🚧Compliance Law as the Royal Road for regulatinf the Digital Space

Compliance Law,

the Royal Road for regulating the Digital Space

To show that Regulating the digital space is taking the path of Compliance Law, this study sets out 6 stages. The first shows the conceptual gap between the idea of Regulatory system and the 2 ideas on which the digital space was built. The second shows the practical gap between the ordinary tools of Regulatory mechanism and the functioning of the digital space. The third ....

The conclusion is that Compliance Law is the Royal Road to regulating the digital space.

I. At first sight and conceptually: the gap between the idea of Regulate and the 2 ideas on which the digital space has been built and is being deployed

1. 🏞 In the literal sense, "Regulate" consists of laying down rules. These rules are laid down before people adopt behaviour. This is why people must follow these rules, laid down Ex Ante, either because these rules prohibit behaviour, in which case contrary behaviour constitutes a violation that will be punished, or because these rules prescribe behaviour, in which case the violation will be constituted by inaction and the person will then be forced to act. This applies whether the rule is legal, technical, social, biological, climatic, etc.

2. 🏞 The person who sets the rules has immense power, since the behaviour of all the other people is either positive (authorising behaviour) or negative (prohibiting behaviour) in the light of these rules. More often than not, humans do not have the power to set the rules (physical rules, climatic rules, mathematical rules, etc.).

3. 🏞 However, some have the power to enact legal rules in Ex Ante, either general through laws and regulations, or specific through contracts and judgments. In legal systems built on the constitutional principle of personal freedom, this power to prohibit behaviour is an exception, so that freedom remains the principle: Criminal Law, which prohibits, still has the constitutional status of an exception, including in the apprehension of offences committed in the digital space📎!footnote-4385.

4. 🏞 Conceptual tensions have increased because the digital space has been built on the principle of freedom on the one hand and technology on the other. As we know, the first builders of this space were driven by a libertarian conception, which is resurfacing today in an amplified form. On this conceptual basis, "deregulation" is called for, with regulation being designated as illegitimate in principle, and even contrary to the Constitutions. Secondly, it is argued that the rules governing the digital environment are not legal but technical in nature. In fact, according to the now famous formula of the law professor Laurence Lessing, Code is Law: it is the computer coding which, in this new space finally freed from the physical laws of the old world, constitutes its constitutive laws, the necessary and sufficient laws. From then on, any rule, particularly legal rules, would be an ignorance of this space, hindering its development.

5. 🏞 We must never underestimate the importance of this conceptual battle, as ideas drive the world.

II. At first sight and in practice: the gap between the ordinary methods of Regulatory Law and the organisation of the digital space

1. 🏞 This confrontation between how the world should be represented in the future pits two worlds which were traditionally organised in their relations by a hierarchical mechanism: the world of legislators, regulators and judges on the one hand, and the world of digital companies and Internet users on the other. Traditionally, the former give orders and the latter, who are subject to them, obey. If the former believe that freedom, particularly freedom of expression, must find its limits, they impose them through laws and judgments, and the subjugated (grudgingly) comply.

2. 🏞 But we know that in practice and from the outset this has not been the case. There are two reasons for this. Firstly, the digital space is global and the authors of legal standards are surrounded by territories. This is especially true for the authors of general legal rules, in particular the legislator, as States are defined by their relationship to the national territory, a boundary that is a sign of their weakness, incapable of governing a global and immaterial space.

3. 🏞 Secondly, and in practice, Regulatory Law is a recent branch of Law📎!footnote-4386, which is most often recognised by the existence of a "Regulatory Authority" and which is characterised by an apparatus of regulations, decisions, principles and reasoning, making it possible to build a balance between the principle of competition and another principle for a sector that requires it, and to maintain this balance over time. It must be assumed that this sector does not have sufficient strength to itself produce this balance between competition and another principle (a-competitive or even anti-competitive). Regulatory system therefore compensates for this "market failure".

4. 🏞 But the digital space is not a sector. It has always been the focus of multiple regulatory corpus📎!footnote-4387. This gives rise to highly complex litigation📎!footnote-4410, since everyone is entitled to a say in the matter, as shown in particular by the legal difficulty of imposing age checks on Internet users accessing sites whose content is forbidden to minors.

5. 🏞 Faced with these conceptual and practical difficulties, what can be done?

III. The political Goals to civilise the digital space by relying on the strength of companies in the position to contribute to it

1. 🏞 Law is a practical art that every society needs to ensure that human relations are not left to force alone📎!footnote-4389. When faced with new difficulties, legal systems generate new solutions. The law is developing a new branch of Law: Compliance📎!footnote-4390.

