1. Introduction
In the beginning, there was the internal market. The regulation of digital technologies in the European Union (EU) has been grounded, by and large, in the EU’s ambition to foster the circulation of goods and services among its 27 Member States.Footnote 1 However, the considerable number of policies pursued in the last few decades under the umbrella notion of digital policy has also been shaped by other factors. In particular, concerns about the impact of digitalisation on the protection of fundamental rights, notably the rights to respect for private life and (more recently) the protection of personal data, have featured since at least the 1970s.Footnote 2 At the same time, EU-level regulation of matters such as artificial intelligence (AI) and digital products has been increasingly framed in security terms, reflecting the growing geopolitical tensions surrounding the EU.Footnote 3 In this article, we examine how contemporary EU digital regulatory instruments pursue market goals and the protection of fundamental rights in an environment of growing securitisation.
The term ‘securitisation’ was coined in the Security Studies literature to describe the process by which political issues are construed as existential threats to the state. By describing them as such, policymakers aim to convince the public that it is legitimate to take extraordinary action to resolve such issues.Footnote 4 In the digital domain, that process can be seen in how digital infrastructures and technologies are viewed as security tools or as sources of vulnerabilities, which are to be mitigated by regulation and other forms of policy action.Footnote 5 Our claim in this article is that the development of EU digital regulation should be understood as a mutually reinforcing relationship among the EU’s market-shaping imperative, its protection of fundamental rights, and its concerns over security, in which the latter often prevails over the others but never displaces them entirely. To the contrary: the interplay between these three elements underpins the rhetoric that legitimises EU digital law, even if it sometimes leads to conflicts that must be accommodated through restrictive provisions, exceptions and loopholes.
We make this point through a doctrinal analysis of specific legal instruments, informed by theoretical scholarship on the securitisation of cyberspaceFootnote 6 and the recent turn towards digital sovereignty in EU policy.Footnote 7 Drawing from these doctrinal and theoretical sources, we propose a typology of how policymakers frame the relationship between fundamental rights and security in different legislative texts. We then apply the typology to three EU legal instruments in the digital sphere: the AI Act,Footnote 8 the Cyber Resilience Act (CRA),Footnote 9 and the Commission’s proposal for a regulation to prevent and combat child sexual abuse online (the ‘ChatControl 2.0’ proposal).Footnote 10 In doing so, we extend the growing body of analysis on the securitisation of EU digital policy – an interdisciplinary effort in which political scientists have tended to take the lead. Whereas current analyses tend to focus on specific regulatory fields, such as cybersecurityFootnote 11 or AI,Footnote 12 our approach aims for a more holistic and up-to-date understanding of the interplay between security considerations and fundamental rights and highlights the imposition of a security provision in areas rife with commercial motivations. Through close doctrinal analysis of these instruments, we find that both security and fundamental rights rationales are increasingly common, even in regulations billed as market harmonisation instruments.
These three horizontal goals are often presented as mutually reinforcing. Indeed, both the creation of markets for new technologies and the protection of fundamental rights appear to serve a function beyond mere rhetoric in EU digital policymaking.Footnote 13 Nonetheless, the letter of the law and the practice accompanying it tend to ascribe security a heavier weight than the protection of fundamental rights whenever legislators and interpreters of the law are called to resolve value clashes that could not be dissipated by a clever reframing of the values at stake.
The rest of the paper proceeds as follows. First, we outline how the three main characters of our story – markets, rights, and security – are mobilised in the formulation of EU digital regulation, even if it remains formally grounded on the EU’s market harmonisation competencies (Sections 2 and 3). Then, we propose three models of how the interaction between these regulatory aims can be resolved in practice, which reflect different positions taken in scholarly literature and policy documents (Section 4). After that, we introduce the general elements of the three case studies and argue for their relevance (Section 5), before showing how the three resolution models appear in them (Section 6). Finally, we discuss how these models of conflict between policy aims can be useful both in the application and the critical assessment of current and future EU legislation in the digital domain (Section 7).
2. Digital regulation between markets and fundamental rights
Historically, the EU has seen the regulation of digital technologies as an offshoot of its efforts to harmonise the conditions of the single market. Such a framing is not surprising. Not only is the establishment of the internal market one of the main drivers of European integration,Footnote 14 but also digital technologies have led – and will likely continue to lead – to major transformations in market conditions, both by enabling new products and services and by transforming or even extinguishing established ones.Footnote 15 In response to the economic significance of digitalisation, much of the EU digital acquis ultimately finds its legal basis in the EU’s broad internal market competence.Footnote 16 Even regulatory instruments that are otherwise grounded, such as the General Data Protection Regulation (GDPR),Footnote 17 acknowledge the need to stimulate digitalisation within the EU and its Member States.Footnote 18 In this section, however, we articulate how this market focus is increasingly tempered by the pursuit of other policy aims, notably those related to security and the protection of fundamental rights.
By claiming that those policy aims are becoming increasingly relevant, we do not mean to dismiss their previous appearances in the digital domain. A long line of case law of the Court of Justice of the European Union (CJEU) acknowledged the need to observe fundamental rights in the governance of the internal market,Footnote 19 even before those rights were formally incorporated into an EU Charter of Fundamental Rights (CFR).Footnote 20 To the extent that digital regulation takes place within the legal framework of the internal market, it must therefore observe the same fundamental rights requirements applicable to other forms of EU market regulation.
Likewise, one particular dimension of security has long featured in digital regulation: cybersecurity, that is, the protection of infrastructure and human activities in cyberspace against hostile action.Footnote 21 By stipulating legal requirements that promote the confidentiality, integrity, and availability of networks and information systems, the EU legislator aimed to support the uptake of digital technologies by ensuring that their users can trust that such technologies will not affect their rights and interests.Footnote 22 Therefore, security and fundamental rights were afforded indirect protection even in digital regulation focused on the development of the internal market.
A. The emergence of non-market rationales
Nonetheless, the EU’s approach to digital regulation over the last decade has made both regulatory aims more salient. Whereas earlier digital regulation would pursue those goals as an incidental aspect of market governance, more recent legislative instruments often frame security and fundamental rights as explicit policy aims. That is, they no longer impose constraints that must be observed in implementing market regulation, but rather desiderata put on an equal footing with market-making.
The explicit acknowledgement of non-economic goals in legislative text is accompanied by the pursuit of other goals that are not always reflected in binding norms, such as the EU’s ambition to position itself as a leader in the global governance of emerging technologies.Footnote 23 Faced with multiple priorities that do not necessarily push in the same direction, those who interpret, implement, or enforce such regulations must figure out how to balance the legal demands of regulations pursuing a variety of objectives.
