Hostname: page-component-77f85d65b8-7lfxl Total loading time: 0 Render date: 2026-03-28T09:27:27.935Z Has data issue: false hasContentIssue false
  • English
  • Français

Back to the Future-Proof: Four Reforms for the Better Regulation of Dark Patterns Under the Unfair Commercial Practices Directive and Article 25 of the Digital Services Act

Published online by Cambridge University Press:  26 March 2026

Fabrizio Esposito Open the ORCID record for Fabrizio Esposito [Opens in a new window] ,
Cecilia Isola Open the ORCID record for Cecilia Isola [Opens in a new window] ,
Cristiana Santos  and
Martim Farinha
Fabrizio Esposito*
Affiliation:
NOVA School of Law and CEDIS, Universidade Nova de Lisboa, Portugal
Cecilia Isola
Affiliation:
Department of Private Law, University of Genoa, Italy
Cristiana Santos
Affiliation:
School of Law, Utrecht University, Netherlands
Martim Farinha
Affiliation:
NOVA School of Law and CEDIS, Universidade Nova de Lisboa, Portugal
*
Corresponding author: Fabrizio Esposito; Email: fabrizio.esposito@novalaw.unl.pt
Rights & Permissions [Opens in a new window]

Abstract

The efficacy of the “future-proof” Unfair Commercial Practices Directive against dark patterns is undermined by the fragmented regulatory landscape introduced by the Digital Services Act. Article 25 DSA creates four weaknesses: a general prohibition that is vague compared to the UCPD’s detailed framework; a narrow subjective scope that excludes many online traders; an exclusion clause in Article 25(2) that replaces cumulative application with an opaque hierarchy; and slow soft-law mechanisms for updating the law in response to new dark patterns. To resolve these contradictions, this article proposes four targeted reforms: first, repurposing Article 25(1) DSA as an institutional gateway for DSA authorities to apply substantive UCPD rules using the stronger DSA sanctions and enforcement regime; second, extending the prohibition’s scope to all intermediary service providers; third, the repeal of Article 25(2) DSA; and fourth, granting the Commission the power to update the UCPD blacklist via delegated acts for a swift response to emerging dark patterns. These reforms, particularly in combination, offer a coherent, future-proof regulatory framework that restores the centrality of the UCPD, preserves the innovations of the DSA, and equips EU law to address both current and emerging forms of dark patterns.

Keywords

dark patternsDFADSAfuture-proofregulatory coherenceUCPD

Information

Type
Articles
Information
European Journal of Risk Regulation , First View , pp. 1 - 23
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - SA
This is an Open Access article, distributed under the terms of the Creative Commons Attribution-NonCommercial-ShareAlike licence (https://creativecommons.org/licenses/by-nc-sa/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the same Creative Commons licence is used to distribute the re-used or adapted article and the original article is properly cited. The written permission of Cambridge University Press or the rights holder(s) must be obtained prior to any commercial use.
Copyright
© The Author(s), 2026. Published by Cambridge University Press

I. Introduction

The Unfair Commercial Practices Directive (UCPD)Footnote 1 is an ambitious, but also controversial, legal instrument. It sought to establish a maximum harmonisation approach of fairness in the internal market, prohibiting unfair commercial practices, leaving to Member States with only limited scope to introduce more protective national measures, and only in narrowly defined circumstances.Footnote 2 This limitation of national legislative autonomy was particularly significant in light of the Directive’s future-proof character, its promise to remain effective against new and evolving forms of unfair commercial conduct.

Two decades later, that promise of the UCPD is being tested, especially online. Dark patterns - online techniques used by online services aimed at influencing users’ decisions about their purchases,Footnote 3 use of time or attention,Footnote 4 and disclosure of personal dataFootnote 5 - have become ubiquitous. The magnitude and prevalence of this phenomenon is significant: 95% of mobile apps,Footnote 6 and more than 10% of global shopping websites contain at least one dark pattern.Footnote 7 The 2022 European Commission’s behavioural study reports that in the EU 97% of the most popular websites and apps used by EU consumers deployed at least one dark pattern.Footnote 8 Another investigation by the Commission and consumer protection authorities of twenty-three Member States found that over 40% of e-commerce analysed deployed dark patterns.Footnote 9

The rapid diffusion of dark patterns across different digital contexts (from e-commerce, social media, mobile apps and websites, conversational voice assistants, IoT devices, mixed reality, games, AI assistants, social robots to privacy control mechanisms) exemplifies the commercial “race to the bottom” that the UCPD was designed to prevent through its future-proof regulatory model.

Significant uncertainty persists across both academic scholarship and regulatory practice. Scholars remain divided: some express optimism about the UCPD’s capacity to address emerging commercial practices,Footnote 10 whereas others contend that “the barriers to effective consumer protection in the UCPDFootnote 11 … are too fundamental to be resolved by an extensive interpretation of the Directive.” BEUC has influentially sided with the latter position.Footnote 12 By contrast, the 2022 Commission’s Behavioural study adopted a more optimistic view.Footnote 13 Moreover, the proliferation of sectorial regimes has been criticized since it results in institutional fragmentation.Footnote 14

European institutions have also sent mixed signals. The 2021 Commission Notice on UCPD GuidanceFootnote 15 mentioned the UCPD’s future proofness,Footnote 16 which was strongly emphasised by the EU Digital Fitness Check (2024): “all stakeholders recognised the value of maintaining a technology-neutral and channel-neutral approach to ensure that the safety-net remains future-proof. The UCPD and UCTD in particular can provide a broad safety-net.”Footnote 17 Similarly, when reporting the pressing issue of digital addiction, the European Parliament noted the relevance of the UCPD, observing that “several dark patterns and manipulative practices could already be prohibited under the list of misleading commercial practices in Annex I of the UCPD; not[ing], moreover, that the principle-based Articles 5 to 9 of the UCPD concerning professional diligence, misleading omissions and actions, and aggressive practices provide a basis for assessing the fairness of most business-to-consumer practices.”Footnote 18 Indeed, national courts and enforcers have reached meaningful results in terms of consumer protection against dark patterns thanks to the UCPD.Footnote 19

Rather than reaffirming or updating the UCPD’s framework on dark patterns, the EU legislator has chosen a different regulatory approach by introducing Article 25 of the Digital Services Act (henceforth, “DSA”). This article prohibits online platforms from designing, organising, or operating their interfaces in a way that deceives or manipulates users, or in any way materially distorts or impairs users’ ability to make free and informed decisions.

In the recent 2025 report on the coordination between the DSA and other EU legal instruments,Footnote 20 the Commission demonstrates the high-level safety net. The report notes that the DSA is also a “complementary” safety net for the practices not covered by the UCPD.Footnote 21 The advantage of the DSA as a complementary safety net lies explicitly in the fact that it covers non-B2C practices. Second, the Commission stresses the potential role that the DSA could play also for B2C relations as follows:

“Although all unfair commercial practices are in the scope of the UCPD regardless of the technology used, its principle-based rules are difficult to apply in such complex cases. Article 25 of the DSA uses broad terms like “design,” “organise,” and “operate” regarding online interfaces, which can be interpreted to cover these dynamic dark patterns (...) This lack of clarity leaves room for interpretation regarding which dark pattern falls outside the scope of the UCPD and therefore should be addressed through the DSA. This creates practical enforcement challenges (...)”

Accordingly, the Commission thus acknowledges the significant legal uncertainty and also showcases a further concern: the current text of the DSA falls short of the role expected of sector-specific legislation, namely, the introduction more concrete provisions tailored to the needs of a particular sector.Footnote 22 At the same time, Article 25 DSA introduces several innovations in comparison with the UCPD: it extends protection to non-consumer recipients of digital services, establishes more dissuasive sanctioning mechanisms, and empowers the European Commission to play a more prominent enforcement role.

The Commission’s report suggests the perception that the UCPD safety net is less future-proof than the DSA’s sector-specific safety net, even for consumers. This position is striking: while the DSA prohibition on dark patterns is broadly described and articulated in just fifty-two words, the UCPD framework relies on five different articles, an extensive set of definitions, a blacklist, and over twenty years of case law and scholarship.

Moreover, the perceived advantage of the DSA over the UCPD is limited: while terms such as “design,” “organize” and “operate” in Article 25 DSA cast a wide net, the concept of “transactional decision,” as defined in Article 2(k) UCPD and interpreted by the CJEU casts even a wider net.Footnote 23 While Article 25 DSA offers some advantages over the UCPD, these do not include easier application to dark patterns (see below Sections IV. and V.).

Despite this this dissatisfactory situation, the DSA represents an opportunity to improve the regulatory framework. At the same time, however, four critical problems (P1–P4) deserve particular attention which call into question the coherence, effectiveness and added value of this prohibition within the broader EU consumer and digital acquis.

First (P1), the general prohibition of the use of dark patterns for online platforms under Article 25(1) DSA is significantly vaguer than the corresponding provisions of the UCPD. By relying on general language detached from established interpretative guidance, it offers weaker legal certainty for both regulators and service providers. Second (P2), Article 25(1) applies only to providers of intermediary services, excluding a broad range of online traders whose business models equally rely on manipulative design techniques. This narrow scope undermines the coherence and effectiveness of the regulatory response to dark patterns that pervade online services. Third (P3), Article 25(2) DSA establishes a paradoxical coordination mechanism with the UCPD, as its current wording (“The prohibition in paragraph 1 shall not apply to practices covered by Directive 2005/29/EC or Regulation (EU) 2016/679”) rather than clarifying their interplay, creates uncertainty about the respective scope of these instruments and their relation. Fourth (P4), the clarification mechanisms embedded in both regimes (UCPD and DSA) suffer from complementary weaknesses: while the UCPD’s interpretative updates are too slow, the DSA’s reliance on soft-law guidance under Article 25(3) introduces excessive uncertainty.

