ICLE Comments to the European Commission’s Digital Fitness Check
I. Introduction
We appreciate the opportunity to contribute to the European Commission’s Digital Fitness Check.[1] The International Center for Law & Economics (ICLE) is a nonprofit, nonpartisan global research and policy centre dedicated to building the intellectual foundations for sensible, economically grounded policy. ICLE applies law & economics methodologies to inform public-policy debates on technology governance, competition, and consumer-protection policy. Our interest is to ensure that the EU’s digital rulebook promotes consumer welfare, innovation, and competitiveness through clear, predictable, and proportionate rules grounded in evidence and sound economics.
The Digital Fitness Check is both timely and necessary. The Commission’s recognition that the cumulative effects of EU digital regulation require systematic evaluation reflects concerns raised by ICLE and many other stakeholders. The Draghi Report, the Letta Report, and the Commission’s own Competitiveness Compass all acknowledge that the accumulation of EU digital rules may have unintended consequences for innovation and competitiveness, particularly for small and medium-sized enterprises.[2]
Unlike the Digital Omnibus—which focused on targeted, incremental reforms—the Fitness Check creates an opportunity to examine deeper structural features of the EU digital rulebook. Over time, successive legislative initiatives have produced a dense regulatory framework characterised by three recurring structural problems: weak empirical foundations for regulation, definitional and institutional spillovers across instruments, and cumulative compliance burdens that are rarely evaluated systematically. Evaluating the rulebook as an integrated system is therefore essential to ensuring that EU digital regulation supports, rather than undermines, innovation, competition, and European competitiveness.
These comments are organised as follows. Section II addresses the need for methodological rigour in the Fitness Check, including the assessment of indirect effects, the gap between projected and actual compliance costs, and the problem of last-minute legislative additions that bypass the impact-assessment process. Section III examines definitional spillovers across the EU digital rulebook, focusing in particular on the migration of key concepts—such as the DMA’s ‘gatekeeper’ designation and the DSA’s ‘very large online platform’ category—across instruments in ways that were never properly assessed. Section IV analyses the risk of an anti-commons dynamic created by overlapping data regulations, with particular attention to the interaction between the GDPR and the DMA and its implications for data use and artificial-intelligence development. Section V evaluates the institutional framework for enforcement, including the persistent under-resourcing of national supervisory authorities and the coordination challenges created by the growing number of EU and national regulators overseeing digital markets. Section VI examines the cumulative impact of the digital rulebook on startups, innovation, and European competitiveness, drawing on empirical evidence from the implementation of the GDPR and broader research on regulatory burdens in dynamic markets. Section VII concludes.
II. Evaluating the Costs and Outcomes of EU Digital Regulation
The Digital Fitness Check should be more than a mapping exercise. It should assess whether the EU’s digital rules achieve their stated objectives at the lowest effective cost. This requires more than a narrow inquiry into regulatory efficiency. It calls for a broader evaluation of how these rules affect innovation, competition, and economic growth.
Europe faces what many policymakers have described as an “existential challenge”.[3] That moment demands more than superficial reforms or procedural simplification. President Ursula von der Leyen emphasised this point at the ‘One Year After the Draghi Report’ conference, calling for a renewed “sense of urgency” and “ambition”, alongside “less paperwork, less overlaps, less complex rules”.[4] The Fitness Check should reflect that spirit. It should approach the EU’s digital rulebook with sufficient openness—and regulatory humility—to revise or repeal measures where evidence shows negative effects, or where claimed benefits remain uncertain.
The Commission’s Communication on ‘A Simpler and Faster Europe’ commits to reducing administrative costs by 25 per cent for all firms and 35 per cent for SMEs, from a baseline estimated at roughly €150 billion.[5] These are ambitious targets. The Fitness Check should provide the analytical foundation needed to meet them.
The call for evidence identifies many of the right questions, including definitional coherence, cumulative cost–benefit analysis, governance interplay, and opportunities for streamlining.[6] Experience with earlier impact assessments nonetheless suggests that the Commission’s methodology will require strengthening if the Fitness Check is to produce actionable findings.
A. Impact Assessments Miss Indirect Costs
A recurring weakness in Commission impact assessments is the failure to capture significant indirect effects of regulation. As we observed in our Digital Omnibus submission, current assessments tend to focus on the direct compliance costs borne by regulated firms while overlooking the economic consequences for third parties—e.g., “business users”—that depend on regulated services.[7]
This omission is particularly problematic in digital markets. Platforms typically act as intermediaries connecting multiple groups of users. When regulation degrades a platform’s functionality or service quality, the resulting costs do not remain confined to the platform operator. They spread across the wider ecosystem—to business users, advertisers, content creators, and consumers who rely on those services.
B. Compliance Costs Are Systematically Underestimated
Impact assessments have not only overlooked indirect costs. They have also consistently underestimated the direct compliance costs imposed on regulated firms. The Digital Markets Act (DMA) illustrates the problem.
The Commission’s impact assessment projected total compliance costs for all designated gatekeepers of approximately €21–28 million.[8] Those figures bear little resemblance to the actual costs reported by firms. As Mikolaj Barczentewicz explains in an analysis of the DMA compliance workshops held in 2025:
During recent DMA workshops, Amazon revealed that its compliance costs have been “multiple orders of magnitude beyond that predicted amount.” This carefully chosen phrase suggests costs potentially reaching hundreds of millions of euros annually for Amazon alone. Meta representatives acknowledged that reality has dwarfed initial third-party estimates of $10-20 million per year. As one Meta representative noted, “we’re a long way north of that.”
The human resource allocation tells an equally striking story.
- Apple’s “engineers have spent hundreds of thousands of hours to bring everything to life, often on incredibly compressed timelines.” There are “thousands of employees at Apple involved in dealing with the impact of the DMA in engineering, design, operations, marketing, and more.”
- Meta has deployed over 11,000 employees working on DMA compliance design, build, and implementation—investing close to 600,000 engineering hours, equivalent to over six decades of engineering work compressed into a two-year period.