2. 🏞 Rather than thinking in terms of the subjection of one by the other (companies by politicians; regulators by innovative companies), we need to think in terms of "claims"".

3. 🏞 Politicians have a legitimate power to express the general will to develop what they believe is right for the future of the social group they represent. In so doing, they construct a "policy". Europe, particularly for historical reasons in that it bears the imprint of what happened in Nazi Germany with the creation of files, a memory that the United States does not📎!footnote-4388 and which largely explains the legal opposition on the issue of personal data transfers between the 2 continents, has established through its case law and successive regulations that digital and algorithmic systems must not crush the human beings who are or will be involved in them, whether willingly or not.

4. 🏞 To achieve this, since the space over which it has control is too narrow, and since it does not have the informational, financial and human resources to regulate the digital space, the Politician will not be able to regulate it directly, but will rely directly on the companies that have built and operate the digital space. The internalisation of these goals has given rise to the new branch of law known as Compliance Law📎!footnote-4409.

5. 🏞 Because it is new, Compliance Law is still very little known and its immense practical capabilities relatively unexplored, no doubt because it is buried under the "regulations mass" with which it is confused.

IV. Compliance Law, a new branch of Law anchored in its "Monumental Goals".

1. 🏞 This new branch of law is often difficult to understand because it is confused with "conformity"📎!footnote-4408 with the mass of regulations to which companies are subject. Indeed, it is sometimes claimed that "Compliance" is merely the correct English term for express the obligation of "conformity", which would be, through "Compliance Law", the obligation for the company to comply with all the regulations applicable to it and to show this "conformity". From then on, for example, companies subject to the law would no longer be authorised to act in complete freedom and then answer in Ex Post for violations proven by those who call them for liability before an Authority or a judge📎!footnote-4407, but would have to make themselves visible at all times, in all places and through each person for whom they are answerable📎!footnote-4406.

2. 🏞 Companies, especially those operating in the digital space, conceptually reject this definition because the principle of freedom is no longer primary, and practically it is impossible for a subject of law to comply with all the regulations applicable to him/her📎!footnote-4405, if only because he does not know them and the meaning of them evolves.

3 🏞 But Compliance Law has never been reduced to "conformity", and it is also this confusion leading to a definition of Compliance requiring an obligation unjustified and impossible to satisfy which, by a pendulum movement, has led to the opposite excess, namely the desire to throw all rules overboard, through the so-called "deregulation" movement, hostile to all "regulation: an excess produces the opposite excess. But Compliance Law is not 'conformity law'.

4. 🏞 Compliance Law, a terminology that should be retained in the French language ("Droit de la Compliance"), is normatively anchored in "Monumental Goals"!footnote-4402 to the achievement of which companies in the position to contribute are called upon. These Monumental Systemic Goals are first and foremost of a "Negative Nature", because the aim is to prevent systems from collapsing, whether they be banking, financial, energy, digital, climate, etc., ... or digital. These Monumental Goals can also be of a "Positive Nature", meaning that the aim is not only to ensure the sustainability of the systems📎!footnote-4401 but also to improve them so that they become more solid spaces that benefit the present and future people who live there.

5. 🏞 Companies are not legitimate to set Monumental Goals in place of political and public authorities, and the digital space is not a matter for self-regulation, even if one company or a group of companies, or all of them, are motivated by a desire to care for others. Business ethics, the spontaneous concern for a distant other, distant in space or time, an approach that corresponds to "societal responsibility", cannot replace the political choices made by politically appointed leaders. On the other hand, companies are free to organise the means by which they participate in achieving these goals📎!footnote-4403. On the other hand, they can adhere to these goals, for example by reproducing them in their "compliance tools"📎!footnote-4404, or even go beyond them if they do not contradict them, because they cannot become the new "constituents" of the world and govern it.

V. The internalisation of the monumental goals of regulation of the digital space in the crucial economic operators of the digital space

1. 🏞 Public Authorities will then, through legislation, regulations or various guidelines that constitute an "interweaving" of hard law and soft law that economic operators receive with attention and follow📎!footnote-4400, internalise this Regulatory apparatus directly in the crucial operators, i.e. those who hold the digital space, operators whose list is drawn up and whose criteria are elaborated. Once this circle of legal subjects has been tasked with implementing compliance structures, such as content monitoring, by virtue of their position as gatekeepers, compliance obligations are enacted.

2. 🏞 Compliance obligations are of two types and may therefore have two different scopes📎!footnote-4399.They may involve the establishment of "compliance structures" whereby powerful operators are required to increase their power to enable the system to be able to achieve the goals. For example, structures for receiving alerts, structures for detecting abnormal messages, etc. need to be put in place. These are obligations of result, i.e. the person who brings an action for breach or liability against the operator just has to be able to demonstrate that the result has not been obtained for obtaining the defendant sanction. However, it may also be a case of obtaining "compliance behaviour", for example ensuring that the digital space is a civilised space where respect for others is the norm of behaviour, and that people who express themselves on it do not conceal themselves, and so on. In this case, the obligation is one of means, meaning that anyone suing the operator for breach or liability will have to demonstrate the existence of a triggering event, i.e. a fault or negligence.

3. 🏞 The extension of Regulatory Law into Compliance Law largely resolves what appeared to be the aporia of territory📎!footnote-4398, then this sort of " scandal of extraterritoriality". Indeed, by internalising in a digital operator whose activity is not limited to a territory the obligation to take into consideration the goals to which it must contribute, for example when the French Media Regulatory Authority Arcom requires Meta or Google to improve content control, regulation benefits from the very power of its subject and Compliance thus exceeds Regulation, which it transforms beyond a mere extension📎!footnote-4397. Particularly in this global and a-territorial space that is digital.

4. 🏞 Regulatory Authorities thus become Supervisory Authorities📎!footnote-4396. The reference model is the banking sector, which, like the digital sector, was built by the banks themselves which continue to a large extent to govern it and invent its products, their equity and quasi-equity ensuring the solidity of the system itself, backed by common prudential standards for banking entities operating together (what Competition Law would designate as a "cartel"). Like the Central Banks, the Regulatory Authorities are also Supervisory Authorities: to ensure the sustainability of the sector or area, the Public Authority has the permanent power to control the crucial operator. This is the opposite of the competitive market model, which is based on the atomicity of operators fighting against each other, with the disparity of one player, or even a market, giving rise to the emergence of a new player or a new market. As in a regulated sector, it will be agreed that since the disappearance of the digital space is ruled out (this exclusion is a monumental negative goal of digital compliance law📎!footnote-4394), competition does not play the same role (cf. the European Digital Services Act - DSA) and Regulation becomes Supervision through the compliance mechanism.

5. 🏞 This extension of Regulatory system into Compliance also profoundly transforms the office of the judge📎!footnote-4393. One might have thought that compliance tools, in particular algorithms organising automatic compliance by "compliance by design" would eliminate the judge, since the latter is a character of the Ex Post. On the contrary, we are witnessing a "Compliance Jurisdictionalisation"📎!footnote-4392.

As the power of Compliance multiplies that of Regulation, even if Compliance also leads to contractualise relations with the Authorities, major contentious cases will appear. These cases fall under the heading of "Systemic Litigation"📎!footnote-4391. Indeed, as can be seen for example in the Epic Games v. Apple case it is the system itself that is before the judge and whose own interests must also be taken into consideration by the latter. This is logical since, as the system is internalised through regulatory texts that become compliance texts, disputes between the parties also become systemic. Procedures will become global.

VI. Articulation between, on the one hand, technical and global Regulation and Compliance derived from activities and, on the other hand, Regulation and Compliance derived from localised Monumental Goals with a global claim

1. 🏞 The digital space thus requires legal systems that are constantly adapting, in an in-depth transformation since the Law must be thought without a direct relationship to the territory. This was not done Regulatory Law, but what Compliance Law is managing, making it the branch of Law of tomorrow.

2. 🏞 This distancing of territories raises the question of a possible "Global Law", of which Digital Law could be the epigone, thus succeeding Financial Law, which it resembles in many aspects, notably the domination of American companies.

3. 🏞 This depends on the place of Monumental Goals that will be left in the practice and design of the compliance obligations that the "regulatory masses" accumulate, and in the court decisions that will come, particularly the decisions of the Court of Justice of the European Union on the one hand and the Supreme Court of the United States on the other.

4. 🏞 This has to be seen in the context of the growing importance of "digital sovereignty", which is no longer necessarily linked to a State, but rather to a project, including an industrial project. This is as true for Europe as it is for China (which has a digital sovereign plan) and California (a state sovereign project that weakens a federal will carried by a leader whose project is uncertain).

5. 🏞 As with all regulations, companies' compliance obligations may arise from the technical constraints and ambitions themselves, for example in cybersecurity. They are then on the one hand naturally global and can be left very largely to companies, supervised by Public Authorities. Regulations can also come from political ambitions of their own, such as the promotion of women in tech or the protection of children, which do not imply the same sharing, and therefore do not justify the same constraints. The compliance judge will draw up this map, bearing in mind, if he/she is a Westerner, that in the Rule of Law the first principle is that of Freedom.

