“The DSA-GDPR Connection: Crafting a Roadmap for Risk-Based Digital Regulation”: Building Bridges at CPDP 2026


On May 20th, the Chair organized a workshop on risk assessments during the renowned CPDP Computers, Privacy and Data Protection conference. As every year, privacy professionals, academics, NGOs and authorities convened in Brussels to debate and discuss ideas around the most prominent and urgent issues in technology law. Digital governance, data protection, digital sovereignty and Europe’s Digital Omnibus simplification package were all passionately debated beneath the glass-roofed Grande Halle of the remarkable Maison de la Poste. Our workshop, however, took place in the more intimate Music Room.

Taking as a starting point the idea that impact and risk assessments are at the core of multiple regulations in the EU Digital Rulebook, the workshop sought to connect the well-established implementation practices of the GDPR with the nascent implementation of the DSA. Indeed, as was also revealed by the findings of our “Hack the DSA” workshop held in October 2025, early DSA reports lack depth and transparency, often prioritizing formality over substance. Meanwhile, the GDPR’s Data Protection Impact Assessments (DPIAs) now benefit from ten years of implementation experience. The objective of our workshop was therefore to identify which best practices can be transferred to the DSA’s understanding of systemic risk assessments.

Designed to promote collaboration, the workshop started with a brief introduction outlining its objectives, after which participants brainstormed together to identify a specific issue area to dig into. Participants then formed four groups, which worked on the following topics:

  • Organizational factors as a key influence on conducting risk assessments; 
  • Data protection as a systemic risk, building bridges between overlapping notions; 
  • Mitigation measures, and more specifically their audit mechanisms; 
  • Inherent limits of this type of assessment.   

Groups then reported back to the plenary, sharing their insights and presenting their recommendations outlining actionable steps for stakeholders. 

Key takeaways from the working groups 

Organizational factors:  

One group investigated the impact of organizational factors on the conduct of risk assessments: who conducts the assessments, what level of information do they have, and how do they obtain that information?

The underlying hypothesis of this analysis relates to the perceived mismatch between the way regulators conceive risk assessments and enshrine them in regulatory frameworks, and the practical realities of their implementation. Regulations approach risk assessments in a theoretical manner, conceiving them as a clear step-by-step process: identification of risks, their analysis, their mitigation, and transparent communication of the results. This clear-cut, structured process does not translate easily into the actual practice of corporate risk assessment procedures.

In practice, risk assessment often relies on collecting and summing up the existing mitigation measures, which are then appraised against the legal obligation. But this process changes the nature of risk assessments. Instead of an evaluation done prior to the processing, as a real prevention mechanism, risk assessments become an ex-post measure, focused on collecting existing measures rather than truly modifying practices. A mismatch therefore exists between the legal ambition and the implementation practices.

Proactive action on the part of services would require the identification and monitoring of research studies or state-of-the-art academic literature. Yet, in practice, these resources are probably not well known by the individuals in charge of conducting risk assessments. As such, the Board or the European Commission could play a central role by publishing a list of relevant information, especially on state-of-the-art literature. This could be an interesting addition to the Board’s report on systemic risks and could help VLOPSEs clarify how and when they should revise their systemic risk assessments and methodologies.

Data Protection as a Systemic Risk 

Under the GDPR, when a project is likely to result in a high risk to the rights and freedoms of individuals, a DPIA is required. More broadly, the DSA identifies data protection as one of the categories of systemic risk. What is the link between the two assessments, and should the data collected for a DPIA be used to inform a systemic risk assessment under the DSA?

In practice, DPIAs have been falling short of their promise. Often, they are not diligently prepared, and enforcement of this specific requirement appears very weak. As a consequence, addressing data protection as a systemic risk first requires a focus on the GDPR’s implementation. Here, effective enforcement of DPIAs would not only ensure they are well prepared, but also make them useful to platforms as a basis for systemic risk reports. One of the group’s recommendations was therefore to give more financial support to national Data Protection Authorities so that they can extend their enforcement on this specific issue.

Stricter oversight of controllers is also needed, especially because, as underscored by the team, companies sometimes use data protection as an excuse for less transparency. For example, this can take the form of redacting entire sections of their systemic risk reports, allegedly to protect personal data, trade secrets and other interests. This practice could amount to an abuse and must be addressed.

Mitigation Measures: 

Mitigation measures must be assessed by the controller or VLOPSEs to ensure accountability. To assess their effectiveness, external audits are required by both regulations. In reality, however, these audits provide only a limited basis for an effective compliance assessment: they focus on a measure-by-measure assessment at the expense of a more holistic approach. As a consequence, compliance is understood more as a tick-the-box exercise that fails to capture the broader effectiveness and impact of mitigation measures.

To address these shortcomings and improve the audit of compliance measures, public oversight is needed. This oversight could be implemented through independent working groups, which would establish a set of audit methodology principles and assess their implementation in audit practices.

An additional recommended measure would be the opening of platforms through middleware, as well as the creation of sandboxes or test environments for high-risk components, such as interfaces or algorithms, which are prone to generating or contributing to systemic risks.

Limits of Risk Assessments:  

A final group decided to focus its attention on the existing limitations of risk assessments, identifying two main ones.  

The first limitation relates to the lack of knowledge and/or awareness of the corporate teams conducting risk assessments: these enterprises run into practical obstacles such as lack of resources, insufficient knowledge-sharing, inadequate tools, or time pressure (echoing observations from the group on organizational factors). As such, it is essential for these teams to “train the trainer” and obtain management support.

A second limit relates to the interpretation of “high risk”. Divergent conceptions of the notion have made it difficult for controllers or services to implement legal requirements in their practices. The DSA lacks sufficient practical guidance, as it “does not add any meat to the body”. Consulting Data Protection Authorities could help clarify this definition, as well as combine the perspectives of researchers and regulators. In the end, the definition of high risk could be established in centralized resources such as guidelines. 

Behind these two limits, a bigger challenge relates to demonstrating compliance, as organizational blind spots and information asymmetry complicate risk assessment processes. 

Conclusion 

Participants’ conclusions revealed the need for clearer guidance from public bodies and stronger enforcement of existing risk assessment mechanisms. DPIA enforcement remains largely underdeveloped and lacks oversight. Conversations confirmed that risk assessment obligations cannot be developed in isolation, especially when the results of one are necessary for the evaluation of the other.

The Chair warmly thanks all participants for their dedication, enthusiasm, and the excellent output produced during this workshop. Their contributions made this discussion intellectually engaging and valuable in practical terms, and we hope that these exchanges in the Music Room were only the start of a longer symphony!