It is common to view agreements between regulators and regulated entities, such as enforcement settlements, voluntary compliance agreements, and even permits and licenses, as a specific regulatory tool grounded in negotiation, exchange, and consensus. In a forthcoming article in the Harvard Negotiation Law Review, titled “The Hidden Nature of Regulation,” I offer an alternative view and suggest that all types of regulation–including command-and-control (c&c), self-regulation, voluntary programs, regulatory sandboxes, disclosure, and “naming and shaming”– are based on agreements between government regulators and regulated entities (e.g. corporations and businesses).
In the evolving landscape of regulatory governance, few concepts generate as much enthusiasm—and skepticism—as voluntary compliance. Across jurisdictions and different regulatory domains, policymakers increasingly champion the notion that citizens and regulated entities should comply with the law not through coercion, but through intrinsic motivation and shared commitment to public goals. This aspiration promises to transform adversarial regulatory relationships into cooperative partnerships, reduce enforcement costs, and foster genuine behavioral change rather than mere box-ticking compliance.
Yet as Yuval Feldman’s forthcoming book Can the Public be Trusted? The Promise and Perils of Voluntary Compliance (Cambridge University Press, 2025) demonstrates, the reality of implementing voluntary compliance strategies reveals a far more nuanced picture. Focusing on three main case studies in tax, environmental behavior, and public health, the book poses a fundamental question that challenges regulatory orthodoxy: if voluntary compliance offers such compelling benefits, why do regulatory agencies worldwide continue to default to deterrence-based approaches?
On June 14, 2023, the Parliament of Georgia took a significant step toward safeguarding personal privacy by adopting a new Law “On Personal Data Protection”. Entering into force on March 1, 2024, the legislation marks a transformative shift in Georgia’s legal framework for data protection, aligning it more closely with the European Union’s (EU) General Data Protection Regulation (GDPR).
In 1861, Mill wondered how to hold to account Parliament, which checks the Ministers’ actions, but whose own behaviour is subject to little control. A similar logic is inherent to another branch of government: the judiciary. Legislation usually sets up a system of remedies against wrongful decisions; however, what if the court of last instance disregarded the law?
The proper mechanism of EU law answering to this question is judicial liability as per the Köbler case. Alongside the actions in Articles 258-259 TFEU and other non-EU remedies, this latter judgment enforces the duty laid down in Art.267(3) TFEU. Pursuant to the abovementioned legal framework, a Member State must compensate the injury caused by a manifest breach of the acquis on the part of a court of last instance (see also the Hochtief Solutions case, para. 41-43).
In May 2025 a second edition of Regulation in Australia was published.
This book provides a comprehensive analysis of the nature of regulation, its origins and development in Australia, why governments regulate, how they regulate, and who regulates whom at the federal, state and local government levels. Management of the regulatory process, the principles of good regulation and ‘red tape’ in regulation are examined. The role of soft law, prescriptive, performance-based and principle-based regulation, as well as the use of rewards and incentives in regulation is also explored.
Due to the high influx of migrants to the European Union (EU), migration is a European challenge that requires a European solution. The EU legislator’s aim is to realize a comprehensive approach that aims at strengthening and integrating key EU policies on migration, asylum, border management and integration. With firm but fair rules, these policies are designed to manage and normalize migration for the long term, providing EU countries with the flexibility to address the specific challenges they face, and with the necessary safeguards to protect people in need. The national courts and the Court of Justice have the task to review whether these new rules are in line with EU law and the fundamental rights of the migrant in order to protect the rule of law.
Europe’s capacity for innovation has come under intense scrutiny in recent years, recently fueled by reports from Draghi and Letta that highlight a widening innovation gap between Europe, China, and the U.S. With escalating geopolitical tensions and the increasing urgency for Europe to maintain independent competitiveness in especially digital markets, the mission letters to incoming Commissioners underscore the vital role of disruptive innovation. These letters establish Europe’s competitiveness as intrinsically linked to its ability to prioritize groundbreaking innovations.
This post examines Case C-134/23, where the CJEU ruled that asylum claims cannot be deemed inadmissible if readmission to a safe third country is unfeasible. The decision represents progress in ensuring access to asylum procedures, but it highlights persistent flaws in the EU system of remedies.
The road to what might be called regulatory maturity is often a long one. In EU cybersecurity regulation, a culture of vertical and horizontal collaboration is optimistic but seemingly ineffective. It likely leaves the European Union Agency for Cybersecurity (ENISA) feeling somewhat envious of the centralised enforcement powers recently vested in the Anti-Money Laundering Authority (AMLA). How feasible would it be for ENISA to follow in AMLA’s footsteps? This blog post examines whether there is regulatory space, or even a solid legal basis for such an evolution. Due to the differing contexts of financial crime prevention and cybersecurity, the limits of an analogy between the trajectories of the two agencies will become clear.