- Google assigned approximately 3,000 people, mostly engineers, working full-time for two years just on Article 5(2) compliance alone.[9]
Other estimates suggest even broader economic costs. A 2025 report estimated that EU digital-services regulation imposes up to $97.6 billion annually in total costs once lost revenue is included. Compliance costs alone were estimated at $2.2 billion per year.[10]
These figures still understate the true burden because they omit opportunity costs. Every engineering hour devoted to regulatory compliance is an hour not spent on innovation that could benefit European consumers. As an Amazon representative explained during the DMA workshops:
…any dollar that you spend or euro that you spend on work necessarily takes away that work from other areas that you could be innovating and providing benefits to customers in Europe.[11]
C. The RSB Identified These Problems Early
These shortcomings are not merely external critiques. The Commission’s own Regulatory Scrutiny Board (RSB)—an independent body responsible for evaluating the quality of Commission impact assessments—raised fundamental concerns about the DMA before the regulation was adopted.
The RSB issued an initial negative opinion on the DMA impact assessment, concluding that the analysis:
… does not sufficiently justify the restriction of its scope to digital markets. It does not justify the selection of platform services within the digital sector nor does it clarify the concept of gatekeeper platforms.
… does not provide policymakers with real choices on the different policy options. It does not provide a full range of options and it does not develop these in sufficient detail. It therefore cannot assess their impacts on different stakeholders.[12]
This negative opinion forced a substantial revision of the proposal before its formal publication in December 2020. Yet even after revisions, the RSB continued to identify what it described as “significant shortcomings”. The Board also found that the report did not fully justify the selection of the core platform services covered by the regulation and failed to define adequately several measures included in the different policy options.[13]
The Board further urged the Commission to clarify the causal link between alleged market failures and the harms identified, and to consider the potential costs of curtailing size advantages arising from network economies and economies of scale.[14] In essence, the RSB questioned whether the evidence demonstrated that the targeted practices produced the harms the DMA sought to address—and whether the regulation itself might eliminate efficiencies that benefit consumers.
D. DMA Enforcement Reveals Unintended Consequences
These findings matter for the Fitness Check for two reasons.
First, they show that many of the evidentiary weaknesses now visible in DMA enforcement—including unintended consequences for European hotels and the withdrawal of political-advertising services discussed below—were foreseeable. The Commission’s own oversight body raised them at the outset.
Second, they suggest that the impact-assessment process, as currently structured, lacks sufficient authority to prevent inadequately supported proposals from advancing to legislation. The Fitness Check should therefore treat the RSB’s conclusions as a starting point for evaluating whether DMA obligations are appropriately calibrated to the harms they were meant to address and whether the assumptions underpinning those obligations have been borne out in practice.
More broadly, RSB opinions should carry greater weight in the legislative process so that the Board’s quality-control function cannot be routinely overridden by political imperatives.
Recent enforcement experience further illustrates the risks of poorly calibrated regulation. Available evidence suggests that EU hotels experienced a significant decline in direct traffic following DMA enforcement against Google Search, with gains accruing disproportionately to large travel intermediaries, rather than to the smaller European businesses the DMA was intended to support.[15]
Regulatory uncertainty has also delayed access to new products for European consumers. Google’s Gemini AI and Meta’s Threads were available abroad months before their EU launch. Google’s AI Overviews—which provide multi-step reasoning capabilities in search results to more than one billion users worldwide—also reached European users substantially later.[16] These are precisely the kinds of indirect effects that the Fitness Check should identify and help eliminate.
E. SME and Innovation Effects Are Under-Examined
The Draghi Report reached a similar conclusion regarding the Commission’s analytical framework. It found that more than half of Commission impact assessments fail to provide sufficient detail on the needs of SMEs. It also observed that the EU lacks both a commonly agreed definition of ‘small mid-caps’ and readily available statistical data on them.[17]
The Fitness Check should therefore adopt a methodology that goes beyond mapping overlaps. It should measure the cumulative economic impact of EU digital rules across firms of all sizes, including indirect effects on business users of regulated platforms and on incentives to innovate.
F. The Legislative Process Needs Stronger Safeguards
The Fitness Check’s analytical framework will shape not only how existing rules are evaluated, but also how future legislation is designed. One persistent concern is the problem of last-minute legislative additions.
Several instruments in the Digital Package underwent substantial changes during trilogue negotiations that introduced obligations without adequate drafting or analysis. The Artificial Intelligence Act provides a prominent example. Its provisions on general-purpose AI (GPAI) were introduced late in the legislative process in response to ChatGPT’s emergence and were not subject to the impact assessment accompanying the Commission’s original proposal.[18]
The result may be legislation that inadvertently slows the EU’s adoption of critical technologies. The Commission’s current effort to ease compliance burdens through the Digital Omnibus—less than a year after the AI Act’s adoption—illustrates the problem.
The Fitness Check should therefore also address procedural safeguards. Any substantive amendment introduced after the impact-assessment stage should trigger a supplementary assessment proportionate to the amendment’s significance. Such a requirement would strengthen the evidentiary foundation of EU digital legislation and reduce the risk of poorly calibrated rules.
III. Definitional Incoherence Across the EU Digital Rulebook
Beyond methodological weaknesses in impact assessments, a second structural problem concerns definitional spillovers across the EU digital acquis. Legal regimes rarely operate in isolation. Modern economic activity—especially in digital markets—falls simultaneously under multiple regulatory frameworks, including competition law, consumer protection, and data protection. Each regime pursues distinct policy objectives, but they often regulate the same underlying conduct. When key concepts across these frameworks diverge, the result is not only conceptual confusion but regulatory spillovers, where rules designed for one policy domain reshape outcomes in another.