While market-making, fundamental rights, and security do not exhaust the range of aims pursued by EU digital regulation, we focus on these three for several reasons. First, because they are particularly salient in the scholarship about EU digital law, as illustrated by the wealth of secondary literature quoted in this article. Additionally, understanding the relevance of each policy aim requires a closer look at the processes that give it relevance, suggesting the need to start by considering a smaller set of factors. Last but not least, the three policy aims framed in this paper align closely with broader logics of political development, such as the dynamics between market, identity, and security identified by Kathleen R. McNamara and R. Daniel Kelemen as key drivers of political change in Europe.Footnote 24
Our focus on these three dimensions thus highlights legal responses to broader developments at the European level, such as the intertwining between market mechanisms and the ‘geopolitical turn’ in EU politics,Footnote 25 and the EU’s emphasis on fundamental rights as part of its self-image.Footnote 26 In the following paragraphs, we will focus on how the accelerated pace of digitalisation since the beginning of the 21st century has been accompanied by a greater emphasis on fundamental rights in EU digital policy.
B. Fundamental rights in post-GDPR digital regulation
When it comes to the role of fundamental rights in digital regulation, a clear turning point can be seen in the 2016 reform of EU data protection law.Footnote 27 While the idea that data protection law should protect fundamental rights was consolidated even before that,Footnote 28 the provisions of the GDPR and its contemporary data protection instruments reflect two then-recent developments that made fundamental rights even more salient in that legal framework.
On the one hand, the EU legislators were responding to the widespread use of digital technologies and the internet. Digitalisation, in its broadest sense, is not a new phenomenon or legal concern. Already in the early days of data protection law, digital databases and early information networks were acknowledged as sources of risk to privacy and other fundamental rights.Footnote 29 Still, the propagation of innovations such as the Internet, smartphones, or – more recently – artificial intelligence chatbots has changed the interactions between individuals, institutions, and technologies. Digital technologies could no longer be seen as a niche concern, as they permeate more and more social dynamics governed by the law as well as the societal infrastructures that make such interactions possible.Footnote 30 Due to these changes, legislators, authorities, and the courts have all spent considerable energy in identifying and addressing risks that those technologies can create to the rights of individuals and groups,Footnote 31 which the GDPR has explicitly sought to address.Footnote 32
On the other hand, the social changes brought about by digitalisation roughly overlapped with a major transformation in EU law. With the Lisbon Treaty, the Charter of Fundamental Rights became EU primary law on an equal footing with the Treaties,Footnote 33 reinforcing the importance of fundamental rights for the EU’s regulatory activities.Footnote 34 Between these two developments, the political and legal imperatives for attending to matters of fundamental rights became much stronger for those developing and implementing digital regulation.
Neither of these factors has lost importance since then. Accordingly, much of the subsequent EU legislation on digital matters features at least some mention of fundamental rights. In some cases, those mentions amount to little more than an acknowledgement: for example, the NIS2 Directive features only four mentions of fundamental rights, all in its recitals.Footnote 35 Others, instead, feature specific legal requirements directed at fundamental rights, as Section 5 below explores in more detail. However, one element shared by those approaches is their lack of differentiation between rights.
C. Fundamental rights as an undifferentiated category
Although the Charter of Fundamental Rights protects a wide range of rights, post-GDPR digital regulation rarely details specific rights that must be protected. For example, the Digital Services Act refers to the protection of ‘fundamental rights enshrined in the Charter’,Footnote 36 as does the AI Act in requiring that the providers of AI systems address risks to ‘to health, safety or fundamental rights’ that may ensue from the operation of certain types of system.Footnote 37 Tensions between fundamental rights are seen as accidental developments to be resolved on a case-by-case basis, rather than as deal-breakers preventing the adoption of legislation.
Viewing fundamental rights as largely compatible with one another, post-GDPR digital regulation mostly refrains from offering specific directions on how to handle practical value conflicts. These instruments tend to avoid providing specific guidelines for dealing with situations in which rights might be at odds, preferring instead to affirm that some rights must be protected ‘without prejudice’ to other legally protected interests.Footnote 38 Instead, fundamental rights are seen as a relatively uniform bloc that can be balanced with other interests, such as security or the promotion of technological innovation.
Such a posture might be somewhat optimistic, as scholarly work has identified many forms of friction between fundamental rights. For example, the exercise of the right to access public documents concerning a particular technological system might clash with other fundamental rights, such as the right to protection of personal dataFootnote 39 or the protection of the intellectual property of private actors involved in the system’s development.Footnote 40 It might even be the case that different facets of the same right are at odds with one another in a particular context: consider how regulation by design provisions might be effective in protecting aspects of a fundamental right that lend themselves to computational expression while failing to offer any cover to more subjective or incomputable aspects of the same right.Footnote 41 Potential conflicts like those are seldom addressed in current exemplars of EU digital regulation, which tend to frame fundamental rights as a cohesive whole. Accordingly, our analysis in this article treats ‘fundamental rights’ as a largely unified bundle of interests, except where a legal text distinguishes between rights.
3. The securitisation of EU digital regulation
Compared to fundamental rights, the logic of security is a relative latecomer to the digital acquis. While provisions about security as a regulatory goal can be found in earlier instruments such as the ePrivacy Directive,Footnote 42 they usually refer to the technical dimensions of the confidentiality, integrity, and availability of data, the systems that process it, and the networks in which it circulates.Footnote 43 Due to this focus on technical objects, earlier discussions about cybersecurity often addressed subjects very different from the ones present in traditional debates on security, which focused on how to respond to threats to a state’s existential interests.Footnote 44 Yet, discussions on both cybersecurity and security studies are now much broader than those traditional formulations.Footnote 45 Even if hacking incidents or data leaks are not the same as a war between neighbouring states or the spread of international criminal networks, there is now a growing consensus that cybersecurity is interconnected with the functioning of various societal domains. Accordingly, a recent European Commission report describes cybersecurity as essential for building resilience against hybrid warfare and other hostile acts against the EU and its Member States.Footnote 46 In the following paragraphs, we will examine how these expanded vistas of security affect the design and implementation of EU digital regulation.
Part of that impact stems from the broad reach of digitalisation. Digital technologies are adopted not only by consumers and private organisations, but also by parts of the state that perform traditional security functions. Because some technologies can be specifically deployed as security devices, enlisting them in security practices leads to ‘the pro-active use of regulation as a security tool’.Footnote 47 Examples in this respect are manifold. National armed forces rely on information and communication technologies and increasingly pursue the use of autonomous weapon systems.Footnote 48 The European Defence Fund is also increasingly financing research concerning such technologies.Footnote 49 There are also various technological tools that were not developed primarily for security purposes but can be used in this context, or where security is one of the relevant considerations alongside administrative efficiency. For example, the EU has notoriously developed a series of databases that support its Member States in border control, border management, and asylum functions, accessible by law enforcement authorities, including intelligence services.Footnote 50 Law enforcement agencies throughout the Member States also rely on digital technologies for a variety of functions, including the automated processing of collected information.Footnote 51 Such examples illustrate how digital technologies have become embedded in some of the core tasks of modern states.
