Regulatory Map for
Cognitive Integrity

r

This document provides a systematic mapping of EU governance mechanisms relevant to how digital technologies affect brain health, mental wellbeing, and cognitive integrity. It describes the architecture of existing regulatory frameworks, their scope, core mechanisms, and enforcement structures.The map is organised around a layered governance model. At its foundation sits the constitutional layer of Fundamental rights (EU Charter, UNCRC), which establishes normative boundaries for technological interventions affecting cognition and mental health. Building on this foundation are four operational layers: Design (how systems are built), Data (information infrastructure enabling cognitive influence), Content (the information environment users encounter), and Business Incentives (market structures shaping technology development). Cross-cutting dimensions address Enforcement and Redress mechanisms, plus Peripheral instruments covering adjacent regulatory domains.For critical assessment of gaps, limitations, and reform proposals, see the companion report: Cognitive integrity in the age of AI: a conceptual framework and policy analysis.

Content

Digital Services Act (DSA)

r

Digital Services Act (DSA)The DSA establishes content moderation obligations for all platforms (addressing illegal content, transparency, protecting users from harmful material). Its significance for cognitive integrity governance also lies in its systemic risk framework for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). Relevant Provisions:Notice-and-action mechanisms (Articles 14-16): Platforms must act on reports of illegal content, maintain transparent content moderation processes, and provide accessible complaint-handling procedures.Risk assessment and mitigation (Articles 34-35): Platforms must identify and assess systemic risks stemming from service design and functioning (including algorithmic systems) and from how the service is used. Risk categories explicitly include dissemination of illegal content, impacts on fundamental rights, risks to the protection of minors and serious negative consequences to physical and mental wellbeing, and broader societal risks (e.g., civic discourse, electoral processes, public security). Providers must put in place reasonable, proportionate and effective mitigation measures tailored to identified risks, including changes to design, online interfaces, and recommender systems. First EU law requiring platforms to proactively assess and mitigate cognitive and psychological harms at systemic level. Independent Audits (Article 37): Article 37 mandates independent audits of these assessments and mitigationsRecommender system transparency and choice (Article 38): Users must be offered at least one recommender system not based on profiling. Creates structural alternatives to attention-maximizing design. Data Access rights (Article 40): Article 40 establishes data access rights intended to enable independent scrutiny of content dynamics by researchers and, under certain conditions, civil society organisations.Minor-specific protections (Article 28): Platforms accessible to minors must  implement age-appropriate design, and must not serve profiling-based advertisements to minors. Must avoid exploiting vulnerabilities. Must prioritize minors' best interests. Commission published Article 28 guidelines July 2025 operationalizing these requirements.Analysis: The European Commission has exclusive enforcement competence for VLOPs/VLOSEs. National Digital Services Coordinators enforce for all platforms.The EU is currently developing Digital Identity Wallet (EUDI Wallet) under eIDAS 2.0, potentially providing harmonized age verification by 2026. Commission released open-source age verification blueprints (July and October 2025) for pilot testing in Denmark, France, Greece, Italy, Spain. See CFG's Enforcement Tracker for comprehensive DSA enforcement overview.For analysis of minors as regulatory gateway and assessment of DSA's structural limitations, see “Chapter V: Governance of content and access” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.

Audiovisual Media Services Directive (AVMSD)

r

Audiovisual Media Services Directive (AVMSD): Extended 2018 to include video-sharing platforms (VSPs). Applies content-focused protections for minors. Restrictions on harmful audiovisual content (e.g., content impairing minors' physical, mental or moral development or incitement to violence or hatred) and advertising. 2026 evaluation will assess adequacy for evolving platform dynamics. Enforcement: National media regulators coordinated by ERGA (to be replaced by European Board for Media Services under EMFA).

Code of Practice on Disinformation

r

Code of Practice on Disinformation: Strengthened 2022, integrated into DSA as co-regulatory tool. Addresses monetization, bot amplification, political advertising transparency. Voluntary nature creates enforcement limitations. Platform commitments reduced 31% between 2022-2025. X (Twitter) exited entirely in 2023. Enforcement: Voluntary/Co-regulatory.