These spillovers create more than compliance challenges. Definitional incoherence can produce overlapping obligations, conflicting compliance requirements, weakened enforcement coordination, and legal uncertainty. As the EU digital rulebook has expanded, it has generated what commentators describe as a ‘complex matrix’ and a ‘layering of governance structures’ assembled over time for markets that were often national in scope but now operate on a supranational basis.[19] These misalignments do more than complicate interpretation. They can affect how authority is allocated among regulators, shape firms’ incentives to choose particular jurisdictions, and undermine consistent enforcement across the Union.[20]
The treatment of data across EU law illustrates the problem. Under the GDPR, personal data is framed through the lens of individual rights and informational autonomy.[21] The DMA, by contrast, treats data primarily as an economic input. It requires designated gatekeepers to enable data portability and third-party interoperability in order to lower barriers to entry in digital markets.[22] The interaction between these instruments creates tangible friction. A gatekeeper obliged, for example, under Article 6(9) of the DMA to facilitate data portability may simultaneously face GDPR constraints that limit the lawful basis or permissible scope of that transfer. In some scenarios, satisfying both regimes simultaneously may prove structurally impossible, forcing firms to prioritise one framework over the other.
The Commission and the European Data Protection Board have acknowledged this tension. Both institutions have issued draft Joint Guidelines on the interplay between the two instruments for public consultation.[23] This initiative is welcome, but further work remains necessary to reconcile the two regimes.[24]
Comparable difficulties arise in the classification of digital intermediaries. The DMA introduced the concept of a ‘gatekeeper’ to designate a small number of large platforms providing core platform services that meet specific quantitative and qualitative thresholds.[25] That concept has since migrated into other legal instruments, most notably the Data Act. Article 5(3) of the Data Act provides that any undertaking designated as a gatekeeper under Article 3 of the DMA cannot qualify as an eligible third party for purposes of receiving data at a user’s request under the Data Act’s data-sharing framework.[26]
This exclusion aims to prevent gatekeepers from leveraging internet-of-things (IoT) data to strengthen their market position. It nevertheless creates tension with the DMA’s own data-portability obligations under Article 6(9), which require gatekeepers to facilitate outbound portability to end users and authorised third parties.[27] The resulting regime is asymmetric: gatekeepers must make data available to others under the DMA but cannot receive data under the Data Act, even when users wish to share their data with a gatekeeper’s service.
This interaction was never properly assessed in the Data Act’s impact assessment, which preceded the DMA’s entry into force and the designation of specific gatekeepers. The episode illustrates a broader structural problem. When concepts designed for one regulatory context migrate into another without careful analysis of how the two instruments interact, the result is legal uncertainty and outcomes that may serve neither instrument’s objectives.
A similar concern arises with the Digital Services Act’s concept of ‘very large online platforms’ (VLOPs). VLOP designation triggers heightened obligations under the DSA, including systemic-risk assessments, independent auditing, and enhanced transparency requirements.[28] The threshold was designed for a specific regulatory purpose. Yet the concept increasingly appears in other regulatory discussions, including proposals such as the Digital Fairness Act and sector-specific legislation. Each extension risks applying obligations calibrated for one policy objective to contexts where they may be disproportionate.
Ensuring definitional coherence across the EU digital acquis therefore requires a more systematic approach.
First, the Fitness Check should conduct a cross-instrument audit of key definitions and regulatory categories across the EU digital rulebook. This exercise should identify not only textual inconsistencies but also situations in which one instrument’s concepts implicitly determine rights or duties under another.
Second, the Commission should adopt a rebuttable presumption against importing regulatory categories from one instrument into another without a dedicated impact assessment of the interaction. Concepts such as ‘gatekeeper’ or ‘VLOP’ should not become default legislative categories.
Third, where full harmonisation is neither possible nor desirable, the Union should develop conflict-management mechanisms for overlapping regimes. These may include structured cooperation clauses, clearer competence rules, express conflict provisions, and safe-harbour mechanisms for firms acting in good faith to reconcile competing obligations.
Fourth, impact assessments should evaluate cumulative effects, rather than individual instruments in isolation. The relevant question is not only whether a proposal is justified on its own terms but also how it interacts with the obligations, thresholds, and governance structures already embedded in the wider digital acquis.
The objective of the Fitness Check should not be uniformity for its own sake. It should be regulatory coherence. The EU’s digital rulebook will inevitably contain multiple regimes pursuing different policy objectives. When the same firms, technologies, and data flows are governed through inconsistent concepts transplanted across instruments without adequate justification, the result is not a coherent framework for digital governance but a layered system of potentially self-defeating obligations.
IV. Data Regulation and the Risk of an Anti-Commons
A significant problem in the EU’s digital rulebook is what could be described as an ‘anti-commons’ dynamic in the regulation of data.[29] In the classic formulation developed by Michael Heller, a tragedy of the anti-commons occurs when resources remain underutilised because too many actors hold rights to exclude others from using them.[30] In regulatory contexts, the anti-commons arises when overlapping legal regimes grant multiple authorities the power to restrict the same activity, making lawful use of a resource—here, data—difficult or impossible in practice.
The concept offers a useful lens for analysing EU data regulation, where multiple legal instruments impose distinct but cumulative restrictions on the processing, combination, and sharing of data. Each instrument is enforced by a different authority, operating under its own institutional mandate and interpretive priorities.
The joint guidelines issued by the Commission and the European Data Protection Board on the interplay between the DMA and the GDPR illustrate these tensions clearly.[31] Under Article 5(2) DMA, gatekeepers may not process, combine, or cross-use personal data across their core platform services and other services unless they obtain valid consent from end users. As the joint guidelines emphasise, this consent must satisfy the GDPR’s requirements—it must be specific, informed, and freely given.[32]
In practice, the availability of consent as a lawful basis is constrained. The Court of Justice’s judgment in Meta Platforms v. Bundeskartellamt held that a dominant market position may create power imbalances that undermine the voluntary nature of consent.[33] This interpretation significantly weakens the consent route under Article 5(2) DMA, as regulators may be inclined to presume that gatekeepers occupy such positions of power. The remaining GDPR legal bases offer little practical relief. The joint guidelines exclude reliance on ‘performance of a contract’ and ‘legitimate interests’, leaving only non-commercial bases such as compliance with a legal obligation or the protection of vital interests—grounds that rarely apply to commercial data processing.