Together, these four shortcomings suggest that Article 25 DSA, in its current formulation, fails to deliver genuine substantive coordination with the UCPD and has fragmented the EU’s regulatory framework against dark patterns. Using software engineering’s slang, the result is “spaghetti code.” The metaphor draws on the idea of a plate of spaghetti - each spaghetto representing a path through control logic that intersects, loops back, and branches in unpredictable ways. Instead of the legal framework being a neatly organised and cohesive logical system, there are many juxtapositions of “legacy” solutions with patchworks attempting to address problems that appear with temporary solutions.Footnote 24

Against this background, this article argues that the EU legislator should resist the temptation of further fragmentation and, instead, go back to the future-proof ethos of the UCPD. To this end, the article advances four targeted reforms (R1–R4) designed to improve the coordination and enforcement of EU rules on dark patterns.

First (R1), Article 25(1) DSA should not introduce a self-standing prohibition. Instead, it should empower the Digital Services Coordinators and the European Commission to apply the national transposition of the UCPD, while relying on the stronger sanctioning regime provided by the DSA. Second (R2), the scope of Article 25(1) should be extended to the interfaces of all intermediary service providers, in order to ensure comprehensive coverage of dark patterns against different providers. Third (R3), Article 25(2) DSA should be repealed; and, fourth, (R4), the Commission should be granted the power to update the UCPD blacklist through delegated acts pursuant to ensure the EU’s capacity to respond swiftly to new forms of dark patterns practices.

The forthcoming Digital Fairness Act, which seeks to address “unsolved unethical techniques and commercial practices related to dark patterns, and the addictive design of digital products,”Footnote 25 offers a timely opportunity to consider such reforms. The analytical framework developed herein is intended to inform the legislator’s work during this drafting phase by outlining how the four reforms could ensure a more coherent and effective integration of the DSA and UCPD in regulating dark patterns.

Each of these proposals individually, but especially their combination, tries to address the complex balance between horizontal and sectoral interventions by trying to make the most out of both the UCPD and the DSA (R1 and R3) while giving more consideration to the above-mentioned ideas of channel and technological neutrality (R2),Footnote 26 and complementing the Commission’s unprecedented enforcement powers under the DSA with a broader regulatory power regarding blacklisted practices (R4).

To substantiate these proposals, the article proceeds as follows. Section II offers a brief comparison between the UCPD and the DSA as regulatory instruments addressing dark patterns. Building on this analytical foundation, Section III demonstrates how R1 adequately addresses P1. Sections IV to VI then examine the respective implications of Reforms 2 to 4 for Problems 2 to 4 (P2–P4). Finally, Section VII concludes by reflecting on the interdependence and priority of the four reforms and their combined contribution to a more coherent and effective EU framework against dark patterns.

II. A brief functionalist comparison of dark patterns prohibition by the UCPD and Article 25 of the DSA

The UCPD and the DSA are the two principal legal frameworks relevant to the regulation of dark patterns. The UCPD is, alongside the Unfair Contract Terms Directive and the Consumer Rights Directive, one of the core instruments of the European consumer law acquis.Footnote 27 The Directive’s purpose is set out in Article 1, which states that it aims to ensure “the proper functioning of the internal market” and a “high level of consumer protection.” The Directive therefore stands at the intersection of two fundamental objectives of EU law: market integration and consumer welfare.Footnote 28 The DSA is more ambitious. Its objectives are to ensure a safe, predictable and trusted online environment and to create the conditions for innovative digital services to scale up within the internal market. While consumer protection remains one of its aims,Footnote 29 the Regulation more broadly seeks to guarantee the effective protection of fundamental rights enshrined in the Charter of Fundamental Rights of the European Union, including freedom of expression, media pluralism, and access to information.Footnote 30 The Regulation may therefore be read as an attempt to integrate concerns traditionally addressed in separate silos Footnote 31 - most notably, consumer law, data protection and competition lawFootnote 32 - into a more comprehensive framework for digital regulation, thereby providing a more robust protection of fundamental rights.

Both the UCPD and the DSA prohibit dark patterns; yet they are fundamentally different legal instruments.Footnote 33 The following table outlines the main differences between the UCPD and the DSA (Article 25), focusing on five parameters: (1) material and (2) personal scope of application; (3) degree of specificity of the prohibitions; (4) enforcement structure; and (5) size of the sanctions.Footnote 34

Table 1 shows where the main strengths of the DSA lie. First, in its broader personal scope, protecting not only consumers but also other recipients of online services (albeit limited to users of online platforms). Second, the DSA introduces a more centralised enforcement structure at the European level and higher, harmonised sanctions compared to the UCPD. Notwithstanding, it is clear that the UCPD’s prohibitions enjoy a higher degree of concretisation. Moreover, the directive was enacted twenty years ago and, as a result, enforcers, practitioners and judges are already well acquainted with it.

Table 1. Comparative overview of the UCPD and DSA in relation to dark patterns.

III. Empowering the Digital Services Coordinators and the European Commission to apply the national transposition of the UCPD

Both the UCPD and DSA prohibit the use of dark patterns within their respective legal frameworks. Under the UCPD, a practice is prohibited if it is considered “unfair” pursuant to Articles 5-9 UCPD. Under the DSA, Article 25 prohibits practices that deceive, manipulate, or otherwise distort the ability of recipients of a service to make free and informed decisions. Sections III.1 and III.2 discuss why the UCPD’s rules are concrete and precise, making it unlikely that Article 25(1) DSA can serve as a meaningful safety net. Building on this, Section III.3 introduces our first reform proposal, which seeks to avoid the paradox whereby sector-specific legislation functions as a safety net for a safety net in consumer transactions.

1. Prohibited practices are defined more specifically under the UCPD rather than in the DSA

The UCPD unfairness framework is articulated through a three-tiered structure: the unfairness general clause, misleading and aggressive practices, and the blacklist of commercial practices. First, the general clause in Article 5(2) provides that a commercial practice is unfair if it is contrary to the requirements of professional diligence and materially distorts, or is likely to materially distort, the economic behaviour of the average consumer, i.e., when they cause or are likely to cause the average consumer to take a transactional decision which he would not otherwise have taken.Footnote 35 Secondly, Article 5(4) of the Directive defines two precise categories of unfair commercial practices, “misleading” practices and “aggressive” practices corresponding to the criteria set out in Articles 6 and 7 and in Articles 8 and 9 UCPD respectively. Lastly, Annex I UCPD establishes a blacklist of commercial practices which, in accordance with Article 5(5) of the Directive, are regarded as unfair “in all circumstances.” Consequently, as Recital 17 explicitly states, those commercial practices alone can be deemed to be unfair without a case-by-case assessment against the provisions of Articles 5 to 9 of the directive.

The DSA prohibits in Article 25(1) any online interface that “deceives or manipulates the recipients of their service, or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.” This provision does not explicitly mention dark patterns. While Recital 67 does not hold the normative status of chief provisions of enacting terms, it nonetheless explicitly mentions dark patterns and is rich in examples that exhibit norm-like elements. It adds that these practices “materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions (…) via the structure, design or functionalities of an online interface or a part thereof.”

Article 25(1) DSA articulates its prohibition in terms of abstract and broad influence-types of online interfaces that constitute autonomy violations: “deception,” “manipulation,” “material distortion,” and “impairment of autonomy.”Footnote 36 On the other hand, Recital 67 refers to material distortion or impairment, persuasion, deception, nudging, or unreasonably bias users’ autonomous and informed choices or decisions.

Significantly, the way Article 25(1) DSA was drafted bears a notable resemblance and translates the logic of the “general clause” of Article 5(2) UCPD. Much like Article 5(2) UCPD, it formulates a general behavioural standard, herein directed only at online platforms.Footnote 37 This can be interpreted as a deliberately flexible approach capable of encompassing a wide variety of unfair influence and design practices that continue to emerge in online environments. However, these different influence-types are not defined in the Regulation, do not map onto established legal concepts in EU consumer law,Footnote 38 nor substantiated in any European Commission’s guidelines and thus lack conceptual foundation. They operate as open-ended descriptors whose normative content must be reconstructed elsewhere.Footnote 39 Consequently, the undefined space surrounding them is likely to lead to different interpretations for platforms, designers, developers, regulators and policymakers to foreground and disambiguate, each according to their own pursuits. The afforded open clause without any foreground interpretation can be seen as challenging.

Unlike the UCPD, whose foundational concepts of unfairness practices have been clarified over more than fifteen years of interpretative practice – through more than seventy CJEU judgments and successive editions of the Commission’s GuidanceFootnote 40 – Article 25 lacks a robust doctrinal framework capable of guiding interpretation in a consistent manner.

This argument of lack of conceptual and doctrinal foundation is also exemplified with reference to Article 25(3) DSA. This paragraph introduces the only source of additional specification of the general prohibition clause set by Article 25(1). It further empowers the Commission to issue guidelines clarifying how the prohibition applies to specific practices: “(a) giving more prominence to certain choices when asking the recipient of the service to make a decision; (b) repeatedly requesting that the recipient of the service make a choice that has already been made, especially by presenting pop-ups that interfere with the user experience; and (c) making the procedure for terminating a service more difficult than subscribing to it.”

To some extent, the examples mentioned Article 25(3) recall the UCPD’s blacklist in Annex I which identifies a set of commercial practices deemed unfair in all circumstances. However, paragraph (3) does not establish a formal blacklist; it just refers to possible (and few) examples of dark pattern (potentially prohibited practices). Its reliance on the Commission guidelines to identify paradigmatic instances of dark patterns illustrates a similar regulatory technique sought in the UCPD: combining an open-ended general prohibition with targeted examples intended to provide legal certainty and to guide enforcement. The relationship between paragraphs (1) and (3) remains ambiguous. On one hand, paragraph (3) intends to operationalise the general prohibition in paragraph (1). On the other hand, its wording could be interpreted as exempting the examples from further assessment under paragraph (1), suggesting that could be regulated separately.