Political Advertising Regulation

r

Political Advertising Regulation: Adopted March 2024, applicable October 2025. Establishes transparency and targeting principles for electoral contexts. Demonstrates EU recognition that cognitive influence in political contexts requires specific safeguards. Enforcement: National authorities.

European Media Freedom Act (EMFA)

r

European Media Freedom Act (EMFA): Entered into force May 2024, applicable August 2025. Establishes a framework to protect media freedom, pluralism, and editorial independence. Rather than regulating individual platform designs, it operates at ecosystem level through safeguards for media independence, transparency, and constraints around media ownership and advertising. Enforcement: European Board for Media Services.

Business Incentives

Digital Markets Act (DMA)

r

Digital Markets Act (DMA)The DMA targets market power dynamics of "gatekeepers" - very large platforms controlling essential digital ecosystems. While not explicitly regulating brain health, market structure interventions have direct cognitive implications.Relevant Provisions:Interoperability requirements (Article 7): Gatekeepers must ensure interoperability of messaging services and social networking functionalities, such as sharing audiovisual content. Reduces lock-in effects, incentivising users’ migration to preferred alternatives. Data portability and real-time access (Article 6(9)): Users and third parties can port data and access it in real-time. Lowers switching costs. Enables competition from alternative services. Prohibition on combining personal data without consent (Article 5(2)): Gatekeepers cannot combine personal data across services without explicit consent. Limits cross-service data advantages that enable  more granular targeting .Self-preferencing restrictions (Article 6(5)): Gatekeepers cannot favor their own services in rankings and related visibility mechanisms compared to similar third-party services. Reduces incentives to optimize for attention capture over user-aligned outcomes, primarily in search and discovery contexts.Analysis: The European Commission has exclusive enforcement competence - only Commission can designate gatekeepers, investigate violations, impose sanctions. Full centralization reflects focus on small number of very large platforms with pan-European impact.For discussion of DMA limitations and coverage gaps, see “Chapter II: Governance of business incentives” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.

Corporate Sustainability Due Diligence Directive (CSDDD)

r

Corporate Sustainability Due Diligence Directive (CSDDD)The CSDDD requires large companies to conduct human rights and environmental due diligence across their value chains. While not designed for digital governance, its human rights framework extends to technology companies' impacts on users' mental health and cognitive wellbeing.Relevant Provisions:Core mechanism: Large companies must identify, prevent, mitigate, and account for adverse human rights impacts throughout value chains, including impacts on the “right to the highest attainable standard of physical and mental health”.Cognitive governance relevance: For technology companies, this means assessing how products, services, and business models affect users' mental health across design decisions, deployment contexts, and value chain relationships.Cross-cutting nature: Operates across multiple governance layers - affects design decisions, data practices, content policies, and incentive structures. Companies must evaluate systemic impacts including business model effects on cognitive environments.Accountability mechanisms: Companies must report on due diligence processes. Failure to conduct adequate due diligence can trigger legal consequences. Shifts mental health from reputational concern to legal and financial risk.Analysis: In December 2025, the "Omnibus I" simplification package introduced a weakening of CSDDD. Scope reduced to companies with 5,000+ employees and €1.5 billion turnover. Covers approximately 1,600 companies EU-wide (down from original broader scope). Climate transition plan requirement eliminated. Harmonized civil liability regime removed (enforcement left to national laws). Maximum penalties reduced to 3% of global turnover. Implementation delayed to July 2029.National authorities designated by Member States enforce the directive, with coordination mechanisms for cross-border cases.

TFEU Articles 101 and 102

r

TFEU Articles 101 and 102: Traditional competition law governing anti-competitive agreements (101) and abuse of dominant position (102). DMA represents an evolution from reactive enforcement to anticipatory structural regulation. Traditional competition enforcement focuses on economic efficiency and consumer welfare narrowly defined. Enforcement: European Commission and national competition authorities.

Data Act

r

Data Act: Extends data portability obligations to IoT and connected products beyond gatekeepers. Supports incentive logic that users should be able to exit services without losing data. Focus on economic data markets rather than personal data protection limits direct cognitive governance relevance. Enforcement: National authorities.

Peripheral Instruments

Corporate Sustainability Reporting Directive (CSRD)

r

Corporate Sustainability Reporting Directive (CSRD) and Sustainable Finance Disclosure Regulation (SFDR): Create mandatory ESG disclosure obligations. Could compel technology companies to document mental health impacts as material social risks. Address transparency and disclosure rather than substantive prevention or remediation. Status/Impact: In force.

Sustainable Finance Disclosure Regulation (SFDR)

r

Corporate Sustainability Reporting Directive (CSRD) and Sustainable Finance Disclosure Regulation (SFDR): Create mandatory ESG disclosure obligations. Could compel technology companies to document mental health impacts as material social risks. Address transparency and disclosure rather than substantive prevention or remediation. Status/Impact: In force.

BIK+ strategy

r

BIK+ strategy (European strategy for a better internet for kids): Addresses digital literacy and critical thinking education. Necessary complement to governance but not substitute for regulation. Status/Impact: Ongoing.

ePrivacy Regulation

r

ePrivacy Regulation: Would provide sector-specific protections for electronic communications data (cookies, tracking, communications confidentiality). Would complement GDPR by addressing communication services and browsers. Status/Impact: Under negotiation since 2017 (persistent delays).

FDI Screening Regulation

r

FDI Screening Regulation: Addresses foreign investment in sensitive technologies. Could prevent acquisition of European cognitive technology capabilities by entities with incompatible fundamental rights frameworks. Status/Impact: In force (increasingly relevant due to digital sovereignty concerns).

Design

AI Act (Regulation (EU) 2024/1689)

r

AI Act (Regulation (EU) 2024/1689)The AI Act is the EU's first comprehensive framework regulating manipulative system design directly. It addresses design, development, and deployment of AI systems through a risk-based approach.Relevant Provisions:Prohibited practices (Article 5): Prohibits AI systems that:Deploy subliminal, manipulative and deceptive techniques to distort behavior and impair the ability to make informed decisions, causing significant harmExploit vulnerabilities related to age or disability to distort behaviour and cause significant harmUse social scoring and classification systems based on social behaviour or predicted personal or personality characteristics, leading to detrimental treatmentInfer emotions at workplace or educational institutions, except for medical/safety reasonsMakes manipulative design itself unlawful, regardless of downstream effects.High-risk systems (Articles 6-7, Annex III): Systems classified as high-risk under Annex III — including emotion recognition, biometric categorisation, and those used in education, training or employment — must comply with Chapter III, Section 2 requirements, for example:Conformity assessmentTechnical documentationData governance (Article 10)Human oversight requirementsRobustness standardsNote: Compliance deadline provisionally deferred to December 2027 pending formal adoption of Digital Omnibus on AI.Articles 10 and 53(1)(d): Requires GPAI providers to publish a "sufficiently detailed summary" of the content used for training, according to a template provided by the AI Office. The template requires disclosure covering data from all training stages, including sources, nature of data, and data processing measures. It is designed to help copyright holders and data subjects exercise and enforce their rights, and to allow researchers to evaluate risks and assess data diversity. Transparency obligations (Article 50): AI systems interacting with humans must disclose they are AI systems. Systems generating or manipulating content must mark it as artificially generated. The Commission published the first draft Code of Practice on AI-generated content marking in 2025.General-purpose AI models (Chapter V): Providers of GPAI models must supply technical documentation, ensure transparency about training data, and implement copyright compliance policies. GPAI models posing systemic risk, assessed against compute thresholds and capability benchmarks, face additional obligations including risk assessment and mitigation, adversarial testing, and incident reporting.Analysis: Enforcement has a mixed model. The AI Office supervises general-purpose AI models posing systemic risk and, following the Digital Omnibus provisional agreement (May 2026), AI systems embedded in VLOPs and VLOSEs. National market surveillance authorities enforce requirements for other AI systems.For discussion of gaps in AI Act coverage, particularly systems falling below high-risk thresholds, see “Chapter IV: Governance of Design” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.

