There is a paradox sitting at the heart of the European Union’s digital regulatory project. The EU has produced the most comprehensive suite of digital legislation in the world — the GDPR, the AI Act, the Digital Markets Act, the Digital Services Act — each carefully drafted, debated, and enacted. And yet, for the organizations trying to comply with all of them simultaneously, the result often feels less like a coherent framework and more like four different rulebooks written by four different teams who were never quite in the same room.
Last week, Europe’s top data protection body acknowledged that problem out loud — and did something about it.
On March 17, the European Data Protection Board convened a full-day workshop in Brussels on cross-regulatory interplay and cooperation across EU digital law. The event brought together regulators, policymakers, industry representatives, and legal experts to confront a question that compliance professionals have been asking since the AI Act passed: how are all of these frameworks supposed to work together?
The short answer that emerged from the day: carefully, deliberately, and with a lot more coordination than currently exists. The longer answer is more complicated — and more consequential for anyone navigating EU digital compliance right now.
The Problem the EDPB Is Trying to Solve
EDPB Chair Anu Talus opened the workshop with a line that deserves to be quoted directly in every board-level compliance briefing in Europe right now: “The digital economy does not operate in silos, so nor should we.”
It is a simple observation. It is also, in the context of how EU digital regulation has actually developed, a significant admission.
The GDPR governs how personal data is collected, processed, and protected. The AI Act governs how artificial intelligence systems are developed and deployed. The Digital Markets Act governs how dominant technology platforms compete and interoperate. The Digital Services Act governs how platforms moderate content and manage illegal material. Each law has its own definitions, its own regulator, its own enforcement mechanism, and its own compliance timeline.
The problem is that the real world does not respect those boundaries. An AI system that processes personal data to make consequential decisions about consumers is simultaneously a GDPR matter, an AI Act matter, and potentially a DMA matter if the organization operating it holds gatekeeper status. A recommendation algorithm on a large platform touches the DSA, the GDPR, and depending on how it is classified, potentially the AI Act as well. Organizations trying to comply in good faith face genuine uncertainty about which framework takes precedence when they conflict, which regulator has jurisdiction when multiple frameworks apply, and how to satisfy requirements that were written without reference to each other.
This is not a theoretical problem. It is consuming resources, creating legal risk, and — as one industry representative noted at the workshop — driving organizations to dedicate 30% of their workforce to compliance issues while still lacking the clarity they need to compete effectively.
What the EDPB Is Actually Doing About It
The workshop was not merely a forum for identifying the problem. The EDPB used it to signal concrete action — and the specifics matter.
The EDPB has established a dedicated expert subgroup on cross-regulatory interplay and cooperation, and is working with the European Commission to develop joint guidance on the interactions between the GDPR and both the AI Act and the Digital Markets Act. Guidance on the GDPR-DMA interplay is expected before the end of 2025. Separately, the EDPB and the Commission have begun work on joint guidelines covering the intersection of data protection and competition law, which will be open for public consultation shortly.
These are meaningful developments. Joint guidance from the EDPB and the Commission carries significant interpretive weight. When the two bodies most responsible for enforcing GDPR and the broader digital regulatory framework agree on how overlapping requirements should be read together, that guidance becomes the closest thing to authoritative interpretation that organizations can rely on before enforcement decisions establish binding precedent.
The word Talus returned to repeatedly throughout the day captures what all of this is oriented toward: consistency, consistency, and once again, consistency. It sounds obvious. In practice, it has been elusive — and the EDPB is now treating it as a strategic priority rather than an aspirational value.
Three Regulatory Relationships That Need Untangling
The workshop structured its discussions around three specific regulatory pairings, each of which presents distinct coordination challenges. Understanding them is essential context for any compliance professional operating in the EU market.
GDPR and Competition Law
The first panel examined the relationship between data protection and competition regulation — a pairing that has become increasingly important as data emerges as the primary competitive asset in the digital economy.
A key synergy identified across both frameworks is a shared focus on user choice and control. The more consumers understand how their data is being used, the more companies face competitive pressure to treat data protection as an advantage rather than a burden. This is not a minor observation. It reframes the relationship between privacy compliance and business competitiveness in a way that should resonate with every organization still treating GDPR as a cost center.
The practical challenge, as speakers acknowledged, is that competition investigations and data protection enforcement have historically operated in parallel without sufficient communication. A competition investigation into a dominant platform’s data practices may not produce remedies that address the underlying data protection violation — and vice versa. Fixing this requires structured dialogue between authorities, not just goodwill.
The UK model — built on a formal joint statement between the Information Commissioner’s Office and the Competition and Markets Authority — was cited as one approach. Germany’s more flexible, case-by-case cooperation was offered as an alternative. Neither is perfect. Both are more functional than what currently exists at the EU level, where coordination is less formalized.
GDPR and the Digital Markets Act
The second discussion centered on the importance of applying the GDPR and the DMA compatibly — and the broad agreement that joint guidelines are a necessary step toward clarifying how the two frameworks interact.
The DMA imposes interoperability, data access, and portability obligations on designated gatekeepers — obligations that have direct implications for how personal data is handled, shared, and processed. In several cases, what the DMA requires for competitive reasons sits in tension with what the GDPR requires for privacy reasons. Resolving those tensions requires authoritative joint guidance, not organization-by-organization legal interpretation.