Moreover, since the Commission could already issue non-binding guidelines on the DSA, it is unclear why such authority is explicitly reaffirmed here. This overlap blurs the interpretative boundary between the general clause of Article 25(1) and the examples in Article 25(3), leaving regulators uncertain about how the two provisions interact in enforcement. It almost seems like a “softer” mandate, to improve and update the scope of the provision without an actual delegation of legislative power, as it occurs with delegated acts.

In sum, the UCPD arguably offers stronger protection against dark patterns than the DSA. Its rules are specifically defined, supported by extensive case law and clear guidance, making enforcement consistent. The DSA’s Article 25, by contrast, is broader and less defined, leaving key terms open to interpretation and future clarification. Thus, the UCPD provides more legal certainty, while the DSA remains flexible but vague.

2. Recipient heterogeneity is addressed only by the UCPD

Article 5 UCPD explains how to deal with consumer heterogeneity. The baseline benchmark is the behaviour of the average consumer, which can then be specified as the average targeted consumer if a particular group of consumers is targeted.Footnote 41 Moreover, Article 5(3) grants additional protection to particularly vulnerable consumers in reason of “mental or physical infirmity, age or credulity.”

The DSA is completely silent on the issue of the behavioural standard of the user. Some commentators have reasonably suggested that the standard is that of an “average user,”Footnote 42 which is in line with the ECJ’s recent approach in the field of public procurement. However, the issues of user heterogeneity and particular vulnerability are harder to address via judicial elaboration. Thus, the DSA is clearly underdeveloped in comparison to the UCPD regarding the issue of the recipient’s behavioural benchmark(s).

In sum, the comparison between the UCPD and the DSA on the scope of protection afforded to recipients of a service shows that the UCPD offers better protection than the DSA.

3. Article 25(1) as a “gateway” for the application of the UCPD within the context of the DSA

The view that the UCPD and Article 25(1) DSA build a multi-level safety net does not hold, as Sections I and II suggested and Sections V.1 and V.2 explained in detail. Nevertheless, Article 25(1) DSA remains notable for its robust enforcement mechanisms and sanctioning regime, even if it is less attractive in terms of precision and future-proofness.

This becomes evident in the Commission’s enforcement action against X (formerly Twitter). On 5 December 2025, the Commission issued its first formal non-compliance decision under the DSA,Footnote 43 fining X (formerly Twitter) €120 million for multiple breaches, including the use of dark patterns of the blue-check verification badge. The Commission found that X’s “blue checkmark” amounted to “deceptive design” because the badge continued to imply verification, even though any user could pay for it without undergoing an identity check. Accordingly, this practice was considered to deceive users by falsely signalling authenticity and thereby exposing them to impersonation risks.

The Commission decision demonstrates the need for a new course of action: X’s concerns about the lack of clarity are ignored, while the interpretive effort put by the Commission is very limited;Footnote 44 the overlap between Article 25(1) DSA and the UCPD is not discussed, so that Article 25(2) is de facto ignored;Footnote 45 the fine is calculated considering all X’s users.Footnote 46 This illustrates the current state of play: Article 25(1) DSA can be invoked and applied to address interface-driven deception, but the interpretative and doctrinal architecture underpinning this prohibition remains, for now, vague.

The question thus arises: how can the lex generalis-lex specialis governance mechanism be applied in a context where the lex specialis is superior to the lex generalis only in terms of enforcement mechanisms and sanctions, but not in semantic terms such as precision or future- proofness?

One possible approach would be to consider Article 25(1) DSA as a model for the governance of unfair commercial practices in general, thereby repealing the more detailed framework of the UCPD with Article 25(1) DSA that, with adaptations, would become applicable to all commercial practices. This approach might appeal to those who view regulatory simplification as an objective in itself, namely, the idea that fewer, more general provisions result in a clearer and more streamlined legal framework. However, such a deregulatory path is neither supported by recent EU policy documents nor by the rules versus standards scholarship.

A number of recent policy documents discussing the need for simplification and more competitiveness cautiously stress that simplifying is not the same as reducing.Footnote 47 Moreover, the rules versus standards scholarship shows that while precise norms are more complex to draft, they are easier to apply consistently. Since the UCPD already contains these precise and well-developed rules, replacing them with the more generic and open-ended text of Article 25(1) DSA would represent not simplification, but a loss of regulatory precision and efficiency – in effect, a waste of public resources.Footnote 48

We propose a more serious commitment to the ideas that the UCPD is future-proof, simplification is desirable, and semantic coordination is a source of uncertainty and regulatory costs. Article 25(1) DSA should become an institutional “gateway” for the enforcement of the substantive norms established under the UCPD and the GDPR in relation to dark patterns. In this approach, the DSA’s function would be integrative rather than substantive, creating a vertical framework in which it facilitates the application of these existing protective instruments.

To operationalise this approach, Article 25(1) could be replaced with a provision making a cross-reference to the UCPD, such as the following:

1. Regulation (EU) 2016/679 and the national provisions transposing Directive 2005/29/EC may also be applied by the Digital Services Coordinator of establishment and by the European Commission to the conduct of providers of online platforms.

The primary impact of this latter approach would be a better coordination between substantive provisions and enforcement bodies. The UCPD is a horizontal, future-proof instrument that already covers the known dark patterns, as confirmed by literatureFootnote 49 and the European Commission. The proposed reform would preserve the competence of national authorities responsible for UCPD enforcement since authorities already cooperate effectively within the CPC NetworkFootnote 50 and have gained substantial experience in addressing unfair practices in the digital environment.Footnote 51

Moreover, the revised Article 25(1) DSA would make the UCPD blacklist directly applicable by Digital Services Coordinators and by the European Commission. Under the current version of the DSA, these bodies lack a specific binding framework beyond the general prohibition of Article 25(1), relying only on the non-binding guidance issued under Article 25(3) DSA. The proposed amendment would thus enable these to draw directly on the 20+ years of UCPD enforcement experience and academic analysis, providing a ready-made and futureproof substantive foundation for tackling unfair practices online.

Two complementary clarifications are needed to ensure legal certainty under the proposed approach. The first concerns sanctions; the second, the scope of application.

  1. i). Applicable sanctions: when a provider of online platforms is found in violation of the national provisions transposing the UCPD or the GDPR, the applicable penalty regime should be the one set out in Article 52 DSA.Footnote 52 This clarification could be introduced either in a recital – preferably Recital 117, which already addresses penalties, or as an addition to Article 52 itself.Footnote 53 Such clarification would prevent any ambiguity regarding applicable penalties, given that both the UCPD and the GDPR contain their own sanctioning provisions. It would also have practical implications, as the DSA provides for higher fine caps under Article 52(3)–(4) than either of these other two instruments.

  2. ii). Scope of application: the current version of Article 25(1) DSA has the advantage of extending protection to all recipients of the service, not only consumers. This scope should be preserved. To that end, a new paragraph should be introduced to extend the subjective scope of application of the UCPD to cover all subjects protected by the DSA:

2. The national provisions transposing Directive 2005/29/EC are applicable to the transactional decisions of all recipients of the service.

This addition ensures that Article 25(1) DSA does not lose its protective function in non-B2C transactions.

IV. Extend the scope of Article 25(1) to cover the interfaces used by any trader

As noted above, the Commission has praised that the DSA offers the only EU-level protection in P2B transactions. The problem, in this regard, is that it is not apparent why it is desirable that the subjective scope of application on the supplier-side is limited to intermediaries only. The problem of digital vulnerability for consumers is not specifically associated to situations where the interface is under the control of an intermediary. Concerns arise also when one is shopping on retailers’ websites. For example, in its current version, Article 25 DSA does not protect against dark patterns on … websites.

More precisely, there is a variety of services covered by the DSA, from non-platform hosting services, infrastructure services (mere conduit and caching) to search engines that are all excluded from the scope of Article 25(1) DSA. In addition, Article 25’s inclusion on Chapter III, Section III, also has the implication that Article 25 is not applicable to providers of hosting services that qualify as SMEs, due to Article 19.

While much of the scholarship on dark patterns has focused on the activities of online platforms, it has done so by generally drawing attention to how interfaces can be used to influence and harm users.Footnote 54 Online interfaces (and dark patterns practices using them) are not a feature solely present in online platforms. Quite the contrary, online interfaces are ubiquitously found in digital services.Footnote 55 The EC Behavioural Study (2022) notes that such practices are widespread among “online traders of all sizes,”Footnote 56 including non-platform intermediaries (e.g., search engines) and even non-intermediary service providers. For instance, Continente.pt, a major Portuguese supermarket, was found to use several dark patterns steering purchases.Footnote 57 Likewise, other non-intermediary companies were sanctioned for similar techniques.Footnote 58 Many popular videogames have designed their interfaces to steer with “fake urgency” their consumers towards their online storefronts, including to purchase loot boxes, which in many jurisdictions have even been deemed has a form of online gambling. As noted, the Commission brought up exactly this type of example, despite the fact that the professional falls outside the current subjective scope of the DSA.Footnote 59

Many such practices clearly qualify as dark patterns, yet they remain beyond Article 25’s scope simply because the providers in question do not qualify as online intermediary services under the DSA.Footnote 60

In this scenario, the most desirable reform would be to extend the prohibition to all online traders whose interfaces shape user behaviour. However, such a change appears unrealistic, as it would require redefining the entire scope of the DSA, given that the Regulation applies only to intermediary services. Given these constraints, a realistic and targeted reform would be to extend Article 25(1) to all intermediary services, rather than only to online platforms. This would remain consistent with the DSA’s internal logic and material scope while addressing the most acute asymmetry in the present regime.