Digital Fairness Act (forthcoming)

r

Digital Fairness Act (forthcoming)Expected to complement the AI Act by addressing manipulative design practices outside AI system definitions, particularly dark patterns (deceptive techniques used by online platforms to manipulate users' behaviour without their knowledge or consent) exploiting cognitive biases.Commission launched call for evidence July 2025 (closed October 2025) specifically addressing addictive design features including infinite scrolling, autoplay, disappearing content, and engagement-maximising mechanics. Legislative proposal expected Q4 2026.DFA likely to: Target dark patterns and manipulative choice architecture; Mandate platforms disable addictive features by default for minors; Prohibit engagement-based recommender algorithms for young users; Fill gaps between GDPR (consent requirements) and UCPD (unfair commercial practices).Enforcement architecture is currently undefined; likely to rely on national consumer authorities coordinated through Consumer Protection Cooperation (CPC) network.Supporting Design-Layer InstrumentsGeneral Product Safety Regulation (GPSR) (Applicable Dec 2024): Establishes products must be safe, explicitly including mental health risks (WHO definition: "complete physical, mental and social well-being and not merely the absence of disease or infirmity"). Requires manufacturers assess risks including cognitive abilities, sleep quality, depression, and anxiety. Applies to standalone software, apps, digital products. Creates reporting obligations for mental health impacts as serious harm. Enforcement: National market surveillance authorities.Unfair Commercial Practices Directive (UCPD): Prohibits misleading and aggressive commercial practices. Dark patterns and manipulative choice architectures can violate UCPD. Scope focuses on commercial transactions and economic behavior. Enforcement: Consumer Protection Cooperation (CPC) network for cross-border coordination.Consumer Rights Directive (CRD): Establishes pre-contractual information requirements, withdrawal rights, transparency. Modernisation recognises services paid with personal data constitute contractual relationships. More relevant for ensuring informed choice than preventing manipulative solicitation. Enforcement: National consumer authorities.Digital Content and Digital Services Directive: Addresses conformity requirements for digital content and services. Relevant when framing harmful design as product defect, though legally uncertain. Enforcement: National consumer authorities.For assessment of whether supporting instruments adequately address manipulation outside AI contexts, see “Chapter IV: Governance of Design” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.

General Product Safety Regulation (GPSR)

r

General Product Safety Regulation (GPSR) (Applicable Dec 2024): Establishes products must be safe, explicitly including mental health risks (WHO definition: "complete physical, mental and social well-being and not merely the absence of disease or infirmity"). Requires manufacturers assess risks including cognitive abilities, sleep quality, depression, and anxiety. Applies to standalone software, apps, digital products. Creates reporting obligations for mental health impacts as serious harm. Enforcement: National market surveillance authorities.

Unfair Commercial Practices Directive (UCPD)

r

Unfair Commercial Practices Directive (UCPD): Prohibits misleading and aggressive commercial practices. Dark patterns and manipulative choice architectures can violate UCPD. Scope focuses on commercial transactions and economic behavior. Enforcement: Consumer Protection Cooperation (CPC) network for cross-border coordination.

Consumer Rights Directive (CRD)

r

Consumer Rights Directive (CRD): Establishes pre-contractual information requirements, withdrawal rights, transparency. Modernization recognizes services paid with personal data constitute contractual relationships. More relevant for ensuring informed choice than preventing manipulative solicitation. Enforcement: National consumer authorities.

Digital Content and Digital Services Directive

r

Digital Content and Digital Services Directive: Addresses conformity requirements for digital content and services. Relevant when framing harmful design as product defect, though legally uncertain. Enforcement: National consumer authorities.