The result is a formal legal pathway for data processing that, in practice, is largely unavailable. The likely consequence is that the use of data—including by the gatekeepers discussed above—will fall below socially optimal levels. This matters not only for gatekeepers but for the broader digital economy. Data that cannot lawfully be processed, combined, or cross-used cannot be deployed to improve services, develop new products, or train artificial-intelligence systems. The anti-commons dynamic thus produces systematic underutilisation of data and complementary assets, with consequences for compliance, consumer welfare, and innovation.[34]
The problem is compounded by the joint guidelines’ approach to consent interfaces. The guidelines require gatekeepers to obtain separate consent for each distinct processing purpose—such as personalised advertising, personalised content, and service development—through individual questions within a consent flow.[35] At the same time, they caution that the process must not create ‘choice fatigue’ for users.[36] Navigating this tension will be difficult in practice. Poorly designed consent flows could undermine the validity of consent while also risking classification as an ‘aggressive’ commercial practice under EU consumer-protection law.[37]
These requirements may therefore generate conflicting outcomes in EU data regulation. The Commission has simultaneously recognised the need to reduce cookie-consent fatigue. Requiring consent interfaces that multiply user prompts under the DMA risks producing the opposite result, creating additional complexity for both users and firms.
Similar anti-commons effects may arise in the context of artificial intelligence. AI development depends on the ability to process, combine, and cross-use large datasets to train models and improve outputs. The DMA’s restrictions on data combination and cross-use could prevent gatekeepers from using data generated across their services to train AI models.[38] The AI Act introduces an additional layer of obligations relating to training data, including requirements on data governance, bias testing, and documentation. These obligations may, at times, prove difficult to reconcile with the DMA’s and GDPR’s overlapping constraints on data use.[39]
Recent case law illustrates the uncertainty surrounding these interactions. A judgment of the Higher Regional Court of Cologne tentatively addressed the issue, concluding that Meta’s use of data from Instagram and Facebook to train generative AI models did not violate the DMA.[40] The broader legal landscape remains uncertain. Other courts or regulators across the Union could reach different conclusions regarding the interaction of these instruments.
This emerging anti-commons dynamic has clear implications for the Fitness Check. The Commission should evaluate whether the EU’s expanding body of data regulation collectively makes it less attractive to conduct data-driven activities within the Union. Such an outcome would lead to inefficient underutilisation of Europe’s data resources, with negative consequences for European consumers and businesses.
The Fitness Check should therefore examine whether the ‘without prejudice’ clauses that accompany many of these instruments operate effectively in practice or merely obscure conflicts that generate anti-commons outcomes.[41] In particular, it should assess the cumulative effects of the GDPR, the DMA, the Data Act, and the ePrivacy framework on the lawful processing and use of data. These constraints also have broader implications for the EU’s competitiveness in artificial intelligence, where access to large and diverse datasets is a key input for innovation. This analysis would help identify areas where overlapping restrictions produce inefficiencies without corresponding gains in data protection.
V. Institutional Capacity and Regulatory Coordination
Effective enforcement of EU digital regulation requires supervisory authorities with strong technical expertise, adequate financial and human resources, and sufficient operational independence to exercise their powers without undue political or market influence. The forthcoming Fitness Check should therefore examine whether the EU’s current institutional framework is equipped to deliver effective enforcement in practice. Two governance challenges deserve particular attention: institutional capacity and coordination across authorities.
The evaluation should consider whether the national authorities designated under the EU digital rulebook—including those responsible for the GDPR, the Digital Services Act, and the Digital Markets Act—possess the staffing levels, technological capabilities, and investigative expertise necessary to fulfil their increasingly complex mandates. Digital markets evolve rapidly. Regulated firms operate at a high level of technical sophistication, and many services function across borders. These realities place significant demands on regulators. Without sustained institutional capacity, enforcement risks falling short of legislative ambition.
Experience with the implementation of the GDPR offers important lessons. Although the regulation assigns central enforcement responsibilities to national data-protection authorities (DPAs), many DPAs remain significantly under-resourced relative to the scale and complexity of their tasks. This structural imbalance has contributed to the widely documented challenges associated with the GDPR’s one-stop-shop mechanism, particularly in cross-border cases involving large digital platforms. Any comprehensive evaluation of the EU digital rulebook should therefore examine not only the design of legal obligations but also whether supervisory authorities have the institutional capacity needed to enforce those obligations consistently across the Union.
A further concern relates to the limited coordination among the multiple regulatory bodies that now share oversight of digital markets. The EU’s digital regulatory framework—including the DMA, GDPR, DSA, AI Act, NIS2 Directive, Data Act, and several sector-specific regimes—allocates supervisory and enforcement responsibilities across numerous authorities. These bodies operate under different legal mandates, institutional structures, and enforcement priorities, often reflecting distinct regulatory traditions and policy objectives.
Institutional diversity may sometimes be justified by the aims of individual instruments. Yet it also creates challenges for the coherence of the overall regulatory system. The risk extends beyond duplicative administrative efforts. Overlapping jurisdictions and fragmented oversight may produce situations in which obligations imposed by one authority are difficult to reconcile with those enforced by another. Firms may then face conflicting requirements, higher compliance costs, and greater legal uncertainty, undermining both the effectiveness and the credibility of the EU’s digital regulatory framework.
Fragmentation may also arise when new regulatory initiatives pursue objectives already addressed under existing EU or national law. The DMA illustrates this risk. The regulation’s justification for EU-level harmonisation rests on the cross-border nature of digital-platform services, which makes it difficult for individual Member States to address the identified competition concerns effectively. In practice, however, the boundaries between the DMA and traditional competition law—both at EU and national levels—remain uncertain.
Since the adoption of the DMA, several Member States have introduced or expanded national initiatives addressing digital markets. These include new competition-law provisions tailored to digital platforms, rules addressing economic dependence, and expanded market-investigation powers for national authorities. The result is a growing landscape of overlapping regulatory initiatives.
The parallel application of the DMA at the EU level alongside the enforcement of both existing and newly adopted national rules creates risks of double jeopardy, inconsistent enforcement outcomes, and conflicting decisions across jurisdictions.[42] These developments threaten the integrity of the internal market and risk undermining the very rationale for adopting a harmonised EU framework for digital markets.[43]
VI. Competitiveness and EU Digital Regulation
The Fitness Check’s stated purpose is to assess how the EU digital rulebook affects—and supports—the Union’s competitiveness.[44] This is ultimately the most important question. The evidence available to date suggests cause for concern.
In a recent white paper, ICLE scholars examined whether the EU’s Digital Package—comprising the DMA, DSA, Data Act, and AI Act—responds to the needs of technology startups and scaleups.[45] The analysis found considerable heterogeneity. Some instruments attempt to address startup-specific concerns, while others scarcely acknowledge them. All the acts provide some exemptions or carveouts for SMEs, but these differ significantly in scope. The DMA focuses almost exclusively on large gatekeepers, while the AI Act contains more extensive provisions intended to support smaller firms. Despite these carveouts, contradictions across the Digital Package complicate efforts to support SMEs and increase compliance burdens for startups and other firms. These frictions risk harming competition, investment, and innovation.
A central difficulty lies in the fragmented origins of the Digital Package. The instruments were not designed as a single integrated framework. Instead, they emerged at different moments to address distinct perceived problems in digital markets. The result is a regulatory environment that startups encounter as complex and fragmented. Each instrument introduces its own definitions, obligations, and compliance mechanisms. From the perspective of a young firm attempting to launch or scale within the EU, the relevant question is therefore not whether any single rule appears reasonable in isolation but whether the cumulative effect of multiple rules creates barriers to entry or expansion. Scholars of regulatory economics have long observed that such cumulative burdens can be particularly harmful in dynamic sectors where experimentation, rapid iteration, and risk-taking drive innovation.[46]
Empirical evidence from the implementation of the GDPR offers a cautionary precedent. A study by Jian Jia, Ginger Zhe Jin, and Liad Wagman found that, within a year of the GDPR’s enforcement, European technology startups experienced an average reduction of 26.1 per cent in monthly venture-funding deals relative to their U.S. counterparts.[47] The decline persisted through at least 2020. The contraction was most pronounced among data-driven startups, firms aged zero to three years, and business-to-consumer ventures.[48] A separate study found that the GDPR prompted websites to reduce their use of third-party technology vendors, leading to a 15 per cent decline in vendors serving EU visitors and a 17 per cent increase in market concentration among service providers.[49] Larger firms—including Google and Facebook—expanded their market shares at the expense of smaller advertising-technology providers. As Michal Gal and Oshrit Aviv conclude, the GDPR’s privacy safeguards have had the unintended effect of limiting competition and increasing concentration in data-related markets.[50]
These findings highlight a broader structural concern about regulatory design in digital markets. Digital innovation often depends on network effects, access to data, and rapid scaling. Even modest regulatory frictions can therefore produce disproportionate effects on entrepreneurial activity.[51] Venture-capital investment is particularly sensitive to these frictions. Investors routinely assess regulatory risk when deciding where to allocate capital. Jurisdictions perceived as imposing unpredictable or costly compliance obligations tend to attract less early-stage investment. Empirical research suggests that regulatory shocks can influence not only the number of startups created but also where those firms choose to locate their operations.[52] Regulatory policy thus shapes not only the performance of existing firms but also the geographic distribution of future innovation.
These dynamics are likely to recur as additional layers of regulation accumulate. Compliance costs tend to fall disproportionately on smaller firms that lack the diversified data assets, legal teams, and compliance departments that allow large incumbents to absorb new requirements more easily. Higher fixed compliance costs raise barriers to entry, weaken incentives for entrepreneurship, and risk consolidating market power in the very firms that regulation seeks to constrain.
This dynamic creates what might be called a ‘compliance paradox’: regulations designed to constrain large platforms may inadvertently strengthen their competitive position by raising the fixed costs that potential challengers must bear. A two-person startup cannot maintain a compliance department. The fixed costs of understanding and complying with overlapping requirements under the GDPR, AI Act, DSA, and Data Act are substantial, regardless of firm size. These costs divert resources that would otherwise support product development, customer acquisition, and innovation. Surveys of European digital startups confirm that these concerns are widely shared. A recent Stripe survey found that 83 per cent of startups believe EU policymaking is geared toward incumbents and that entrepreneurs want policymakers to prioritise reforms that save them time and money.[53]
Compliance costs also shape firms’ strategic decisions. When regulatory obligations become complex and uncertain, entrepreneurs may avoid entering regulated sectors altogether. Others may redirect their efforts toward jurisdictions with clearer or lighter regulatory frameworks. In digital markets, this dynamic can produce a form of ‘innovation migration’, in which promising firms establish themselves outside the EU to access more favourable investment environments. Multiple factors contribute to this pattern—including capital-market depth and labour mobility—but regulatory complexity frequently appears among the cited drivers.
The Draghi Report reached similar conclusions. It emphasised that scale is crucial for performance, innovation, and competitiveness. The report warned that the EU’s regulatory burden risks preventing European firms from achieving the scale needed to compete globally.[54] Among leading software and internet companies, EU firms account for only 7 per cent of global research-and-development expenditure, compared with 71 per cent for U.S. firms.[55] Between 2008 and 2021, 147 European unicorns were founded, yet 40 later relocated their headquarters abroad—most of them to the United States.[56] These figures point to structural weaknesses in the European innovation ecosystem that regulation may exacerbate, rather than resolve.
The cumulative nature of digital regulation also raises institutional questions about how impact assessments are conducted. EU legislative procedures typically evaluate the expected effects of individual proposals. They rarely examine how multiple regulatory instruments interact once implemented simultaneously. Policymakers may therefore underestimate the real compliance burdens facing firms operating across several regulatory regimes. Each framework introduces its own reporting obligations, governance requirements, and liability risks. The combined effect can exceed the sum of the individual rules.
