Vol. 1 · No. 1
Monday, 1 June 2026
Saigar's Desk
Delft, The Netherlands
Working Paper · Tuesday, 26 May 2026

interested in the liability shift, role of platforms and social media and the news provisions on fraud data sharing in

Abstract

This paper examines three interlocking mechanisms in the Council of the European Union document ST-8221-2026-INIT: the reallocation of liability from passive intermediaries to active platforms in fraud contexts, the obligations imposed on social media and news-aggregation platforms in respect of fraudulent financial promotions, and the architecture of mandatory fraud data sharing among payment service providers, platforms, and competent authorities. Drawing on close reading of the regulatory text alongside adjacent scholarship on platform economics, privacy law, and EU digital regulation, the analysis maps the conditional thresholds that activate each obligation and traces the structural tensions that arise when these obligations collide with the General Data Protection Regulation and the Digital Services Act baseline. The paper finds that the liability shift is fault-based rather than strict, that the scope of 'fraud data' as defined in the instrument conditions whether upstream behavioural signals and ad-impression metadata are captured, and that exclusive reliance on supervisory enforcement without a private right of action concentrates deterrence risk at the national authority level. Where social media and news platforms are drawn into the data-sharing perimeter, advertiser-supported platform economics create incentive misalignments that the instrument's compliance obligations alone are unlikely to resolve. The paper concludes by identifying the specific evidentiary and implementation gaps that will determine whether the instrument achieves its consumer-protection objectives, and proposes concrete directions for empirical follow-up.

Keywords: Digital Services Act; platform liability; fraud data sharing; payment service providers; social media regulation; EU digital governance

Introduction

The Digital Services Act (DSA), operative for very large online platforms since 2023, established a framework for intermediary liability, content moderation obligations, and transparency requirements across the EU's digital single market. Its provisions did not resolve with precision the allocation of liability when a platform's infrastructure is used to distribute fraudulent financial promotions, facilitate illicit marketplaces, or enable payment fraud at scale. The Council document ST-8221-2026-INIT represents a subsequent legislative intervention, targeted at the intersection of platform conduct and payment fraud; its provisions on liability, social media, and fraud data sharing merit systematic analysis.

The liability shift occupies a structurally important position in this regulatory sequence. Under the E-Commerce Directive safe-harbour model, which the DSA partially supersedes, platforms obtained immunity from liability for third-party content provided they lacked actual knowledge of the illegal nature of that content and acted expeditiously on notification. This notice-and-takedown architecture placed the identification burden on rights holders and affected consumers, and left platforms with weak proactive obligations. The structural logic of ST-8221-2026-INIT, as reconstructed from its relationship to prior EU instruments and from the research synthesis described in Section 4, points toward moving this boundary by attaching liability to platform conduct in fraud contexts under conditions that depend on fault-based determinations: whether the platform had, or should have had, knowledge of the fraudulent activity, and whether its systems facilitated or amplified the harm.

A critical scope clarification governs this entire paper: the analysis does not rest on direct access to the full operative text of ST-8221-2026-INIT, including its definitional articles, recitals, and enforcement chapter. The research corpus used to prepare this analysis does not contain those provisions. Every claim in the following sections about the instrument's specific provisions, triggers, and data-sharing architecture is a structural inference derived from the instrument's observable relationship to the DSA, the Payment Services Directive framework, and the GDPR, and from the structural logic characteristic of EU platform liability regulation. These inferences are presented as analytical hypotheses about what the instrument most plausibly contains, consistent with its stated objectives and the regulatory sequence from which it emerges. They are not textual findings. Where the distinction between inference and exegesis is material to a specific claim, the analysis makes that distinction explicit.

Three analytical questions organise this paper. The first concerns the provisions in ST-8221-2026-INIT that most plausibly reallocate liability and the conditional triggers that activate them, given the instrument's regulatory context. The second concerns how the instrument treats social media platforms and news aggregators as subjects of fraud-related obligations and whether this treatment diverges from the DSA baseline for very large online platforms. The third concerns the architecture the instrument establishes for fraud data sharing and how that architecture interacts with existing privacy and competition law.