However, the fact that technological developments are relevant for policy developments does not mean that technology causes changes in policy. As scholars in law and technology have shown extensively, the same set of technological developments may be framed differently by policy, and policymakers often have considerable discretion in responding to any particular framing.Footnote 52 In the case of security, Daniel Mügge posits that the prevalence of a security logic can lead either to a reassertion of unilateral public control over regulation – and therefore to a lesser willingness to pursue regulatory integration at all costs – or to public authorities being more eager than ever to seek multilateral agreement.Footnote 53 Both tendencies can be seen in the EU digital acquis.
A. Security as a source of difference in digital regulation
When it comes to such core security tasks, conferral of national competences to Member States remains somewhat limited. Article 4 of the Treaty on European Union declares that ‘national security remains the sole responsibility of each Member State’, and other types of security interests motivate a variety of derogations from EU primary law and exceptions in secondary law.Footnote 54 In response to such limits on policy action at the European level, EU policy-makers have moved forward by building differentiated regulatory regimes for matters within a traditional security interest.
Differentiated regulation can take many forms. Often, it appears as an attenuation of regulatory requirements that would apply to technologies relevant to the security domain. For example, high-risk AI systems used in law enforcement and migration management contexts are protected by additional confidentiality requirements regarding the information they must disclose to authorities.Footnote 55 Furthermore, the registration of high-risk AI systems to the EU database, foreseen in Article 71 of the AI Act, takes place in a ‘secure non-public section of the EU database’, accessible only to the Commission and national authorities.Footnote 56 However, security interests can also lead to the application of tighter regulatory regimes at the EU level. In particular, the Dual Use Regulation limits the exports of certain technologies to non-EU jurisdictions.Footnote 57 Either way, the presence of a security interest affects the laws applicable to technologies, which would be governed differently if one looked only at their technical properties.
B. Digital sovereignty and the EU digital acquis
Another direction of EU policy action is the pursuit of European digital sovereignty. In scholarly and policy circles, there is considerable debate about what such sovereignty would entail,Footnote 58 including proposals for the development of European alternatives to technologies that are widely used in the EU but are currently supplied by third countries,Footnote 59 limits to the activities of ‘Big Tech’ corporations within the borders of the EU,Footnote 60 and other measures to make the Member States less dependent on technologies subject to the influence of private interests and/or the EU’s geopolitical rivals. Despite this lack of agreement on the precise contours of digital sovereignty, the concept has been used to articulate policies that steer EU action towards greater control over technological infrastructure and applications.Footnote 61
Such policies operate partly by funding the development and adoption of emerging technologies in ways conducive to EU sovereignty.Footnote 62 Another substantial element of the EU’s push towards digital sovereignty, as we shall discuss in a moment, is built on its regulatory capacity. And the process of repurposing that capacity to promote sovereignty leads to some changes in regulatory models originally developed to ensure a well-functioning internal market.
C. The securitisation of cybersecurity
The final interface between security and digital regulation covered in this section is the securitisation of cybersecurity in the EU. Cybersecurity has been recognised as a distinct sector with a particular constellation of threats.Footnote 63 Myriam Dunn Cavelty notes that cybersecurity operates within a continuum between securitisation tendencies and technological routine, whereby securitising actors mobilise individuals’ experiences of insecurity to ensure their partnership and compliance and connect hypersecuritising scenarios to their lived experiences.Footnote 64 However, as digital technologies vary widely in their applications and the field is thus undefined, the scope of appropriate securitisation has been subject to contestation.Footnote 65 Importantly, when digital tools were not so widely adopted and were relevant only to specific economic and public sector activities, even major failures in particular organisations would not result in existential threats. Nowadays, however, the interconnection between information systems and the sheer range of activities carried out with the use of digital technologies mean that a failure in the confidentiality, integrity, or availability of a digital system might propagate to a broad range of social activities. As seen in the previous paragraphs, some of these activities are themselves crucial to the promotion of security writ large, and so a cybersecurity failure in one of them might lead to a broader security threat.
Among the existential risks that might stem from cybersecurity issues, one is especially salient in the EU: the risk of disruptions to the Single Market. Because the free flows of goods, services, capital, and labour are one of the main sources of legitimacy for the EU,Footnote 66 vulnerabilities in individual computer systems can no longer be seen as threats just to the interests of a single market actor. Instead, they may have systemic effects by interfering with the economic liberties that lie at the heart of the European project. To prevent localised cybersecurity failures from escalating to an existential level, the EU has made cybersecurity a major pillar of its overall security strategy.Footnote 67
Just as in the context of digital sovereignty, the EU’s response to cybersecurity issues involves the development of infrastructure and a shift in regulatory priorities. Regarding infrastructures, the EU plans to fund the development of various European-based technologies and technological providers, for example, by funding research on post-quantum encryption algorithmsFootnote 68 or awarding framework contracts for ‘sovereign cloud services’.Footnote 69 As a regulator, the EU fosters cybersecurity by adopting legal frameworks that require the adoption of security-promoting technical measures in specific contexts, such as the provision of critical digital infrastructureFootnote 70 or products with digital elements,Footnote 71 as well as by introducing cybersecurity-related provisions within broader regulatory instruments.Footnote 72 Through such measures, EU cybersecurity policy seeks to ensure that technical aspects of digital technologies do not pose existential risks to the operation of the Single Market, to other core EU policy areas, or any of the other concerns highlighted above.
D. Producing security through regulation
The EU also deploys regulation in a constitutive role, that is, to help develop institutional capabilities that can respond to – or, ideally, pre-empt – digital threats to security. At the supranational level, various legal instruments position ENISA, the EU cybersecurity agency, as an information hub through which private actors and national regulators can share knowledge and coordinate their actions.Footnote 73 EU legislation harmonising digital markets can also include security-related obligations for Member States, such as the duty to adopt a national cybersecurity strategy under Article 7 of the NIS2 Directive. Finally, EU regulation of digital markets often requires market actors themselves to adopt security measures, as seen in the security-by-design requirements set out in Article 32 of the GDPR. EU regulation of digital technologies is therefore aimed not only at ensuring the technical security of digital artefacts, but also at mobilising actors to address threats to security interests.
While that institutional mobilisation has been studied in the narrower context of cybersecurity, it can also be found with regard to broader security interests. For example, the EU has established a Code of Practice on Disinformation that involves online platforms in a co-regulatory mechanism to address the systemic risks of disinformation practices.Footnote 74 As such, the main direction of the EU’s efforts towards security in the digital environment falls into what Andreas Kruck and Moritz Weiss have termed the ‘regulatory security state’,Footnote 75 in which it overcomes its relatively narrow positive competences in security matters by using regulation to steer supranational, national, and private actors towards the promotion of security goods. The growing emphasis on security in EU digital regulation does not come at the expense of the central role of the internal market but rather depends on it.Footnote 76
4. The interplay between security and fundamental rights
So far, we have argued that recent years have seen an expansion of logics of security and fundamental rights in EU digital regulation. Some critiques of these developments have argued that broadening policy aims comes at the expense of developing a genuine EU digital single market.Footnote 77 Our argument offers some pushback against this perspective: Sections 2 and 3 above both illustrate how security and fundamental rights logics in EU digital regulation build on existing market logics, even as they lead to some change in those logics. Yet we still need to consider the possibility that the interplay between these logics, in a regulatory domain largely governed by market logics, can undermine one or more of these policy goals. To do so, this section identifies three approaches that EU digital regulatory instruments use to reconcile potential tensions between security and fundamental rights.
A. Defusing tensions through denial
The first approach is to frame conflicts between fundamental rights and security as irrelevant, because only one of those regulatory goals actually matters in practice. In theory, irrelevance could cut both ways; policymakers could amplify the rhetoric of security without actually following through with measures to promote security-related goods. In practice, however, security-promoting measures are so ubiquitous that scholars often argue that defences of human rights in some pieces of legislation amount to little more than window-dressing. For example, Charly Derave, Nathan Genicot, and Nina Hetmanska claim that the EU’s emphasis on lawfulness as an element of ‘trustworthy AI’ is meant to legitimise the use of rights-intrusive, algorithm-based technologies grounded by law, such as those used for border management.Footnote 78 If that is indeed the case, any conflicts between what is needed to protect fundamental rights and what is needed to produce security-related goods will be resolved in favour of the latter. Regulatory instruments will at most provide for fundamental rights safeguards that can be vague, insufficient, or rife with exceptions.
B. Having your cake and eating it, too
Another approach to the coexistence of fundamental rights and security as policy goals focuses on the synergies between them. Unlike the previous case, this approach views both security-related and fundamental rights-related goals as critical for policy. However, it justifies eventual trade-offs between the two aims by claiming that pursuing one of them might lead to a better overall level of achievement for both.
Once again, it would theoretically be possible to frame this view in terms that favour the protection of fundamental rights. For example, one can point towards the ages-old discussion about the role of socio-economic interventions in reducing criminality.Footnote 79 Depending on how one reads the relevant scholarship, policies that mitigate various forms of social inequality might be more successful in reducing crime than repressive measures. In that case, measures that promote fundamental rights such as human dignity, education,Footnote 80 and fair and just working conditionsFootnote 81 would indirectly lead to a higher level of security.
In the digital domain, however, the most common direction of argumentation is the opposite one. That is, security-promoting measures are often defended on the grounds that security is a necessary precondition for effective protection of fundamental rights. This defence can take many forms.
In the AI Act, for example, cybersecurity is mentioned as crucial for ensuring the resilience of an AI system’s use, behaviour, performance, and security properties against malicious third parties.Footnote 82 Given that many of the Act’s regulatory requirements are framed in terms of protecting fundamental rights, it follows that effective cybersecurity is meant to prevent certain types of interference with those rights.
Contrastingly, the Cyber Resilience Act makes no explicit reference to fundamental rights as a goal for protection, and it does not enshrine any remedy for natural or legal persons. Still, as Pier Giorgio Chiara argues, it offers a holistic approach to rights protection by flagging the potential for violations of national and EU law on fundamental rights as an element that must be considered in the analysis of cybersecurity risks.Footnote 83
If a minimum threshold of security is necessary to reduce the risks of fundamental rights violations, one might argue that prioritising security-promoting measures will not only improve security but also lead to an overall superior standard of protection of fundamental rights. Therefore, prioritising security in the case of (apparent) clashes between those two regulatory aims would lead to a win-win scenario.
C. When security and fundamental rights clash
It is not always clear, however, that promoting security leads to a higher level of fundamental rights protection. One might argue, for instance, that mass surveillance of public spaces leads to a much greater erosion of fundamental rights standards than any harms that it might prevent.Footnote 84 In that case, the choice of whether to prioritise security or fundamental rights is not a matter of choosing the best way to achieve a single goal. Instead, we face clashes of goals, as promoting one policy aim in practice might come at the expense of another.
Practical conflicts between policy goals are part and parcel of real-world policymaking. One way to resolve them is to establish that one of the values at stake has lexical priority over the other:Footnote 85 when forced to choose between two values, policymakers can stipulate that one of them always wins. For example, fundamental rights in the EU and many of its Member States are understood to have an ‘essence’, that is, some core aspects that cannot be ‘diminished, restricted, or interfered with’,Footnote 86 even if such interference would substantially advance public interests such as the promotion of other fundamental rights.
Another example of lexical priority would be an extreme version of the synergy argument introduced above, namely, the claim that security should always take precedence over fundamental rights, since any protection of the latter would fall apart without the former.Footnote 87 Either way, the clash between public values only leaves room for pursuing other values to the extent that they do not clash with the one deemed a priority.
Yet in legal contexts, the prevailing view is that clashes between public values should be resolved through a proportionality assessment.Footnote 88 Anyone trying to resolve a perceived conflict between two values – in our case, between security and the protection of fundamental rights – is expected to find an equilibrium in which the extent to which a measure interferes with one of the values is justified by the positive effects and the importance of the other value(s) advanced by that measure. This exercise is commonly described as ‘balancing’ the public interests at stake. However, Mireille Hildebrandt introduces a relevant distinction between the act of balancing – in which potential harms are compensated by the adoption of safeguardsFootnote 89 – and the computation of trade-offs, in which gains to one value offset losses to another in a zero-sum game.Footnote 90 Because a regulatory response might involve both a balancing exercise and the calculation of trade-offs, this paper views both processes as forms of articulation between clashing goals.
Various methods have been proposed for such an assessment, ranging from semi-quantitative ponderations of valuesFootnote 91 to the more informal proportionality tests present in EU judicial practice.Footnote 92 Furthermore, the relative weights assigned to each goal at stake might differ: they might be considered essentially equivalent, or one of them might be deemed so important that only a substantial impact on other goals would suffice to offset non-trivial gains from promoting it. The label of ‘articulation’ can therefore cover a wide range of policy positions. For our purposes, however, these positions are unified by one thing: no matter how good a particular measure is at promoting security, there is some degree of interference with fundamental rights that would render it unjustifiable.Footnote 93
D. A typology of fundamental rights and security
We can summarise the different views outlined above with the following typology:
-
1. Irrelevance: The emphasis on fundamental rights is mere window-dressing, meant to legitimise regulation that is interested in security alone.
-
2. Synergy: Promoting security leads to an improved level of fundamental rights and vice versa.
-
3. Clash of goals: There are real trade-offs between security and fundamental rights in the feasible courses of action.
-
a. Lexical priority: Security needs to be prioritised because it is a precondition for any meaningful protection of fundamental rights.
-
b. Articulation: There is some amount of interference with fundamental rights that would render even a security-maximising proposal disproportionate.
-
The types outlined above are ideal types, that is, abstractions meant to simplify the issues at stake. A previous attempt at such simplification was made by Maria Grazia Porcedda, who proposed that the relationship between cybersecurity, privacy, and data protection could be understood as a spectrum of reconciliation ranging from zero-sum conflicts to complete complementarity of aims.Footnote 94 The typology offered in this article extends Porcedda’s account by adding a rhetorical dimension (the irrelevance case seen above), expanding the discussion of the securitisation of cybersecurity in light of recent developments, and dealing with fundamental rights beyond privacy and data protection. By incorporating those additional elements, we posit that our typology can shed further light on how the logic of security can both feed on the logics of market development and the protection of fundamental rights and, to a certain extent, direct their implementation. To make this case, we will now analyse recent pieces of EU legislation in the digital domain.
5. Three case studies of EU digital regulation
One challenge faced by any attempt to take a broad perspective on EU digital regulation is the sheer scale of policymaking. A recent overview identifies over 100 digital-relevant policies adopted or proposed as of July 2025.Footnote 95 To make sense of policy at this scale, some authors have resorted to computational techniques such as large-scale topic analysis.Footnote 96 Without dismissing the value of such approaches, we propose a close reading of specific pieces of legislation representative of broader trends in the digital acquis.Footnote 97 More specifically, the rest of this section introduces three legislative instruments that we will analyse more closely: the AI Act (s 5.A), the Cyber Resilience Act (s 5.B), and the ChatControl 2.0 proposal (s 5.C).
The three instruments are selected because of some of their salient features. First, security and fundamental rights feature explicitly in all of them. The AI Act and the ChatControl 2.0 proposal both feature the protection of fundamental rights in their justification, while the CRA incorporates it as a component of its view of cybersecurity risks. Cybersecurity is mentioned in the AI Act and the CRA as something that the regulation is meant to produce, while the ChatControl 2.0 proposal focuses on security more broadly while being grounded on the debated premise that its proposed interventions will not harm cybersecurity. Hence, the three instruments illustrate different contexts in which the EU legislator has deemed that regulation of digital technologies was needed to further both fundamental rights and security, even if with different priorities in each case.
Second, all of the selected instruments have been the subject of considerable written production. For the CRA, much of the discussion is academic, while the ChatControl 2.0 proposal has not yet given rise to a sizable scholarship but is intensely debated in policy circles and venues such as academic blogs, and the AI Act has been the subject of both extensive debates over its legislative procedure and a growing body of scholarship. By drawing on these sources, it is possible to identify rationales commonly invoked to guide the interpretation of the instruments, or to propose alternatives.
The selection of these three legal instruments thus allows us to concentrate on the interpretation of specific legal instruments in their particularities.Footnote 98 They are similar enough in their technological focus to allow meaningful comparison, while still different enough that the analysis of each text reveals distinct facets of how the relationship between fundamental rights and security is managed in the EU digital acquis.Footnote 99 It is now time to introduce what makes them unique.
A. The AI Act: cybersecurity as a means for public values
The AI Act is an EU regulation, adopted on 13 June 2024, which establishes harmonised rules for artificial intelligence. For the most part, its legal basis is the market harmonisation competence in Article 114 TFEU,Footnote 100 and this inclination towards a market logic is reflected in the chosen regulatory approach. Drawing a leaf from the book of EU product safety,Footnote 101 the AI Act defines two AI-related products and defines rules for their commercialisation within the EU single market.Footnote 102 Some of these rules are technical requirements that must be observed before commercialisation, while others establish duties for governance and surveillance after the products have been placed on the market or otherwise put into service.Footnote 103
The first of those products is the AI system, which is machine-based system with particular capabilities.Footnote 104 Under the Act, AI systems can never be used for certain applications,Footnote 105 and the systems used for certain high-risk applicationsFootnote 106 are subject to harmonised rules regarding their placing on the market, putting into service, and use.Footnote 107 The other object regulated by the AI Act is the AI model: a technical component that allows an AI system to produce its distinctive traits.Footnote 108 Some models, labelled ‘general-purpose AI models’ for their versatility, are subject to special rules before they can be placed on the market.Footnote 109 To use an analogy from another product safety domain, it is as if the AI Act established rules for automobiles (AI systems) and for certain turbocharged engines (general-purpose AI models).
This tiered approach, in which most AI systems and models are not subject to new rules, is meant to foster the uptake of intelligent technologies and support innovation, while promoting trust in the technology by addressing potential risks that AI might cause to health, safety, fundamental rights, democracy, the rule of law, and environmental protection.Footnote 110 The pursuit of this broad set of goals has produced a complex piece of legislation, with 113 articles, 180 recitals, and 13 annexes, not including the delegated and implementing acts it authorises.
A complete overview of this framework exceeds the scope of the article,Footnote 111 but it is nonetheless possible to highlight how both security and fundamental rights are extensively mentioned in the AI Act’s provisions. The final text of this regulation features 103 mentions of ‘fundamental rights’, including obligations that providers of AI systems identify and address risks to fundamental rights,Footnote 112 mandatory fundamental risk impact assessments for certain applications,Footnote 113 and the involvement of authorities charged with the protection of fundamental rights in regulatory sandboxesFootnote 114 and in the overall enforcement of the Act.Footnote 115 The result is a framework in which fundamental rights are hardly an ‘afterthought’,Footnote 116 even if substantial criticisms of the Act’s approach to fundamental rights are possible.Footnote 117
The term ‘security’ also features prominently, with more than a hundred mentions encompassing not just cybersecurity but also other aspects of the concept. Regarding the former, cybersecurity is a requirement for high-risk AI systemsFootnote 118 and the most sophisticated general-purpose AI models,Footnote 119 as well as a necessary competence for enforcement bodies.Footnote 120 Those requirements are meant to ensure that AI systems are ‘resilient against attempts to alter their use, behaviour, performance, or compromise their security properties’.Footnote 121 By imposing such requirements, the EU legislator reassures society that any lawful AI systems or models will be protected from such malicious interference with their operation, in line with the risk each system or model poses.Footnote 122 The cybersecurity requirement is therefore aligned with the Act’s objective of fostering trust in AI technologies.
Other aspects of security play different roles in the AI Act. Sometimes, security imposes a strict limit on regulation. The Act does not apply in contexts where AI is used exclusively for military, defence or national security purposes,Footnote 123 and the prohibition of real-time remote biometric identification in publicly accessible spacesFootnote 124 is subject to a series of exceptions based on public security interests. Security rationales are also invoked to sustain a series of carve-outs from the AI Act. Exceptional reasons of public security can justify a derogation from conformity assessment procedures otherwise applicable to high-risk AI systems,Footnote 125 and the market surveillance authorities are subject to several confidentiality restrictions when handling information about systems used for law enforcement, immigration, or asylum purposes.Footnote 126 Finally, the AI Act creates conditions to foster certain AI applications that are seen as beneficial for security, for example, by establishing special conditions for the reuse of personal data for law enforcement purposes (including the prevention of threats to public security) within regulatory sandboxes.Footnote 127 In AI regulation, security is not merely a matter of technical cybersecurity.
