Handling Conflicts Between National Requirements and EU Rules
Organizations operating across the European Union frequently encounter a complex legal landscape where national requirements and EU-level frameworks intersect, overlap, or occasionally conflict. Navigating these intersections is not merely a matter of legal compliance; it is a core component of risk management and strategic governance. The European Union is a supranational entity: it sets overarching rules in the fields where the Member States have conferred competence on it, while Member States retain significant autonomy in domains such as the organisation of healthcare, law enforcement, and national security. This dual-layered system creates a dynamic environment in which the primacy of EU law is a foundational principle, yet its practical application requires nuanced interpretation at the national level. For professionals in AI, robotics, biotech, and data systems, understanding how to manage these conflicts is essential for deploying innovations legally and ethically across the continent.
This article provides an analytical framework for identifying, assessing, and resolving conflicts between national requirements and EU regulations. It focuses on the practical application of risk management principles and the necessity of documented decision-making to ensure accountability and legal certainty. We will explore the hierarchy of legal sources, the specific mechanisms of divergence in key legislative acts like the GDPR and the AI Act, and the procedural steps organizations must take to align their compliance strategies with the principle of proportionality and legal certainty.
The Principle of Primacy and the Hierarchy of Norms
At the heart of the EU legal order lies the principle of primacy, established by the Court of Justice of the European Union (CJEU) in its case law from Costa v ENEL (1964) onwards. This principle dictates that EU law takes precedence over conflicting national law: when a provision of national law contradicts a provision of EU law, the national court or authority must set the national provision aside to the extent of the conflict. Primacy is not an unlimited power, however. Under the principle of conferral, the EU acts only within the limits of the competences the Member States have conferred on it in the Treaties, and areas not regulated by EU law remain the domain of national legislation.
For an organization, this creates a hierarchy of norms that must be respected:
- Treaties and the EU Charter of Fundamental Rights: The highest legal authority.
- Regulations: Directly applicable in all Member States without the need for national implementing laws (e.g., GDPR, AI Act).
- Directives: Require transposition into national law. Member States have discretion on the exact form and methods, leading to potential divergence (e.g., NIS2 Directive, Product Liability Directive).
- National Laws: Applicable in areas not covered by EU law or in implementing EU Directives.
Conflicts often arise not from direct opposition to a Regulation, but from the interpretation and implementation of Directives, or from national laws in areas where the EU has not harmonized the field completely. In such cases, the telos (purpose) of the EU legislation and the principle of effectiveness are used by courts to determine if national laws create barriers to the Single Market.
Identifying the Nature of the Conflict
Before a conflict can be managed, it must be correctly identified. Conflicts generally fall into three categories:
- Direct Conflict: A national law explicitly prohibits what an EU Regulation mandates, or vice versa. This is rare due to the supremacy doctrine but can occur in highly politicized areas.
- Divergent Implementation: A Member State transposes a Directive with stricter or more specific requirements than the EU baseline, or exercises an opening clause in a Regulation. Divergence can also arise at the enforcement level: a national supervisory authority might interpret "legitimate interest" more narrowly than the EDPB guidelines suggest.
- Regulatory Fragmentation: The EU sets a horizontal framework (e.g., AI Act), but Member States retain vertical competence in specific sectors (e.g., healthcare, critical infrastructure), creating a patchwork of sector-specific rules.
Case Study: The General Data Protection Regulation (GDPR)
The GDPR is a prime example of a regulation that allows for national derogations. While it is a Regulation (directly applicable), Article 88 explicitly permits Member States to introduce more specific rules to protect the rights and freedoms of employees regarding the processing of personal data in the employment context. This creates a “floor” of protection, but Member States can build higher walls.
For instance, the German Federal Data Protection Act (BDSG-new) contains specific provisions on employee data processing that are more detailed than the GDPR. Similarly, France’s CNIL issues specific recommendations for video surveillance that may differ from guidance in other Member States.
Managing Divergence in Data Processing
When an organization relies on "legitimate interest" (Art. 6(1)(f) GDPR) as a legal basis for processing data, it must perform and record a Legitimate Interest Assessment (LIA). If a national law, acting within the room the GDPR leaves to Member States (for example Art. 6(2)-(3) for processing under a legal obligation or public task, Art. 88 for employment, or Art. 9(4) for genetic, biometric and health data), imposes stricter conditions in a specific sector such as financial services, the organization must comply with the stricter national rule, provided that rule stays within the opening clause and does not undermine the core principles of the GDPR. A national rule that restricts processing outside any such opening clause is, in principle, precluded by the Regulation and should be flagged for legal review rather than silently adopted.
Key Interpretation: In the event of a conflict between a national implementing measure and a provision of a Regulation, the Regulation prevails. However, where the Regulation explicitly allows Member States to legislate (derogations), the national law applies, provided it respects the general principles of EU law and the essence of the fundamental rights.
The AI Act and National Security Derogations
The EU Artificial Intelligence Act (AI Act) introduces a harmonized framework for AI systems. However, it excludes from its scope AI systems placed on the market or used exclusively for military, defence or national security purposes (Art. 2(3)). It also prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (Art. 5(1)(h)), except for a short list of narrowly defined objectives, and even then only where a Member State has chosen to authorise such use in national law and the individual deployment is subject to prior judicial or independent administrative authorisation and a necessity and proportionality test.
This creates a potential conflict between the EU’s fundamental rights framework (protection of privacy) and national security imperatives. Organizations providing AI solutions to the public sector must navigate this.
High-Risk AI Systems in Critical Sectors
For high-risk AI systems listed in Annex III (e.g., safety components in the management and operation of critical infrastructure such as electricity, water or digital networks), the AI Act sets conformity assessment, risk management, logging and cybersecurity requirements. However, the operation of critical infrastructure is often a national competence, and the NIS2 and CER Directives are transposed into national law with national variations. If a national authority requires a specific security standard for an AI system controlling a power grid that exceeds the AI Act's requirements, the provider and the deployer must meet both.
The strategy here is modular compliance: design the system to meet the highest common denominator (the strictest applicable standard) to ensure it can be sold across the EU without modification, while documenting the specific national deviations.
Risk Management Approach to Regulatory Conflicts
Treating regulatory divergence as a risk factor is the most effective approach. This involves a structured process of identification, analysis, evaluation, and treatment, integrated into the organization’s overall compliance and governance framework.
1. Jurisdictional Mapping
Organizations must map the regulatory requirements of every jurisdiction in which they operate or intend to operate. This is not limited to the country of headquarters but includes every country where data is processed, products are placed on the market, or services are rendered.
Practical Step: Create a “Regulatory Matrix” that lists EU-level obligations (e.g., GDPR Art. 30 records of processing) in one column and corresponding national variations in another. Highlight areas where national law imposes additional burdens.
2. Conflict Identification and Legal Opinion
Once the landscape is mapped, potential conflicts must be flagged. This requires input from legal counsel specializing in EU law and the specific national law. Internal compliance teams should not rely solely on automated legal tech tools for this step; human interpretation is crucial.
Documented Decision: Every identified conflict must be logged in a “Compliance Register.” The entry should include: the specific EU rule, the specific national rule, the nature of the conflict, and the proposed resolution strategy.
3. The Proportionality Test
When a national requirement seems to conflict with an EU rule, the organization should assess the proportionality of the requirement. Does the national rule achieve its objective (e.g., public safety) in a way that is less restrictive on trade or fundamental rights than necessary?
If the organization believes a national rule is disproportionate or incompatible with EU law, it has two paths:
- Compliance under Protest: Comply with the national rule to avoid immediate penalties, while initiating a dialogue with the national regulator or challenging the rule in national courts (referencing EU primacy).
- Referral to the CJEU: A national court hearing the challenge may refer a question on the interpretation of EU law (or the validity of an EU act) to the CJEU for a preliminary ruling under Art. 267 TFEU. The CJEU does not itself strike down national law; it interprets the EU rule, and the national court then decides whether the national provision must be set aside.
4. Responding to "Gold Plating"
In EU usage, "gold plating" describes a Member State adding requirements that go beyond what a Directive demands when it transposes it. Organizations face the mirror dilemma: whether to voluntarily exceed regulatory requirements everywhere in order to be safe. While this seems prudent, it can lead to unnecessary costs and operational friction if different "gold standards" are required in different countries.
Recommendation: Adopt a "Core + Modules" architecture. The core product complies with the strictest standard that applies EU-wide. Modules are added to address specific national requirements (e.g., different statutory data retention periods in France and Germany). Each module should only tighten the core, or carry a documented legal sign-off where a national rule genuinely requires a different setting. This avoids creating a fragmented product line while ensuring local compliance.
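The following is an added illustration of the "Core + Modules" idea as a configuration resolver, not code from the original page. It assumes a core policy that holds the strictest EU-wide value per control, per-jurisdiction modules that may override a control, and a rule that a module can tighten a control freely but may loosen it only when the entry carries a documented approval; every decision is appended to an in-memory compliance register. The control names, jurisdiction codes (MS-A, MS-B, MS-C) and numeric values are constructed placeholders, not actual legal requirements.

```python
"""Core + Modules policy resolver with a compliance-register audit trail.

Added example (not the page's own code). Controls, jurisdictions and numbers
are constructed placeholders; nothing here states an actual legal period.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Which direction counts as "stricter" for each control (assumed mapping):
# "lower"  -> a smaller value is stricter (e.g. retention days)
# "higher" -> a larger value is stricter (e.g. key length, True for a duty)
STRICTER_IS = {
    "log_retention_days": "lower",
    "employee_monitoring_notice": "higher",
    "min_tls_key_bits": "higher",
}


@dataclass
class RegisterEntry:
    """One logged decision: the EU core value, the national value, the outcome."""
    jurisdiction: str
    control: str
    core_value: object
    module_value: object
    applied_value: object
    outcome: str            # tightened | unchanged | loosened_approved | rejected
    approval: Optional[str]
    recorded_at: str


def is_stricter(control: str, candidate, baseline) -> bool:
    """True when `candidate` is stricter than `baseline` for this control."""
    if STRICTER_IS[control] == "lower":
        return candidate < baseline
    return candidate > baseline


class PolicyResolver:
    def __init__(self, core: dict, modules: dict):
        self.core = core                # control -> strictest EU-wide value
        self.modules = modules          # jurisdiction -> {control: {"value", "approval"?}}
        self.register: list = []        # append-only compliance register

    def resolve(self, jurisdiction: str) -> dict:
        """Return the effective policy for one jurisdiction, logging each decision."""
        effective = dict(self.core)
        for control, override in self.modules.get(jurisdiction, {}).items():
            if control not in self.core or control not in STRICTER_IS:
                raise KeyError(f"module sets unknown control {control!r}")
            value = override["value"]
            approval = override.get("approval")
            core_value = self.core[control]
            if value == core_value:
                outcome, applied = "unchanged", core_value
            elif is_stricter(control, value, core_value):
                outcome, applied = "tightened", value          # national rule is stricter
            elif approval:
                outcome, applied = "loosened_approved", value  # documented legal sign-off
            else:
                outcome, applied = "rejected", core_value      # never silently weaken core
            effective[control] = applied
            self.register.append(RegisterEntry(
                jurisdiction, control, core_value, value, applied, outcome,
                approval, datetime.now(timezone.utc).isoformat()))
        return effective


# Constructed sample input: placeholder values only.
CORE_POLICY = {
    "log_retention_days": 180,
    "employee_monitoring_notice": True,
    "min_tls_key_bits": 2048,
}
NATIONAL_MODULES = {
    "MS-A": {"log_retention_days": {"value": 90}},                 # tightens core
    "MS-B": {"log_retention_days": {"value": 365,                  # loosens, with sign-off
                                    "approval": "placeholder legal opinion ref + CCO sign-off"}},
    "MS-C": {"min_tls_key_bits": {"value": 1024}},                 # loosens, no sign-off
}

if __name__ == "__main__":
    resolver = PolicyResolver(CORE_POLICY, NATIONAL_MODULES)
    for j in ("MS-A", "MS-B", "MS-C", "MS-Z"):
        print(j, resolver.resolve(j))
    for e in resolver.register:
        print(f"{e.jurisdiction} {e.control}: {e.outcome} -> {e.applied_value}")
```

The design point is the asymmetry: a national module that is stricter than the core is applied automatically, while anything weaker is refused unless the register entry can point at a documented decision. A jurisdiction with no module simply inherits the core, which is what makes the core product shippable everywhere.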
Documented Decision-Making: The Audit Trail
In a regulatory environment defined by ambiguity and rapid change, the process of decision-making is as important as the outcome. Regulators and auditors look for evidence that an organization acted diligently, reasonably, and in good faith. This is where documented decision-making becomes a shield against liability.
The Compliance Impact Assessment (CIA)
Before deploying a technology or process that touches on conflicting regulations, the organization should conduct a CIA (in this context not the confidentiality, integrity and availability triad familiar to security teams). It is similar to a Data Protection Impact Assessment (DPIA) but broader in scope, covering every regulatory regime the deployment touches rather than personal data alone.
The CIA should document:
- The Conflict: A precise description of the national vs. EU requirement.
- Stakeholder Analysis: Who is affected? (Employees, customers, the state).
- Legal Analysis: The interpretation of the legal texts.
- Alternative Solutions: Why the chosen solution is preferred over others.
- Approval: Sign-off by the Data Protection Officer (DPO), Chief Compliance Officer, or Legal Counsel.
Example: Cross-Border Telemedicine
Consider a telemedicine platform operating between Sweden and Germany. EU rules on cross-border healthcare (Directive 2011/24/EU) facilitate patient mobility, and Article 3(d) of that Directive deems healthcare provided via telemedicine to be provided in the Member State where the healthcare provider is established. Software that qualifies as a medical device is harmonized under the MDR, but national rules on doctor licensing, remote prescribing, reimbursement and professional liability still differ. A Swedish doctor using the platform to treat a German patient is licensed in Sweden, and the recognition of that qualification falls under Directive 2005/36/EC, yet German rules on remote diagnostics and reimbursement may still bite.
Documented Decision: The platform must document that it verifies the doctor's credentials according to the home Member State (the EU principle of mutual recognition) and that it informs the patient that reimbursement, prescribing and liability rules may differ in their country of residence. The decision to operate rests on a legal opinion that the Directives remove the need for dual licensing, while the residual risk of local litigation is explicitly accepted and insured against.
Practical Workflow for Conflict Resolution
To operationalize these concepts, organizations should establish a clear workflow for handling regulatory conflicts.
Step 1: Detection
Monitoring mechanisms must be in place. This includes subscribing to regulatory updates from EU institutions (e.g., EUR-Lex) and national gazettes. For AI and tech companies, engaging with industry associations (like DigitalEurope or national digital associations) is vital for early warnings on proposed national laws that may diverge from EU norms.
Step 2: Triage
Not all conflicts are equal. Use a risk matrix:
- High Risk: Conflict involves fundamental rights, criminal liability, or immediate market access barriers.
- Medium Risk: Conflict involves administrative burdens or financial penalties.
- Low Risk: Conflict involves minor reporting differences.
Step 3: Resolution Strategy
Select the appropriate management strategy:
- Avoidance: Cease the activity in the conflicting jurisdiction.
- Mitigation: Implement controls (technical or organizational) to satisfy both requirements.
- Transfer: Use third-party processors or partners who are established in a compliant jurisdiction.
- Acceptance: Proceed with the activity, accepting the legal risk, provided it is not criminal.
Step 4: Documentation and Review
Every step of the resolution must be recorded. The regulatory environment is dynamic; a conflict resolved today may change tomorrow due to a new court ruling or legislative amendment. Therefore, the Compliance Register must be reviewed quarterly.
Specific Challenges in Biotech and Robotics
The biotech and robotics sectors face unique challenges due to the intersection of product safety laws (EU level) and ethical frameworks (National level).
Biotech: Divergent Ethical Approvals
While the EU has harmonized rules for medical devices (MDR) and in vitro diagnostics (IVDR), the ethical approval of research involving human embryos or genetic modification varies drastically between Member States. Research on human embryos that is permitted in some Member States is prohibited or severely restricted in others; Germany's Embryo Protection Act is a frequently cited example of the strict end of the range.
Organizations must separate their research and development activities from their product placement activities. If a conflict arises regarding the origin of biological material used in a product, the organization must ensure that the product placed on the market in a specific Member State complies with that state’s specific ethical import restrictions, even if the manufacturing process was compliant with EU GMP (Good Manufacturing Practice) guidelines.
Robotics: Civil Liability
The revised Product Liability Directive (Directive (EU) 2024/2853) extends strict product liability to software, including AI systems, but as a Directive it must be transposed, and national tort law still governs non-product liability such as negligence in operating a robot. If a robot causes damage in a public space, the outcome may differ between a jurisdiction such as France, whose Civil Code imposes strict liability on the custodian of a thing that causes harm (Art. 1242), and jurisdictions that rely on general fault-based negligence.
Strategy: Insurance policies must be tailored to cover the “gaps” between EU harmonization and national liability regimes. Organizations should not assume that a harmonized CE mark covers all liability risks in all Member States.
The Role of the European Data Protection Board (EDPB) and National Authorities
In the context of data protection, the EDPB aims to ensure consistent application of the GDPR. However, national Data Protection Authorities (DPAs) retain enforcement powers and can interpret rules differently.
If an organization faces conflicting guidance from the EDPB and a national DPA, the organization should:
- Treat the EDPB guidelines as the "EU baseline" for interpretation, while remembering that the binding enforcement decision is taken by the competent DPA.
- Engage with the national DPA (for cross-border processing, the lead supervisory authority under the one-stop-shop mechanism) to seek clarification, or adopt the stricter of the two readings where that is feasible.
- If the conflict remains unresolved, note that an organization cannot itself trigger the consistency mechanism: EDPB opinions (Art. 64 GDPR) and binding dispute resolution decisions (Art. 65) are initiated by supervisory authorities, the Commission or the EDPB Chair. The organization can ask its lead DPA to raise the question, and can challenge an adverse decision before the national courts.
This proactive engagement demonstrates a “culture of compliance” which is a mitigating factor in the event of an investigation.
Conclusion: The Imperative of Agility
Managing conflicts between national requirements and EU rules is not a static legal exercise; it is a dynamic operational capability. For professionals in high-tech and regulated industries, the ability to map, analyze, and document these conflicts is a competitive advantage. It allows for faster market entry, reduces the risk of fines, and builds trust with regulators and the public.
The key takeaway is that compliance is not about finding the “lowest common denominator.” It is about identifying the “highest standard of care” required by the intersection of EU supremacy and national sovereignty. By embedding rigorous risk management and documented decision-making into their governance structures, organizations can navigate the European regulatory maze with confidence and legal certainty.
