Data law institutions: independence, enforcement powers, degree of centralisation and agencification

This article analyzes the institutional governance architecture of the EU data-law regime with a focus on independence, enforcement powers, the degree of centralization and the process of agencification across the GDPR, the Data Governance Act (DGA), the Data Act (DA), the Digital Markets Act (DMA), the Digital Services Act (DSA) and the AI Act. Applying a comparative approach, the authors synthesize primary legislative texts and scholarly literature to map how different rules allocate authority among EU institutions and national authorities, and to assess the implications for crossborder enforcement and EU-wide harmonization. A central finding is that the GDPR preserves a high standard of independence for data protection authorities, anchored in decisional, organizational and financial autonomy, and robust enforcement tools, including binding orders and substantial fines, supported by crossborder cooperation mechanisms such as the One-Stop-Shop and the coherence procedure coordinated by the European Data Protection Board. By contrast, the latest regulatory instruments of the new EU data laws largely eschew uniform, centralized sanctions in favor of different national-level enforcement, albeit within a framework of enhanced supranational coordination. The DGA and DA, for example, designate national competent authorities, but leave it completely in the hands of the Member States to configure the de facto sanctioning regime (e.g. most importantly the level of fines). The DMA centralizes enforcement against gatekeepers at the European Commission, while the DSA keeps day-to-day supervision at the national level, but relies on Commission leadership for mitigating certain systemic risks by regulating very large online platforms and Search Engines; the AI Act, eventually, inaugurates risk-based regulation intensity and mirrors this with a layered, hybrid governance structure, featuring a supranational AI Office, an AI Board, an advisory forum, and a scientific panel, all designed to coordinate not only crossborder supervision but also standard-setting, guidelines, and capacity building. Across these instruments, a hybrid institutional design emerges: centralized power and harmonized enforcement for crossborder, high-impact actors at the EU level, and decentralized, sector-specific governance at the national level for other actors. This design is further supported by coordination bodies such as the European Data Innovation 2 Board, the AI Committee, and the joint governance mechanisms under the DSA and DMA. However, the proliferation of zealous new national authorities and the lack of assertive supranational bodies raise concerns about regulatory fragmentation resulting in a chaotic, confusing and ineffective landscape of supervisory authorities as well as their democratic legitimacy, especially given resource constraints and potential jurisdictional overlaps. The paper concludes that the current architecture reflects a pragmatic response to past GDPR lessons: it seeks strong, centralized oversight where strong (especially non-EU) market power crosses borders, while preserving national regulatory autonomy in other domains. The effectiveness of this hybrid model will hinge on sufficient resources for the competent authorities, clear delineation of powers between the Commission and national authorities, and robust, ongoing coordination and cooperation mechanisms among EU and national bodies to prevent fragmentation and ensure consistent application across the Union.