B. The Cyber Resilience Act: public values as constraints
The Cyber Resilience Act (CRA) shares some of its key features with the AI Act. They were adopted in the same year and are both patterned after product safety regulation, featuring requirements that must be observed before a product enters the EU single market and market surveillance requirements afterwards. The AI Act and the CRA also apply to broad categories of products; in the latter case, the regulation is meant to apply to all products with digital elements, defined as software and hardware products and their remote data processing solutions,Footnote 128 as opposed to the relatively narrow object of traditional product safety laws.Footnote 129 However, its approach to incorporating fundamental rights and security differs from that of the AI Act.
That difference is reflected primarily in the central role that cybersecurity plays in the CRA. Whereas the AI Act seeks to promote a cornucopia of public values, the CRA is sharply defined as a tool to promote cybersecurity in the narrower technical sense discussed in Section 3 above.Footnote 130 To prevent cybersecurity-related harms and address any that actually occur, the CRA establishes requirements for the design, development, production, and commercialisation of those products, as well as obligations related to the mandatory disclosure of information about software and hardware vulnerabilities.Footnote 131
As in the AI Act, the CRA divides the covered products into categories based on perceived risk. In the CRA, however, products in different risk categories are not subject to radically different regulatory requirements.Footnote 132 Risk classification affects, instead, the stringency of those requirements: for example, products with digital elements that have the core functionality of a product category listed in Annexes III or IV of the CRA are subject to specific conformity assessment procedures.Footnote 133 Because products with digital elements often rely on free and open-source components that would not themselves be considered products, the CRA also includes rules for volunteers contributing to such components.Footnote 134 In all those cases, the CRA’s obligations focus on mandating the adoption of technical measures and the sharing of information about technical vulnerabilities.
This is not to say that other public values are absent from it. Fundamental rights appear indirectly, as the CRA’s provisions must be interpreted in light of the fundamental rights in the CFR.Footnote 135 They also appear as a direct requirement, as a product that complies with the CRA’s requirements might nonetheless be deemed to present a significant cybersecurity risk if it has the potential to cause loss or disruption that leads to non-compliance with obligations under EU or national law intended to protect fundamental rights.Footnote 136 National and public security appear, instead, as constraints to the CRA’s scope: products with digital elements developed or modified exclusively for national security and defence purposes fall outside this Act’s scope,Footnote 137 and national and public security or defence interests can be invoked to limit the mandatory disclosure of information about cybersecurity vulnerabilities.Footnote 138 Therefore, the CRA is less concerned with promoting those public values than with safeguarding them from potential interference stemming from measures that promote cybersecurity.
C. ChatControl 2.0: cybersecurity and fundamental rights as irritants?
Finally, the ‘ChatControl 2.0’ proposal to prevent and combat child sexual abuse online aims to create a mandatory EU framework for the detection, reporting, and removal of child sexual abuse material (CSAM) from online communication services. The proposal aims at replacing the Interim Regulation, which provides a temporary legal basis until 2026 enabling interpersonal communication services to continue their voluntary practices to detect, report and remove CSAM online as a ‘temporary derogation’ from the ePrivacy Directive (‘ChatControl 1.0’).Footnote 139 This means that, unlike the previous two cases, the ChatControl 2.0 proposal, if approved, will lead to a sector-specific instrument, which introduces obligations that are directed at the governance of online platforms rather than digital technologies in general.
The proposal introduces a two-step approach that must be followed by providers of information society services, including providers of interpersonal communication services and of hosting services. First, these providers conduct risk assessments to identify whether their services are being misused to disseminate CSAM.Footnote 140 These providers are also obliged to take appropriate measures based on the outcome of the risk assessment. As a second step, the proposal introduces the possibility for judicial authorities or independent administrative authorities at the national level to issue detection, removal, or blocking ordersFootnote 141 in relation to known CSAM, unknown CSAM and grooming.Footnote 142 The ChatControl 2.0 proposal prescribes procedural guidelines and safeguards concerning the scope of the detection order, the timeline, the application, the protection of personal data, and quality management.
The proposed rules are to be applied to all types of interpersonal communication, including encrypted and non-encrypted communications, possibly leading to generalised scanning of communications especially to identify unknown CSAM and grooming.Footnote 143 While the legislative proposal does not explicitly make this distinction, end-to-end encryption (E2EE) is referred to in recital 26. Addressing the 20th anniversary summit of the European Data Protection Supervisors in June 2024, former European Commission Vice-President Věra Jourová admitted that the proposed CSAM scanning rule clarified that even encrypted messaging can be broken in the name of better protecting children.Footnote 144
Including E2EE communications within the scope of application of the ChatControl 2.0 proposal constitutes a major change compared to the Interim Regulation, which provides only a legal framework for providers of information society services to detect, report, and remove identified CSAM in non-E2EE communications. As a result, though the ChatControl 2.0 proposal does not per se constitute a cybersecurity instrument, some of its provisions arguably lead to the reduction of cybersecurity levels by weakening E2EE and creating systemic vulnerabilities in terms of cybersecurity that can be exploited by criminal organisations and hostile actors.Footnote 145 This outcome is justified in terms of the protection of the fundamental rights of childrenFootnote 146 and of addressing the public security risks caused by the kinds of cybercrime the regulation purports to combat.Footnote 147 This manifests an additional rift between cybersecurity in its narrow sense and the broader security interests pursued through ChatControl 2.0.
Aside from this matter, the proposal has raised significant criticism about the violation of various fundamental rights, in particular privacy, data protection and freedom of expression, while journalistic investigations and interventions by civil society organisations highlighted issues of transparency and conflicts of interest.Footnote 148 In its report, the European Parliament introduced an end-to-end encryption exception, a limitation on detection orders in cases of specific suspicion, and strengthened security controls.Footnote 149 On the contrary, the Council of the EU could not secure a consensus for the proposal by the end of 2025, as a strong ‘blocking minority’ of Member States (Germany, Luxembourg, Austria, the Netherlands, etc) opposed the generalised scanning.Footnote 150
6. When security and fundamental rights clash in the digital single market
Having introduced the three case studies, it is now time to look at them together. Given the different approaches and priorities mapped in Section 5 above, one might expect some tensions between how they implement market, security, and fundamental rights logics. In this section, we explore these tensions by examining three guiding questions: Which, if any, of the models described in Section 4 prevails in EU digital regulation (s 6.1)? Are the tensions between policy goals handled differently across policy domains (s 6.2)? How do different actors construe the relationship between the logics of security and fundamental rights (s 6.3)? By evaluating these questions in the three case studies, we show how these logics mutually support each other in practice, rather than merely displacing one another.
