Pub Date: 2025-11-01; Epub Date: 2025-09-23; DOI: 10.1016/j.clsr.2025.106209
Fabian Teichmann, Bruno S. Sergi
This article advances a governance-theoretical account of the EU Cyber Resilience Act (CRA) as a form of hybrid regulation that combines command-and-control duties with risk-based calibration, co-regulation through European harmonized standards, and enforced self-regulation by firms. The central research question is: how does the CRA’s hybrid design reallocate regulatory functions between public authorities and private actors along the digital-product lifecycle, and with what compliance and enforcement consequences? Methodologically, the paper doctrinally analyses the CRA’s core provisions and situates them in the New Legislative Framework (NLF) for product regulation, the legal regime for standards under Regulation (EU) No 1025/2012 and Court of Justice of the European Union (CJEU) case law, and adjacent EU instruments (NIS2; Cybersecurity Act). It further offers a concise comparative sidebar on the United States and the United Kingdom to contrast policy trajectories. The contribution is threefold: (i) it clarifies the legal status and governance role of harmonized standards within CRA conformity assessment; (ii) it analytically distinguishes external obligations from firm-internal “meta-regulation”; and (iii) it maps institutional interfaces with NIS2 and the Cybersecurity Act, highlighting pathways for dynamic escalation (including mandatory certification). The analysis yields implications for corporate compliance design, market surveillance, and future rule updates via delegated acts.
Title: The EU Cyber Resilience Act: Hybrid governance, compliance, and cybersecurity regulation in the digital ecosystem
Journal: Computer Law & Security Review, Vol. 59, Article 106209
Pub Date: 2025-11-01; DOI: 10.1016/j.clsr.2025.106229
Matteo Buffa, Alfio Ferrara, Sergio Picascia, Davide Riva, Silvana Castano
Legal document building refers to the process of producing a legal textual document following a predefined schema with the support of digital, automated tools. Such systems must balance two fundamental requirements: providing targeted drafting assistance while preserving judicial autonomy and decision-making authority, and systematically leveraging existing legal document corpora to enhance consistency and quality in legal documentation. In this paper, we propose a document builder architecture, called JusBuild, designed to assist and support legal practitioners in drafting new legal documents. JusBuild supports the document assembly process by relying on a predefined legal document template and on a corpus of past legal documents. The key features of JusBuild are: (i) the use of a Conditional Random Field (CRF) model for the supervised segmentation of legal documents into functional sections according to a document template; (ii) a vector database storing segmented sections and their semantically meaningful vector representations for efficiently performing semantic search for suggestion retrieval; (iii) the suggestion, at drafting time, of relevant precedent sections retrieved from the vector database and of new, AI-generated sections, using a Large Language Model and Retrieval-Augmented Generation (RAG). A distinguishing design choice of JusBuild is the “human-in-the-loop” approach, which allows the user (judge) to exercise his/her decision-making freedom and full control in formulating the provision while working with the suggestions provided by JusBuild. Thanks to the flexible nature of the architecture, adaptable to a large number of legal contexts with different document structures and legal matters, JusBuild makes contextualized content generation accurate and efficient for legal practitioners. The application of JusBuild to legal document building in the Italian legal context is discussed.
JusBuild validation is provided by considering datasets that differ in document template, language, and judicial matter, to test its applicability and adaptability to different contexts.
Title: Enhancing legal document building with Retrieval-Augmented Generation
Journal: Computer Law & Security Review, Vol. 59, Article 106229
Pub Date: 2025-11-01; DOI: 10.1016/j.clsr.2025.106226
Chimaobi Umezuruike
Cyber risk events have become a routine occurrence in business operations, and the shipping industry is not left out. Internet technology has been adopted in shipping for onshore and shipboard purposes. Hence, shipping businesses face dual-pronged cyber risks. On the one hand, they are exposed to shipboard cyber risks, and on the other hand, they face onshore cyber exposure much like any other business.
Conventionally, perils of the sea and other offshore risks are handled by traditional marine insurance policies, while onshore business risks are handled by non-marine insurance policies. Both sets of risks had been unique to their classes of insurance. Now, things are muddled as both aspects feature the exposure to cyber risks.
This article analyses the categories of cyber insurance available to the shipowner. It considers the coverage of cyber risks under traditional marine insurance and affirmative cyber insurance. It evaluates how traditional marine insurance tailored for ships' hulls and machinery mitigates some cyber risks and how affirmative cyber insurance covers shipboard and business cyber risks. It examines affirmative cyber insurance policies tailored to the shipping industry and those intended for businesses at large.