V. Repealing Article 25(2) DSA

Article 25(2) states that “the prohibition in paragraph 1 shall not apply to practices covered by Directive 2005/29/EC [UCPD] or Regulation (EU) 2016/679 [GDPR].” The DSA does not define what it means for a practice to be “covered” by the UCPD, and its various linguistic versions offer no clarification.Footnote 61 This paragraph regarding what the UCPD covers establishes a hierarchical relationship between the DSA and the UCPD (as well as the GDPR). In our view, Article 25(2) DSA gives rise to two problems. The first is that this hierarchical interpretation is unclear and triggers several interpretations (explained in Section V.1). The second and more fundamental problem is that establishing a hierarchical relationship is inconsistent with the general EU law approach to overlapping legal instruments, which relies on coordinated cumulation rather than hierarchy (Section V.2). Considering both problems, we argue in this section that Article 25(2) DSA should be repealed, as doing so would make the EU’s response to dark patterns simpler and more effective.

In this regard, the position expressed by the European Commission in its recent report on the coordination between the DSA and other EU law is noteworthy. The Commission suggests that the DSA could have a role (i.e., coverage) in practices such as those concerning unfair commercial practices in micro-transactions in online gaming involving minors and in violations of the GDPR in the context of “pay or ok” business models.Footnote 62 As Section V.1 makes apparent, Article 25(2) DSA makes Article 25 DSA inapplicable in similar circumstances, even if the Commission seems to have suggested otherwise. One could interpret these considerations as implying that the Commission is ignoring Article 25(2) DSA. Another interpretation, that we prefer, is that the Commission is putting into the spotlight the benefits that repealing Article 25(2) DSA would bring forward. Worryingly, the above-mentioned decision against X demonstrates that the Commission is operating under the fiction that Article 25(2) DSA does not exist.

Our first proposal explains why Article 25(2) DSA, which exists, should indeed be repealed (using the appropriate legislative procedure, of course).

1. The DSA’s residuality: consumers are between a rock and a hard place

Two interpretations are worth considering regarding what it means for the UCPD to “cover” a practice.Footnote 63

The first interpretation of Article 25(2) holds that once the interface design qualifies as a “commercial practice,” it is covered by the UCPD, rendering Article 25(1) DSA inapplicable.Footnote 64 At most, Article 25 DSA can be used as interpretive parameter.Footnote 65 Given that dark patterns used in interfaces plausibly constitute commercial practices under the UCPD,Footnote 66 this first interpretation means that Article 25(1) DSA becomes trivial in consumer-based relations. Yet, this outcome is paradoxical: rather than complementing the UCPD by strengthening the consumer’s position vis-à-vis dark patterns, Article 25(2) DSA confines Article 25(1) DSA to non-B2C contexts, despite the fact that such protection is arguably mostly needed in B2C settings.Footnote 67 Although the DSA nominally protects all “recipients of the service,” regardless of whether they qualify as consumers, one might initially expect Article 25(1) to operate alongside the UCPD to strengthen user protection. However, because Article 25(2) establishes a strict exclusion mechanism, the DSA provision becomes relevant only in narrow circumstances, specifically, when the user is not a consumer.

The second interpretation of Article 25(2) holds that if a commercial practice violates the UCPD, Article 25(1) DSA is likewise inapplicable;Footnote 68 under this reading, Article 25 DSA can still intervene within the regulatory space left open by the UCPD, namely, in relation to practices that are not considered unfair under the UCPD, thereby operating as a gap-closing instrument regarding fair practices. This second interpretation is preferable for three main reasons. First, it appears to align more closely to the wording of Article 3(1) UCPD. That article states that the Directive applies to unfair business-to-consumer (B2C) commercial practices before, during and after a transaction. The text therefore makes clear that the UCPD does not cover all commercial practices in B2C contexts, but only those that are found to be unfair after applying the Directive’s assessment criteria.Footnote 69 Accordingly, a commercial practice that is fair under the UCPD is thus not “covered” by it and could still fall within the scope of prohibition of Article 25(1) DSA. This literal reading based on the UCPD’s wording carries significant interpretive weight.

Second, this interpretation allows Article 25 DSA to warrant regulatory intervention, at least to some extent, to consumer protection, as Article 1(1) DSA requires. In fact, Article 1(1) DSA explicitly states that the DSA aims to ensure the effective protection of user rights, including consumer rights.Footnote 70

Third, the second interpretation avoids the paradox whereby consumers could never rely on the protection granted by the DSA. Under this interpretation, Article 25(1) DSA would fulfil its intended function: adding an additional layer of consumer protection beyond what was available under the pre-DSA framework.

Even assuming that Article 25(2) DSA is interpreted as establishing only the residual application of Article 25(1), the actual benefit for consumers remains limited. In fact, considering that the UCPD relies on a more organised set of criteria designed not to leave any loophole, it seems extremely difficult to identify a practice that is not prohibited under the UCPD, but is nonetheless prohibited by Article 25(1) DSA.

The literature critical of the UCPD has suggested the existence of manipulative practices that might allegedly fall outside the scope of undue influenceFootnote 71 and, in any case, would be captured by the general test set out in Article 5 UCPD.Footnote 72 Accordingly, while the second interpretation of Article 25(2) DSA acknowledges that the UCPD may, in principle, leave some residual space for the DSA, identifying this space in practice is extremely difficult. It is therefore submitted that, rather than attempting to delineate such residual application, intellectual and institutional resources would be better devoted to enforcement. This conclusion is reinforced considering that a systematic analysis demonstrates that it is hardly plausible to conclude that Article 25(2) DSA is actually needed (see below, Section V.2).

In sum, Article 25(2) DSA creates significant uncertainty regarding the scope of Article 25 DSA. Notably, only one interpretation suggests that Article 25 DSA could ever apply in B2C interactions. Yet, as discussed, this interpretation leads to the paradoxical outcome that platform business users may be more protected than consumers against unfair commercial practices by online intermediaries.Footnote 73 Thus, it is worth considering repealing Article 25(2) DSA.

2. Higher coherence and flexibility by repealing Article 25(2) DSA

EU law has a time-honoured approach that leads to the cumulative application of different legal instruments to the same conduct.Footnote 74 This approach covers the relationship between different instruments of horizontal consumer law (e.g., local information duties and the UCPDFootnote 75 or UCTD and UCPDFootnote 76 ) or between horizontal and sectoral consumer law instruments,Footnote 77 as well as between the GDPR and competition law.Footnote 78

Article 3(4) UCPD disciplines the relationship between the UCPD and sectorial legislation. The text states that “In the case of conflict between the provisions of this Directive and other Community rules regulating specific aspects of unfair commercial practices, the latter shall prevail and apply to those specific aspects.” The ECJ has clarified that this conflict “is present only where provisions, other than those of Directive 2005/29, which regulate specific aspects of unfair business practices, impose on undertakings, in such a way as to leave them no margin for discretion, obligations which are incompatible with those laid down in Directive 2005/29.”Footnote 79

The Commission has recently observed that when “the obligations laid down by lex specialis and those laid down in the UCPD are “compatible,” the application of the UCPD is not excluded and is possible. Clearly, Article 25(2) deviates from this approach. This consideration is confirmed by the dark patterns provisions that the EU legislator has introduced both prior to and following the adoption of the DSA, covering distance financial contracts,Footnote 80 personal data sharing with third parties under the Data Act,Footnote 81 artificial intelligence under the AI ActFootnote 82 and under the Digital Markets Act.Footnote 83 The application of these provisions is cumulative to the UCPD pursuant to Article 3(4) UCPD. Moreover, in the absence of any explicit coordination mechanism, they can also be cumulated with Article 25 DSA, where both sets of provisions are applicable.

In sum, Article 25(2) DSA introduces a coordination model between compatible prohibitions that derogate from the general EU approach to this matter and that the EU legislator has chosen not to replicate in other parts of EU digital law.

The immediate concern one may have in terms of coordination is that of ne bis in idem. The Court of Justice has also provided clarity regarding coordination between sanctioning schemes with two decisions on ne bis in idem in the context of administrative proceedings. According to this case law, the UCPD, GPDR and DSA should be cumulatively applicable since they protect different legal interests.Footnote 84 The CJEU has already ruled in favour of the cumulation of GDPR and EU competition lawFootnote 85 and the Commission endorses its cumulation with the UCPD.Footnote 86 In fact, the UCPD protects directly the economic interests of consumers and indirectly the economic interests of competitors (Article 1 UCPD). The DSA protects a much broader set of interests, since it is set to establish a “safe, predictable and trusted online environment that facilitates innovation and in which fundamental rights … are effectively protected” (Article 1(1) DSA). Upon a closer look, the boundaries are difficult to draw, given the many choices that “citizen-consumers”Footnote 87 make and that are influenced by online platforms, especially content sharing ones. In any case, the proposed new version of Article 25(1) DSA discussed in Section III rules out any risk of ne bis in idem. Moreover, cumulation allows for desirable flexibility in a context where different Member States have opted for different regulatory models.Footnote 88

Thus, our first reform of repealing Article 25(2) DSA fosters efficient and effective coordination between the authorities competent for the application of the DSA, UCPD and GDPR. In fact, the various coordination mechanisms between national regulatory authorities that exist for the enforcement of each of these instrumentsFootnote 89 will stimulate the circulation of best practices.

In conclusion, the expected impact of repealing Article 25(2) DSA is a more efficient and effective application of DSA, UCPD and GDPR, thereby increasing the capacity of these instruments to protect consumers and data subjects against violations of their fundamental rights. By so doing, these instruments will contribute to a level playing field between professionals complying willingly and professionals who prefer more profit-maximizing business strategies, even if they come at the expense of consumers and data subjects. Repealing Article 25(2) DSA can and arguably should be combined with the other interventions discussed below.