A. The role of fundamental rights after digital securitisation
The first insight we extract from comparing these three instruments is that fundamental rights still occupy a place of importance in legal reasoning after the securitisation of EU digital law. From a normative standpoint, this conclusion is straightforward, as existing fundamental rights standards remain applicable. Yet, as discussed above, there is some reason to be sceptical that this normative status actually indicates that policymakers and enforcement authorities are taking fundamental rights seriously, especially as security-related concerns become more and more relevant in the rhetoric of EU digital policy.Footnote 151 Such scepticism, even if warranted, does not go as far as turning mentions to their protection into mere rhetoric.
From a formalistic perspective, the residual value of fundamental rights is evident in the structure of each of the three instruments under analysis. Though initial critiques of the AI Act suggested that it treated fundamental rights as an ‘afterthought’,Footnote 152 its final text embeds the protection of fundamental rights as a requirement for both system design and the risk management and product surveillance practices.Footnote 153 Likewise, the Cyber Resilience Act compels the providers of products with digital elements to include within their risk assessments the risk of non-compliance with national and EU obligations intended to protect fundamental rights.Footnote 154 Even in the ChatControl 2.0 proposal, often criticised as posing considerable interference with fundamental rights,Footnote 155 their protection features in substantive requirements, such as limiting the risk mitigation measures that might be requiredFootnote 156 and the reach of detection orders for child sexual abuse materials.Footnote 157 Hence, even the most security-driven formulations still include references to fundamental rights in their recitals, as well as some consideration of their implications within their binding provisions.
Alas, mere formal acknowledgement does not always translate into real-world consideration. Some of the sharpest critiques of the abandonment of fundamental rights in this domain stem, in fact, from the mismatch between legal obligations and institutional practices.Footnote 158 Any potential issues from the disregard of fundamental rights are exacerbated by the life cycle approach adopted in EU digital regulation, which requires regulated actors to implement measures throughout the design and use of digital systems, until deactivation.Footnote 159 From that approach, it follows that design measures that sacrifice some degree of protection of fundamental rights in favour of security might become entrenched in specific digital systems, while subsequent interventions might provide new venues for reinforcing security-based measures, for example, through weakening existing safeguards such as anonymisation.Footnote 160 Even a formally robust legal framework might therefore find its delicate balance between security and fundamental rights upset by the practices of those charged with implementing and enforcing it.
Given that the instruments in question are relatively novel, it is not yet feasible to get the full picture of how they are implemented by various stakeholders at the national and EU levels.Footnote 161 Important stakeholders, such as the European Data Protection Supervisor,Footnote 162 have already signalled the importance of ensuring those provisions are implemented in practice. Yet, the formal incorporation of logics of fundamental rights into the text of all three legal instruments opens up some paths for legal mobilisation. In the case of the ChatControl proposal, some of the legal requirements impose actions that can directly affect the rights of individuals, such as detection orders that mandate scanning for certain illegal practices and may thus be challenged in court by affected individuals.Footnote 163 For the AI Act and the CRA, which operate at the level of digital artefacts, there is less margin for private enforcement against measures that fail to properly respect fundamental rights, as the impact of such failures is structural rather than directed at particular individuals. Contestation of any disregard to fundamental rights would require different approaches, such as complaints to the European OmbudsmanFootnote 164 or, in the case of problems with regulatees, enforcement by regulatory authorities. Because such mechanisms might address gaps in the practical concern with fundamental rights, treating references to fundamental rights as purely rhetorical is not an accurate description of either the legal texts in question or current implementation practices. The irrelevance hypothesis, therefore, does not hold. At least for now.
B. Different balances in different domains
Although the securitisation of digital regulation does not reduce the protection of fundamental rights to rhetoric, it still shapes the form and limits of that protection. Previous scholarship on digital fundamental rights has noted that courts – including the European Court of Human Rights – have recognised that security needs can often justify restrictions to privacy and other rights, in both physical and virtual spaces.Footnote 165 Yet, even in the most permissive case law in democratic countries, interference with those rights in the name of security must serve some broader purpose. In the three case studies, that justificatory need is addressed through the remaining two prongs of the typology – synergy and clash of goals – with the latter prevailing.
Synergy-based approaches to the relationship between security and fundamental rights can be found in the non-binding provisions of both instruments. The AI Act, for instance, presents the promotion of cybersecurity as a technical requirement that mitigates the potential harm promoted by the use of high-risk AI systems,Footnote 166 while the Commission frames the protection of the fundamental rights of children, as enshrined in Article 24(2) of the Charter of Fundamental Rights, as central to the objectives of ChatControl 2.0.Footnote 167 In fact, the ChatControl 2.0 proposal offers a peculiar type of synergy rationale. Not only are the security-promoting measures framed as necessary to promote the fundamental rights of children, but the rationale of the proposal itself acknowledges that such regulatory interventions are admissible only because of the special value ascribed to the protection of children.Footnote 168 Even previous instruments geared towards the fight against serious crime, such as the Terrorist Content Regulation, have fallen short of proposing measures that entail general monitoring of online content,Footnote 169 as is arguably the case with some of the ChatControl 2.0 provisions.Footnote 170 Therefore, the protection of fundamental rights is not simply a constraint for the pursuit of security in EU digital policy, and it can even become an enabler of further securitisation.
Nonetheless, legal instruments, accompanying policy documents, and scholarly literature are all quick to acknowledge the need for pressing trade-offs. None of the three instruments under analysis affords an explicit lexical priority to security. However, such a priority can be found among the stakeholders involved in the design and implementation of those instruments. Consider the final report of the High-Level Group on law enforcement access to data,Footnote 171 which defends extensive access as necessary for promoting public security.Footnote 172 It defines the European Union as ‘an area of freedom, security and justice where fundamental rights […] are respected’.Footnote 173 This formulation suggests that fundamental rights are important – and indeed the document mentions the need to ensure that access provides safeguards to fundamental rightsFootnote 174 – but nonetheless positions security as foundational to the EU project. Yet, this conceptual precedence of security over fundamental rights is not reflected in any of the legal sources under analysis.
Evidence for the articulation of both goals is more extensive. In the ChatControl 2.0 proposal, 15 of the 19 mentions of ‘balancing’ refer to balancing fundamental rights, including the rights of individuals affected by the measure, such as freedom of expression, as well as the children’s rights enshrined in Article 24 of the CFR.Footnote 175 The AI Act is less explicit on the question of the balancing exercises that might be necessary, but it nonetheless imposes the protection of fundamental rights as a requirement in the classification of high-risk AI applicationsFootnote 176 and of models with systemic risk,Footnote 177 as well as in the definition of the measures applicable to either category. Finally, the Cyber Resilience Act does not include an explicit obligation to protect fundamental rights, but it does set compliance with fundamental rights law as one of the criteria for assessing the presence of a cybersecurity risk in a real-world environment.Footnote 178 Therefore, all three instruments place fundamental rights as constraints in the pursuit of security.