The Cybersecurity Act granted ENISA a permanent mandate along with increased responsibilities, transforming it from a “Cinderella” agency into a key cybersecurity entity in the EU. ENISA aims to achieve a high common level of cybersecurity across the Union. Its main tasks include:
Supporting EU legislation implementation and the development of EU-wide cybersecurity standards
Enhancing operational cooperation and coordination among Member States, Union institutions and private sector actors
Managing cybersecurity certification schemes to increase trust in information and communication technology (ICT)
Photo credits: ENISA website
The Emergence of AMLA
The evolution of the EU’s anti-money laundering framework has seen notable advancements, starting from the initial anti-money laundering Directive (AMLD1) in 1990 to the latest updates with AMLD6, Anti-Money Laundering Regulation (AMLR), and Anti-Money Laundering Authority Regulation (AMLAR). This development signifies an expanding regulatory focus that originally targeted drug trafficking in the 1990s, evolving into a robust framework that addresses intricate financial crimes like cyber-enabled money laundering. A significant shift occurred with AMLD3, which embraced risk-based approaches for customer due diligence (CDD). The enactment of AMLD4 improved transparency by creating mandatory central registers for beneficial ownership information, a refinement further augmented by AMLD5 (2018), which required public accessibility. The recent introductions of AMLR, AMLAR, and AMLD6 establish centralised oversight while adapting to technological advancements by creating a unified supervisory body across the EU, effectively standardising anti-money laundering initiatives among member states and confronting new technological hurdles. This evolution exemplifies direct enforcement and is a new form of functional spillover that arises from internal pressure and functional necessity, rather than from external crises. This indicates that achieving the established policy goals necessitates the expansion and uniform application of EU law. Below, we delve into why and how direct enforcement is essential for ENISA to attain a high common level of cybersecurity throughout the EU.
Why should ENISA follow the same trajectory as AMLA?
However, this might be an impossible mission or one that lies in the fairly distant future… Direct enforcement for the wandering ENISA faces a steep climb, blocked by the EU’s limited competences in security matters, an area still fiercely guarded by the Member States.
How this trajectory can be beneficial
As referred to above, the sole competence of Member States in matters of public and national security (recognised under Article 4(2) TEU) currently limits ENISA’s ability to gain direct enforcement powers; there is, however, precedent for derogation from the national security exemption, as can be observed in the Privacy International case (paragraph 44) in relation to the e-privacy Directive.
For now though, we must not jump ahead but instead envisage some preliminary steps that may take ENISA some distance down AMLA’s beaten path. A prerequisite of any centralisation is an unequivocal delineation of the agency’s role in a crowded regulatory environment. The elaboration of the EU cybersecurity landscape in recent years has led to a blurring of the lines between the competences of the entities involved, particularly with the emergence of several networks and centres at the EU level aiming to prepare for, respond to, or analyse cybersecurity threats and incidents. Although the notion of collaboration seems to be favoured in EU cybersecurity policy, the lack of exclusive specialisation on ENISA’s part would undermine any future enforcement remit for the agency. Thus, policymakers should pinpoint the tasks and responsibilities the execution of which would allow ENISA to contribute most optimally to the improvement of EU cybersecurity. This prioritisation of tasks would enable ENISA to enhance its operational efficiency, and ultimately its reputation, potentially paving the way for a transition to a more substantively empowered role.
ENISA
AMLA
Legal basis
Cybersecurity Act (2019) & NIS2 Directive
AML/CFT Regulation (2024) & AMLD6
Enforcement powers
No direct enforcement (supports national authorities)
Still Relevant After 50 Years: A Reality Check for Cedefop
Cedefop turns 50!
Source: Pinterest
In a world where labour markets are evolving rapidly, driven by digital transitions, demographic shifts, and green ambitions, it is vital that EU education and skills development is set up for success. Marking its 50th anniversary in 2025, the European Centre for the Development of Vocational Training (Cedefop) has been a cornerstone of EU cooperation in education and skills development. Some critics might question the effectiveness of Cedefop, pointing to its lack of enforcement powers as a barrier to achieving its goals. But when one looks at these goals, the role of Cedefop remains relevant and important in achieving the mission to enhance cooperation and knowledge-sharing among Member States in the field of vocational education and training (VET).
Is ‘soft power’ enough to shape the future of work?
Cedefop’s mandate is broad, and it relies solely on soft powers to achieve this. The term ‘soft power’ usually describes an ability to influence others through shared values, consensus, and cooperation, rather than through legislation or formal authority.
Source: Cedefop website
In practice, Cedefop has focused on two main goals: enhancing transparency in qualifications and facilitating transferability of learning outcomes across Member States. These goals support freedom of movement for learners and workers, so that credentials in one country are understood and accepted in another. This naturally raises the question about whether Cedefop has effectively fulfilled these goals.
When outcomes are seen as beneficial, rather than being forced, there is generally less pushback from governments and other actors. For many EU countries, vocational education and training has a direct influence on efforts to reduce unemployment, especially for people who may lack skills relevant to changing labour markets.
The skills puzzle: solving labour gaps through EU cooperation
Zooming into cooperation, there is still room for improvement. Cedefop’s effectiveness in VET partly depends on how closely it works with Member States, social partners, the European Commission, and the European Parliament. By gathering data and sharing knowledge, Cedefop encourages different national and EU-level actors to align strategies in addressing skills mismatches.
During the European Year of Skills 2023, particular emphasis was placed on upskilling and reskilling, lifelong learning, and fostering both innovation and competitiveness. These aims also support people and businesses in meeting green and digital objectives. Recognising the importance of collective efforts, and in celebrating 50 years of activity, Cedefop joined the Eurofound, the European Agency for Safety and Health at Work (EU-OSHA), the European Training Foundation (ETF) and the European Labour Authority (ELA), in hosting a major event. This gathering highlighted how the five agencies contribute to enhancing skills development.
In discussions with the Parliament and Commission, Cedefop presented its latest report: Skills in transition – the way to 2035. The report’s key message was that Europe is facing urgent labour shortages, especially in science, technology, engineering, mathematics (STEM) and IT fields. Green and digital transitions are rapidly reshaping Europe’s labour market. To remain competitive and resilient, Europe needs well-targeted policy decisions and a fresh approach to skill-building.
Navigating duplication risks and collaborative leadership
Questions arise about overlapping responsibilities between EU agencies. Cedefop, Eurofound, and EU-OSHA share certain priorities, including improving working conditions and aligning skills with the needs of evolving economies. Nevertheless, Cedefop’s soft-power strategies continue to offer added value. It promotes collaboration by disseminating research, guiding Member States on reskilling, and working closely with other agencies to produce policy recommendations that address real-world challenges. Together, they act as “political entrepreneurs,” pushing Europe’s skills agenda forward.
Still, as Cedefop cannot compel countries to adopt its insights, progress depends on politicians and policymakers embracing them. This reality often leads to uneven outcomes; some countries quickly integrate Cedefop’s recommendations, while others may hold back. Another common concern is “duplication risk,” where different agencies might be seen as doing the same work. Cedefop’s defenders point out that each EU agency has a specific focus: Cedefop zeroes in on vocational training, Eurofound studies broader social and work conditions, and EU-OSHA looks at safety and health. Where their work converges, they aim to coordinate rather than compete.
Inconsistent Adoption of Cedefop’s Recommendations Across EU Member States
Cedefop has made recommendations for improving access to skills development and adult learning, particularly for marginalised groups. One approach Cedefop endorses is the use of financial assistance for vulnerable learners. However, the adoption of these recommendations has been far from uniform across EU Member States, with progress varying widely.
For example, Germany offers support through the National Skills Strategy for low-qualified adults who may otherwise struggle, and France has a similar program, Compte Personnel de Formation, allowing individuals, including those from disadvantaged backgrounds, to access training. Both initiatives align with Cedefop’s goals at making upskilling more accessible.
In contrast, Bulgaria remains in the early stages of reforming their VET system. Although there are positive indications, reforming VET can take time as it often faces challenges like legislative changes and budgetary allocations which slow the pace of progress. Romania records one of the lowest levels of adult learning participation in the EU, raising concerns about whether people there can adapt to ongoing economic and technological changes.
These discrepancies highlight the need for a more consistent approach to improving skills development across Europe. However, they also indicate that responsibility does not rest with Cedefop. Given the number of EU citizens who agree that VET plays an important role in reducing unemployment, it should be clear there is incentive to work with Cedefop in improving VET.
Shaping the future
Cedefop’s impact is greatest when stakeholders recognise the tangible benefits and engage with Cedefop’s contributions to VET development. By continuing to promote advancements to VET systems, Cedefop reinforces its central role in building a competitive, forward-looking EU workforce. These efforts show that lacking enforcement powers does not necessarily limit an agency’s ability to make a difference.
Even if Cedefop’s goals remain aspirational, its contributions to policy debates and collaborative initiatives show that progress is possible despite the constraints of soft power. With half a century of experience rooted in research, collaboration, and policy, Cedefop remains committed to making VET and skills development accessible to everyone, always keeping a future-oriented perspective.
In the end, the lack of direct enforcement powers reflects the EU’s decision to preserve Member State sovereignty over education. As labour markets continue to evolve, vocational education will likewise transform, and a central EU-level body devoted to coordinating these changes seems likely to remain important. It is still an open question whether exclusive reliance on soft powers is the most effective long-term strategy for shaping vocational education, training, and skills policies, but the work of Cedefop over the past 50 years provides plenty of evidence that such an approach can achieve significant results.
ENISA – 
During the 
www.wordsandquotes.com