Europe AI & Data Rules Hub

National Guidance and Soft Law: How to Treat It

UpdatedAugust 1, 2025

ByIuliia Gorshkova

The operational reality for any entity deploying artificial intelligence, advanced robotics, or complex data processing systems within the European Union is governed by a complex, multi-layered legal architecture. While the General Data Protection Regulation (GDPR) and the AI Act represent the hard, codified outer shell of compliance, the daily work of regulatory alignment occurs within a vast ecosystem of national guidance, technical standards, and institutional recommendations. These instruments, often categorized as soft law, lack the direct binding force of a regulation or directive, yet they exert a gravitational pull on compliance strategies that is difficult to overstate. For professionals navigating the European market, understanding how to interpret and operationalize these non-binding texts is not merely a matter of best practice; it is a strategic necessity for mitigating enforcement risk and ensuring market access.

From the perspective of a legal analyst and AI systems practitioner, the distinction between hard law and soft law is functional rather than absolute. Hard law—such as the GDPR or the AI Act—establishes the “what”: the legal obligations, the rights of data subjects, the prohibited practices, and the penalties for non-compliance. Soft law, comprising guidelines from Data Protection Authorities (DPAs), European Union Agency for Cybersecurity (ENISA) recommendations, national ministry whitepapers, and harmonized standards from bodies like CEN-CENELEC, addresses the “how.” It provides the interpretative bridge between abstract legal principles and concrete technical implementation. Consequently, while a court cannot fine an organization solely for failing to follow a non-binding DPA guideline, a regulator will almost certainly use that same guideline as the benchmark against which to measure the “reasonableness” and “accountability” of the organization’s technical and organizational measures.

The Juridical Nature and Authority of Soft Law

To effectively utilize national guidance, one must first appreciate its standing within the European legal order. Soft law instruments derive their influence not from legislative mandate, but from the authority of the issuing body and the technical rigor of their content. In the context of data protection and AI, these instruments serve as the primary mechanism for regulatory harmonization across the Member States.

Interpretative Tools for Hard Law

Guidelines issued by the European Data Protection Board (EDPB) or national DPAs are the most prominent form of soft law in the privacy sphere. They are not amendments to the GDPR, but they represent the collective interpretation of the supervisory authorities. For example, the EDPB Guidelines on the processing of personal data based on Article 6(1)(f) (legitimate interest) provide a detailed framework for balancing tests that the GDPR itself leaves somewhat abstract. When a DPA investigates a company, the investigator will assess whether the company’s internal documentation reflects the logic and reasoning outlined in these guidelines. Deviation from established guidance requires a robust, documented justification; simply ignoring it is a high-risk strategy that signals a lack of diligence.

The Role of National DPAs and Sector-Specific Regulators

While the EDPB strives for consistency, national DPAs retain significant autonomy. They issue guidance that reflects local legal traditions and enforcement priorities. For instance, the French CNIL (Commission nationale de l’informatique et des libertés) has historically been very active in issuing specific recommendations on cookies and geolocation data, which have often set the tone for EU-wide debates. Similarly, the German state data protection authorities often publish technical standards for data protection management systems that are more granular than EU-level documents. Professionals must monitor the guidance issued by the DPAs in the jurisdictions where they operate or where their users are located, as enforcement will be local.

Technical Standards as De Facto Regulation

Perhaps the most potent form of soft law is the technical standard. Under the AI Act, the European Commission will request harmonized standards to be developed for specific requirements. While the adoption of these standards is voluntary for providers, compliance with relevant harmonized standards grants a presumption of conformity with the legal requirements of the Act. This creates a dynamic where soft law (the standard) effectively becomes the gatekeeper for hard law (the regulation). If a manufacturer of a high-risk AI system fails to adhere to the relevant standard, they must prove conformity through other means—a significantly more burdensome and legally uncertain path.

Operationalizing Soft Law in Compliance Frameworks

The practical challenge for organizations is translating these diverse, often narrative-heavy documents into operational reality. Soft law rarely provides a checklist; it provides principles, risk assessments, and architectural patterns. The integration of these instruments requires a systematic approach that bridges legal, technical, and governance functions.

