European digital regulation is increasingly driven by public policy concerns: illegal content, hate speech, harassment, and online harms that governments feel pressure to address quickly. The tension is that the EU’s single-market architecture for digital services was built to prevent fragmentation – so national “fast fixes” can collide with the foundational rule that online services should not be regulated differently in every Member State.
A recent Court of Justice ruling in Google Ireland and Others (C-376/22) crystallizes that trade-off. The decision doesn’t deny the legitimacy of combating illegal content. Instead, it draws a hard procedural boundary around how Member States can pursue public policy objectives when the provider is established elsewhere in the EU. The message to legislators is blunt: general, abstract obligations aimed at an entire category of providers are unlikely to survive if they bypass the EU’s country-of-origin logic.
For businesses, the message is equally important: content governance is no longer only a compliance design question – it is also a jurisdictional strategy question. Understanding where a platform is established, how the service is classified, and which legal tool a Member State uses will increasingly determine whether new national obligations apply, and whether they can be enforced.
What the Court drew a line under: “case-by-case” over “category-wide” measures
The dispute arose from an Austrian law designed to impose obligations on communication platform services in relation to illegal content – even when those services were established in another Member State. The legal backdrop is the familiar internal market bargain: under the country-of-origin principle for information society services, the primary rules governing the provider are those of the Member State where it is established.
There is, however, an escape hatch. The framework allows derogations on specific grounds, including public policy, but only within a narrow procedural lane. In C-376/22, the Court rejected the idea that this derogation could be used to support general and abstract legislation applying indiscriminately to a category of providers. The derogation, the Court indicated, is designed for targeted measures – in practice, a case-by-case approach.
This point matters because it is not simply doctrinal. It determines whether national regulators can scale obligations across the market through broad statutes – or whether they must rely on more individualized enforcement tools.
Why the ruling is bigger than content moderation: it’s about the governance of exceptions
At first glance, this can look like a technical internal market decision. In reality, it reinforces a deeper pattern in EU law: exceptions to free movement are interpreted strictly and guarded with procedural conditions. The logic is familiar:
- Public policy is politically sensitive and can vary widely between Member States.
- If every Member State can invoke public policy broadly, the single market risks fragmenting into 27 overlapping regimes.
- To manage that risk, the EU’s legal architecture often insists on individual assessment and proportionality, rather than allowing broad measures that reshape the market by default.
C-376/22 applies that logic to digital services. The Court’s line is essentially: if a Member State wants to depart from the country-of-origin model, it must do so through a constrained mechanism that minimizes systemic market fragmentation.
The emerging paradox: when public policy becomes “European,” national room to manoeuvre may shrink – not expand
The most interesting strategic implication is not the strictness itself. It’s what happens when the public policy concern is no longer purely national.
On issues like illegal content and hate speech, there is a growing sense of shared European interest. That shared interest could, in theory, reduce fragmentation risk – because Member States are moving in the same direction. But the decision suggests a different outcome: the more “European” the public policy objective becomes, the more likely the solution is expected to be European-level harmonization, rather than parallel national regimes.
This is where the Digital Services Act (DSA) becomes central. The DSA is explicitly designed to set a common EU rulebook for platform obligations. Once the EU adopts a harmonized framework, Member States generally have less space to impose additional, general obligations in the same field – especially where those obligations would reintroduce the fragmentation that harmonization is meant to eliminate.
That creates a practical dilemma for national policymakers: urgency drives them toward national regulation, but internal market constraints – and EU harmonization – push them toward EU-level solutions.
What this means for platforms and digital businesses: compliance isn’t enough; you need a jurisdiction strategy
For platform operators and digital service providers, the decision underscores that regulatory risk is not only about “what the rule says,” but also about whether the rule can validly apply under EU internal market principles.
Three implications stand out.
1) Expect more legal challenges to national platform laws – especially where they are broad by design
If a national law imposes obligations on a class of cross-border services in a general and abstract way, it becomes structurally vulnerable. Even if its policy goal is widely supported, the instrument may be challenged on the basis that it conflicts with the country-of-origin model and the strict conditions for derogations.
2) The operational burden may shift from “building controls” to “proving scope”
Many organizations treat compliance as a build-and-run exercise: implement content processes, reporting, escalation, and moderation. Increasingly, legal teams will also need a scope narrative: where the provider is established, how the service fits within EU definitions, and why certain national requirements are out of lane (or, conversely, why they validly apply).
3) Harmonized EU frameworks become the real baseline – even when national noise is loud
As EU-level rules take over more of the field, national measures may still appear – but their enforceability will depend on how the EU framework was designed and how fully it harmonized the area. For businesses, the “centre of gravity” shifts toward the EU rulebook, with national overlays becoming less predictable and more litigated.
A practical playbook for legal and compliance leaders
Organizations that manage this well treat it as an operating-model challenge: align regulatory intelligence, product governance, and enforcement readiness around a single view of cross-border obligations. A pragmatic approach typically includes five moves.
1) Build a “regulation map” that is jurisdiction-aware, not just topic-aware.
Don’t only track content rules; track how they apply cross-border. For each relevant national regime, document whether it is framed as a general obligation on providers, a targeted enforcement tool, or an implementation of EU harmonized law.
2) Stress-test national obligations against the country-of-origin logic early.
When a new national law appears, run a structured assessment: establishment location, service classification, applicability triggers, derogation pathway, and procedural conditions. The goal is to decide – quickly and defensibly – whether the law is (a) clearly applicable, (b) likely contestable, or (c) a partial overlay on an EU framework.
3) Align product teams around “EU-first” compliance design.
If the EU rulebook is becoming the true baseline, product and policy design should prioritize EU-wide harmonized requirements, and then layer country-specific adaptations only where they are clearly valid and operationally necessary.
4) Prepare an enforcement narrative, not only an internal control framework.
Supervisory and litigation risk often turns on whether a company can explain its position coherently: why it treated an obligation as applicable (or not), what it implemented, what it monitored, and how it escalated issues.
5) Create a repeatable mechanism for regulatory change under uncertainty.
This category will remain dynamic: new harms, new technologies, and new political priorities will drive new national initiatives. Winning organizations build a standing process – legal, policy, compliance, product, and public affairs – so they can respond without rebuilding the machine each time.
The bottom line: Europe is standardizing the “what,” while tightening the “how”
C-376/22 is a reminder that the EU’s internal market is not neutral infrastructure – it actively shapes what regulation can look like. Public policy goals may be widely shared, but the single market still requires discipline: strict interpretation of exceptions, procedural safeguards, and a preference for EU-level solutions when interests become European.
For businesses, the next wave of legal risk will come from the intersection of three forces: national urgency, EU harmonization, and cross-border service architecture. The organizations that stay ahead will be those that pair strong compliance execution with clear jurisdictional strategy – so they can move fast without building controls on top of rules that may not survive.