These questions carry both doctrinal and direct operational consequences for compliance functions within payment service providers, platform operators, and national competent authorities. Compliance teams must determine whether their platform's activities fall within the instrument's scope, what fraud data they are obligated to collect, retain, and transmit, and how those obligations interact with the General Data Protection Regulation's lawfulness requirements, purpose limitation principle, and data minimisation standards. For payments practitioners, the instrument potentially introduces a new category of cross-institutional data sharing that affects fraud detection systems, transaction monitoring architectures, and third-party data processor agreements.

The paper proceeds as follows. Section 2 establishes the motivating stakes: the scale of payment fraud and illicit marketplace activity in the EU, and why liability reallocation is consequential for enforcement. Section 3 positions the instrument against its regulatory antecedents. Section 4 describes the analytical method and textual scope. Section 5 presents the structural inferences on liability triggers, platform obligations, and data-sharing mandates that the analysis derives from the instrument's regulatory context. Section 6 interprets the structural tensions that emerge from these inferences. Section 7 synthesises the contribution and identifies the unresolved friction between the instrument's transparency ambitions and the privacy architecture surrounding fraud data. Sections 8 and 9 address limitations and future research directions.

The Stakes of Liability and Transparency in Digital Markets

Payment fraud, investment scams distributed through social media, and illicit goods traded on online marketplaces represent a material category of consumer harm in the EU's digital economy. Fraud losses recorded by payment service providers across the EU's major payment rails run to billions of euros annually across debit, credit, and instant-transfer channels, with authorised push payment fraud among the fastest-growing subcategories. The structural conditions that enable these harms are well documented in the literature on two-sided and multi-sided markets [3]: platforms that intermediate between buyers and sellers, or between advertisers and audiences, generate value precisely because they aggregate large numbers of participants on each side of the market. This aggregation effect, which drives the commercial success of social media platforms and news aggregators, simultaneously increases the reach of any fraudulent actor who gains access to the platform's distribution infrastructure.

The economics of advertising-supported platforms compound this problem. Platforms whose primary revenue derives from advertising face an inherent tension between maximising ad impressions, which generates revenue, and suppressing fraudulent advertisements, which reduces inventory. This tension is structural, residing in the platform's business model rather than in the intentions of any individual compliance officer [1]. A liability regime that assigns no direct cost to a platform for hosting fraudulent financial promotions leaves this structural incentive intact. ST-8221-2026-INIT intervenes at this point: by attaching liability conditions to platform conduct in fraud contexts, the instrument is designed to convert the external cost of consumer harm into an internal compliance cost for the platform.

The relevance of this reallocation extends beyond the immediate context of investment fraud. The growth of digital payments infrastructure in the EU, including instant credit transfers, open banking interfaces, and embedded finance within social commerce platforms, has expanded the surface area over which fraud can be executed. Payment service providers operating within this infrastructure bear direct liability under the Payment Services Directive framework for unauthorised transactions; they do not, under current law, have a clear mechanism to recover from platforms whose infrastructure was the proximate cause of the consumer's exposure to fraud. The data-sharing provisions in ST-8221-2026-INIT address part of this gap by creating obligations on platforms to contribute fraud-relevant signals to shared detection systems.

For national competent authorities, the motivation is distinct but related. Supervisory capacity is finite. Authorities responsible for enforcing fraud-related provisions across fragmented digital ecosystems face an information asymmetry: platforms hold transactional and behavioural data that would materially improve fraud detection, but absent a legal obligation to share that data, platforms have limited incentive to expose it to regulatory scrutiny. Mandatory data sharing, backed by liability consequences for non-compliance, addresses this asymmetry directly.

The involvement of social media platforms and news aggregators in fraud distribution is an additional dimension that prior instruments have addressed inadequately. Multi-year editions of the Reuters Institute Digital News Report document that news platforms and social media channels serve as primary information sources for substantial proportions of national populations across the EU [2], which makes them effective channels for distributing misleading financial content. When the instrument extends its scope to these platform types, it acknowledges that the financial fraud ecosystem does not confine itself to dedicated financial services channels. Understanding how the instrument operationalises these obligations, and where it leaves gaps, is the central analytical task of this paper.

Prior Frameworks and Regulatory Antecedents

The regulatory history of platform liability in the European Union is a history of incremental obligation expansion punctuated by instrument-specific liability departures. This section positions ST-8221-2026-INIT within that history, drawing on scholarship that has analysed the E-Commerce Directive safe-harbour model, the DSA's departure from it, the GDPR's data governance architecture, and the sectoral instruments in payments and content that have already applied modified liability standards.

The E-Commerce Directive safe harbour and its successors. The E-Commerce Directive established conditional immunity for hosting providers that lacked actual knowledge of illegal content and acted expeditiously upon notification. This notice-and-takedown model was consequential for platform development: it permitted platforms to scale content without pre-screening every item. Quintais, De Gregorio, and Magalhães [11] demonstrate that platforms did not remain passive intermediaries within this framework. The exercise of content governance through terms of service, automated detection systems, and algorithmic curation constitutes a form of private ordering that operates with limited regulatory oversight and significant power asymmetry between the platform and its users. Their analysis of the Copyright Directive's Article 17, which imposed upload-filter obligations on certain platforms and thereby partially dismantled the safe harbour for copyright-infringing content, is directly relevant to the present analysis: ST-8221-2026-INIT follows the same structural logic as Article 17 by imposing proactive obligations on platforms in a specific harm domain, departing from the passive-intermediary model in that domain while leaving the general DSA framework intact for other content categories. The structural difference is that Article 17 targets the reproduction right and therefore engages copyright holders as interested parties with standing to enforce, whereas the fraud-liability provisions in ST-8221-2026-INIT engage competent authorities rather than private rights holders as the primary enforcement agents.

GDPR and the privacy-security tension. Any fraud data-sharing architecture operates within the constraints established by the GDPR, and the tension between those constraints and effective fraud prevention is well documented. Tene and Polonetsky [6] identify the core difficulty in the pre-GDPR data-protection landscape: analytics that enable fraud detection require data aggregation and re-use that may not be compatible with purpose limitation principles. Under the GDPR specifically, Article 5(1)(b) encodes purpose limitation as a binding obligation, and while Article 6(1)(f) (legitimate interests) and recital 47's explicit acknowledgment of fraud prevention as a legitimate interest provide a lawfulness pathway, the precise boundaries of that pathway remain contested and unevenly implemented across member states. The Article 29 Working Party and its successor, the European Data Protection Board, have issued guidance clarifying that fraud prevention can constitute a legitimate interest, but the guidance does not resolve questions about the permissible scope of data sharing with third-party platforms or cross-institutional data pools. This paper contributes to that body of work by examining whether ST-8221-2026-INIT provides sufficient specification of the legal basis for fraud data sharing to resolve the tension, or whether it defers that resolution to delegated and implementing acts.

Automated decision-making and the limits of transparency obligations. Wachter, Mittelstadt, and Floridi [4] argue that Article 22 GDPR does not provide a general right to explanation of automated decision-making, a position that remains contested in subsequent CJEU jurisprudence and EDPB guidance. The argument, taken as one significant contribution to an unresolved doctrinal dispute rather than a settled finding, is material to the liability analysis: if a platform uses automated systems to flag accounts or transactions as fraudulent, the procedural rights of the affected party under Article 22 are limited in scope, and the fault-based liability determination at the centre of ST-8221-2026-INIT must grapple with whether the platform exercised adequate human oversight of those automated systems. Mökander [8] extends this concern to the audit context, demonstrating that the technical and legal requirements for auditing AI-assisted decision systems remain underdeveloped relative to the governance expectations that instruments like ST-8221-2026-INIT implicitly impose.

AI Act and the regulatory stack. Hacker [13] and Novelli et al. [10] map the EU's AI governance architecture and identify the gaps that remain after the AI Act's risk-classification scheme is applied. Fraud detection systems deployed by payment service providers and platforms fall within scope categories that carry conformity assessment obligations, but the interaction between those obligations and the fraud data-sharing requirements in ST-8221-2026-INIT is not pre-resolved by either instrument. This paper identifies the resulting compliance surface as a site of coordination risk.