__________

Cette conception de la Règle et des mœurs (que l’on peut retrouver par exemple chez Kant – Métaphysique des mœurs, 1797), continue de régir le Droit occidental sans qu’il vaille exacerber la distinction que on exagère souvent la primauté entre les systèmes dits de Civil Law et les systèmes dits de Common Law car tous les systèmes juridiques européens et américains sont construits sur l’idée de la personne, sujet de droit, qui agit librement en utilisant l’autonomie de sa volonté dans le cadre des lois et réglementation, tandis que cette conception n’est pas partagée ni en Asie ni en Afrique. Cela aura une grande importance par exemple dans le Droit des données à caractère personnel.

mafr, Le Droit de la Régulation, 2001.

M-A. Frison-Roche, « L’hypothèse de l’interrégulation » in M-A. Frison-Roche (dir.), Les risques de régulation, coll. « Droit et Économie de la Régulation », t.3, Dalloz / Presses de Sciences-Po, 2005, p.69-80 ; V. aussi M-A. Frison-Roche (dir.), Internet, espace d'interrégulation, Série "Régulations", coll. "Thèmes & Commentaires", Dalloz, mai 2016.

M-A. Frison-Roche (dir.), Contentieux systémique émergent, LGDJ – Lextenso, coll. « Droit & Economie, 2025.

Ubi societas, ubi jus.

mafr, Le Droit de la compliance, 2016.

M.-A. Frison-Roche, Compliance : hier, aujourd’hui, demain, ….

M.-A. Frison-Roche, « Du Droit de la Régulation au Droit de la Compliance », in M.-A. Frison-Roche (dir.), Pour une Europe de la compliance, ….

M.-A. Frison-Roche, « Compliance et conformité : les distinguer pour mieux les articuler », Recueil Dalloz, 2024, chron., pp.

Ce qui est le socle des Etats de droit occidentaux, comme il a été expliqué plus haut (n°1).

Par exemple à travers chaque personne à leur chaine de valeur, ou à travers chaque internaute qui s’exprime sur une plateforme, alors même que le Droit de l’Union a repris le principe dit « d’irresponsabilité ». Pour l’analyse de cette situation particulière au regard de la responsabilité civile, v. M.-A. Frison-Roche, « Compliance, Vigilance et Responsabilité civile : remettre en ordre et raison garder », in M.-A. Frison-Roche (dir.), L’obligation de compliance, Journal of Regulation & Compliance et Lefebvre-Dalloz, coll. « Régulations & Compliance », 2025.

Ce que promettent pourtant les prestataires technologiques à travers la compliance by design… (dont la responsabilité a vocation à être engagée à ce titre). Voir sur cette question, M.-A. Frison-Roche, « Le juge requis pour une obligation de compliance effective », in M.-A. Frison-Roche (dir.), L’obligation de compliance, préc.

M-A. Frison-Roche (dir.), Les buts monumentaux de la compliance, …..

La durabilité est une notion-clé du Droit de la compliance, notion qui n’est pas limitée aux enjeux climatiques mais prend plutôt naissance dans le secteur bancaire.

Pour une description complète et détaillée de toutes les obligations de compliance, notamment concernant celles qui concernent les acteurs du numérique, v. M.-A. Frison-Roche, (premier article), in M.-A. Frison-Roche (dir.), L’obligation de compliance, préc.

M.-A. Frison-Roche (dir.), Les outils de la compliance, ….

Sur la puissance de cet intermaillage mondial et les raisons de cette puissance, v. M.-A. Frison-Roche, L’apport du Droit de la compliance à la gouvernance d’Internet, rapport au gouvernement, préc.

Pour une description plus précise et les références de droit positif, v. (premier article).

L’aporie du territoire qui à première vue est pourtant difficile à dépasser ; voir sur ce point n°2.

M.-A. Frison-Roche, « Le Droit de la Compliance au-delà du Droit de la Régulation », Recueil Dalloz 2023, chron., …

M.-A. Frison-Roche (dir.), Régulation ,Supervision, Compliance, ….

Sur la notion de « but monumental négatif », v. n°…

Conseil d’Etat & Cour de cassation, De la régulation à la compliance : quel rôle pour le juge ? , ….

Sur ce mouvement, voir d’une façon générale, M.-A. Frison-Roche (dir.), La juridictionnalisation de la compliance….

M.-A. Frison-Roche (dir.), Contentieux systémique émergent, préc.

Get our newsletters

🚧Compliance Law as the Royal Road for regulatinf the Digital Space

comments are disabled for this article