VI. Give the Commission the power to add elements to the UCPD blacklist

As explained from the outset, this research is motivated by a desire to fulfil the promise of a future-proof system of protection against unfair commercial practices in the EU internal market. The current regulatory cycle of the EU internal market law is too slow and cumbersome and brings to mind the sarcastic comment of John Maynard Keynes against neoclassical economics: in the long run, we will all be dead. A comprehensive review cycle is desirable. However, it fails to tackle specific problems when they arise. The issue of dual-quality goods is illustrative of the problem that reforming Article 25(3) DSA may address. In 2017, the European Commission published a Notice, after receiving several complaints. Footnote 90 The Commission then continued investigating the matter directly and by funding related studies.Footnote 91 In 2019, the Omnibus Directive established that the following factor may contribute to finding a practice misleading: “any marketing of a good, in one Member State, as being identical to a good marketed in other Member States, while that good has significantly different composition or characteristics, unless justified by legitimate and objective factors.”Footnote 92 The prohibition had to be transposed by the end of 2021, around four years after the issue started to be discussed at the EU level. In the end, the prohibition was not even included in the blacklist.

The present article discussed that the concern for dark patterns did not deliver a more precise regulatory framework. However, as noted, the DSA introduced important developments in terms of enforcement and sanctioning regime. Against this background, Article 25(3) DSA goes in the right direction, but it does not go far enough. A mere mandate to issue non-binding guidelines does not properly accomplish the desired result and could also even be viewed as an overreach of powers.Footnote 93 Consistently with the future-proof promise made by the UCPD, we argue that the last sentence of Article 5(5) UCPD shall be modified as follows:Footnote 94

“6. The same single list shall apply in all Member States and the European Commission shall have the power to adopt delegated acts modifying the list.”

This provision should be accompanied by a new Article 18a in the UCPD,Footnote 95 which closely reflects the content of Article 87 DSA, including a five-year sunset clause to the conferral of powers. For example:

“Article 18a

Exercise of the delegation

  1. 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

  2. 2. The delegation of power referred to in Article 5 shall be conferred on the Commission for five years starting from [DFA’s date of entry into force]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

  3. 3. The delegation of power referred to in Article 5 may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect on the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

  4. 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

  5. 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

  6. 6. A delegated act adopted pursuant to Article 5 shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.”

The expected impact is nothing less than prompt intervention against emerging unfair commercial practices (online, offline or in both). Promptness is particularly significant in digital markets, which are less contestable than others, as recognized by the DMA.Footnote 96 This intervention will significantly contribute to honouring the commitment to futureproof governance of commercial practice in the EU.

This proposal faces a doctrinal challenge. EU institutional law scholars have traditionally expressed reservations on the possibility of conferring the power to adopt delegated acts that touch upon the core of an EU legal instrument.Footnote 97 One could argue that granting the Commission the power to add items to the blacklist violates this limit. It is clearly the case that the practice of EU law in the Common Agricultural Policy and in digital markets is in tension with such a reading. The use of delegated acts in these areas does not appear to go beyond what has been accepted in the Common Agricultural Policy for decades or in the Digital Services Act regarding central issues, such as how vetted researchers can exercise the right to access granted by Article 40 DSA.Footnote 98 Accordingly, we see no compelling reason not to propose this amendment.Footnote 99 In theory, the proposed amendment to the UCPD makes Article 25(3) DSA redundant and, therefore, it could be advisable to repeal it. As a matter of risk mitigation, it might be advisable not to repeal Article 25(3) DSA for the time being. In this way, should the conferral to the Commission of the power to amend the UCPD be considered incompatible with the Treaties by the Court of Justice, Article 25(3) DSA could still be used by the Commission to bring some clarity in this area. At the same time, the present proposal in its current wording presupposes that the proposal in Section V is also accepted. Should the legislator choose instead not to accept said proposal, then it would make sense to make explicit that the Commission the power to add items to the UCPD blacklist, while creating a DSA blacklist and granting the Commission the powers to add items to it.

VII. Conclusion

This article has shown that the current regulatory framework regulating dark patterns in EU law is subject to weaknesses primarily due to the inconsistent articulation of the DSA in relation to the UCPD. We demonstrated that the UCPD still offers the EU’s future-proof and technologically neutral framework for tackling dark patterns, equipped to adapt to forms of digital behaviour thanks to its principle-based nature, horizontal scope and mature case-law, without constant legislative intervention.

However, this potential is increasingly undermined by the way in which the subsequent sectorial law, the DSA, has been articulated in relation to it. Article 25(2) DSA deviates from the established EU approach of coordinated application (lex generalis–lex specialis) set out in Article 3(4) UCPD. Instead of serving as a refining, complementary lex specialis, Article 25(2) reverses the hierarchy. It creates a counterproductive exclusion mechanism by rendering the DSA provision inapplicable whenever the UCPD is construed as “covering” a given practice (discussed in Section V). This results in structural contradictions, legal uncertainty and fragmentation, ultimately weakening the effective future-proofness of the UCPD in practice.

To resolve these issues and restore a coherent regulatory architecture, this article proposes four targeted reforms (R1–R4), designed to simplify and uphold the UCPD’s future-proof model within an increasingly crowded regulatory landscape. R1 qualifies Article 25(1) as a UCPD/GDPR gateway, R2 extends the scope of Article 25(1) to all online traders, R3 repeals Article 25(2) DSA, and R4 proposes that the EU Commission to update UCPD Blacklist.

To conclude, we discuss the internal logic of this package of four reforms in terms of priorities, complementarity and standalone interventions.

Priorities. The primary reform is the repeal of Article 25(2) DSA (R3). As long as the exclusion clause remains in place, no coherent coordination between the UCPD and the DSA is structurally possible. It is the linchpin of the current dysfunction and must be addressed first.

Complementary solutions. Article 25(1) can be reconceived into an institutional gateway for the UCPD’s prohibitions (R1). This approach empowers Digital Services Coordinators and the European Commission to apply the national transposition of the UCPD through the stronger sanctioning regime of the DSA. This reform only becomes viable once the paradox induced by Article 25(2) is eliminated: without R3, R1 has no operational foundation.

Standalone reforms. The two remaining reforms can be pursued independently of the rest: R2 extends the scope to all intermediaries addresses the pervasive nature of interface-based dark patterns; and R4 empowers the Commission to update the blacklist through delegated acts strengthens the EU’s capacity to respond to emerging dark patterns. Both reforms deliver clear gains regardless of the fate of the specific coordination mechanisms in Articles 25(1) and (2).

These reforms, particularly in combination, offer a clearer, more coherent, and future-proof regulatory framework that restores the centrality of the UCPD, reiterates the innovations of the DSA, and equips EU law to address both current and emerging forms of dark patterns.

Acknowledgments

This article originated from discussions held at the Conference Fair Markets in the 21st Century: Digital Transition, Artificial Intelligence and Technological Neutrality, held on 14–15 May 2025 at NOVA School of Law, Lisbon, where all authors presented their respective work and decided to join forces– a collaboration that ultimately culminated in this article. The authors are also grateful for the valuable feedback received at the Conference UCPD at 20, held at UCLouvain Saint-Louis Bruxelles on 23–24 October 2025, and would like to thank all participants for the stimulating discussions for the useful inputs and, in particular, Anne-Lise Sibony, Amandine Garde, Jan Trzaskowski, Geraint Howells, Evelyn Terryn, Alain Strowel, Joasia Luzak and Alberto De Franceschi.

Financial support

This research was carried out as part of project UIDB/00714 (CEDIS/NOVA School of Law), funded by FCT, I.P. (Portugal), and was partially supported by the Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE).

Competing interests

All authors declare that they have no conflicts of interest.

Authors contribution

As regards authorship, all authors contributed substantially to the conception and development of the article. As regards the attribution of sections, Section I was drafted primarily by F.E. Section II by C.I. Section III by C.S. and C.I., specifically, III.1 by C.I. and III.2 and III.3 by C.S. Section IV by C.I. and M.F. Section V by F.E. and C.I., specifically, V.1 by C.I and V.2 by F.E. Section VI by F.E. and Section VII by C.I. and C.S. General revisions of the footnotes were carried out by M.F. and C.I. All authors reviewed and approved the final version of the manuscript.

References

1 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council.

2 See, generally, J Stuyck, E Terryn and T Van Dyck, “Confidence through Fairness – The New Directive on Unfair Business-to-Consumer Commercial Practices in the Internal Market” (2006) 43 Common Market Law Review; U Bernitz, “The Unfair Commercial Practices Directive: Its Scope, Ambitions and Relation to the Law of Unfair Competition” in S Weatherill and U Bernitz (eds), The Regulation of Unfair Commercial Practices under European Community Law (Hart Publishing 2007); G Anagnostaras, “The Unfair Commercial Practices Directive in Context: From Legal Disparity to Legal Complexity?” (2010) 47(1) Common Market Law Review; G Howells, H-W Micklitz and T Wilhelmsson, European Fair Trading Law: The Unfair Commercial Practices Directive (Routledge 2016).

3 A Mathur and others, “Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites” (2019) 3 Proceedings of the ACM on Human–Computer Interaction (CSCW), Article 81 <https://doi.org/10.1145/3359183>.

4 A Monge Roffarello, K Lukoff and L De Russis, “Defining and Identifying Attention Capture Deceptive Designs in Digital Interfaces” in Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems (ACM 2023) article 194. <https://doi.org/10.1145/3544548.3580729>.

5 M Nouwens and others, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating Their Influence” in Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (ACM 2020). <https://doi.org/10.1145/3313831.3376321>.

6 L Di Geronimo and others, “UI Dark Patterns and Where to Find Them: A Study on Mobile Applications and User Perception” in Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (ACM 2020). <https://doi.org/10.1145/3313831.3376600>.

7 A Mathur and others (2019) “Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites,” supra, note 3.

8 Commission, Directorate-General for Justice and Consumers, “Behavioural Study on Unfair Commercial Practices in the Digital Environment: Dark Patterns and Manipulative Personalisation – Final Report” (Publications Office of the European Union 2022) <https://doi.org/10.2838/859030>.