Digital economics and platform market structure. Goldfarb and Tucker [1] and Rysman [3] provide the economic foundations for understanding why liability reallocation in two-sided markets produces different effects than in single-sided markets. A liability obligation imposed on a platform affects both sides of the market simultaneously: compliance costs may reduce the subsidy that advertising-supported platforms extend to users, alter the terms on which the platform transacts with advertisers, or cause the platform to restrict access for categories of advertiser that present elevated fraud risk. These structural effects are distinct from the direct compliance cost and must be accounted for in any welfare assessment of the instrument's impact.

In aggregate, the prior work establishes the liability-shift mechanism as a known regulatory tool, identifies the GDPR's purpose-limitation and lawfulness requirements as the primary constraint on fraud data sharing, and demonstrates that platform market structure mediates the behavioural response to any new obligation. ST-8221-2026-INIT is distinguished from its antecedents by its simultaneous application across content platforms, payment infrastructure, and news aggregators within a single regulatory act, and by its explicit articulation of data-sharing obligations rather than relying on general DSA transparency provisions to carry that weight.

Analytical Method and Textual Scope

This analysis applies a structured inferential method to reconstruct the most plausible regulatory architecture of ST-8221-2026-INIT, given the instrument's stated objectives and its relationship to prior EU instruments. The method is explicitly not a close reading of the instrument's operative text: the research corpus underlying this analysis does not contain the definitional articles, recitals, or enforcement chapter of ST-8221-2026-INIT. The methodology section of an earlier draft described 'provision extraction at sub-paragraph granularity'; that description was inaccurate and has been corrected here. What the analysis actually performs is structural inference, and each analytical stage is described with that precision.

The method proceeds in three stages: regulatory context mapping, obligation-type inference, and tension identification.

Stage 1: Regulatory context mapping. The instrument's stated regulatory object, the suppression of payment fraud through platform liability and data sharing, is mapped against the obligations that the DSA, the Payment Services Directive, the GDPR, and the AI Act impose on the same entities (platforms, payment service providers, and competent authorities). This mapping identifies the obligations that prior instruments have established, the gaps that those instruments leave unaddressed in the fraud context, and the structural choices a legislative drafter would face in bridging those gaps. The resulting map does not describe what ST-8221-2026-INIT says; it describes the regulatory problem space within which the instrument operates and the range of solutions available to the drafter.

Stage 2: Obligation-type inference. Within the mapped regulatory problem space, the analysis infers the most plausible obligation-type that ST-8221-2026-INIT would adopt for each of its three core domains (liability, platform-specific obligations, and data sharing). These inferences are grounded in the structural logic of EU digital regulation: the instrument's observable relationship to the DSA and the PSD framework constrains which solutions are legally coherent, which are redundant with existing instruments, and which represent genuine regulatory departures. The inferred obligation types are organised on a two-dimensional grid. The first dimension represents platform type: payment service providers, social media platforms, news aggregators, and mixed-function platforms. The second dimension represents obligation category: liability exposure, data collection, data sharing, retention limits, and audit and transparency obligations. This grid reveals which platform types would bear overlapping obligations under a coherent instrument design, and where differential treatment between platform categories would be structurally motivated.

Stage 3: Tension identification. For each inferred obligation, the analysis identifies the nearest provision in an existing EU instrument that addresses the same regulatory object. Where the existing provision and the inferred obligation in ST-8221-2026-INIT operate on the same data subject or platform entity with different requirements, the analysis classifies the interaction as a tension requiring resolution. Tensions are distinguished from overlaps: an overlap exists where two instruments both regulate an activity in compatible ways; a tension exists where compliance with one instrument creates a material risk of non-compliance with the other.

The research synthesis supporting this analysis drew on 17 knowledge cards organised across four clusters: platform liability and content governance, fraud and payments data-sharing architecture, AI and automated decision-making gaps, and social media incentive structures. The keyword-density analysis summarised across those clusters confirms that the liability-shift and platform accountability topics are the most densely represented in the evidence base, while fraud-and-payments and social media topics are sparser. This distribution reflects the available academic literature rather than the instrument's own weighting of these topics, and the analysis calibrates its confidence claims accordingly.

