Date: 2026-03-09

Opinion by: Agata Ferreira, assistant professor at the Warsaw University of Technology

Regulators are increasingly confronting the tough truth about digital power: The biggest risks in today's digital world are not just about bad actors' behavior. The risks are baked into how dominant digital systems work today.

Lock-in, dependency, data hoarding, opaque control, market dominance and single points of failure are no longer isolated problems. Across competition laws, data rules, operational resilience and cybersecurity regulations, lawmakers are identifying the same pattern. When you put access, communication, storage and coordination into a handful of giant platforms, the risks pile up just as fast as these systems scale.

This shift of perception matters because it reframes the problem. Modern digital regulation is no longer primarily about punishing bad behavior. It is increasingly about managing and containing dominating centralized systems that are structurally resistant to correction.

The EU and the Digital Markets Act

The European Union is a good example. The Digital Markets Act targets entrenched gatekeepers and the power of networks. The Digital Services Act treats big online platforms as sources of systemic risk.

The Data Act tries to break user lock-in by addressing technical barriers to portability. The Digital Operational Resilience Act and NIS2 Directive treat concentrated tech infrastructure as critical dependencies and systemic vulnerabilities. These are diverse regulations, yet they converge on a similar diagnosis: Centralization breeds dependency, concentrates power and turns local failures into widespread problems.

There is, however, a limit to what regulations can achieve. Law can impose obligations, mandate data portability, restrict certain data practices or require risk assessments. The law struggles to neutralize architectures that continuously recreate the same risks by design.

When systems are built around aggregation and control, regulations are forever trying to compensate for this with more compliance requirements, more supervision and more enforcement. Meanwhile the incentives that drive consolidation and control remain intact.

The tension is rising

This tension is not theoretical. The debate between the International Criminal Court and Microsoft following US sanctions on the ICC prosecutor illustrated how infrastructure dependencies are prone to become politically sensitive. Microsoft had to publicly insist it hadn't cut off the ICC as an institution, but the episode highlights a broader issue: when just a few companies control key digital tools, legal and geopolitical pressure can quickly translate into systemic effects. Suddenly infrastructure is not just plumbing, but a lever of control.

That is precisely the type of risk EU regulators try to address. If the risks, like lock-in, concentration, single points of failure, systemic scale and irreversible power asymmetries, are built into the structure, throwing more regulations at such systems will not eliminate such embedded risks.

Reducing risk by design

The question then shifts from how to regulate more to how to reduce structural risks by design.

A coherent solution must fulfill several conditions. Users must be able to exit the system at will and in practice, not just in theory. Critical digital functions cannot run through a handful of chokepoints. Data aggregation should not be the default operating model. An outage at one provider should not take down half the internet or paralyze entire sectors.

Centralized platforms are just not built to fulfill these conditions. Their economic and technical logic depends on integration and aggregation across operating system layers, user access, data flows, distribution channels, payment rails and cloud infrastructure. Even when heavily regulated, those layers remain structurally concentrated and centralized.

This is where privacy-preserving, user-controlled, decentralized stacks begin to look less like ideology and more like the next logical step. When coordination and computation move closer to users rather than being mediated through a single operator, control is distributed by design. When systems are modular rather than vertically welded together, substitutability becomes feasible. When data is not hoarded in one place, there is no need for constant escalation of supervision.

In such architectures, failure can stay local rather than systemic. Exit becomes a real option, not a regulatory aspiration. Concentration risk diminishes because no single intermediary becomes the universal gateway for access, communication, data storage or value transfer.

In this context, privacy is not primarily a moral slogan. It is an architectural outcome, if disintermediation is combined with privacy-preserving design. Removing a single gateway reduces concentrated control, but if coordination still depends on a globally transparent or linkable state, exposure can remain systemic.

The next architectural evolution is not just decentralized consensus, but decentralized, privacy-preserving coordination across the stack. It is no coincidence that parts of the Web3 ecosystem are now openly talking about a shift toward self-sovereign computing, a move away from platform-mediated execution and toward user-controlled runtime environments as the next structural layer of the internet.

Policy pressure and today's technologies push against each other. When the EU debated the "Chat Control" proposal, experts warned that scanning people's messages could push users to look for decentralized alternatives that protect privacy from the ground up and don't rely on single control points.

None of this suggests that decentralized systems are magic fixes for everything. They have challenges of their own and they don't dispense with laws. But as regulators shift their focus to things like substitutability, resilience, reducing dependency and cutting systemic risk, it's getting harder to ignore how well decentralized, privacy-preserving stacks align with those goals.

This convergence is not ideological. Regulators increasingly see risks as an architectural problem. Meanwhile technologies are being built for privacy, decentralization and user control to tackle those risks by design.

Will policymakers keep patching systems that generate and recreate systemic risks by design, with ever more regulations, audits and obligations?

It is time policymakers and regulators recognized that the most durable form of risk mitigation starts with digital infrastructure design. Privacy-preserving, decentralized, user-controlled stacks are the architecture that makes those goals achievable by default, not by endless regulatory intervention.



