The European Union has, over the past several years, constructed one of the most comprehensive digital regulatory ecosystems in the world. The General Data Protection Regulation (GDPR), the Artificial Intelligence Act (AI Act), the Digital Markets Act (DMA), and the Digital Services Act (DSA) each address distinct aspects of the digital economy — yet their obligations increasingly overlap, creating a complex compliance environment for organisations operating across EU member states.
On 17 March 2026, the European Data Protection Board (EDPB) convened a landmark workshop on cross-regulatory interplay and cooperation, bringing together regulators, industry representatives, and legal experts to confront this complexity head-on. For privacy professionals, DPOs, and legal counsel advising organisations subject to EU digital law, the outcomes of this workshop carry significant practical implications.
This article breaks down what was discussed, why it matters, and what the regulatory direction of travel means for your compliance strategy.
Why Cross-Regulatory Compliance EU Is Now a Strategic Priority
EDPB Chair Anu Talus opened the 17 March workshop with a statement that succinctly frames the challenge: “The digital economy does not operate in silos, so nor should we.”
That observation reflects a growing tension at the heart of EU regulatory policy. Organisations subject to GDPR are simultaneously navigating obligations under the AI Act, the DMA, and the DSA — all of which intersect with data protection principles yet are enforced by different authorities, through different procedural mechanisms, and with different governance structures.
The EDPB has formally acknowledged this challenge. In its 2024–2027 strategy and subsequent Helsinki Statement, the Board identified cross-regulatory coherence as a strategic priority. The 17 March workshop represents a concrete step in translating that commitment into regulatory action, including the establishment of a dedicated expert subgroup on cross-regulatory interplay and cooperation.
For privacy professionals, the message is clear: compliance cannot be managed in isolation. Understanding how these four frameworks interact is no longer optional — it is foundational to sound compliance governance.
GDPR and Competition Law: Data Protection as a Competitive Differentiator
The workshop’s first panel addressed the intersection of data protection and competition law — an area where regulatory convergence is already producing tangible enforcement outcomes.
Speakers examined three distinct models of cross-regulatory cooperation:
- The United Kingdom’s structured approach, formalised through the 2021 Joint Statement between the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA), which establishes a standing framework for inter-agency coordination.
- Germany’s case-by-case model, in which the Federal Cartel Office (Bundeskartellamt) and data protection authorities cooperate as specific issues arise, without a standing bilateral framework.
- Poland’s multi-framework platform, which convenes dialogue across all major EU digital frameworks to assess their coherence.
Claudia Berg, Partner at Covington & Burling and former dual-authority practitioner at both the ICO and the CMA, identified a critical convergence point: both data protection and competition frameworks share an underlying commitment to user choice and control. Her conclusion — that consumers who understand what happens to their data increasingly regard strong data protection as a quality signal — was reinforced by Massimiliano Kadar of the European Commission’s European Competition Network, who noted that if data protection is valued by consumers, companies will develop products that respond accordingly.
The compliance implication is significant. Organisations that treat data protection as a cost centre rather than a value proposition risk falling behind not just on regulatory compliance, but on market competitiveness. Privacy-by-design, meaningful consent mechanisms, and transparent data practices are increasingly factors that competition authorities may scrutinise when assessing market conduct.
GDPR and the Digital Markets Act: Toward Joint Guidance
The second panel focused on the relationship between the GDPR and the Digital Markets Act — arguably the most consequential regulatory intersection for large technology platforms operating in the EU.
The DMA, which entered into force in 2022 and has been applicable since March 2024, imposes a suite of obligations on designated “gatekeepers” — large platforms with systemic market power. Several of these obligations bear directly on how gatekeepers process personal data, including restrictions on combining personal data across services, requirements around user consent for certain data uses, and interoperability mandates that raise significant data-sharing and security questions.
The central challenge identified during the workshop is the risk of inconsistent interpretation: where DMA obligations require or permit conduct that may be ambiguous under GDPR, organisations face the prospect of conflicting regulatory expectations. Panellists broadly agreed that joint DMA and GDPR guidelines — currently in development between the EDPB and the European Commission — represent a necessary and welcome step toward resolving this ambiguity.
Critically, the EDPB has confirmed that guidance on the GDPR-DMA interplay is expected to be published before the end of 2026. Privacy professionals advising gatekeeper-designated platforms, or their downstream business partners, should monitor this guidance closely. It is likely to address consent frameworks for data combination, the application of data minimisation principles to interoperability requirements, and the allocation of controller responsibility across platform ecosystems.
GDPR and the AI Act: Defining the Data Protection Boundaries of Artificial Intelligence
The intersection of the GDPR and the AI Act is, for many organisations, the most urgent and least-settled area of cross-regulatory compliance in the EU today.
The AI Act, which became fully applicable in phases from 2024 onwards, establishes a risk-based regulatory framework for artificial intelligence systems. High-risk AI systems — including those used in employment decisions, credit assessments, biometric identification, and critical infrastructure — are subject to extensive data governance obligations that overlap substantially with GDPR requirements around lawful processing, data minimisation, and transparency.