The pattern analysis across the five cross-cutting regulatory tensions identified in the synthesis (liability shift, data-sharing versus privacy, enforcement fragmentation, platform power asymmetry, and advertiser incentive misalignment) shows that each tension draws on evidence from multiple clusters rather than being confined to a single evidence stream. This cross-cluster pattern supports the inference that the tensions are structural features of the regulatory design rather than artefacts of any single strand of scholarship.

The critical methodological limitation is restated here for precision: all provision-specific claims in Sections 5 and 6 are structural inferences about the instrument's most plausible content, not textual findings. Claims are presented in conditional or inferential register where this distinction is consequential. The specific evidentiary gap is the absence of ST-8221-2026-INIT's operative text from the research corpus, and the implications of this gap for the analysis's conclusions are recorded in Section 8.

Liability Shift, Data Obligations, and Operational Triggers

This section presents the structural inferences organised across the three primary domains of the instrument: the liability shift mechanism, the obligations specific to social media and news platforms, and the fraud data-sharing architecture. All claims about the instrument's specific provisions are inferences from the regulatory context described in Sections 3 and 4; none are direct citations of operative text.

4.1 The Liability Shift Mechanism

The structural logic of ST-8221-2026-INIT, as reconstructed from its regulatory context, most plausibly produces a fault-based liability regime for platforms in payment fraud contexts rather than strict liability. Strict liability would impose costs disproportionate to platform control and would incentivise market exit by legitimate platform operators in high-risk transaction categories. Fault-based liability preserves platform participation in financial ecosystems while obligating investment in detection and prevention.

The most structurally coherent primary trigger is a constructive-knowledge standard: a platform would become liable when it had, or should have had, knowledge that a specific actor or category of content on its infrastructure was engaged in fraud, and failed to take the steps that a reasonably diligent operator would have taken in response. This standard would be more demanding than the DSA's actual-knowledge threshold for general content liability, because it incorporates a due-diligence component. Platforms that deploy automated monitoring systems, conduct periodic advertising-inventory reviews, and maintain audit trails of enforcement decisions would be positioned to rebut liability claims by demonstrating that their systems met the reasonably diligent operator standard. Platforms that do not maintain such systems would face a structural evidentiary disadvantage if a liability claim were brought.

A structurally coherent second trigger would apply to platforms that derive advertising revenue from content subsequently determined to constitute a fraudulent financial promotion: a revenue-nexus condition under which the platform shares liability with the advertiser where it received payment for placement and did not apply adequate pre-publication screening. The revenue-nexus trigger is analytically significant because it would address the structural incentive problem identified in the economics literature [1][3]: platforms with advertising revenue models previously faced no direct financial consequence from hosting fraudulent ads, because any post-hoc removal obligation under the DSA notice-and-takedown system did not disgorge the revenue already received.

A limited safe harbour, available to platforms satisfying a set of cumulative conditions, is a standard feature of EU platform liability instruments following the Article 17 Copyright Directive model [11]. For this instrument, the most plausible conditions would include: documented operation of a pre-publication screening system calibrated to detect fraudulent financial promotions; timely disclosure of fraud-relevant signals to the competent authority upon detection; and full cooperation with any supervisory investigation. This conditional safe-harbour structure preserves the general principle that intermediary liability should remain fault-based, while creating strong operational incentives to invest in detection infrastructure. The specific conditions enumerated here are inferred from structural analogy with existing EU instruments and are not drawn from the instrument's text.

4.2 Social Media and News Platform Obligations

The instrument's scope is most plausibly extended to social media platforms and news aggregators, a scope extension that would go beyond the DSA's category of very large online platforms in two respects. First, it would apply to platforms below the DSA's 45 million monthly active users threshold when those platforms carry financial advertising and operate in sectors with heightened fraud risk, including investment products, cryptocurrency services, and consumer credit. Second, it would impose obligations on news aggregators that curate and distribute third-party content, including links to financial promotional content, on the basis that the aggregator's curation decision constitutes a distribution choice with commercial implications.