The mere existence of a constraint is not enough to show that it substantially restricts actions that interfere with fundamental rights. After all, it might be the case that security is deemed so much more important for relevant stakeholders that any but the most egregious violations of fundamental rights might be deemed politically acceptable if they lead to an increased sense of security. As such, it becomes necessary to consider how stakeholders have framed these balancing exercises in practice.
C. The dramatis personae of prioritisation
The AI Act, the CRA, and the ChatControl 2.0 proposal feature many of the same institutional actors. All three are proposals subject to the ordinary legislative procedure, in which the Commission initiates discussions, and the Parliament and the Council are co-legislators on equal footing.Footnote 179 Furthermore, their implementation involves the articulation of EU-level actors,Footnote 180 private companies, and national regulators. The differences in context, however, mean that actors aligned on one regulation are not necessarily on the same page for another.
To illustrate the fluidity of those coalitions, one can contrast the AI Act and the ChatControl 2.0 proposal. As Francesca Palmiotto’s analysis of the AI Act’s travaux shows, the Council has consistently formed an institutional position in favour of reducing fundamental rights constraints to the use of AI in law enforcement and asylum and migration, while ensuring that the legal text does not touch on matters of national security and defence, understood in a broad sense, seen as the domain of the Member States.Footnote 181 The Parliament’s position, in contrast, has pushed for clearer safeguards to fundamental rights in the governance of high-risk AI systems and general-purpose AI models, even including individual rights that were not present in the Commission’s original proposal.Footnote 182 The result is a regulatory instrument that, despite falling short of the expectations of some scholars and civil society stakeholders in this regard,Footnote 183 nonetheless featured a more extensive engagement with the protection of fundamental rights than the original proposal.Footnote 184
For ChatControl 2.0 – at least to this point – there has been much less alignment among states on how to accommodate both fundamental rights and security. Some Member States draw red lines on the interference with fundamental rights that certain provisions entail. Some of these red lines, in fact, are sharper on fundamental rights protection than the agreement produced by the Parliament.Footnote 185 In particular, the concerns stemming from the mandatory mass scanning of private communications that fundamentally undermines end-to-end encryption by creating ‘backdoors’ have resulted in the different Council Presidencies being obliged to offer different approaches, for example, by watering down the scope of the detection orders to visual content only.Footnote 186 Nonetheless, the potential of vulnerabilities that can be exploited by hackers and hostile nation states remains margnialised, under the pretext of children’s protection.Footnote 187 It is not always straightforward to find institutional actors that constantly prioritise security over fundamental rights, or vice versa.
Furthermore, one must keep in mind the intimate connection between security and the legitimacy of national states. Thanks to that link, institutional positions at the EU level do not necessarily preclude Member States from diminishing the relative weight of fundamental rights in their balancing exercises. For example, Xavier Groussot and Gunnar Thor Petursson point out that both the Charter of Fundamental RightsFootnote 188 and Treaty on European UnionFootnote 189 have the potential to encroach into national autonomy to delimitate what matters fall outside the scope of EU law due to the manifold national security carve-outs in the Treaties and secondary legislation.Footnote 190 Yet, Member State apex courts have developed doctrinal positions that empower them to disapply decisions of the Court of Justice of the European Union that exceed what those courts deem appropriate.Footnote 191 As a result, evaluations about how to balance fundamental rights and security as regulatory goals in EU digital law remain fragmented and subject to changes in light of political developments at the European and national levels.
7. Conclusions
The EU’s contemporary approach to digital regulation serves many masters. Far from being solely a vehicle to economic interests, it is also mobilised to protect fundamental rights in the digital age and to address Europe’s security anxieties. Because these policy aims do not necessarily pull in the same direction, a growing body of literature has identified tensions between them and suggested potential ways to defuse those tensions. In this article, we have shown that such tensions tell only part of the story: even if the trade-offs are real, the logics of markets, fundamental rights, and security are also, to some extent, mutually reinforcing. Accordingly, we propose that the relationship between these three logics in the digital domain is better understood as a triple helix, in which the connections between these three policy aims produce a stable pattern that both supports and limits the development of each individual strand.
Casting the relationship between markets, fundamental rights, and security as a triad has some implications for how we should interpret EU digital regulation. On the one hand, this framing suggests that the prioritisation of one of these goals can affect how we interpret the others, as seen in the security-inflected readings of fundamental rights discussed in Section 6 above. On the other hand, each of the strands of the helix depends on the other to remain in place, which suggests that putting too much emphasis on one of the goals over the others may be harmful not just for the downplayed policy aims but for the prioritised goal itself. In particular, measures being advanced in the ChatControl proposal might undermine cybersecurity and, in doing so, increase the risk to the fundamental rights of children and the possibilities for exploiting cybersecurity vulnerabilities in ways that undermine public and national security. Therefore, the relationship between policy aims in digital regulation should not be understood just in terms of rhetorical legitimation or of trade-offs. It is necessary to take into account their mutually reinforcing dynamics.
In addition, the structure developed in this article points to potentially fruitful directions for research. It suggests the need to examine how the balancing between security and fundamental rights in particular contexts is affected by the relationship among market, security, and fundamental rights, and how they shape that relationship in turn. It also indicates the need to interpret the legal instruments discussed above in light of the particular balances between security and fundamental rights logics identified in each case, rather than relying on a one-size-fits-all view. Last but not least, the account of securitisation of the digital environment presented above also hints at the need for further attention to the role of digitalisation in the overall legitimacy of the EU. By enabling these lines of inquiry, the triple helix offers a model that can advance our view of how digitalisation transforms – and is transformed by – the growing securitisation of EU law.
Acknowledgements
The authors have used Grammarly Pro to revise grammar, word choice, and style. All sentences were written by the authors, and every change to the language employed in the manuscript was carried out by a human, even when acting on the tool’s suggestion. No generative AI was utilised to produce the contents of the article.
The authors would like to thank Pier Georgio Chiara, Harm Schepel, and two anonymous reviewers for their comments on previous versions of the manuscript.
Funding statement
This work received no specific grant from any funding agency, commercial or not-for-profit sectors.
Competing interests
The work of the three authors was funded under the University of Luxembourg’s Chair in Cyber Policy, an initiative supported by the Directorate of Defence of the Luxembourgish Ministry of Foreign and European Affairs. The Directorate did not direct, review, or otherwise participate in the research process.
Niovi Vavoula has co-authored a ‘Complementary impact assessment’ commissioned by the European Parliamentary Research Service with regard to the ChatControl 2.0 proposal. (PE 740.248, published in April 2023).
After leaving the Chair in Cyber Policy, Giacomo Zampieri joined the Italian Ministry of Foreign Affairs. His contribution to the article does not reflect the opinions of the current employer, nor was it subject to prior approval by the ministry.