The EDPB and the European Commission are jointly developing guidance on the GDPR-AI Act interface. Key questions this guidance is expected to address include:
- How the AI Act’s requirements for training data quality and data governance interact with GDPR’s purpose limitation and storage limitation principles.
- The extent to which AI Act transparency obligations are consistent with, or supplementary to, GDPR’s information and transparency requirements.
- How data protection impact assessments (DPIAs) under GDPR align with — or should be integrated into — the AI Act’s conformity assessment processes for high-risk systems.
- The allocation of responsibility between AI providers and deployers, and how this maps onto GDPR’s controller-processor framework.
For DPOs and compliance teams, the practical priority is to begin mapping existing AI deployments against both frameworks simultaneously, rather than sequentially. Waiting for final regulatory guidance before initiating this work carries meaningful risk, particularly given the EDPB’s stated emphasis on consistency as the cornerstone of cross-regulatory interpretation.
GDPR and the Digital Services Act: Governance Structures and Enforcement Gaps
The final panel of the 17 March workshop addressed the interplay between the GDPR and the Digital Services Act — a framework that governs how online intermediaries manage illegal content, algorithmic transparency, and systemic risk on their platforms.
Two structural tensions were identified that are directly relevant to compliance professionals.
First, governance asymmetry. The GDPR operates through a network of equal national supervisory authorities coordinated by the EDPB, with jurisdiction allocated on the basis of the one-stop-shop mechanism. The DSA, by contrast, vests primary enforcement authority for very large online platforms (VLOPs) and very large online search engines (VLOSEs) directly in the European Commission — a fundamentally different model. This asymmetry creates coordination challenges when enforcement actions require both GDPR and DSA analysis, and raises questions about which authority takes precedence when the two frameworks point in different directions.
Second, implementation maturity gaps. A representative of the French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) noted that some EU member states have not yet fully empowered their Digital Services Coordinators — the national authorities responsible for DSA enforcement below the VLOP/VLOSE threshold. This creates uneven enforcement capacity across the single market, which in turn creates compliance uncertainty for organisations operating in multiple member states.
Despite these structural tensions, the European Commission reiterated its commitment to a consistent regulatory approach for industry — a commitment echoed by industry representatives from the European Tech Alliance, who noted that organisations dedicating approximately 30% of their workforce to compliance issues require clarity between regulatory texts and a genuine single market for digital services.
EDPB Workshop
The EDPB’s 17 March workshop was not merely a policy dialogue — it was a signal of the regulatory direction of travel for the next several years. The following takeaways are directly actionable for privacy professionals, DPOs, and legal counsel:
1. Begin integrated compliance mapping now. Do not wait for final joint guidance on the GDPR-AI Act, GDPR-DMA, or GDPR-DSA interplays. Conduct gap analyses across all four frameworks simultaneously and identify where obligations overlap, conflict, or require coordinated governance responses.
2. Monitor forthcoming EDPB-Commission guidance closely. Joint guidelines on the GDPR-DMA interplay are expected before year-end 2026. Guidelines on GDPR-competition interplay are expected to enter public consultation shortly. These documents will shape enforcement expectations and should inform compliance programme updates as soon as they are published.
3. Reassess your data governance architecture. Cross-regulatory compliance in the EU increasingly requires that data governance not be siloed by regulatory framework. Organisations should evaluate whether their data inventories, DPIA processes, consent frameworks, and accountability documentation are capable of serving multiple regulatory purposes simultaneously.
4. Engage with the public consultation processes. The EDPB’s joint guidelines on data protection and competition will be open for public consultation. Privacy professionals — particularly those in DPO, legal, or policy roles — have a direct stake in shaping the guidance that will govern their organisations’ compliance obligations. Engagement with these processes is both a strategic opportunity and a professional responsibility.
5. Treat consistency as a compliance principle. EDPB Chair Talus identified consistency — the shared interpretive standard across regulators — as the central pillar of the cross-regulatory framework. Organisations whose compliance programmes produce inconsistent outcomes across frameworks will be exposed to increased enforcement risk as regulators develop greater capacity for coordinated action.
EU Digital Regulatory Landscapes Future
The European Union’s digital regulatory landscape is undergoing a structural transformation. The era in which GDPR, the AI Act, the DMA, and the DSA could be treated as independent compliance silos is drawing to a close. The EDPB’s accelerating work on cross-regulatory interplay and cooperation — backed by joint guidance initiatives with the European Commission — signals that regulators expect organisations to navigate these frameworks as an integrated whole.
For privacy professionals, this represents both a significant challenge and a professional opportunity. Those who build the expertise and organisational infrastructure to manage cross-regulatory compliance EU obligations cohesively will be well positioned to advise their organisations through one of the most consequential periods in the history of digital regulation.
