Why a "rulebook" is the right metaphor

European builders are sometimes tempted to read the EU's digital regulations as a tax on innovation — a thicket of acronyms that drains engineering time without creating value. The Gen4Travel consortium starts from the opposite premise. The European digital rulebook is precisely what makes a category called "sovereign agentic AI" credible. Without it, European builders compete with Big Tech on Big Tech's terms — at scale they cannot match. With it, they compete on a different axis: auditability, portability, qualified identity, user control. That axis is harder for hyperscalers to replicate, and it happens to be what enterprise customers and regulated industries are increasingly demanding.

This article walks through the five framework laws that together shape what an agentic AI platform deployed in Europe in 2026 must look like, and how Gen4Travel's design choices anticipate them. The intended reader is a product owner, an architect, or a public-affairs lead — anyone who needs to understand the obligations without becoming a lawyer.

A note on tone

This article describes regulatory frameworks in plain English; it is not legal advice. For binding interpretations, consult counsel, particularly because secondary acts and implementing measures continue to evolve through 2026 and 2027.

The five frameworks at a glance

1. AI Act — Regulation (EU) 2024/1689

The world's first comprehensive horizontal AI regulation, in force since August 2024 with a phased application schedule. The core mechanism is risk tiering. AI systems are sorted into four buckets based on the use case, not the technology:

Layered on top of that, the AI Act introduces specific obligations for general-purpose AI models (GPAI), tightened further for "GPAI models with systemic risk". GPAI obligations applied from August 2025.

What this means for Gen4Travel. Most of our use cases are not classified as high-risk under the Act. Travel rebooking, inspiration, and accessibility coordination are low-risk service applications. The architecture nevertheless adopts high-risk-level discipline by design: every agent decision is logged with full provenance, every irreversible action goes through a human checkpoint, every release passes a robustness/safety regression suite. We treat the high-risk obligations not as a bar we have to clear but as a baseline of professional practice for any production agentic system.

2. Data Act — Regulation (EU) 2023/2854

Applicable since September 2025. The Data Act is, in our view, the most underappreciated of the five frameworks for the agentic AI conversation, because it directly reshapes who controls what data — and therefore which platforms can be built.

The Act gives users — including business users — the right to access and port data generated by connected products and services. For travel, this is consequential. A passenger using an SNCF service generates data; under the Data Act, that data is portable. An airline operator generates schedule and disruption data; under the Act, parts of that data are shareable with other operators on fair terms when there is a legitimate purpose. The legal basis for cross-operator data sharing inside data spaces — historically blocked by competition concerns and unclear ownership — now exists explicitly.

What this means for Gen4Travel. Every consortium member's MCP server exposes the data the Data Act renders portable, with the consent and provenance metadata required to share it lawfully across the consortium. Without the Data Act, this kind of cross-operator data fabric would have required hundreds of bilateral commercial agreements; with it, the legal scaffolding is in the regulation.

3. Data Governance Act — Regulation (EU) 2022/868

The DGA, applicable since September 2023, provides the legal scaffolding for data intermediaries and data altruism organisations. These are entities that broker data sharing between providers and consumers without taking ownership of the data themselves. Before the DGA, this category did not formally exist in European law; brokers had to invent governance structures from scratch.

Gaia-X-aligned data spaces such as EONA-X operate within the DGA's data-intermediary framework. They are non-profit; they do not own the data they help share; they enforce a trust framework that members opt into. The DGA gives this category legal recognition and certain obligations (notably, neutrality between providers).

What this means for Gen4Travel. The DGA is the legal basis on which EONA-X exists. Gen4Travel's entire value proposition — a sovereign vertical platform on top of a neutral data fabric — assumes the DGA's regulatory category. Without it, the consortium would have had to invent its own governance from scratch and convince regulators to accept it; with it, the path is paved.

4. eIDAS 2.0 and the EU Digital Identity Wallet — Regulation (EU) 2024/1183

The revised eIDAS regulation, in force since May 2024 with phased application through 2026, introduces the European Digital Identity Wallet (EUDI Wallet). Every EU citizen will be entitled to a wallet by 2026; member states must accept wallets issued by any other member state.

The wallet carries qualified credentials — identity attestations, accessibility status, payment authorisations, professional qualifications — that any European service must accept under specific conditions. In practice, it is the substrate that lets users carry their travel-relevant identity (passport, frequent-traveller status, accessibility profile, employer travel policy) across borders without giving any single platform custody of it.

Docaposte, the consortium's identity partner, operates "L'Identité Numérique La Poste" — France's first eIDAS-substantial-level scheme — and is positioned to be among the first wallet issuers. The Gen4Travel architecture treats the wallet as a first-class component: every memory disclosure to an agent goes through a wallet permission, every irreversible action is gated behind a wallet confirmation, every audit trail is signed by a wallet-anchored identity.

What this means for Gen4Travel. The wallet is the architectural feature that makes the system European-sovereign rather than another silo. Without it, "user controls their data" remains a slogan; with it, control is enforced cryptographically and legally at every step.
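
The controls named above and in the AI Act section (provenance logging of every agent decision, a human checkpoint before irreversible actions, an authenticated audit trail) are illustrated here as an added example that is not Gen4Travel's code. The HMAC key stands in for a wallet-anchored signature, and the agent, action and user names are constructed.

```python
import hashlib
import hmac
import json

# Constructed key standing in for a wallet-anchored signing identity (assumption:
# a real deployment would use an asymmetric wallet signature, not a shared secret).
DEMO_KEY = b"constructed-demo-key"
IRREVERSIBLE = {"cancel_booking", "issue_refund"}  # hypothetical action names
GENESIS = "0" * 64

class AuditLog:
    def __init__(self, key):
        self.key, self.entries = key, []

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, agent, action, inputs, confirmed_by=None):
        """Log one decision; return False (and log 'blocked') if an irreversible
        action arrives without a human confirmation."""
        allowed = action not in IRREVERSIBLE or confirmed_by is not None
        body = {"seq": len(self.entries),
                "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
                "agent": agent, "action": action, "inputs": inputs,
                "confirmed_by": confirmed_by,
                "outcome": "executed" if allowed else "blocked"}
        self.entries.append({**body, "mac": self._mac(body)})
        return allowed

    def verify(self):
        """Return the index of the first bad entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            ok = e["seq"] == i and e["prev"] == prev
            if not (ok and hmac.compare_digest(e["mac"], self._mac(body))):
                return i
            prev = e["mac"]
        return -1

def demo():
    log = AuditLog(DEMO_KEY)
    a = log.record("rebooking-agent", "propose_itinerary", {"trip": "T-1"})
    b = log.record("rebooking-agent", "cancel_booking", {"trip": "T-1"})
    c = log.record("rebooking-agent", "cancel_booking", {"trip": "T-1"}, "user-123")
    intact = log.verify()
    log.entries[1]["outcome"] = "executed"  # simulate after-the-fact tampering
    return a, b, c, intact, log.verify()
```

The chain detects edits, reordering and removal of interior entries; detecting truncation of the tail additionally requires anchoring the latest MAC somewhere outside the log.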

5. The ambient regulatory context — GDPR, NIS2, DSA, DMA

Beyond the four pillars above, four additional frameworks shape the operating environment.

Together with the four pillars above, this rulebook is denser than any single jurisdiction in the world. That density is the point. It defines a market in which a sovereign, consortium-led, agentic platform is not a defensive alternative but the natural answer.

[Figure: Regulation timeline, key application dates, 2022 to 2027. Markers: DMA (May 2023); DGA (Sep 2023); DSA (Feb 2024); AI Act in force (Aug 2024); AI Act bans (Feb 2025); GPAI duties (Aug 2025); Data Act; EUDI Wallet rollout (2026); High-risk (Aug 2026). Legend: AI Act; Data & DGA; eIDAS / Wallet; Platform regulation (DSA / DMA).]
Fig. 1 Key application milestones for the European digital rulebook between 2023 and 2026. Each marker represents a date when specific obligations or capabilities became enforceable or available.

How the rules compose

The rules are not five independent constraints to satisfy in parallel. They are a single, coherent system, and reading them as such reveals the architectural pattern they invite.

The AI Act tells you what an AI system must do internally — log decisions, ensure human oversight, demonstrate robustness. The Data Act and DGA tell you what the system can pull from outside — and on what conditions, with what consent, through which intermediaries. eIDAS 2.0 tells you who the parties are — citizens, businesses, agents — and gives each of them a way to prove identity and carry credentials. GDPR, NIS2, DSA, DMA set the ambient floor on privacy, security, content, and competition.

Read together, the rulebook describes a specific architectural pattern: a vertical agentic platform built on a neutral data space, anchored in qualified identity, with auditable internal decision-making and graceful escalation to humans for irreversible actions. That is, almost word for word, the description of Gen4Travel. The regulations did not make us pick this architecture; we picked it because it solved the problem. But the fact that the regulations describe it explicitly is a compounding advantage. It makes Gen4Travel regulation-fluent by design, which translates into shorter sales cycles, smoother conformity assessments, and faster international replication.

Compliance as competitive advantage

The standard frame on European digital regulation is "Brussels effect": the EU sets stringent rules, the rest of the world adopts them by gravity. There is something to that. But for builders inside Europe, the more useful frame is different.

Hyperscalers can comply with the AI Act, the Data Act, eIDAS 2.0 and the rest. They will. They have armies of lawyers and the regulatory engineering to absorb compliance costs. What they cannot do — at least not as easily — is turn compliance into a product feature. A platform that genuinely gives users custody of their travel-relevant identity, that genuinely operates on a neutral data fabric, that genuinely provides cryptographic auditability of every agent decision, is selling something materially different from a hyperscaler-hosted equivalent.

This is the competitive thesis underneath Gen4Travel and, more broadly, underneath the European sovereign-AI playbook. Not "we are like the hyperscalers but European"; "we offer something the hyperscalers structurally cannot match because their architecture cannot accommodate it".

The bottom line

The European digital rulebook is dense, demanding, and — for those who read it carefully — strategically generous. It defines a market category in which sovereign, vertical, consortium-led agentic platforms are the natural answer rather than the consolation prize. Gen4Travel was designed from day one to occupy that category. Compliance is not a cost we pay; it is a moat we build.