Data

General Data Protection Regulation (GDPR)

r

General Data Protection Regulation (GDPR)The GDPR does not explicitly regulate "mental states" or "cognitive integrity," but governs the profiling and inference practices through which emotional, cognitive, and psychological characteristics are derived and exploited. For data governance obligations specific to AI systems, including training data transparency, see Design Layer (AI Act, Articles 10 and 53(1)(d)).Relevant Provisions:Key definitions (Article 4): Personal data covers any information relating to an identified or identifiable natural person (Art 4(1)). Biometric data means data resulting from specific technical processing relating to physical, physiological or behavioural characteristics which allows unique identification (Art 4(14)). Data concerning health covers data related to physical or mental health revealing information about health status (Art 4(15)).Profiling and automated decision-making (Article 22, Article 4(4)): Defines profiling as automated processing to evaluate personal aspects, particularly to analyze and predict behavior, personal preferences, interests and health. Covers behavioral prediction and psychological inference enabling cognitive influence. Article 22 gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, where these produce legal or similarly significant effects.Consent requirements (Article 6(1)(a), Article 7): Consent for processing personal data must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give. Applies to data collection for behavioral manipulation.Purpose limitation (Article 5(1)(b)): Data collected for one purpose cannot be repurposed for incompatible uses without new legal basis. Constrains cognitive surveillance by limiting repurposing of behavioral data.Data minimization (Article 5(1)(c)): Personal data must be "adequate, relevant and limited to what is necessary." Principle directly conflicts with data maximization logic of engagement-driven business models.Special category data protections (Article 9): Health data, including mental health information, receives heightened protection. Gap: Inferred psychological characteristics or emotional states not classified as special category data unless they reveal health information.Data protection by design and by default (Article 25): Controllers must build GDPR compliance into systems and processes from the outset and throughout processing. By default, only personal data necessary for each specific purpose may be processed, including limits on amount, scope, storage period, and accessibility. Analysis: The law is enforced by National data protection authorities (DPAs) in coordination with the European Data Protection Board (EDPB). Lead authority mechanism for cross-border processing. Regulation (EU) 2025/2518 adds harmonized procedural rules.Data subjects can exercise rights to access, rectification, erasure, and objection against controllers. These rights create leverage points where users can disrupt data-driven manipulation.Note: The Digital Omnibus Regulation (proposed November 2025) proposes targeted GDPR amendments relevant to cognitive governance, including narrowing the personal data definition and refining Article 22 on automated decision-making. Trilogue negotiations ongoing; adoption expected late 2026.For discussion of GDPR's structural limitations for cognitive protection, particularly regarding inference and consent mechanisms, see “Chapter III: Governance of Data” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.

Enforcement & Redress

Enforcement Architecture by Layer

r

Enforcement Architecture by LayerFoundational Rights: Courts interpret operational law; Regulators invoke Charter rights.Design Layer: AI Office (general-purpose AI); National market surveillance (other AI systems, GPSR); Consumer authorities (UCPD, forthcoming DFA).Data Layer: National DPAs coordinated by EDPB (Lead authority mechanism; Regulation (EU) 2025/2518).Content Layer: Commission (VLOP/VLOSE systemic risk under DSA); National Digital Services Coordinators (other DSA); National media regulators (AVMSD).Incentives Layer: Commission (DMA - fully centralized); National authorities (CSDDD).For analysis of enforcement fragmentation see Chapter VI: Governing cumulative harm” of report “Cognitive integrity in the age of AI”: a conceptual framework and policy analysis”.

Redress Mechanisms

r

Redress MechanismsIndividual rights: GDPR: Access, rectification, erasure, objection rights against controllers. DSA: Rights to challenge content moderation decisions.Collective redress: Representative Actions Directive (2020/1828): Qualified entities can bring claims for collective consumer harm. Enables injunctions, damages, or other remedies.Product Liability Directive (adopted Oct 2024, implementation by Dec 2026): Covers software, AI systems, digitally connected products. Explicitly includes "medically recognized damage to psychological health" as compensable harm. If manipulative design constitutes "defect," users could potentially claim compensation for psychological harm.For analysis of redress inadequacy see Chapter VI: Governing cumulative harm” of report “Cognitive integrity in the age of AI”: a conceptual framework and policy analysis”.