Impact assessments accompanying key elements of the Digital Package appear not to have fully accounted for these dynamics. ICLE’s analysis suggests that the DMA, Data Act, and AI Act assessments at times overlooked the potential effects of these regulations on startups and on venture-investment incentives.[57] This concern is echoed by France Digitale, the largest startup advocacy organisation in Europe, which has called for regulatory ‘breathing space’ to allow startups to comply with successive regulations. The organisation proposes extended moratorium periods beyond the 12 months currently provided under the DSA and Data Act.[58]
The Fitness Check should therefore evaluate the cumulative compliance burden that the Digital Package imposes on SMEs and startups, rather than examining each instrument in isolation. This evaluation should consider interaction effects across instruments. A startup operating in the health-technology sector, for example, may simultaneously face obligations under the GDPR, the AI Act, the Data Act, the NIS2 Directive, the Medical Devices Regulation, and the forthcoming European Health Data Space Regulation. Each framework introduces its own definitions, reporting requirements, and supervisory authorities. The cumulative burden of this regulatory web may prove qualitatively different—and substantially greater—than the sum of the individual obligations.
The Fitness Check should also examine whether digital regulation creates barriers that prevent firms from scaling, including by constraining exit opportunities. Competitiveness and innovation do not arise solely from startups. Large firms play a central role in modern innovation ecosystems, particularly in research-intensive sectors such as software, artificial intelligence, and digital infrastructure. Empirical research consistently finds that larger firms account for a disproportionate share of global R&D spending and often possess the resources needed to transform early-stage ideas into scalable technologies.[59] Startups frequently depend on these firms as partners, customers, and sources of capital. Acquisition by an established company is a common exit pathway that allows new technologies to be deployed at scale.
Policies that focus exclusively on promoting startups while constraining the firms that provide scale, capital, and commercialisation pathways risk weakening the broader innovation ecosystem. Article 14 of the DMA, which requires gatekeepers to inform the Commission of intended concentrations, has therefore attracted concern among venture investors. Acquisition by large technology companies represents a common and often essential exit strategy for European startups.[60] Empirical research also suggests that acquisitions by large technology firms can stimulate venture-capital activity globally, including in Europe and the United States.[61] If regulatory frameworks make such acquisitions more uncertain or costly, venture investment may shift toward less regulated jurisdictions, with long-term consequences for European innovation.[62]
Given these dynamics, the Fitness Check should also establish a mechanism for continuous evaluation of the cumulative effects of EU digital regulation, rather than treating this exercise as a one-off review. Regulation in fast-moving markets requires continuous learning. If evidence shows that specific rules discourage startup formation, investment, or innovation, policymakers should have the institutional tools needed to adjust thresholds, refine obligations, or introduce targeted exemptions. A standing efficiency-review mechanism—supported by systematic cost-benefit analysis and structured stakeholder consultation—would help ensure that the EU digital rulebook remains fit for purpose as markets and technologies evolve.
VII. Conclusion
The Digital Fitness Check offers the Commission an opportunity to assess the cumulative effects of the EU’s digital rulebook with analytical clarity. Individual instruments within the Digital Package may address legitimate concerns. Taken together, however, they have produced a regulatory architecture characterised by overlapping obligations, inconsistent definitions, fragmented governance, and cumulative compliance costs that risk undermining the objectives these measures were meant to achieve.
Several conclusions follow.
First, the Fitness Check should adopt a methodology capable of capturing indirect effects, interaction effects, and the full economic impact of regulation. Current impact assessments often focus narrowly on direct compliance costs while overlooking ecosystem effects, opportunity costs, and cumulative burdens. The large gap between the Commission’s projected DMA compliance costs and the actual costs reported by designated gatekeepers illustrates this problem. The Commission’s own Regulatory Scrutiny Board identified serious evidentiary shortcomings in the DMA impact assessment before the regulation was adopted. Those findings should serve as a baseline. Substantive amendments introduced after the impact-assessment stage should also trigger supplementary assessments proportionate to their significance.
Second, the Commission should address definitional spillovers across the digital acquis. Concepts such as ‘gatekeeper’ and ‘very large online platform’ increasingly appear outside the instruments for which they were originally designed. The migration of the gatekeeper concept into the Data Act and the potential extension of the VLOP designation illustrate the risks. The Fitness Check should therefore include a cross-instrument audit of key regulatory definitions, a rebuttable presumption against importing regulatory categories without dedicated interaction assessments, and clearer conflict-management rules for overlapping regimes.
Third, overlapping data regulations risk creating an anti-commons dynamic that suppresses socially valuable data use. The interaction between the GDPR and the DMA is particularly illustrative. Article 5(2) DMA permits cross-service data use with user consent, yet the interpretation of consent following Meta Platforms v. Bundeskartellamt—combined with the exclusion of alternative GDPR legal bases—may render that pathway unavailable in practice. The result may be systematic underutilisation of data without corresponding gains in privacy protection, with implications for service development, AI training, and innovation.
Fourth, the institutional framework for enforcement warrants careful scrutiny. Effective enforcement requires supervisory authorities with sufficient resources, technical expertise, and operational independence. Experience under the GDPR suggests that many national authorities remain under-resourced relative to their responsibilities. At the same time, the growing number of EU and national regulators exercising authority over digital markets creates coordination challenges. The parallel application of the DMA alongside expanding national digital-competition initiatives risks fragmented oversight and inconsistent enforcement.
Fifth, the Fitness Check should examine empirically the cumulative regulatory burden facing startups and SMEs. Evidence from the GDPR experience suggests that regulatory shocks can reduce venture investment and increase market concentration. These findings illustrate a compliance paradox: rules designed to constrain large platforms may entrench their position by raising the fixed compliance costs that smaller firms struggle to absorb. Such dynamics can discourage entrepreneurship, reduce venture-capital investment, and limit scaling opportunities for European startups.
The Fitness Check should therefore evaluate the EU digital rulebook as an integrated system rather than as a collection of isolated instruments. Establishing a mechanism for ongoing assessment—supported by systematic cost-benefit analysis and structured stakeholder input—would help ensure that EU digital regulation remains coherent, proportionate, and supportive of innovation and competitiveness. Ensuring that future legislation is grounded in robust evidence, coherent definitions, coordinated governance, and careful assessment of cumulative economic effects will be essential if the EU’s digital rulebook is to support—rather than constrain—innovation and competitiveness.