9 Commission, “Consumer protection: manipulative online practices found on 148 out of 399 online shops screened” (Press Release, 30 January 2023) <https://ec.europa.eu/commission/presscorner/detail/en/ip_23_418>

10 For example, C Isola and F Esposito, “A Systematic Literature Review on Dark Patterns for the Legal Community: Definitional Clarity and a Legal Classification Based on the Unfair Commercial Practices Directive” (2025) 58 Computer Law & Security Review; C Isola, “Regulating Dark Patterns in the EU: Did Europe Shed Light on Dark Patterns? Conceptual Foundations, the Unfair Commercial Practices Directive, the Digital Services Act, and their (obscure) interplay (DPhil thesis, University of Genoa, 2025), available at <https://hdl.handle.net/11567/1273676>; S Orlando, “Reflections Upon ‘The Privacy Fallacy’ by Ignacio Cofone” (2025) 1 European Journal of Privacy Law & Technologies 10–11; F Galli, “Online Behavioural Advertising and Unfair Manipulation between the GDPR and the UCPD” in M Ebers and M C Gamito (eds), Algorithmic Governance and Governance of Algorithms: Legal and Ethical Challenges (Springer 2021). This view was also rather consensual (solid foundations; possible improvement; but no need for extreme makeovers) at the recent conference “UCPD at 20” held on 23–24 October 2025 in Brussels. The UCPD is also central in attempts to tackle specific issues, for example: F Esposito F and T M C Ferreira, “Addictive Design as an Unfair Commercial Practice: The Case of Hyper-Engaging Dark Patterns” (2024) 15(4) European Journal of Risk Regulation (focusing on hyper-engaging dark patterns); J Laux, S Wachter and B Mittelstadt, “Neutralizing Online Behavioural Advertising: Algorithmic Targeting with Market Power as an Unfair Commercial Practice” (2021) 58 Common Market Law Review 719 (focusing on online behavioural advertising).

11 B Duivenvoorde, “Redesigning the UCPD for the Age of Personalised Marketing” (2023) 12 Journal of European Consumer and Market Law.

12 Natali Helberger and others, “EU Consumer Protection 2.0 Structural asymmetries in digital consumer markets” (BEUC 2021) <https://www.beuc.eu/sites/default/files/publications/beuc-x-2021-018_eu_consumer_protection_2.0.pdf> (last accessed December 2025).

13 Commission, Directorate-General for Justice and Consumers, “Behavioural Study on Unfair Commercial Practices in the Digital Environment” (2022), supra, note 8.

14 M Namysłowska, “The Silent Death of EU Consumer Law and Its Resilient Revival: Reinventing Consumer Protection Against Unfair Digital Commercial Practices” (2025) 48 Journal of Consumer Policy 317.

15 Commission, “Guidance on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market” (Commission Notice, 2021) C/2021/9320 (“UCPD Guidance”).

16 Ibid, p. 37.

17 Commission, Directorate-General for Justice and Consumers, “Study to Support the Fitness Check of EU Consumer Law on Digital Fairness and the Report on the Application of the Modernisation Directive (EU) 2019/2161 – Part 1” (2024) 85, available at <https://commission.europa.eu/publications/study-support-fitness-check-eu-consumer-law-digital-fairness-and-report-application-modernisation_en> (last accessed December 2025); Commission, “Fitness check of EU consumer law on digital fairness” (2024), available at <https://commission.europa.eu/law/law-topic/consumer-protection-law/review-eu-consumer-law_en#digital-fairness-fitness-check-of-eu-consumer-law> (last accessed: December 2025).

18 European Parliament resolution of 12 December 2023 on addictive design of online services and consumer protection in the EU single market, P9_TA(2023)0459, para. 6.

19 See, for example: Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (“CPC Regulation”); Autorità Garante della Concorrenza e del Mercato (Italian Competition Authority, “AGCM”), decision No 22511, 15 June 2011, PS892 – Ryanair; AGCM, decision No 24823, 6 October 2014, PS8985 – EasyJet; AGCM, decision No 26138, 11 May 2017, PS10601 – WhatsApp, concerning coercive practices forcing consumers to accept personal data-sharing related terms; AGCM, decision No 27432, 29 November 2018, PS11112 – Facebook, concerning Facebook’s misleading practice of characterising as free their service when it actually collected personal data as remuneration and, therefore, is not free; Hungarian Consumer Protection Authority (“GVH”), VJ/17-110/2018 decision of 28 April 2020, concerning unfair commercial practices on Booking.com’s website; GVH, VJ/37/2024 decision of 2 August 2024, concerning unfair commercial practices on Wizz Air’s website; Dutch Consumer and Market Authority (“ACM”)”, decision of 25 October 2024, concerning unfair commercial practices on Reinzendeal’s website; Polish Consumer and Market Authority (“UOKIK”), decision of 1 September 2023, concerning unfair commercial practices on BAK DROP’s website; UOKIK, decision of 26 March 2024, concerning unfair commercial practices on Amazon’s website; UOKIK, decision of 21 May 2025, concerning unfair commercial practices on AZA Group’s website.

20 Commission, “Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Article 33 of Regulation (EU) 2022/2065 and the interaction of that Regulation with other legal acts” (2025), COM(2025) 708 final; Commission, “Staff Working Document on the Application of Article 33 of Regulation 2022 2065 and the Interaction of that Regulation with Other Legal Acts” (2025), SWD(2025) 368 final.

21 Ibid, p. 60: “in the particular case of dark patterns, it is the DSA that acts as the ‘safety net’ complementing the UCPD.”

22 UCPD, Art. 3(4).

23 Ibid.

24 On this problem, see, for example, C Politowski and others, “A Large-Scale Empirical Study of the Impact of Spaghetti Code and Blob Anti-Patterns on Program Comprehension” (2020) 122 Information and Software Technology.

25 Commission, “Questions and Answers on the Digital Fairness Fitness Check,” (Press release, 3 October 2024). Available at <https://ec.europa.eu/commission/presscorner/detail/fi/qanda_24_4909> (last accessed December 2025). See also European Parliament, “Briefing Commitments made at the confirmation hearings of the Commissioners-designate 2024-2029,” (2024) 29, 329, 368, available at

<https://www.europarl.europa.eu/RegData/etudes/BRIE/2025/700896/IPOL_BRI(2025)700896_EN.pdf> (last accessed December 2025); Commission, “Mission Letter Ursula von der Leyen Michael McGrath Commissioner-designate for Democracy, Justice, and the Rule of Law” (2024) 7, available at

<https://commission.europa.eu/document/download/907fd6b6-0474-47d7-99da-47007ca30d02_en?filename=Mission%2520letter%2520-%2520McGRATH.pdf> (last accessed December 2025).

26 UCPD Guidance (2021) supra, note 15. See also M Almada, “Technology neutrality in EU digital regulation” (SSRN 2025). Available at <https://doi.org/10.2139/ssrn.5292321> (last accessed December 2025); M Hildebrandt and L Tielemans “Data protection by design and technology neutral law” (2013) 29(5) Computer Law & Security Review <https://doi.org/10.1016/j.clsr.2013.07.004>.

27 G Howells, T Wilhelmsson and C Twigg-Flesner, Rethinking EU Consumer Law (Routledge 2017).

28 This is in line with the position recently reaffirmed by the EU Consumer Agenda 2030. Commission, “Communication on 2030 Consumer Agenda and action plan for consumers in the single market “A new impulse for consumer protection, competitiveness and sustainable growth” {SWD(2025) 848 final} COM(2025) 848 final, available at <https://commission.europa.eu/document/download/84cfc60e-f264-4f31-9f79-9ec83dce064d_en?filename=JUST_template_comingsoon_standard_14.pdf&prefLang=pt> (last accessed December 2025). See also F Esposito, The Consumer Welfare Hypothesis in Law and Economics: Towards a Synthesis for the 21st Century (Edward Elgar Publishing 2022) 9–10, explaining how market integration appears to be instrumental to consumer welfare, rather than the other way around, as sometimes argued by academic.

29 For an analysis of consumer protection in the context of the Digital Services Act, see C Busch and V Mak, “Putting the Digital Services Act in Context” (2021) 10(3) Journal of European Consumer and Market Law; C Cauffman and C Goanta, “A New Order: The Digital Services Act and Consumer Protection” (2021) 12 European Journal of Risk Regulation. See also B Duivenvoorde and C Goanta, “The Regulation of Digital Advertising under the DSA: A Critical Assessment” (2023) 51 Computer Law & Security Review. More recently, for a discussion of consumer protection in new EU digital legislation, see N Helberger, H-W Micklitz and C Twigg-Flesner, “Escher’s Relativity: Consumer Law as Surreal Staircase?” (2025) 48 Journal of Consumer Policy <https://doi.org/10.1007/s10603-025-09597-y>.

30 DSA, Art. 1(1).

31 A Reyna, “Breaking Down Silos in Public Enforcement: Lessons from Consumer-Facing Markets” (SSRN 2021), available at <https://www.ssrn.com/abstract=3838697> (last accessed December 2025); M W Hesselink, “Private Law, Regulation, and Justice” (2016) 22 European Law Journal 681. See also P Nebbia, “The Interaction of Competition, Consumer and Data Protection Laws: A Few Comments Inspired by the Recent Case Law of the Court of Justice of the European Union” (2023) 23 ERA Forum; C Koolen, “Consumer Protection in the Age of Artificial Intelligence: Breaking Down the Silo Mentality Between Consumer, Competition, and Data” (2023) 31 European Review of Private Law. More recently, on the Emerging Trend of Blending the Boundaries between Consumer Law and Financial Law, see F Morello, “Blending Silos. The Crowdfunding Regulation and the Transformation of EU Retail Financial Law” (2025) 62 Common Market Law Review.

32 A Reyna, “Breaking Down Silos in Public Enforcement (2021), supra, note 31.

33 For an in-depth comparative analysis on how the UCPD and the DSA address dark patterns, see Cecilia Isola, “Regulating dark patterns in the EU” (2025), supra, note 10.

34 Commission, “Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Article 33 of Regulation (EU) 2022/2065 and the interaction of that Regulation with other legal acts” (2025), supra, note 20.