Fundamental rights:
Constitutional Framework

UN Convention on the Rights of the Child (UNCRC)

r

UN Convention on the Rights of the Child (UNCRC)The UNCRC, while an international treaty rather than EU constitutional law, functions as a parallel constitutional framework specifically for children.Relevant Provisions:Best interests principle (Article 3): All actions concerning children must make the child's best interests a primary consideration. Provides constitutional grounding for precautionary approaches to technologies affecting children.Development rights (Articles 6, 27, 29): Children have rights to development "to the maximum extent possible," including cognitive and psychological development. Systems interfering with healthy cognitive development violate these rights.Protection from exploitation (Articles 36, 17): Requires protection from all forms of exploitation and from information/material injurious to wellbeing,while ensuring access to information that promotes social, physical, and mental wellbeing.Right to express and to be heard (Article 12): Children capable of forming views have the right to express those views in matters affecting them.Analysis:The UN Committee on the Rights of the Child's General Comment No. 25 (2021) interprets these obligations for the digital environment, establishing that children's rights apply fully to algorithmic systems, data practices, and platform design.

EU Charter of Fundamental Rights

r

EU Charter of Fundamental RightsThe Charter provides constitutional grounding for cognitive integrity claims, though it does not explicitly mention brain health, attention extraction, or cognitive manipulation. Its provisions establish why cognitive interference matters legally, not merely as consumer harm or market distortion, but as potential violations of fundamental rights. Relevant/Core Provisions:Human dignity (Article 1): Establishes inviolability of dignity, invoked in contexts where data practices or system design treat persons as manipulable objects rather than autonomous agents.Right to mental and physical integrity (Article 3): Protects physical and mental integrity. While traditionally applied to biomedical contexts, including Article 3(2)'s prohibition on making the human body a source of financial gain, increasingly relevant to digital systems that interfere with cognitive autonomy or psychological wellbeing.Respect for private and family life, home and communications (Article 7): Privacy extends to cognitive and psychological dimensions. CJEU has recognized that data protection is instrumental to autonomy and self-determination.Protection of personal data (Article 8): Elevates data protection to constitutional status. Courts invoke Article 8 to ensure data practices respect dignity, autonomy, and mental integrity beyond mere compliance technicalities.Freedom of thought (Article 10): While often understood in religious or ideological contexts, it encompasses the capacity to form beliefs free from undue manipulation.Freedom of expression and information (Article 11): Protects the right to receive and impart information without interference. Relevant where algorithmic curation and recommender systems shape the information environment, and for concerns around amplification and recommendation dynamics.Rights of the child (Article 24): Requires children's best interests be a primary consideration in all actions relating to them. Provides constitutional grounding for child-protective digital governance.Non-discrimination (Article 21): Prohibits discrimination on grounds including sex, race, age, ethnic origin, and disability, among others. When technologies discriminate in profiling or targeting based on protected characteristics, both dignity and non-discrimination principles are engaged.Analysis:The Charter functions as interpretive infrastructure rather than directly enforceable rules. National regulators invoke dignity and autonomy when challenging manipulative practices. Courts assess proportionality of governance measures against constitutional rights. EU institutions cite child protection as constitutional imperative when designing obligations.Constitutional rights enforcement operates primarily through courts. Individuals or organisations can invoke Charter rights before national courts, which must ensure Charter compliance when applying EU law. Regulators increasingly invoke Charter rights to justify enforcement actions against practices affecting cognition.For assessment of how effectively constitutional principles translate into operational protection, see “Chapter I:Governance of constitutional rights for cognitive integrity” of the report “Cognitive integrity in the age of AI: conceptual framework and policy analysis”.