis.

EDPB (European Data Protection Board) coordinates consistency.

EU AI Act

Architecture

Regulation (EU) 2024/1689, in force August 1, 2024. Risk-tiered application:

  • Prohibited practices — applied from February 2, 2025.
  • General-purpose AI obligations — August 2, 2025.
  • High-risk + most obligations — August 2, 2026.
  • Full application — August 2, 2027.

Definition of AI system (Art 3(1))

“A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”

OECD definition adopted (broad).

Prohibited practices (Art 5)

  • Subliminal, manipulative, deceptive techniques causing significant harm.
  • Exploiting vulnerabilities (age, disability, social/economic situation).
  • Social scoring by public authorities resulting in unjustified treatment.
  • Predictive policing based solely on profiling (criminal-risk assessment of natural persons solely from personality traits).
  • Untargeted scraping of facial images from internet or CCTV for biometric databases.
  • Emotion recognition in workplace/educational institutions (with limited safety exceptions).
  • Biometric categorization inferring race, political opinions, trade-union membership, religious beliefs, sexual orientation.
  • Real-time remote biometric identification in publicly accessible spaces by law enforcement (with limited narrow exceptions).

High-risk AI systems

Two routes:

  • Annex I — AI as safety component of products covered by EU harmonization legislation (toys, machinery, medical devices, vehicles).
  • Annex III — listed standalone areas:
    • Biometric identification + categorization (where not prohibited).
    • Critical infrastructure.
    • Education and vocational training (admissions, evaluation, monitoring).
    • Employment and worker management (recruitment, promotion, evaluation, termination).
    • Access to essential public services (welfare eligibility, credit scoring, emergency dispatch).
    • Law enforcement.
    • Migration, asylum, border control.
    • Administration of justice and democratic processes (assisting judicial decisions, influencing elections).

High-risk providers must implement: risk management; data and data governance (training, validation, testing); technical documentation; record-keeping/logging; transparency; human oversight; accuracy, robustness, cybersecurity. Conformity assessment + CE marking + EU database registration (Art 71).

General-purpose AI models (Chapter V)

Definition (Art 3(63)) — AI model trained on broad data + general-purpose capable performing wide range of distinct tasks (e.g., GPT-4 class).

Obligations (Art 53):

  • Technical documentation (Annex XI) — Commission AI Office template.
  • Information to downstream providers (Annex XII).
  • Copyright compliance — policy to comply with EU copyright law including respect for Art 4 DSM Directive opt-outs.
  • Summary of training content (sufficiently detailed) for transparency.

GPAI with systemic risk

Designation by reference to ≥ 10^25 cumulative floating-point operations (FLOPs) training compute threshold (Art 51). May also be designated by Commission decision based on other criteria.

Additional obligations (Art 55):

  • Model evaluation (including state-of-the-art adversarial testing).
  • Systemic risk assessment + mitigation.
  • Serious incident tracking + reporting to AI Office.
  • Cybersecurity protection.

Transparency obligations for certain AI

Art 50:

  • AI systems interacting with humans must disclose AI nature.
  • Emotion recognition / biometric categorization systems must inform users.
  • AI-generated synthetic content (audio, image, video, text) must be marked in machine-readable form.
  • Deepfakes must be disclosed.
  • AI-generated text used for public-interest information must be disclosed.

Penalties

  • Prohibited practices — up to €35M or 7% of worldwide annual turnover (whichever higher).
  • Most other infringements — up to €15M or 3%.
  • Misleading information to authorities — up to €7.5M or 1%.
  • SMEs and startups — choose lower of fixed amount or percentage.

Codes of practice and General-Purpose Code

Voluntary Code of Practice for GPAI providers, drafted by independent chairs September 2024 - April 2025. Final code adopted July 2025 by Commission. Signatories (Anthropic, OpenAI, Microsoft, Google, Meta, Mistral, Amazon) committed to voluntary compliance pending full Art 53/55 application August 2025.

Other EU Digital Regulation

Data Act

Regulation (EU) 2023/2854, in force January 11, 2024, applied September 12, 2025. IoT/connected products generated data access rights; cloud-switching obligations; B2G data sharing in emergencies; smart-contract requirements; data spaces.

Data Governance Act

Regulation (EU) 2022/868, in force September 2023. Public-sector data reuse; data intermediaries; data altruism.

Cyber Resilience Act

Regulation (EU) 2024/2847, in force December 10, 2024, applied December 11, 2027. Cybersecurity requirements for products with digital elements.

NIS2 Directive

Directive (EU) 2022/2555, applied October 17, 2024. Cybersecurity baseline for essential and important entities.