The expected guidance on the GDPR-DMA interplay — due before the end of this year — will be one of the most closely watched compliance documents of 2025. Organizations operating at scale in EU markets, particularly those with any gatekeeper-adjacent status, should be tracking its development closely.
GDPR and the Digital Services Act
The third panel produced perhaps the most candid discussion of the day, with regulators acknowledging structural challenges that joint guidance alone cannot fully resolve.
Among the difficulties identified was the differing levels of maturity between the GDPR and the DSA, with some member states still lagging in fully empowering their Digital Services Coordinators — the national authorities responsible for DSA enforcement. The GDPR has been in force since 2018 and has a well-developed enforcement infrastructure, even if cross-border cases remain contested. The DSA is newer, and national implementation is uneven.
The governance structures are also asymmetric: the GDPR operates through equal national regulators in each member state, while the Commission holds primary enforcement power directly over very large online platforms and search engines under the DSA. When a matter involves both frameworks — which, for any large content platform processing personal data, is almost always — the question of which authority leads and how they coordinate is not yet cleanly answered.
Why This Matters Beyond Brussels
It would be easy to read a workshop summary about EU regulatory coordination as a story that matters only to Brussels-based policy professionals. That would be a mistake.
For any organization operating in the EU digital market — which, given the extraterritorial reach of the GDPR and the scale of the EU economy, includes a significant portion of the global technology sector — the resolution of these cross-regulatory tensions will directly determine what compliance programs need to look like.
Right now, many organizations are managing GDPR compliance, AI Act readiness, DMA assessments, and DSA obligations as separate workstreams, staffed by different teams, often with limited coordination between them. That approach made some sense when each framework was new and the interactions between them were theoretical. It makes less sense now, when enforcement is active across all four frameworks and the interactions are producing real legal uncertainty.
The EDPB’s push toward joint guidance and structured cross-regulatory cooperation is, in effect, an invitation for organizations to make the same move internally — integrating their digital compliance functions around shared principles rather than maintaining parallel silos that mirror the fragmentation they are trying to navigate.
The Competitive Dimension
One of the most underreported aspects of the EU’s cross-regulatory challenge is its competitive dimension — and the EDPB workshop surfaced it directly.
Industry representatives at the workshop were clear: organizations want to comply with EU digital law. They are committing substantial resources to do so. But they also need to remain competitive, and that requires clarity — both between the texts of different frameworks and in how they are enforced — and a functioning single market.
This is not a complaint about regulation. It is a structural observation about what effective regulation requires. Laws that are individually well-designed but collectively incoherent impose costs on compliant organizations without producing corresponding benefits for the consumers and citizens the laws are designed to protect. The compliance burden falls most heavily on organizations trying to do things right, while less scrupulous actors exploit the ambiguity.
Getting cross-regulatory coherence right is therefore not just an administrative nicety. It is a prerequisite for the EU’s digital regulatory project achieving its stated goals — protecting fundamental rights, enabling competitive markets, and establishing global standards that others follow.
EDPB’s Cross-regulatory initiative
The EDPB’s cross-regulatory initiative is moving on a timeline that matters for planning purposes. Joint GDPR-DMA guidance is expected before the end of this year. GDPR-AI Act guidance is in development. Competition-data protection guidelines are heading toward public consultation.
For organizations managing EU digital compliance, several practical steps are worth taking now rather than waiting for the guidance to arrive.
Map the intersections in your own operations. Before the guidance tells you how the frameworks interact, identify where they currently intersect in your data processing activities, AI deployments, platform operations, and competitive practices. The intersections that are creating uncertainty for your legal team today are likely to be addressed — or at least clarified — by the guidance being developed.
Integrate your compliance workstreams. If your GDPR, AI Act, DMA, and DSA programs are operating independently, begin building coordination mechanisms now. The joint guidance will assume that organizations are thinking about these frameworks together. Your compliance architecture should reflect that assumption.
Engage with consultations. The competition-data protection guidelines are heading into public consultation. Organizations with a genuine stake in how these frameworks interact have an opportunity to shape the guidance before it is finalized. That opportunity is worth taking seriously.
Monitor the EDPB’s expert subgroup outputs. The subgroup on cross-regulatory interplay will produce technical guidance that sits below the level of formal EDPB opinions but carries significant interpretive weight. Tracking its outputs is part of staying current on EU digital compliance.
EDPB Workshop
What the EDPB’s March 17 workshop ultimately represents is a mature regulatory body grappling honestly with the consequences of its own success. The EU built the world’s most comprehensive digital regulatory framework. It built it in pieces, over time, with different legislative teams working on different priorities. The pieces are now in place — and the work of making them function as a coherent system is underway.
Talus closed the workshop with a commitment to continue developing guidance on the interplay between EU digital frameworks. It was a measured promise, not a dramatic one. But for compliance professionals navigating the daily reality of operating across GDPR, the AI Act, the DMA, and the DSA simultaneously, it is exactly the commitment that was needed.
The digital economy does not operate in silos. Neither, finally, are the regulators who govern it.