From Principles to Architecture

Consider the “Data Protection by Design and by Default” principle in Article 25 of the GDPR. The hard law mandates the obligation. However, the practical implementation is defined by soft law. ENISA, for example, has published extensive guidance on privacy engineering technologies. An engineering team designing a new data processing application will not find the solution in the GDPR text. They will find it in the technical specifications and architectural patterns described in ENISA’s guidance or in standards like ISO/IEC 27701 (Privacy Information Management System). The compliance officer’s role is to map the organization’s technical architecture against these soft law frameworks to identify gaps that might not be visible in a legal review of the code itself.

Key Interpretation: In the eyes of a regulator, “we didn’t know the standard” is not a valid defense. The expectation is that organizations actively monitor the technical and regulatory landscape and integrate relevant guidance into their product lifecycle.

The “Accountability” Trap

The GDPR and the AI Act are built on the concept of accountability. This principle requires organizations to not only comply but to demonstrate compliance. Soft law is the primary source of “demonstration” material. When conducting a Data Protection Impact Assessment (DPIA), the organization must document the measures taken to mitigate risks. If the organization has ignored specific DPA guidance on the risks associated with a particular technology (e.g., facial recognition or predictive analytics), the DPIA will be deemed insufficient. The regulator will argue that the organization failed to account for known risks identified in the soft law literature. Therefore, documenting the consideration of soft law is as important as documenting the decision to follow it.

Managing Divergence: The National Patchwork

While the EU aims for a single market, soft law often reveals deep national divergences. This is particularly evident in the employment sector. The GDPR provides a general basis for processing employee data, but Member States have specific derogations. Consequently, national DPAs issue highly specific guidance on workplace monitoring, biometric timekeeping, and health data processing. A multinational corporation cannot simply implement a single global policy based on EU-level guidance. It must analyze the soft law of each relevant Member State. For example, the approach to monitoring employee communications in the Netherlands may differ significantly from the approach in Poland or Spain, based on local interpretations of “transparency” and “proportionality” found in non-binding DPA recommendations.

Enforcement Dynamics: How Soft Law Drives Fines

It is a common misconception that soft law is “risk-free” because it is not directly enforceable. In reality, soft law is the primary lens through which regulators assess the severity of violations and the magnitude of fines. It serves as the baseline for what constitutes “good” or “bad” behavior in a specific technical context.

The Standard of Care

In administrative law, regulators often apply a “standard of care” test. They ask: What would a reasonably competent operator have done in this situation? In the rapidly evolving fields of AI and data science, the “reasonable operator” is defined by the prevailing soft law. If a company suffers a data breach because it failed to encrypt data in transit, and ENISA has long recommended specific encryption protocols, the regulator will view the failure not just as a technical oversight, but as a breach of the standard of care. This elevates the violation from a technical glitch to a failure of governance, which significantly increases the likelihood and size of a fine.

Aggravating and Mitigating Factors

When regulators calculate fines, they consider aggravating and mitigating circumstances. Ignoring clear guidance from a supervisory authority is a classic aggravating factor. Conversely, an organization that can demonstrate it followed a specific standard or recommendation—even if a breach still occurred—may benefit from a reduced penalty. The narrative of the enforcement action often centers on whether the organization acted “negligently” or “intentionally.” Adherence to soft law is the strongest evidence of non-negligence. It shows that the organization took its obligations seriously and sought to align with industry best practices.

Case Study: The Cookie Banners

The evolution of cookie consent enforcement provides a clear illustration of soft law in action. The ePrivacy Directive (hard law) requires consent for non-essential cookies. However, it was the soft law—specifically the guidelines and opinions from the Article 29 Working Party (the predecessor to the EDPB)—that defined what “valid consent” means in practice (e.g., no pre-ticked boxes, easy withdrawal). National DPAs, particularly the French CNIL and the Hamburg DPA, used these soft law interpretations to launch coordinated enforcement campaigns against major tech players. The fines levied were not for violating the text of the Directive, but for violating the specific implementation standards established in the soft law guidance. This forced a global redesign of consent mechanisms based entirely on non-binding recommendations.

Strategic Integration of Soft Law for AI and Robotics

With the entry into force of the AI Act, the role of soft law is set to expand dramatically. The Act is a horizontal regulation with broad principles, but the technical reality of AI development is highly specific. The “Implementation Roadmap” for the AI Act will rely heavily on standardization requests and guidance from the newly established European AI Office.

