Vol. 1 · No. 1
Monday, 1 June 2026
Saigar'sDesk
Delft, The Netherlands
20:12 CET
Brief · edition-2026-w19 · Thursday, 7 May 2026 · 9 min read

The sovereignty scorecard

*A layer-by-layer control assessment of where enforceable EU obligations and user-governance mechanisms hold, falter, or are structurally absent across the agentic commerce architecture.*

Context

Why the Stack Matters

Traditional e-commerce locates human decision-making at the point of purchase: a consumer selects, authorises, and confirms each transaction. The regulatory architecture built around this model (payment services directives, consumer protection law, data protection rights) assumes a human actor whose consent can be obtained at a defined moment and whose recourse can be addressed through a defined pathway.

Agentic commerce displaces that assumption. An AI agent operating on delegated authority selects, negotiates, and executes transactions across multiple merchant and payment-rail integrations without per-transaction human authorisation. The architecture that supports this capability is layered: cloud and compute infrastructure at the base; LLM orchestration and reasoning above it; identity-credentialing and permission-scope management above that; payment rails and settlement mechanisms; merchant interfaces; and consumer-experience surfaces at the top [2][3]. Each layer involves different technical operators, different contractual relationships, and, critically, different regulatory perimeters.

The sovereignty question for the EU is therefore not a single question about one instrument or one authority. It is a set of layer-specific questions about which actors govern each stratum, under which jurisdiction, with which enforcement mechanism. Platform intermediation at any layer concentrates governance power in the operator of that layer [1][4], and when that operator is incorporated outside the EU, the formal regulatory perimeter and the practical control boundary diverge. The scorecard exists to map that divergence with precision rather than to produce a single headline rating that would obscure it.

TL;DR Grid

  • NO LAYER SCORES FULL. European sovereign control requires both operative regulatory attachment and implemented user-governance mechanisms at the same layer; no current layer satisfies both conditions simultaneously.

  • PAYMENT RAILS: PARTIAL. PSD2 authorisation requirements, administered by national competent authorities under EBA guidelines, attach enforceable obligations at the payment-rail layer, but consumer-recourse mechanisms for AI-initiated transactions remain undeveloped in operative law.

  • ORCHESTRATION LAYER: UNBOUND. The AI Act's GPAI provisions have applied since 2 August 2025 and bind general-purpose model providers, but those provisions address model-level transparency and systemic-risk obligations rather than autonomous agent permission scopes or identity-delegation chains. High-risk Annex III obligations, which carry more specific supervisory requirements, do not apply until 2 August 2026 and are framed for bounded, human-supervised systems rather than multi-step agentic decision loops. No current operative tier of the AI Act attaches enforceable obligations to the orchestration layer's specific control points.

  • DATA INFRASTRUCTURE: JURISDICTION UNASSIGNED. Transactional data flows and identity-credentialing infrastructure are the load-bearing substrate of the agentic stack, yet they sit outside the perimeter of any single EU supervisory authority with clear, operative jurisdiction [8][9].

How the Scorecard Works

The scorecard assigns a control rating to each architectural layer of the agentic commerce stack using two independently assessed conditions. The first condition is operative regulatory attachment: whether an enforceable EU instrument, with a current application date, binds the specific decision loops, data flows, and identity scopes operating at that layer. Proposed legislation, politically agreed texts pending Official Journal publication, and soft-law guidance each receive a materially lower weight than operative hard law with a designated supervisory authority and sanction mechanism. The second condition is user-governance mechanism maturity: whether consent, recourse, and human-oversight rights are implemented and enforceable at the consumer-experience layer for the transaction type in question [10][11].

A layer achieves a high-control rating only when both conditions are satisfied. This two-condition structure is deliberate. A single composite score would obscure the recurring gap in EU digital regulation: instruments that establish strong institutional obligations on intermediaries while leaving the consumer-facing governance apparatus underdeveloped. The payment-rail layer illustrates this precisely. PSD2 authorisation and conduct requirements, enforced by national competent authorities within the EBA's guideline and register framework, bind payment service providers with specificity, yet operative consumer-recourse mechanisms for transactions initiated by an autonomous agent acting on delegated authority are absent from current EU law [12]. Rating that layer as high-control on the basis of intermediary regulation alone would produce a systematically misleading output. The scorecard therefore requires a separate rating on each condition, with the composite control score set to the lower of the two.

The grid's four enumerated entries correspond directly to the scorecard's coverage: the first entry states the overall finding across all layers; the three that follow represent the three layers assessed in detail (payment rails, orchestration, and data infrastructure). Each layer is assessed independently against both conditions; the narrative that follows this grid elaborates the specific regulatory instruments, application dates, and governance gaps at each layer.

Key Sources

  1. Floridi (2020) [6]: the foundational definitional account of digital sovereignty as a policy construct, essential for anchoring what 'EU control' means across regulatory layers.

  2. Pastor Sempere (2025) [9][10]: the primary legal-framework reference for EU data governance, digital asset regulation, and identity infrastructure, covering operative and proposed instruments.

  3. Barbereau, Weigl & Pocher (2024) [12]: examines the political and technological context of EU financial regulation, with direct relevance to how PSD2/PSD3 and FiDA interact as sovereignty instruments.

  4. Westermeier (2020) [8]: the structural argument that money has become transactional data and that control over payment infrastructure is inseparable from control over data infrastructure.

Governance Fractures and Regulatory Gaps

Three specific fractures follow from the scorecard's dual-condition structure. First, the orchestration and intelligence layer operates without operative EU regulatory attachment to its specific control points. The AI Act's GPAI provisions, applicable since 2 August 2025, address model-level transparency and systemic-risk obligations for general-purpose model providers. They do not assign supervisory jurisdiction over the autonomous agent's permission scope or identity-delegation chain as distinct from the underlying model. The Annex III high-risk obligations, which carry more targeted supervisory requirements, apply from 2 August 2026 and were framed for systems with defined input-output boundaries and a human decision-maker in the loop. Neither tier reaches the orchestration layer's most consequential control point: the agent's real-time authority to select, negotiate, and execute transactions on a natural person's behalf [6][9].

Second, the data and identity-infrastructure layer is subject to fragmented supervisory authority. Transactional data generated by agent-mediated commerce falls within the scope of GDPR, the Data Governance Act, and financial data regulation simultaneously, without a designated authority holding consolidated oversight [8][10]. The FiDA framework addresses financial data spaces through a hybrid hard-law and soft-law co-regulatory structure; its operative application date and the scope of mandatory participation for agentic intermediaries await supervisory clarification [11]. The result is a layer where regulatory intent is documented but operative control is not.

Third, the consumer-experience layer carries a structural governance deficit that runs across all other layers. Even where intermediary obligations exist at the payment-rail or merchant-interface layer, the consumer's ability to identify that an agent rather than a human initiated a transaction, contest that transaction through a defined recourse pathway, and withdraw delegated authority without foreclosing commerce access is not addressed in any operative EU instrument reviewed here [4][12]. This deficit means that sovereignty claims resting on intermediary regulation alone overstate the EU's actual control position.

Counterpoint

The Interoperability Case

The strongest case against layer-by-layer sovereignty as a governing objective runs as follows. Agentic commerce systems derive their functional value from interoperability across jurisdictional boundaries. A European orchestration layer that can only execute transactions through EU-licensed payment rails, EU-credentialed identity providers, and EU-hosted data infrastructure would operate at a significant capability disadvantage relative to systems built on globally interoperable infrastructure. The EU's own internal market logic, as expressed through PSD2's open-banking mandates and the Data Governance Act's data-intermediation framework, prioritises interoperability and competitive openness over jurisdictional closure [5][12].

On this reading, layer-by-layer sovereignty fragmentation is a rational outcome of market integration: each layer settles at the provider that offers the best capability-to-cost ratio, and the EU's regulatory role is to set conduct standards and consumer protections that apply to those providers regardless of their home jurisdiction, with extraterritorial reach substituting for domestic control. The GDPR precedent is the clearest example: Brussels rules binding non-EU processors without requiring EU-domiciled infrastructure.

The structural limit of this argument is that extraterritorial conduct standards require enforcement capacity and supervisory access that the EU demonstrably lacks at the orchestration and identity layers. Applying the GDPR model to autonomous agent decision loops presupposes that the supervisory authority can audit those loops, assign liability to a specific responsible party, and impose sanctions that alter behaviour (none of which the current EU supervisory architecture for agentic systems provides [6][9]). The interoperability case is coherent as a market-design argument; it does not constitute a sovereignty argument until the EU supervisory architecture acquires the audit access and liability-attribution capacity the orchestration layer requires.

European sovereign control over the agentic commerce stack remains structurally incomplete. The EU has developed enforceable obligations at the intermediary level across several layers without simultaneously building the consumer-facing consent, recourse, and oversight mechanisms that would close the governance circuit at the point where autonomous agent decisions produce binding commercial consequences for natural persons.

Unresolved Control Boundaries

  1. Which EU supervisory authority holds jurisdiction over the autonomous agent's permission scope and identity-delegation chain at the orchestration layer (EBA, ESMA, a national data protection authority coordinated through the EDPB, or a national NCA), and whether any operative instrument assigns that jurisdiction, remains undocumented in the public record.

  2. FiDA's co-regulatory framework for financial data spaces names obligations and governance structures, but the operative application date and the scope of mandatory participation for agentic intermediaries await supervisory clarification from the competent EU authorities.

  3. Whether the EU's extraterritorial conduct-standard model, which functioned for GDPR's data-processor obligations, is structurally transferable to real-time autonomous agent decision loops (where auditability, liability attribution, and sanction timing differ categorically from data-processing contexts) lacks authoritative doctrinal guidance and is contested among EU legal practitioners.

References

[1] Goldfarb, A., & Tucker, C. E. (2019). Digital Economics. American Economic Association.

[2] de Reuver, M., Sørensen, C., & Basole, R. C. (2017). The Digital Platform: A Research Agenda. SAGE Publishing.

[3] Rysman, M. (2009). The Economics of Two-Sided Markets. American Economic Association.

[4] Langley, P., & Leyshon, A. (2017). Platform capitalism: The intermediation and capitalisation of digital economic circulation. Cambridge University Press.

[5] Rodrik, D. (2000). How Far Will International Economic Integration Go?. American Economic Association.

[6] Floridi, L. (2020). The Fight for Digital Sovereignty: What It Is, and Why It Matters, Especially for the EU. Springer Nature.

[7] Nelms, T. C., Maurer, B., Swartz, L., & Mainwaring, S. (2017). Social Payments: Innovation, Trust, Bitcoin, and the Sharing Economy. SAGE Publishing.

[8] Westermeier, C. (2020). Money is data: the platformization of financial transactions. Routledge.

[9] Pastor Sempere, M. del C. (2025). Governance and Control of Data and Digital Economy in the European Single Market. Springer International Publishing.

[10] Pastor Sempere, C. (2025). The Legal Framework for New Digital Assets, Identities, and Data Spaces. Introduction. Springer International Publishing.

[11] Pastor Sempere, C. (2025). Crypto Assets and Financial Data Space Regulation in the EU's Hybrid System of Hard and Soft Law. Springer International Publishing.

[12] Barbereau, T., Weigl, L., & Pocher, N. (2024). Financial Regulation, Political Context, and Technology in the European Union. Financial innovation and technology.