35 UCPD, Art. 3(k).

36 An important difference between the two instruments’ general clauses concerns the fact that the UCPD prohibits practices that materially distort or are likely to distort consumers’ behaviour, whereas the DSA requires only material impairment or distortion, without any mention of likely distortions. This fact suggests that the threshold set by the UCPD is lower than the DSA. F Hofmann and B Raue, Digital Services Act Article-by-Article Commentary (Hart Publishing 2025).

37 C Isola, “Regulating dark patterns in the EU” (2025), supra, note 10, p. 146 seq.

38 Santos and others “Which Online Platforms and Dark Patterns Should be Regulated under Article 25 of the DSA?” (SSRN 2024), available at <https://doi.org/10.2139/ssrn.4899559> (last accessed December 2025).

39 C Isola, “Regulating Dark Patterns in the EU” (2025), supra, note 10, p. 152 seq.; S Ahuja and others, “Towards Key Contributing Factors in Identifying Dark Pattern Autonomy Violations under the EU Digital Services Act” in Companion Publication of the 2025 ACM Designing Interactive Systems Conference (ACM 2025) <https://doi.org/10.1145/3715668.3736336>; S Ahuja and others “Dark Patterns and the EU Digital Services Act: Mapping Autonomy Violations and Design Factors” (2025), available at <https://hal.science/hal-05301214> (last accessed December 2025).

40 UCPD Guidance (2021), supra, note 15; Commission, “Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices” (2016), SWD/2016/0163 final.

41 See, the forthcoming ERPL special issue on the images of the average and particularly vulnerable consumer edited by F Esposito, M Grochowski, and A-L Sibony. In extreme synthesis, this survey of twenty jurisdictions finds that the average consumer is a concept in continuity with that of the reasonable person acting as a consumer; see, for an overview, F Esposito, M Grochowski, A Piron, and A-L Sibony, “The National Lives of the EU Consumer Standards: How Courts Develop the Average and Particularly Vulnerable Consumer and Create the Above-average Consumer” (forthcoming) ERPL.

42 T Akhurst and others, “How Should the European Union Regulate Dark Patterns?” (2023) 11, available at <https://www.sciencespo.fr/public/chaire-numerique/wp-content/uploads/2023/09/Dark-Patterns.pdf> (last accessed December 2025; F Hofmann and B Raue, Digital Services Act Article-by-Article Commentary (2025), supra, note 36, 511–14.

43 European Commission, Decision of 5 December 2025 in cases DSA.100101, DSA.100102 and DSA.100103 – X.

44 Ibid, paras 126–30.

45 Ibid, para. 131.

46 Ibid, para. 169.

47 Commission, European Political Strategy Centre, “The Future of European Competitiveness Part A | A Competitiveness Strategy for Europe” (2024) 30, 68–69 and Commission, European Political Strategy Centre, “The Future of European Competitiveness Part B | In-Depth Analysis and Recommendations” (2024), pp. 317–18. Both available at <https://commission.europa.eu/topics/competitiveness/draghi-report_en> (last accessed December 2025). For a discussion, see N Divissenko, “From Draghi Report to the European Commission’s Regulatory Agenda: Regulatory Transformation or Deregulation?” (2025) European Law Blog.

<https://www.europeanlawblog.eu/pub/88zaty7d/release/1> (last accessed December 2025).

48 H-B Schäfer, “Legal Rules and Standards” in C K Rowley and F Schneider (eds), The Encyclopedia of Public Choice (Springer US 2004). Seminal, L Kaplow, “Rules Versus Standards: An Economic Analysis” (1992) 42 Duke Law Journal. See also A J Casey and A Niblett, “The Death of Rules and Standards” (2017) 92 Indiana Law Journal.

49 C Isola and F Esposito, “A Systematic Literature Review on Dark Patterns for the Legal Community “ (2025), supra, note 10; S Orlando, “Reflections upon ‘The Privacy Fallacy’ by Ignacio Cofone” (2025), supra, note 10, pp. 10–11.

50 Commission, “2022–2023 biennial overview of actions carried out by national authorities under Regulation (EU) 2017/2394 on consumer protection cooperation and key market trends that might affect consumers’ interests in the future” (2024), SWD(2024) 186 final.

51 Commission, “Fitness Check of EU Consumer Law on Digital Fairness” (2024), supra, note 17.

52 Regarding compensation, instead, the current wording of Art. 54 DSA seems clear enough not to require modifications.

53 Another option would be to open the new version of Art. 25(1) DSA as follows: “Without prejudice to the national provisions establishing rules on penalties pursuant to Art. 52 DSA, ….” However, it seems that the provision would become excessively wordy.

54 See, for example, C Santos, V Morozovaite and S De Conca, “No Harm No Foul: How Harms Caused by Dark Patterns Are Conceptualised and Tackled under EU Data Protection, Consumer and Competition Laws” (2025) 34 Information & Communications Technology Law; C Isola and F Esposito, “A Systematic Literature Review on Dark Patterns for the Legal Community” (2025), supra, note 10; S Orlando, “Reflections upon ‘The Privacy Fallacy’ by Ignacio Cofone” (2025) supra, note, 10, 10–11.

55 N Helberger, and others “Digital fairness for consumers” (BEUC 2024). Available at <https://www.beuc.eu/sites/default/files/publications/BEUC-X-2024032_Digital_fairness_for_consumers_Report.pdf> (last accessed December 2025.

56 Commission, Directorate-General for Justice and Consumers, “Behavioural Study on Unfair Commercial Practices in the Digital Environment” (2022), supra, note 8, pp. 42–3.

57 Ibid, pp. 44, 47 and 58.

58 See case law cited in n 19.

59 Commission, “Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Article 33 of Regulation (EU) 2022/2065 and the interaction of that Regulation with other legal acts” (2025), supra, note 20, Annex II, p. 60.

60 For an in-depth discussion on the limited scope of DSA, Art. 25, see C Isola, “Regulating dark patterns in the EU” (2025), supra, note 10, p. 148 seq.

61 Translations such as coperto (Italian), coberto (Portuguese), couvert (French), abgedeckt (German), and cubierto (Spanish) are semantically consistent but generic. None indicates that “coverage” should extend to practices permitted by the UCPD.

62 See Commission, “Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Article 33 of Regulation (EU) 2022/2065 and the interaction of that Regulation with other legal acts” (2025), supra, note 20, pp. 60–61.

63 See, on this point, C Isola, “Regulating Dark Patterns in the EU” (2025), supra, note 10, p. 164 seq.

64 B Raue, “Dark Patterns on online platforms and the interplay between the Digital Services Act and the Unfair Commercial Practices Directive” (2025) 14(3) Journal of European Consumer and Market Law; F Hofmann and B Raue, Digital Services Act Article-by-Article Commentary (Hart/Nomos/Beck 2025), supra, note 36, 503; T Akhurst and others, “How should the European Union Regulate Dark Patterns?” (2023), supra, note 42; F Esposito and T M C Ferreira, “Addictive Design as an Unfair Commercial Practice: The Case of Hyper-Engaging Dark Patterns” (2024), supra, note 10; J Herman, “Dark Patterns: EU’s Regulatory Efforts” (2024) 7 (6) Security and Privacy; S Orlando, “A proposito Dei Deceptive Design (Già Dark) Patterns” (2024) Collana di studi dell’Unione dei privatisti 63–107; M R Leiser and C Santos, “Dark Patterns, Enforcement, and the Emerging Digital Design Acquis: Manipulation beneath the Interface” (SSRN 2023), available at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4431048> (last accessed December 2025); M R Leiser, “Dark Patterns: The Case for Regulatory Pluralism between the European Union’s Consumer and Data Protection Regimes” in E Kosta and R Leenes (eds), Research Handbook on EU Data Protection Law (Edward Elgar Publishing 2022); Santos and others, “Which online platforms and dark patterns should be regulated under Article 25 of the DSA?” (2024), supra, note 38; J Trzaskowski, “Persuasion, Manipulation, Choice Architecture and Dark Patterns” in A Savin and J Trzaskowski (eds), Research Handbook on EU Internet Law (Edward Elgar Publishing 2023); From a regulatory perspective, see Digital Fitness Check (2024), supra, note 17X. In the case law, see OLG Bamberg, Judgment of 5.2.2025 – 3 UKl 11/24e, ECLI:DE:OLG-BAMB:2025:0205.3UKL11.24E.0A = GRUR-RS 2025, 6221.

65 OLG Bamberg, Judgment of 5.2.2025, supra, note 60.

66 C Isola and F Esposito, “A Systematic Literature Review on Dark Patterns for the Legal Community” (2025), supra, note 10.

67 Santos and others, “Which online platforms and dark patterns should be regulated under Article 25 of the DSA?” (2024), supra, note 38; F Esposito and T M C Ferreira, “Addictive Design as an Unfair Commercial Practice: The Case of Hyper-Engaging Dark Patterns” (2024), supra, note 10.

68 For an in-depth discussion of this interpretation, including its rationale and limits, see C Isola, “Regulating dark patterns in the EU” (2025), supra, note 10, p. 171 seq.

69 The recent Commission’s report builds on this interpretation. See Commission, “Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Article 33 of Regulation (EU) 2022/2065 and the interaction of that Regulation with other legal acts” (2025), supra, note 20. See, already, J Trzaskowski, “Behavioural Innovations in Marketing Law”, in H-W Micklitz, A-L Sibony, and F Esposito (eds), Research Methods in Consumer Law (Edward Elgar Publishing 2018), pp. 299 ss. (“The Directive applies to unfair business-to-commercial practices”).

70 DSA, Art. 1(1): “The Regulation aims to contribute to the proper functioning of the internal market for intermediary services by setting out harmonised rules for a safe, predictable and trusted online environment that facilitates innovation and in which fundamental rights enshrined in the Charter, including the principle of consumer protection, are effectively protected”.