[1] Eur. Comm’n, Call for Evidence for an Evaluation/Fitness Check: Digital Fitness Check, Ref. Ares(2025)10018469 (19 Nov. 2025), https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/15554-Digital-fitness-check-testing-the-cumulative-impact-of-the-EUs-digital-rules/public-consultation_en [hereinafter Call for Evidence].
[2] Mario Draghi, The Future of European Competitiveness (Rep. to the Eur. Comm’n, 9 Sept. 2024), https://commission.europa.eu/topics/competitiveness/draghi-report_en [hereinafter Draghi Report]; Enrico Letta, Much More Than a Market: Speed, Security, Solidarity (Rep. to the Eur. Council, Apr. 2024), https://www.consilium.europa.eu/media/ny3j24sm/much-more-than-a-market-report-by-enrico-letta.pdf [hereinafter Letta Report]; Eur. Comm’n, A Competitiveness Compass for the EU, COM(2025) 30 final (29 Jan. 2025) [hereinafter Competitiveness Compass].
[3] Draghi Report, pt. A, at 5.
[4] Ursula von der Leyen, President of the Eur. Comm’n, Opening Keynote Speech at the ‘One Year After the Draghi Report’ Conference, Eur. Comm’n (15 Sept. 2025), https://ec.europa.eu/commission/presscorner/detail/en/speech_25_2102 (‘We can move mountains when we have the ambition, the unity and the urgency. It is our choice. So let us make that choice again. For prosperity.’).
[5] Eur. Comm’n, A Simpler and Faster Europe: Communication on Implementation and Simplification, COM(2025) 47 (11 Feb. 2025), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52025DC0047.
[6] Call for Evidence, supra note 1.
[7] Mikołaj Barczentewicz & Kristian Stout, ICLE Comments on the European Commission Digital Omnibus, Int’l Ctr. for L. & Econ. (13 Oct. 2025), https://laweconcenter.org/resources/icle-comments-on-the-european-commission-digital-omnibus, § IV.
[8] Eur. Comm’n, Impact Assessment Report on the Proposal for a Regulation of the European Parliament and of the Council on Contestable and Fair Markets in the Digital Sector (Digital Markets Act), SWD(2020) 363 final, § 3.2 (15 Dec. 2020), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020SC0363.
[9] Mikołaj Barczentewicz, The Digital Markets Act as an EU Digital Tax: When Compliance Costs Dwarf Regulatory Estimates, Truth on the Mkt. (8 July 2025), https://truthonthemarket.com/2025/07/08/the-digital-markets-act-as-an-eu-digital-tax-when-compliance-costs-dwarf-regulatory-estimates.
[10] Carl J. Schramm, Costs to U.S. Companies from EU Digital Services Regulation, Comput. & Commc’ns Indus. Ass’n (July 2025), https://ccianet.org/research/reports/costs-to-us-companies-from-eu-digital-services-regulation.
[11] Barczentewicz, supra note 9.
[12] Eur. Comm’n, DMA Impact Assessment, supra note 8, annex 1, § 4 (Consultation of the RSB).
[13] Eur. Comm’n, Regul. Scrutiny Bd., Regulatory Scrutiny Board Opinion on the Proposal for a Regulation of the European Parliament and of the Council on Contestable and Fair Markets in the Digital Sector (Digital Markets Act), SEC(2020) 437 (10 Dec. 2020), at 3.
[14] Id. The RSB also noted that the impact assessment should ‘better distinguish problems relating to size advantages from the monopolisation of data and the imposition of market rules such as exclusive dealing’.
[15] Geoffrey A. Manne, Dirk Auer, Lazar Radić, Selçukhan Ünekbaş, & Mario A. Zúñiga, ICLE Response to First Review of the Digital Markets Act 20–22, Int’l Ctr. for L. & Econ. (24 Sept. 2025), https://laweconcenter.org/resources/icle-response-to-first-review-of-the-digital-markets-act.
[16] Id. at 23.
[17] Draghi Report, pt. B, at 322.
[18] See Barczentewicz & Stout, supra note 7, § II.C.
[19] Peter Alexiadis et al., Coherence versus Fragmentation: Institutional Challenges to EU Digital Markets Regulation, 24 Bus. L. Int’l 233, 235 (2023).
[20] Ireland’s Balance Between Big Tech and Data Privacy, Simmons & Simmons (4 Oct. 2021), https://www.simmons-simmons.com/en/publications/cktn6s3w12h5v0a21q1n0i8l/irelands-balance-between-big-tech-and-data-privacy.
[21] Regulation (EU) 2016/679 of the Eur. Parl. & of the Council of 27 Apr. 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119) 1 [hereinafter GDPR], arts. 5–6 (establishing principles of lawfulness, purpose limitation, and data minimisation).
[22] Regulation (EU) 2022/1925 of the Eur. Parl. & of the Council of 14 Sept. 2022 on Contestable and Fair Markets in the Digital Sector, 2022 O.J. (L 265) 1 [hereinafter DMA], arts. 2–3.
[23] Eur. Data Prot. Bd. & Eur. Comm’n, Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation (public consultation, 9 Oct.–4 Dec. 2025), https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/joint-guidelines-interplay-between-digital_en.
[24] Mikołaj Barczentewicz, Comments of the International Center for Law & Economics on the Joint EDPB–European Commission Guidelines on the Interplay Between the DMA and GDPR, Int’l Ctr. for L. & Econ. (4 Dec. 2025), https://laweconcenter.org/wp-content/uploads/2025/12/2025.12-GDPR_DMA-consultation.pdf.
[25] DMA, arts. 2–3.
[26] Regulation (EU) 2023/2854 of the Eur. Parl. & of the Council of 13 Dec. 2023 on Harmonised Rules on Fair Access to and Use of Data, 2023 O.J. (L 2854) 1 [hereinafter Data Act], art. 5(3).
[27] DMA, art. 6(9).
[28] Regulation (EU) 2022/2065 of the Eur. Parl. & of the Council of 19 Oct. 2022 on a Single Market for Digital Services, 2022 O.J. (L 277) 1 [hereinafter DSA], arts. 33–37.
[29] James M. Buchanan & Yong J. Yoon, Symmetric Tragedies: Commons and Anticommons, 43 J.L. & Econ. 1 (Apr. 2000).