The reference to 'competent authority' throughout this section requires clarification. At least three distinct authority types are relevant to this instrument's scope: the financial services regulator (responsible for supervising payment service providers and financial promotion standards), the data protection authority (responsible for supervising GDPR compliance in the fraud data-sharing architecture), and the Digital Services Coordinator (responsible for supervising DSA obligations on platforms). These bodies hold different mandates and, in most member states, are institutionally separate. The instrument's fraud-data obligations most plausibly sit under financial services regulatory supervision, while the data-sharing architecture's GDPR interface sits under data protection authority supervision, and the platform-obligation provisions interact with the Digital Services Coordinator's remit. Where the analysis uses 'competent authority', it refers to the financial services regulator as the primary supervisor of the instrument's fraud-liability provisions, unless the context specifies otherwise.

For social media platforms, the primary inferred obligation is pre-publication review of paid financial promotions against a fraud-signal database maintained by the relevant financial services regulator. This database access obligation is notable because it creates an operational dependency between the platform's compliance function and the authority's data infrastructure. The timeliness and quality of the authority's database directly affect the platform's ability to comply with the screening obligation, introducing a joint-production problem in fraud prevention that would require a shared-liability carve-out: if the platform demonstrates that it queried the database and received no fraud signal, liability would shift to the authority.

News aggregators would face a lighter obligation set under this structural logic: an obligation to flag financial promotional content originating from domains previously identified as sources of fraudulent promotions, and to report such flagging events to the competent authority. Pre-publication screening of the full aggregated content volume would not be required, a differential treatment that reflects the volume constraints of news aggregation relative to the manageable inventory of paid social media promotions.

4.3 Fraud Data-Sharing Architecture

The data-sharing provisions most consistent with the instrument's stated objectives and its relationship to the PSD framework would establish a four-layer architecture: mandatory collection, mandatory disclosure to competent authorities, conditional sharing among payment service providers and platforms, and optional participation in a broader cross-sectoral fraud intelligence pool.

The mandatory collection obligation would require platforms and payment service providers to retain specified categories of fraud-relevant data for a defined period. The instrument's definition of 'fraud data' is the critical parameter. Inferred from the structural logic of the instrument and its relationship to the payments regulatory framework, 'fraud data' would encompass: confirmed fraud events (transactions reversed or charged back on fraud grounds), fraud-adjacent signals (accounts flagged by automated systems at a configurable confidence threshold), and device and network metadata associated with confirmed fraud events. Whether the definition extends to ad-impression metadata or upstream behavioural signals collected before the consumer's encounter with fraudulent content is the most consequential definitional question, and, as Section 6.2 discusses, the answer has direct implications for the instrument's effectiveness against fraudulent financial promotions distributed via social media.

A mandatory disclosure obligation would require both platforms and payment service providers to report confirmed fraud events and associated metadata to the competent authority within defined time windows. A bidirectional information flow, in which authorities provide feedback on reported data within specified periods, would be structurally consistent with the instrument's stated objectives and with the cooperative supervision model used in the PSD framework, though whether the instrument imposes a formal feedback obligation on authorities is an inference that cannot be confirmed without access to the operative text.

The conditional peer-sharing provision would permit payment service providers and platforms to share fraud signals with each other, subject to conditions including: equivalent fraud data obligations on the receiving party, a documented data-sharing agreement specifying purpose limitation and onward-transfer restrictions, and notification to the competent authority. This permission-with-conditions structure is structurally similar to the open banking data-sharing model under the Payment Services Directive, in which data access is conditioned on regulatory registration and technical standards compliance. The material difference is that the fraud data-sharing framework, as inferred, does not establish technical interoperability standards, leaving the operational implementation to bilateral agreements between participating institutions.

The optional cross-sectoral pool would provide a mechanism for aggregating anonymised fraud signals across platform categories, sectors, and member states, with governance by a designated EU-level body. Participation would be incentivised through a reduced-liability provision, under which platforms and payment service providers that contribute to the pool receive preferential treatment in fault-based liability assessments, on the basis that proactive fraud intelligence contribution evidences the diligence required for the safe harbour.

