Dr. Diana Năsulea & Dr. Christian Năsulea // 9 April 2026

This briefing examines a growing tension at the heart of EU digital regulation: how the Digital Markets Act (DMA) is being applied to artificial intelligence. While the DMA seeks to boost competition by opening up dominant platforms, its current application risks conflicting with the EU’s cybersecurity and data protection frameworks.

Focusing on the European Commission’s 2026 proceedings against Google, the paper shows how requirements to grant third-party AI services deep system access and share search data create structural contradictions. These obligations clash with the Cyber Resilience Act’s “secure by design” principles and the GDPR’s standards on data minimisation and anonymisation, creating a framework where compliance with one set of rules may breach another.

These tensions are amplified by the nature of AI itself. Unlike traditional digital services, AI systems are rapidly evolving and increasingly autonomous. Rules designed for static platforms risk becoming outdated, while expanded access to sensitive system features may increase security risks and expose users to harm.

The briefing also explores implications for innovation and competitiveness. Regulatory uncertainty may already be delaying or deterring new technologies in Europe, while asymmetric obligations and rising transatlantic tensions risk distorting global competition.

To address this, the paper proposes a tiered-access framework, aligning interoperability with the sensitivity of access. Deeper system and data access would be conditional on cybersecurity and privacy safeguards, while maintaining baseline openness and strengthening user choice over how AI services access their devices and data.

The main findings of the briefing include:

• The DMA’s current application to AI creates unresolved conflicts with the Cyber Resilience Act and GDPR.
• Mandated system-level access for third-party AI services introduces significant cybersecurity risks.
• Data-sharing obligations under the DMA are difficult to reconcile with GDPR-compliant anonymisation.
• Static regulatory specifications are ill-suited to rapidly evolving, increasingly autonomous AI systems.
• Regulatory asymmetries risk weakening Europe’s competitiveness and exacerbating geopolitical tensions.
• A tiered-access framework can better balance competition, security, and privacy while remaining adaptable to technological change.