DORA — Digital Operational Resilience Act

Regulation (EU) 2022/2554, applied January 17, 2025. Financial-sector ICT operational resilience.

eIDAS 2

Regulation (EU) 2024/1183. European Digital Identity Wallet by 2026.

EU Intellectual Property

Unitary Patent + UPC

Effective June 1, 2023. Unitary patent provides uniform protection in 17+ participating Member States (Germany, France, Italy, Netherlands, Sweden, others; not Spain, Poland, Croatia). UPC court structure — Court of First Instance (local + regional + central divisions) + Court of Appeal in Luxembourg. Patent holders can opt existing European patents out of UPC jurisdiction during 7-year transitional period (extendable to 14).

UPC central division — Munich (mechanical engineering, lighting, weapons), Paris (electricity, IT, biotech), Milan (chemistry, pharma — added 2024).

First UPC injunctions issued 2023-24:

  • 10x Genomics v NanoString (Munich Local Div., September 2023) — first UPC PI.
  • Edwards Lifesciences v Meril (Hague Local Div., October 2023).
  • Sanofi v Amgen (Munich Central Div., 2024).

EU Design

Community Designs (Regulation 6/2002); Registered Community Designs + Unregistered Community Designs. Designs Reform Package 2024 — Regulation (EU) 2024/2822 + Directive 2024/2823 modernized framework (effective May 2025 / December 2027 staggered).

EU Trademark

Regulation 2017/1001 (codified). EUIPO Alicante. International registration via Madrid Protocol.

Directive (EU) 2019/790 (Copyright in Digital Single Market):

  • Art 3 — TDM exception for scientific research (no opt-out).
  • Art 4 — TDM exception for any purpose (with rightsholder opt-out via machine-readable means).
  • Art 15 — neighboring right for press publications (defining “press publication”; carve-outs for hyperlinks + very short extracts).
  • Art 17 — online content-sharing service providers’ obligations (YouTube, Facebook) — best efforts to obtain authorization + best efforts to remove notified content + stay-down for notified works.

UK CMA Post-Brexit

The UK CMA has emerged as a parallel global gatekeeper alongside EU + US.

Powers

  • Competition Act 1998 — Chapter I (mirror Art 101) and Chapter II (mirror Art 102).
  • Enterprise Act 2002 — merger control (substantial-lessening-of-competition test). Voluntary notification with high-jurisdiction thresholds; CMA can call in deals up to 4 months post-completion.
  • Digital Markets, Competition and Consumers Act 2024 (DMCC Act) — in force January 2025. Strategic Market Status (SMS) designation framework parallel to DMA gatekeepers; conduct requirements (CRs); pro-competition interventions (PCIs); merger reporting requirements; substantial UK consumer law revisions.

CMA Digital Markets Unit (DMU)

DMU created 2021 (shadow form); statutory backing in DMCC Act. First SMS investigations opened January 2025 on Apple/Google mobile-ecosystem dominance.

CMA Notable Cases

  • Microsoft / Activision — CMA Phase II decision April 2023 blocked deal on cloud-gaming theory; Microsoft restructured (Ubisoft acquired cloud rights ex-EEA outside Microsoft) and CMA cleared revised deal October 2023.
  • Meta / Giphy — CMA ordered divestiture November 2021, upheld CAT 2022, sold to Shutterstock May 2023.
  • Adobe / Figma — abandoned December 2023 after CMA Phase II SLC finding.
  • Mobile Browsers / Cloud Gaming Market Investigation — Final Order March 2024 imposing conduct remedies on Apple + Google mobile ecosystems.

CAT — Competition Appeal Tribunal

Reviews CMA decisions. Apple v CMA (CAT 2022) restored CMA’s market investigation reference after initial procedural challenge; Court of Appeal November 2022 upheld CMA process.

Practical Practice Notes

  • Notification thresholds — EU + UK + Germany + France + Italy + Austria each have separate merger-notification regimes. Global deals routinely require 15-20 filings.
  • DMA compliance — gatekeepers maintain dedicated compliance teams + annual “compliance reports” published.
  • DSA compliance officer — designated VLOP/VLOSE compliance officer reports directly to senior management.
  • GDPR Article 30 records — controller + processor records of processing activities; CNIL/ICO enforcement focus.
  • AI Act preparation — high-risk providers begin conformity assessment work 2025-26 ahead of August 2026 applicability.
  • DPA “one-stop-shop” — Ireland DPC, Luxembourg CNPD, Netherlands AP, France CNIL most-active lead supervisory authorities for major tech.
  • EU litigation venues — Gen. Ct. and CJEU in Luxembourg; UPC central + local divisions; national IP and competition specialized courts (Düsseldorf, Mannheim, Munich for patents; Paris for IP and competition).

Adjacent

Graph View