Example policies from each category are analysed to determine what cyber risks may be covered and what restrictions the policies carry. This paper is restricted primarily to policies from the UK and the US insurance markets and decided cases from both jurisdictions. It is concluded that shipping businesses require a combination of policies or an extensive hybrid policy to adequately mitigate cyber risks.
Title: Cyber risk insurance in the shipping business: What cover is available?
Journal: Computer Law & Security Review, Vol. 59, Article 106226
Pub Date: 2025-11-01; Epub Date: 2025-09-05; DOI: 10.1016/j.clsr.2025.106181
Laura Aade
Social media commerce, defined as the direct selling of goods and services through social media, is emerging as a prominent business model in the platform economy. As social media platforms introduce e-commerce features, they are becoming what I call social marketplaces: a new category of online platforms found at the intersection of social networks and online marketplaces. This article examines how the Digital Services Act (DSA) protects consumers in relation to social media commerce, and what specific obligations it imposes on social marketplaces to increase transparency in online transactions. While the DSA does not explicitly address social media commerce, it indirectly applies through Section 4, which imposes obligations on ‘online platforms allowing consumers to conclude distance contracts with traders’. I argue that because social marketplaces fall within this category of online platforms, they are subject to the obligations laid down in Section 4 DSA, namely Article 30 DSA (traceability of traders), Article 31 DSA (compliance by design), and Article 32 DSA (right to information). This article critically analyses the application of these provisions to social marketplaces and examines their interaction with EU consumer laws. Based on the analysis, it identifies three shortcomings in the DSA’s approach to protecting consumers on social marketplaces: (i) regulatory complexity due to overlaps with the EU consumer acquis, (ii) interpretative ambiguity, as the DSA was not designed with social marketplaces in mind, and (iii) an enforcement gap specific to social media commerce. Rather than calling for new legislation, this article concludes that effective consumer protection on social marketplaces requires clarifying the interaction between legal instruments, interpreting existing provisions in light of evolving platform practices, and ensuring coordinated enforcement across relevant actors.
Title: The regulation of social media commerce under the DSA: A consumer protection perspective
Journal: Computer Law & Security Review, Vol. 59, Article 106181
Pub Date: 2025-11-01; Epub Date: 2025-11-25; DOI: 10.1016/j.clsr.2025.106236
Shujie Feng
The tremendous capacity of AI to generate abundant content at minimum cost will revolutionize all creative endeavors in the literary, artistic and industrial sectors. Whether to protect AI-generated content (AIGC) as copyrightable work is a challenging question common to all countries. While most countries remain attached to the traditional copyright doctrine of absolute human authorship and are reluctant to extend copyright protection to AIGC over which AI users have insufficient control, Chinese courts have recognized the copyrightability of AIGC once AI users’ intellectual investment in the creation process can be shown. This paper explains the political motivation behind the innovative approach of Chinese judges and its favorable support from Chinese scholars, clarifies the Chinese judicial practice, analyzes the significance of its underlying doctrine and evaluates the possible consequences of the Chinese solution for the market. It concludes that the Chinese judicial practice is not a deviation from traditional copyright doctrine, but rather provides a solution that makes the traditional standard of human authorship more accessible. The Chinese solution is efficient because it avoids the difficult distinction between users’ and AI’s contributions to AIGC, and it is inclusive of creators assisted by AI because it values the creative genius of humankind instead of physical operation. With that said, for a better balance of interests between prior copyright owners of AIGC and posterior creators, the criteria as well as the burden and standard of proof for determining copyright infringement should be adjusted to protect freedom of creation by human beings.
Title: The copyrightability of AI-generated content: A doctrinal exploration of the pioneering Chinese judicial practice
Journal: Computer Law & Security Review, Vol. 59, Article 106236
Pub Date: 2025-11-01; Epub Date: 2025-09-04; DOI: 10.1016/j.clsr.2025.106191
Ryan Yang Wang, Sydney Forde, Ahmed Al Rawi, Erika Solis, Krishna Jayakar
This study offers the very first investigation of the global diffusion and convergence of domain name dispute resolution policies (NDRPs) by analyzing 34 policies adopted by country code top-level domains (ccTLDs) between 1999 and 2023. While prior research has largely focused on ICANN’s Uniform Dispute Resolution Policy (UDRP), this paper offers a novel cross-national comparison of NDRPs to evaluate textual convergence and underlying policy drivers. Combining qualitative content analysis with network-based similarity modeling, the study constructs a matrix representing pairwise textual similarity between policy documents. To account for network dependencies, we apply Multiple Regression Quadratic Assignment Procedures and generalized linear mixed models with beta regression. The analysis identifies key predictors of policy similarity, showing that countries with similar levels of government effectiveness and differing export intensities are more likely to share convergent policy texts. This suggests that policy convergence occurs not merely through regional or legal affinity, but through a combination of institutional alignment and economic asymmetry. Despite the decentralized and uncoordinated adoption of NDRPs globally, a substantially unified dispute resolution framework for domain names appears to be emerging.
Title: Textual convergence in national domain name dispute resolution regimes: A mixed-methods analysis of ccTLD arbitration policies
Journal: Computer Law & Security Review, Vol. 59, Article 106191
Pub Date: 2025-11-01; Epub Date: 2025-11-07; DOI: 10.1016/j.clsr.2025.106227
Marilyne Ordekian, Ingolf Becker, Tyler Moore, Marie Vasek
Centralized cryptocurrency exchanges have quickly become integral components of the digital finance ecosystem, mirroring traditional institutions by offering custody, investments, and transactional services. Despite their increasing prominence, regulatory oversight has historically been fragmented and inadequate, leaving them to rely largely on self-regulation. The resulting environment has been marked by exchange collapses, connections to criminal activities, cyber attacks, and poor operational security. High-profile failures, such as Mt. Gox and FTX, highlight the systemic risks and the failure of internal governance models to properly mitigate cascading risks or protect user funds from security breaches. In response, the European Union introduced the Markets in Crypto-Assets (MiCA) regulation and the Digital Operational Resilience Act (DORA), intending to standardize regulatory oversight and enhance user protection.
This paper presents the first comprehensive interdisciplinary analysis of centralized exchanges under the MiCA and DORA frameworks. Drawing on methods from both law and computer science, we systematically translate regulatory requirements into measurable compliance standards, and develop a novel doctrinal and empirical methodology to evaluate the current self-regulatory practices of 75 centralized exchanges operating in Europe. Through a detailed analysis of 143 exchange legal documents, we identify major compliance gaps and regulatory uncertainties. Our findings indicate significant shortcomings in exchange practices relating to asset custody, cybersecurity, and liability. This suggests that serious efforts are needed to change these practices and ensure their alignment with regulatory requirements. Our framework enables a systematic comparison between regulation and practice, and establishes a baseline for evaluating the effectiveness of regulatory measures. This approach can be replicated to study other self-regulating emerging sectors.
Title: Raising the bar: Assessing historical cryptocurrency exchange practices in light of the EU’s MiCA and DORA regulation
Journal: Computer Law & Security Review, Vol. 59, Article 106227
Pub Date: 2025-11-01; Epub Date: 2025-09-09; DOI: 10.1016/j.clsr.2025.106186
Patrick Smieskol, Timo Jakobi, Max von Grafenstein
In an increasingly digitized world, personalization has emerged as a key mechanism for matching users with relevant content, advertisements, services, and other products. For personalization to work, users' online behavior is typically tracked to create unique profiles of their individual behavior and interests. This process creates trade-offs between data collection and users' privacy concerns. These conflicts are regulated, amongst other laws, by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. While the ePrivacy Directive requires the data controller to obtain consent from data subjects for the setting of cookies through which data subjects can be tracked across different websites and even devices, the GDPR requires further user control and transparency with respect to the processing of such data, especially profiling, on which the personalization of content is based. However, plenty of research shows that, to date, users neither understand the effects of tracking technology on their online experience nor feel in control of the profiles created about them. As a consequence, users report helplessness and even fatalism instead of being able to effectively control tracking for personalization, even where controls are provided to them. Based on the rich research on feedback design, we argue that, in order to learn how to effectively control tracking and, as a consequence, personalization, users need effective feedback mechanisms to learn about the outcomes of their settings and evaluate their performance. Key elements of effective feedback in general are its situatedness and timeliness. In this paper we therefore address the question of how feedback mechanisms should be designed so that they enable users to make an effective decision for or against tracking and personalization.
To this aim, in a first research phase we conducted 20 qualitative interviews to explore users' privacy expectations, which benefits of personalization they value, which risks they see and, most importantly, which controls they think they should have. The results of this study suggested an immediate feedback mechanism. In a second phase, we therefore prototyped an on/off switch that users could use to enable or disable the personalization of advertising and other content on a website and compare the results of the two settings. A preliminary evaluation confirms such a feedback mechanism as a promising approach for effective user control according to the data protection by design requirement in Art. 25 sect. 1 GDPR. If this mechanism were further developed and evaluated into an effective solution available on the market, it would represent the so-called state of the art, which all data controllers would have to consider in accordance with Art. 25 sect. 1 GDPR.
Title: From consent to control by closing the feedback loop: Enabling data subjects to directly compare personalized and non-personalized content through an On/Off toggle
Pub Date: 2025-11-01 | Epub Date: 2025-09-26 | DOI: 10.1016/j.clsr.2025.106187
Albina Orlando, Mario Santoro
This study introduces an explainable Artificial Intelligence (XAI) framework that couples legal-domain NLP with Structural Topic Modeling (STM) and WordNet semantic graphs to rigorously analyze over 1,900 GDPR enforcement decision summaries from a public dataset. Our methodology focuses on demonstrating the pipeline’s validity with respect to manual analyses by inspecting the results of four well-known research questions: (1) cross-country fine distribution disparities (automated metadata extraction); (2) the violation severity–fine amount relationship (keyness and semantic analysis); (3) structural text patterns (network analysis and STM); and (4) prevalent enforcement triggers (topic prevalence modeling). The pipeline’s validity is underscored by its ability to replicate key findings from previous manual analyses while enabling a more nuanced exploration of GDPR enforcement trends. Our results confirm significant disparities in enforcement across EU member states and reveal that monetary penalties do not consistently correlate with violation severity. Specifically, serious infringements, particularly those involving video surveillance, frequently result in low-value fines, especially when committed by individuals or smaller entities. This highlights that a substantial proportion of severe violations are attributed to smaller actors. Methodologically, the framework’s ability to quickly replicate such well-known patterns, alongside its transparency and reproducibility, establishes its potential as a scalable tool for transparent and explainable GDPR enforcement analytics.
Title: A semantic approach to understanding GDPR fines: From text to compliance insights
Pub Date: 2025-11-01 | Epub Date: 2025-09-19 | DOI: 10.1016/j.clsr.2025.106196
Giancarlo Frosio, Faith Obafemi
This article examines regulated data access (RDA) in the metaverse—an interconnected and immersive digital ecosystem comprising virtual, augmented, and hyper-physical realities. We organise the argument across taxonomy (Section 2), Digital Services Act (DSA)-anchored doctrine (Section 3), implementation challenges (Section 4), platform practices (Section 5), and a global blueprint (Section 6). Building on the European Union’s DSA, particularly Article 40, the analysis evaluates whether metaverse platforms qualify as Very Large Online Platforms or Very Large Online Search Engines and thus fall within the DSA’s data access rules. Drawing comparative insights from the UK’s Online Safety Act and the United States’ proposed Platform Accountability and Transparency Act, the article highlights differing global approaches to data sharing and the significant governance gaps that persist.
This article categorizes metaverse-native data, including spatial, biometric, and eye-tracking data, into personal and non-personal types, stressing the heightened complexity of governing immersive, multidimensional information flows. While existing legal frameworks offer a starting point, the metaverse’s novel data practices demand targeted adaptations to address challenges like decentralised governance, user consent in real-time environments, and the integration of privacy-enhancing technologies. Through an examination of data access regimes across selected metaverse platforms, the article identifies a lack of uniform, transparent processes for external researchers.
In this context, the article highlights RDA's broader public-interest function, facilitating external scrutiny of platform activities and ensuring service providers are held accountable. The absence of consistent RDA frameworks obstructs systemic risk research, undermining both risk assessment and mitigation efforts while leaving user rights vulnerable to opaque platform governance. To address these gaps, the article advances a set of policy recommendations aimed at strengthening RDA in the metaverse—adapting regulatory strategies to its evolving, decentralised architecture. By tailoring regulatory strategies to the metaverse’s dynamic nature, policymakers can foster accountability, innovation, and trust—both domestically (in jurisdictions like the UK, where data access provisions remain underdeveloped) and internationally. The analysis extends beyond mere applications to metaverse platforms, providing insights that can be applied to the online platform ecosystem in its entirety. Ultimately, this article charts a path toward harmonized, future-ready data governance frameworks—one that integrates RDA as a core regulatory mechanism for ‘augmented accountability’, essential for safeguarding user rights and enabling independent risk assessment in the metaverse.
Title: Augmented accountability: Data access in the metaverse