71 B Duivenvoorde, “Redesigning the UCPD for the Age of Personalised Marketing” (2023), supra, note 11.

72 F Galli, supra, note 10; Esposito and Cathoud Ferreira, supra, note 10; E Kaprou, “Aggressive Commercial Practices 2.0: Is the UCPD Fit for the Digital Age?” (2023) 12 Journal of European Consumer and Market Law.

73 C Isola, “Regulating dark patterns in the EU” (2025), supra note, 10, p. 170.

74 For a recent general discussion, see Francisco de Elizalde, “Fragmenting Consumer Law Through Data Protection and Digital Market Regulations: The DMA, the DSA, the GDPR, and EU Consumer Law” (2025) 48 Journal of Consumer Policy.

75 UCPD, Art. 7(5).

76 Case C-453/10, Jana Pereničová and Vladislav Perenič v SOS financ spol. s r. o. [2012] ECLI:EU:C:2012:144.

77 For example, consumer loan agreements have been a constant source of preliminary references on horizontal consumer law, despite extensive sectoral banking and consumer credit legislation.

78 Case C-319/20, Meta Platforms Ireland v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV [2022] ECLI:EU:C:2022:322.

79 Joined Cases C-54/17 and C-55/17, Wind Tre [2018] ECLI:EU:C:2018:710, para. 61.

80 The provision on the prohibition on dark patterns on interfaces for this type of contracts follows a very similar wording and structure of Art. 25 DSA, but without the exclusion of simultaneous coverage of Art.25(2) DSA. Recital 41 and Art.1 (4) (which inserts a new Article 16c on Directive 2011/83/EU), of Directive (EU) 2023/2673 of the European Parliament and of the Council of 22 November 2023 amending Directive 2011/83/EU as regards financial services contracts concluded at a distance and repealing Directive 2002/65/EC. See Martin Brenncke, “Regulating Dark Patterns” (2024) Notre Dame Journal of International & Comparative Law Vol. 14(1), p. 49–50, <https://scholarship.law.nd.edu/cgi/viewcontent.cgi?article=1194&context=ndjicl> (last accessed January 2026).

81 Even though the Data Act is not consumer law, its provisions on interfaces and dark patterns complements it, protecting consumers without affecting the application of the UCPD. See recital 38 and Art. 4(4) and Art. 6(2)(a) of Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act). Martin Brenncke, “Regulating Dark Patterns” (2024) supra, pages 50–1.

82 The AI Act prohibited practices provisions, namely Art. 5(1)(a) and (b) on deceptive, subliminal, manipulative techniques, and systems which exploit vulnerable people, align closely with the objectives of the UCPD, with a different but slightly overlapping scope. These provisions are complementary to, without being limited by, the UCPD. See recital 29 and Art. 5(1)(a) of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act). See also, Commission Guidelines on prohibited artificial intelligence practices established by Regulation (EU) 2024/1689 (AI Act), C(2025) 5052 final, pages 44-47. Evelyne Terryn and Sylvia Martos Marquez, “AI and Consumer Protection An Introduction” in Nathalie A. Smuha (eds), The Cambridge Handbook of the Law, Ethics and Policy of Artificial Intelligence (Cambridge University Press 2025), pages 207–9, <https://www.cambridge.org/core/books/cambridge-handbook-of-the-law-ethics-and-policy-of-artificial-intelligence/0AD007641DE27F837A3A16DBC0888DD1> (last accessed January 2026).

83 The DMA does not explicitly tackle dark patterns but contains several provisions that place obligations that limit gatekeepers’ ability to use their influence, including through their interfaces, to restrict end-users and business users decision-making capabilities. As a poignant example, the Commission recently issued a decision against Apple’s anti-steering practices in their app-store, which resorted to several techniques that could be framed as dark patterns (such as presenting users with “warning prompts” each time users could use a third-party interface to conclude a contract, instead on staying in Apple’s environment). See recital 70, Art. 5, Art. 13(4) of the Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector OJ L 265 (“Digital Markets Act”). See Commission Implementing Decision, CASE DMA.100109 – Apple – Online Intermediation Services – app stores – AppStore – Art. 5(4) C(2025) 2090 final, see para 36, 101–4, available at <https://ec.europa.eu/competition/digital_markets_act/cases/202523/DMA_100109_929.pdf> (last accessed January 2026).

84 Case C-27/22, Volkswagen Group Italia and Volkswagen Aktiengesellschaft [2023] ECLI:EU:C:2023:663, para. 96 seq; and Case C-205/23, Energie Romania [2025] ECLI:EU:C:2025:43, paras 63–5. For discussions, see F Esposito, L de Almeida and C Paulesu, “EU Contract Case Law, July–December 2023” (2024) 20 European Review of Contract Law; L de Almeida, Fabrizio Esposito and Elisabeth Wondracek, “EU Contract Case Law, January - March 2025” (2025) 21 European Review of Contract Law.

85 Case C-757/22, Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV [2024] ECLI:EU:C:2024:598.

86 UCPD Guidance (2021) supra, note 15.

87 This expression, used in the recitals of the UCTD, made more explicit in comparison to the UCPD, that the boundaries between one’s persona as consumer (economy) and one’s persona as citizen (politics) are difficult to draw.

88 Many studies focus on an NRA’s independence; see, for example, D Sześciło, “Challenging Administrative Sovereignty: Dimensions of Independence of National Regulatory Authorities Under the EU Law” (2021) 27 European Public Law. Others go beyond noting, a wealth of organizational differences between sectors (e.g., L van Kreij, “The Choice of EU Agencies or Networks of National Authorities: Exploring the Relevance of Regulated Industry Characteristics” in Research Handbook on the Enforcement of EU Law (Edward Elgar Publishing 2023); E M Heims, “Regulatory Co-Ordination in the EU: A Cross-Sector Comparison” (2017) 24 Journal of European Public Policy) and within sectors (e.g., P Schütz, “Data Protection Authorities Under the EU General Data Protection Regulation – a New Global Benchmark” in M Magetti, F D Mascio and A Natalini (eds), Handbook of Regulatory Authorities (Edward Elgar Publishing 2022); C Scott, “Enforcing Consumer Protection Laws” in G Howells, I Ramsay and T Wilhelmsson (eds), Handbook of Research on International Consumer Law, Second Edition (Edward Elgar Publishing 2018)).

89 We refer to the European Board for Digital Services for the DSA, the Consumer Protection Cooperation Network for the UCPD and the European Data Protection Board for the GDPR.

90 Commission, “Commission Notice on the application of EU food and consumer protection law to issues of Dual Quality of products -The specific case of food” (2017) OJ C 327.

91 See Commission, “Quality Differences Dual quality of food” (2021), available at <https://commission.europa.eu/live-work-travel-eu/consumer-rights-and-complaints/enforcement-consumer-protection/coordinated-actions/quality-differences_en> (last accessed December 2025).

92 Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules, OJ L 328.

93 As in the case of the exercise of de facto legislative powers through administrative guidelines. This approach goes against the simplification stressed by the Draghi Report and the competitiveness agenda, as it introduces an additional layer of legislative (or quasi-legislative) instruments, which further increases costs for businesses, consumers, regulators, and all other stakeholders. Regarding this trend of using guidelines to introduce additional layers of regulation, in EU banking law, see R Mazzocchi and K Gereon Spitzer, “Simplification, Not Deregulation? Unpacking the Debate on Simplification and Regulatory Burden for European Banks” (SSRN 2025), available at <https://doi.org/10.2139/ssrn.5702922> (last accessed December 2025); European Parliament Think Tank, “Banking Union EGOV Economic Governance and EMU Scrutiny Unit” (2025), pp. 8–10, available at <https://www.europarl.europa.eu/RegData/etudes/IDAN/2025/764389/ECTI_IDA(2025)764389_EN.pdf> (last accessed December 2025).

94 Similarly, see N Helberger and others “Digital fairness for consumers” (BEUC 2024) supra, note 52; C Busch and A Fletcher “Shaping the Future of European Consumer Protection: Towards A Digital Fairness Act? (CERRE 2024), available at <https://cerre.eu/wp-content/uploads/2024/12/Shaping-the-Future-of-European-Consumer-Protection-Towards-A-Digital-Fairness-Act.pdf> (last accessed December 2025).

95 Art. 18 is about the periodic review of the UCPD and Art. 19 is about its transposition, while Art. 20 (the last one) sets the Directive’s entry into force.

96 See Recital 2 of Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), OJ L 265.

97 A H Türk, “Legislative, delegated acts, comitology and interinstitutional conundrum in EU law – configuring EU normative spaces” (2020) 26 European Law Journal; M Chamon, The European Parliament and Delegated Legislation: An Institutional Balance Perspective (Hart Publishing 2022); G Bellenghi and E Vos, “Rethinking the Constitutional Architecture of EU Executive Rulemaking: Treaty Change and Enhanced Democracy” (2024) 15 European Journal of Risk Regulation.

98 Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council by laying down the technical conditions and procedures under which providers of very large online platforms and of very large online search engines are to share data with vetted researchers C/2025/4340 OJ L, 2025/2050, 9.10.2025.

99 As a counterargument to the doctrinal approach which cautious against this use of delegated acts, we refer to the approach found in the AI Act. The most noteworthy example is its Article 7, which confers on the European Commission the power to, through delegated acts, amend Annex III, to add or modify use-cases of high-risk AI systems, under certain conditions and through a certain procedure. Considering Article 6(2), this effectively confers on the European Commission the power to expand and modify the scope of many obligations of this regulation with tremendous regulatory and economic impact across the Union, for the same purpose and objetive that we argue for with our proposal: to have a fast procedure to update the existing standards, to protect fundamental rights (which include the protection of consumers‘ individual autonomy in decision making and their economic interests). See Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 OJ L, 2024/1689, 12.7.2024.

Figure 0

Table 1. Comparative overview of the UCPD and DSA in relation to dark patterns.