[30] Michael A. Heller, The Tragedy of the Anticommons: Property in the Transition from Marx to Markets, 111 Harv. L. Rev. 621 (1998); see also id. at 1.
[31] Eur. Comm’n & Eur. Data Prot. Bd., Draft Joint Guidelines on the Interplay Between the Digital Markets Act and the General Data Protection Regulation (Oct. 2025) [hereinafter Draft Joint Guidelines].
[32] Id. recitals 6, 10.
[33] Case C-252/21, Meta Platforms Inc. v. Bundeskartellamt, ECLI:EU:C:2023:537 (4 July 2023).
[34] Id.
[35] Draft Joint Guidelines, recitals 41–42.
[36] Id. recital 46.
[37] Id. recital 48.
[38] See, e.g., Data Act, arts. 5–7 (establishing data-portability rules, including specific obligations for gatekeepers).
[39] Regulation (EU) 2024/1689 of the Eur. Parl. & of the Council of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act), 2024 O.J. (L 1689) 1 [hereinafter AI Act], arts. 10, 53, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689.
[40] Oberlandesgericht Köln [Higher Reg’l Ct. of Cologne], Judgment of 27 May 2025, Case No. 6 U 140/24; see also Małgorzata Wojtas & Heiner Mecklenburg, Use of Personal Data for AI Training Does Not Violate DMA According to Higher Regional Court of Cologne, PwC Legal (3 June 2025), https://www.pwclegal.de/use-of-personal-data-for-ai-training-does-not-violate-dma-according-to-higher-regional-court-of-cologne.
[41] Konstantina Bania, Fitting the Digital Markets Act in the Existing Legal Framework: The Myth of the ‘Without Prejudice’ Clause, 19 Eur. Competition J. 116 (2023).
[42] See, e.g., Giuseppe Colangelo, Trendy Antitrust for Digital Markets: Are Market Investigations the New Black?, 15 J. Eur. Competition L. & Prac. 289 (2024).
[43] See Giuseppe Colangelo, The European Digital Markets Act and Antitrust Enforcement: A Liaison Dangereuse, 47 Eur. L. Rev. 597 (2022).
[44] Call for Evidence, supra note 1.
[45] Lazar Radic & Dirk Auer, A Europe Fit for the Age of Startups: Rhetoric and Reality in the EU’s Digital Package, Int’l Ctr. for L. & Econ. (1 Aug. 2025), https://laweconcenter.org/resources/a-europe-fit-for-the-age-of-startups-rhetoric-and-reality-in-the-eus-digital-package.
[46] See, e.g., James Broughel, Regulation and Economic Growth: Applying Economic Theory to Public Policy, Mercatus Ctr. (18 May 2017), https://www.mercatus.org/research/books/regulation-and-economic-growth.
[47] Jian Jia, Ginger Zhe Jin & Liad Wagman, The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment, 40 Mktg. Sci. 661 (2021).
[48] Id. at 670–75; Jian Jia & Liad Wagman, The One-Year Impact of the General Data Protection Regulation (GDPR) on European Ventures, Data Catalyst Inst. (Jan. 2020), https://datacatalyst.org/wp-content/uploads/2020/01/GDPR-report-2020.pdf.
[49] Garrett A. Johnson, Scott K. Shriver & Samuel G. Goldberg, Privacy and Market Concentration: Intended and Unintended Consequences of the GDPR, 69 Mgmt. Sci. 5695 (2023).
[50] Michal S. Gal & Oshrit Aviv, The Competitive Effects of the GDPR, 16 J. Competition L. & Econ. 349, 352 (2020).
[51] Ironically, these same characteristics of digital markets often justify regulation. See, e.g., DMA, recital 2. ICLE scholars have challenged the assumption that digital-platform regulation should mirror telecoms regulation, warning that doing so may foster dependency and dampen innovation. See Eric Fruits, Digital Platforms Aren’t Telecoms and Their Regulations Shouldn’t Rhyme, Truth on the Mkt. (10 Mar. 2025), https://truthonthemarket.com/2025/03/10/digital-platforms-arent-telecoms-and-their-regulations-shouldnt-rhyme (‘regulatory frameworks that force successful companies to subsidise actual and potential competitors rarely generate meaningful innovation. They create dependency, not dynamism.’).
[52] Josh Lerner, Boulevard of Broken Dreams: Why Public Efforts to Boost Entrepreneurship and Venture Capital Have Failed—and What to Do About It (Princeton Univ. Press 2009).
[53] See Radic & Auer, supra note 45 (citing Stripe, The Startup Report: Europe Edition (2024)).
[54] Draghi Report, pt. B, at 12–13.
[55] Draghi Report, pt. B, at 12.
[56] Id. at 36.
[57] Radic & Auer, supra note 45.
[58] France Digitale, EU Startup and Scaleup Strategy: A Roadmap for European Tech Leaders (Mar. 2025), https://media.francedigitale.org/app/uploads/prod/2025/03/14182410/France-Digitale-EU-Startup-and-Scaleup-Strategy-.pdf.
[59] Draghi Report, pt. B, at 30 (‘There is a close link between the size of companies and technology adoption. Evidence from the US shows that adoption rises with firm size for all advanced technologies. Likewise, while in 2023 30 per cent of large businesses in the EU had adopted AI, only 7 per cent of SMEs had done so. Size enables adoption because larger companies can spread the high fixed costs of AI investment over greater revenues, rely on more skilled management to implement organisational changes, and deploy AI more productively using larger data sets.’).
[60] See Radic & Auer, supra note 45 (discussing the impact of DMA art. 14 on acquisition incentives and venture-capital exit strategies); DMA, art. 14.
[61] Tiago S. Prado & Johannes M. Bauer, Big Tech Platform Acquisitions of Start-Ups and Venture Capital Funding for Innovation, 59 Info. Econ. & Pol’y 100973 (2022).
[62] See Draghi Report, pt. B, at 36 (noting that 40 of 147 European unicorns founded between 2008 and 2021 relocated their headquarters abroad, mainly to the United States).