Standardization Requests and the “Presumption of Conformity”

The European Commission will issue standardization requests to CEN-CENELEC to develop harmonized standards covering the requirements for high-risk AI systems (e.g., data governance, transparency, human oversight). These standards will be the “how-to” manual for the AI Act. For a developer of a medical device AI or a critical infrastructure management system, engaging with the drafting of these standards is a strategic imperative. Once adopted, these standards will define the market. Products built to these standards will flow freely; those built to lower, internal standards will face regulatory friction. The soft law of today (the draft standard) becomes the hard market access requirement of tomorrow.

Regulatory Sandboxes and Soft Law Creation

Many Member States are establishing AI regulatory sandboxes—controlled environments where companies can test innovative technologies under regulatory supervision. The experiences and “best practices” emerging from these sandboxes are essentially new soft law in the making. The regulators observe what works and what poses risks, and they issue recommendations based on these observations. Participating in a sandbox is not just a testing ground for the product; it is an opportunity to influence the future soft law that will govern the sector. It allows companies to demonstrate that a certain approach to safety or data privacy is viable, potentially shaping the guidance issued to the wider industry later.

Interplay with Sector-Specific Regulations

AI and robotics rarely operate in a legal vacuum. They intersect with product liability, medical device regulations, and machinery safety directives. Soft law is often the only place where the interplay between these different regimes is addressed. For example, how does the “right to explanation” in the GDPR interact with the safety requirements of an autonomous vehicle under the Machinery Regulation? There is no single hard law article that answers this. Instead, we look to joint opinions from regulatory bodies, whitepapers from industry associations (which regulators often cite), and technical reports from safety agencies. These documents provide the interpretative glue that holds the regulatory stack together.

Practical Methodology for Managing Soft Law

For the practitioner, managing the influx of soft law requires a disciplined, systematic methodology. Relying on ad-hoc reading is insufficient for complex systems.

1. The Regulatory Intelligence Function

Organizations must establish a dedicated regulatory intelligence function. This is not necessarily a full-time role, but a designated responsibility to monitor the output of relevant bodies: the EDPB, national DPAs, ENISA, the European AI Office, and relevant national ministries. The output of this monitoring must be triaged: which documents are merely informative, and which represent a shift in regulatory expectation that requires a review of current products or policies?

2. The Gap Analysis Framework

When new soft law is published, it should be subjected to a gap analysis against current internal standards. For example, if the German BSI (Federal Office for Information Security) publishes a new recommendation for securing Large Language Models (LLMs), the AI engineering team should assess their current LLM deployments against this recommendation. The output is a gap report that feeds into the risk management process. This ensures that the organization is not caught off guard when a regulator eventually investigates a specific vulnerability that was highlighted in a recent recommendation.

3. Documentation of Deviation

There will be instances where following a specific piece of soft law is technically infeasible, commercially impractical, or legally incorrect. This is acceptable, provided it is managed correctly. The organization must document the deviation. The documentation should state: “We have reviewed Recommendation X. We are not adopting it because [specific technical or legal reason]. Instead, we are adopting [alternative measure Y], which achieves the same objective of [risk mitigation] because [justification].” This creates an audit trail that demonstrates active engagement and reasoned decision-making, which is the core of the accountability principle. Blind adherence is not required; reasoned deviation is.

4. Training and Culture

Soft law is often highly technical. It requires translation for legal teams and translation for engineering teams. The compliance team must act as the bridge, interpreting the technical nuances of a standard or guideline into actionable requirements for developers and understandable policies for business units. A culture that views soft law as “guidance” rather than “rules” is vulnerable; a culture that views soft law as the “current best definition of compliance” is resilient.

Conclusion: The Living Regulatory Ecosystem

The European regulatory landscape for technology is not a static set of rules but a living ecosystem. Hard law provides the constitution, but soft law provides the daily legislation. For professionals in AI, robotics, and data systems, the ability to navigate this ecosystem is a core competency. It requires looking beyond the Official Journal of the EU and engaging with the technical committees, the regulatory opinions, and the national recommendations that define the operational reality of the market. Treating soft law as a peripheral concern is a strategic error that exposes the organization to enforcement risk. Treating it as an integral part of the product development and compliance lifecycle is the foundation of sustainable innovation in Europe. The nuance lies in understanding that while these instruments are “non-binding,” their influence on the regulatory mindset and the enforcement landscape is absolute.

Table of Contents

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation