Hybrid warfare through large-scale disinformation campaigns has increasingly affected European elections. This was most evident in the 2024 Romanian presidential election, where Călin Georgescu unexpectedly emerged as a leading candidate after the first round (Henley, 2025). The Constitutional Court of Romania suspended the results following declassified intelligence indicating Russian digital interference (Carrozzini, 2024). This case exposed the vulnerability of democratic institutions within the European Union (EU) to foreign influence, highlighting the need to strengthen its role in the information space.
In response to these developments, the Commission launched the European Democracy Shield (EDS) in 2025, a policy package to protect the integrity of the European information ecosystem (European Commission, 2025). The Digital Services Act (DSA) already establishes a framework for platform governance and systemic risk management, which offers strong regulatory potential against disinformation and may underpin the EDS.
This insight examines the theoretical scope of the DSA’s powers to assess their regulatory potential and limits in tackling disinformation, before evaluating whether the EDS has effectively operationalised these powers.
Regulating Systems Rather Than Speech
The DSA does not harmonise what content counts as illegal, but instead relies on existing EU law and national law of Member States (MS) to determine what is unlawful (Husovec & Laguna, 2023). The regulation establishes minimum procedural requirements for how national authorities may order platforms to act against illegal content, while MS retain significant discretion in the determination of illegal content.
Accordingly, specific instances of illegal content are addressed through orders and notice-and-action procedures. Disinformation, however, rarely qualifies as illegal content under EU or national law, meaning platforms generally cannot be required to remove it.
The DSA therefore addresses disinformation primarily through a “systemic risk” framework, targeting large-scale societal harms rather than individual pieces of content. Its regulatory potential lies in governing how platforms amplify disinformation, rather than in content moderation as such (Husovec & Laguna, 2023).
Systemic risk is a broader concept than disinformation: not all disinformation qualifies, and not all systemic risks involve disinformation. It is only when disinformation is amplified at scale and produces significant negative effects on democratic processes or fundamental rights that it falls within the framework (i.e., qualifying as disinformation).
Recitals 80-83 specify that Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must assess systemic risks across four areas (European Commission, 2025): illegal content; fundamental rights; civic discourse, democratic processes, and public security; minors, gender-based violence, and public health. Recital 84 further clarifies that these risks may also arise from lawful, context-dependent information whose harmful effects arise from amplification (Husovec, 2024).
Articles 34 and 35: The Core of the DSA’s Risk Governance Model
The DSA’s risk-based governance architecture under Articles 34 and 35 guides this risk-based regulation which can tackles qualifying disinformation by imposing certain obligations on VLOPs and VLOSEs: Article 34 requires platforms to assess systemic risks through annual evaluations of how their design, algorithms, and policies contribute to societal harm (Husovec, 2024). These assessments inform Article 35 duties of adopting reasonable, proportionate, and effective mitigation measures, such as adjusting recommender systems, modifying platform design, or demonetising disinformation. Platforms must then submit these assessments, mitigation measures, and audit materials to the Commission and the Digital Services Coordinator (DSC).
A Multi-Layered Enforcement Architecture
The DSA establishes a multi-layered enforcement architecture, operating through three channels: compliance-based platform obligations; public enforcement by the Commission and DSCs; and judicial enforcement through courts (Appelman & Leerssen, 2022).
First, the Regulation establishes transparency mechanisms to enhance oversight of platform behaviour through reporting, data access for vetted researchers, algorithmic scrutiny, and independent audits (Husovec, 2024). These tools help detect coordinated disinformation by making hidden patterns of manipulation visible. Trusted flaggers, alongside researchers and civil society actors, contribute to identifying and contextualising content whose nature and impact depend on context rather than fixed legal definitions. This makes them particularly relevant for disinformation, which rarely meets the threshold of illegality and therefore cannot be flagged through standard legal categorisation alone (Appelman & Leerssen, 2022).
Primary enforcement, however, lies with the Commission and national DSCs (Husovec, 2024). This top-down layer enables regulators to investigate VLOPs, access internal data, require independent audits, and impose fines of up to 6% of global turnover for non-compliance.
Lastly, although the DSA’s enforcement framework is primarily designed around public authorities, private enforcement and judicial oversight also remain relevant (Sanchez, 2024). As EU law, Articles 34 and 35 must be interpreted considering the Charter of Fundamental Rights, including Article 47 on effective judicial protection. This opens the door for judicial redress for those affected by platform failures. Such redress may take the form of litigation through indirect effect, tort claims, or follow-on damages, as signalled in Articles 54, 86, and 90 of the DSA (Leerssen et al., 2025).
Structural Limits of the DSA
Despite its strong regulatory potential, the DSA has significant structural limitations rooted in the indeterminacy of systemic risks. Because harms such as disinformation are difficult to define, platforms are tasked with conducting their own risk assessments. While the Commission holds primary enforcement authority under Article 56, platforms retain discretion in framing their own systemic risk assessments and mitigation measures since the Commission reviews but does not determine that initial framing (Husovec, 2024). The European Board for Digital Services solely supports this oversight and integrates national regulators to ensure a “common Union perspective” (Leerssen et al., 2025).
This platform discretion is only partially mitigated by the DSA’s reliance on multistakeholder mechanisms, such as trusted flaggers. These bring external expertise to identifying harmful content whose nature and impact frequently depend on context and scale rather than fixed legal definitions. However, these mechanisms are not neutral: trusted flaggers are selected through processes that may reflect institutional or financial interests, introducing biases linked to funding structures. Moreover, as identification becomes increasingly automated, platforms retain significant discretion in how flagging criteria are defined, which may reinforce existing biases in practice rather than delivering genuine external oversight (Appelman & Leerssen, 2022).
These difficulties are compounded by information asymmetries: platforms have far greater insight into their systems than regulators, increasing the risk of underreporting and formalistic compliance, and producing a “double discretion” that creates legal uncertainty in case-by-case enforcement (Coli, 2026).
Finally, the DSA’s content-neutral approach, while normatively justified, means that even robust enforcement may reduce rather than eliminate the spread of disinformation.
The Democracy Shield’s Policy Design
Faced with both the DSA’s regulatory potential and its limits, the EDS’s 50 action points nonetheless emphasise a distinct set of policy instruments. The Shield’s developments include the European Centre for Democratic Resilience (ECDR), the European Network of Fact-Checkers, the AgoraEU Programme, and a range of civil society-oriented and soft-law initiatives. While these measures contribute to democratic resilience through administrative coordination and financial support, they largely mirror or expand on existing soft-law frameworks (Coli, 2026). For instance, critics argue that the ECDR resembles the EEAS Rapid Alert System, while the Network of Fact-Checkers builds on the European Digital Media Observatory (EDMO) (Quaritsch, 2025).
The Shield leverages the DSA’s potential by officially integrating the strengthened Code of Practice on Disinformation as a formal Code of Conduct under Article 45. The Code, a collaborative, multistakeholder framework, is thus now serving as the official benchmark for determining whether platforms are fulfilling their mandatory systemic risk obligations under Articles 34 and 35 (Quaritsch, 2025; Coli, 2026). While the Code’s role as an evidence base for non-compliance may create a powerful incentive structure, its voluntary character makes this contingent on platform cooperation rather than binding obligation.
The EDS, moreover, proposes new procedural tools within the DSA framework, such as the Incidents and Crisis Protocol under Article 48 and updates to the Elections Toolkit, aimed at coordinating responses to large-scale information manipulation (Coli, 2026). Furthermore, it relies on existing DSA mechanisms, including data access for vetted researchers and regulatory dialogues with platforms, to strengthen monitoring and oversight.
Next to these soft law measures, two binding instruments within the broader EU information governance system nuance this picture. The Political Advertising Regulation makes it mandatory for political advertising to be transparent, tackling a key channel for foreign-funded disinformation. The European Media Freedom Act (EMFA), meanwhile, establishes structural protections for editorial independence and media pluralism, which are essential conditions for a functioning information ecosystem that the DSA, as a platform regulation, cannot itself guarantee (Coli, 2026).
Overall, the Shield prioritises softer governance tools, even as harder mechanisms exist both within the DSA framework and beyond it.
Why the DSA’s Powers Remain Underused
This reflects both a strategic choice and the structural limits of regulating disinformation, which is largely lawful and further constrained by freedom of expression concerns. These constraints, however, do not fully account for the limited use of the DSA’s more robust enforcement powers, such as mandating algorithmic changes, imposing stricter mitigation measures, or systematically enforcing the demonetisation of disinformation providers (Coli, 2026). Several additional factors help explain this implementation gap.
Enforcement actions against large technology platforms often involve geopolitical sensitivities, economic pressures, and lobbying, which may make the EU cautious in deploying the DSA’s strongest enforcement mechanisms (Coli, 2026). Moreover, investigating platform algorithms requires substantial resources, technical expertise, and specialised personnel that take time to develop.
While the EDS has emphasised the DSA’s systemic risk obligations by strengthening monitoring and data access through regulatory dialogues and the Common Research Support Framework, and has also put forward a significant budget proposal, the precise terms and amounts remain under negotiation and may ultimately fall short of what is required (Quaritsch, 2025).
Finally, the DSA’s systemic risk provisions remain relatively untested in court. Articles 34 and 35 rely on open-textured standards such as “reasonable” and “proportionate” mitigation measures, whose exact legal meaning has yet to be clarified by the Court of Justice. This legal uncertainty may make regulators hesitant to push the boundaries of enforcement too quickly (Leerssen et al., 2025).
The Real Test for Europe’s Information Governance
Overall, the EDS does not fully operationalise the DSA’s regulatory potential, leaving a gap between the EU’s capacity and its policy practice. Yet this gap reflects not only institutional caution but also the genuine legal and political complexity of regulating disinformation without compromising the freedoms it threatens. For now, the EDS is neither the iron wall it promises to be, nor the paper shield it is feared to be. It is something in between, and perhaps that is all it can be.
