EU REGULATION
inconsistent outcomes, sometimes even within one country (e.g. Germany 7 ). Thus, the GDPR vividly illustrates the limits of (almost) full legal harmonization when enforcement remains nationally fragmented. Although the European Data Protection Board (“EDPB”) can issue opinions, guidelines and even sometimes binding decisions, the investigative capacity, procedural speed, and sanctioning practice continue to vary widely. The success of technical standards In our opinion, one of the most effective models of European harmonization has been achieved through harmonisation by technical standards. Sectors such as product safety and automotive regulation demonstrate that alignment succeeds where lawmakers agree on essential objectives, while detailed, operational requirements are delegated to shared technical standards. These standards translate abstract legal principles into testable and auditable compliance criteria, allowing enforcement to converge even where national authorities retain formal competence. Harmonization works here because regulators assess risk and compliance against the same technical benchmarks. For example, the General Product Safety Regulation 8 , applicable since December 2024, sets uniform safety obligations across the EU and strengthens market surveillance, including online marketplaces. What makes this regime durable is the reliance on harmonised European standards developed by bodies such as CEN and CENELEC. Compliance with these standards provides a presumption of conformity with the EU law 9 . In other regulated sectors across Europe, harmonised legal requirements are often operationalized through independent conformity-assessment organisations that perform technical testing, auditing, and certification against shared standards. A contemporary example is the development of standards and assessment frameworks for complex artificial intelligence systems. The German standards body DIN and its partners have emphasised that even highly complex systems can be
made testable and certifiable by building common technical criteria and structured conformity assessment processes. These can be supported by accredited organisations such as TÜV AI.Lab that specialise in evaluating compliance with the criteria. This work reflects a broader approach to standardisation in areas like AI, where standards (such as DIN SPECs) define measurable requirements and accredited auditors produce reproducible evidence that a system is compliant, even where inherent complexity would otherwise impede objective evaluation. The horizontal harmonization framework applicable to online gambling Horizontal harmonization is best understood as the set of cross-sector EU regimes that bind their addressees regardless of whether the respective sectoral law is harmonized. In other words, even if EU Member States retain competence, for example, over gambling policy (licensing models, product permissions, channelisation choices), gambling operators are already subject to shared EU-level rules that partially standardize the compliance infrastructure around online gambling: how player data is processed, how payment flows are monitored and controlled, how consumer communications are assessed, how online distribution and advertising are governed, and how algorithmic systems used in risk scoring and harm detection must be governed. Thus, online gambling is already subject to meaningful horizontal harmonisation, for example, in personal data governance (the GDPR), financial integrity controls (the AMLD), consumer-facing conduct (the UCPD), online distribution and content governance (the DSA), emerging algorithmic governance (the AI Act), and many others, as this list is illustrative and not exhaustive. All these instruments form part of the existing harmonized legal framework upon which gambling-specific technical standards (e.g., common reporting formats or harm markers) can be layered to drive functional convergence without requiring politically unrealistic full harmonization of national gambling laws.
7 Due to a federative organisation of Germany, each of the German States currently has its own data protection supervisory authority, meaning there are 17 data protection supervisors in Germany (16 local and 1 federal) for the private sector that have divergent approaches even within one country 8 https://eur-lex.europa.eu/eli/reg/2023/988/oj 9 https://single-market-economy.ec.europa.eu/single-market/goods/european-standards/harmonised-standards_en
IMGL MAGAZINE | MARCH 2026
PAGE 9
Made with FlippingBook flipbook maker