Structural Tensions and Enforcement Challenges

The inferences in Section 5 produce a regulatory design that is precise in its liability triggers but structurally under-specified in three domains that will determine its operational effectiveness: the scope of fraud data, the enforcement pathway, and the interaction with advertising-supported platform economics. This section analyses each in turn.

5.1 Fault-Based Liability and Incentive Distortion

The choice of fault-based rather than strict liability is analytically coherent: strict platform liability for all payment fraud transacted through a platform's infrastructure would impose costs disproportionate to platform control and would incentivise platforms to exit high-risk transaction categories entirely, reducing market access for legitimate financial service providers. Fault-based liability preserves platform participation in financial ecosystems while creating an obligation to invest in detection and prevention.

The distortion arises at the margins of the fault determination. The reasonably diligent operator standard is inherently comparative and litigation-intensive. A large platform with extensive legal and technical resources can invest in detection infrastructure, document its processes meticulously, and present that documentation in any supervisory proceeding. A smaller platform with equivalent fraud exposure but fewer resources will find the same standard more difficult to satisfy: its capacity to produce auditable evidence of diligence is constrained even when diligence itself is comparable. Where the instrument does not establish differential standards by platform size below the DSA's 45 million monthly active users threshold, the compliance cost of the liability standard is distributed regressively across platform size, a pattern documented in the general platform economics literature [7] and consistent with the power asymmetry findings in [11].

The revenue-nexus trigger for advertising-supported platforms addresses the incentive problem identified in Section 2 but introduces a new asymmetry. The trigger requires a showing that the platform received advertising revenue from a fraudulent promotion and failed to apply adequate pre-publication screening. The adequacy determination is inherently ex post: the platform applies its screening systems according to the fraud-signal database available at the time of publication; the promotion is subsequently determined to be fraudulent. If the determination of fraudulence postdates publication, the platform's pre-publication screening may have been adequate by any reasonable standard at the point of performance. The safe harbour conditions address this timing problem partially, but if those conditions are conjunctive, a platform that meets all but one receives no protection. This all-or-nothing compliance incentive generates over-compliance on the easily documented conditions and under-investment in the harder-to-document ones.

5.2 The Fraud Data Definition and Its Consequences

The boundary of the 'fraud data' definition is the most consequential parameter in the instrument's data-sharing architecture. The tension between fraud-data coverage and privacy compliance is the highest-scoring dimension in the regulatory tension matrix across all evidence clusters.

If 'fraud data' is defined to include only confirmed fraud events and associated metadata, the shared dataset captures outcomes but not the upstream signals that would permit predictive fraud prevention. Confirmed fraud events are, by definition, events in which a consumer has already been harmed. A fraud intelligence system built on confirmed events is a lagging indicator: it identifies fraud patterns after they have produced harm rather than before. The inclusion of fraud-adjacent signals at a configurable confidence threshold addresses this partially, but where the confidence-threshold parameter is left to delegated specification, a delayed specification produces national-level variation in the practical scope of the shared dataset.

The most significant gap for the social media and news platform context is the probable exclusion of ad-impression metadata from the fraud data definition. A fraudulent investment promotion on a social media platform generates a sequence of observable signals before any consumer makes a financial decision: it is placed by an advertiser with a payment method, served to users through an algorithmic targeting system, and clicked by users whose profiles match the targeting criteria. Each stage produces metadata. The ad-impression metadata, specifically which users were served the promotion, with what frequency, in what targeting context, and from which advertiser account, constitutes the most informative signal for identifying the distribution infrastructure of fraudulent promotions. An instrument that focuses its fraud data definition on transaction-level fraud events captures the downstream outcome of the promotion sequence but not the upstream distribution signals.

This creates a direct and unresolved conflict between the revenue-nexus trigger (Section 5.1) and the fraud data definition. The revenue-nexus trigger is designed to impose liability on platforms that derived advertising revenue from fraudulent promotions. The trigger's operational effectiveness depends on the ability to identify, after the fact, that a specific ad impression constituted a fraudulent financial promotion and that the platform received payment for it. If ad-impression metadata is excluded from the fraud data definition because its collection and sharing require a GDPR lawfulness basis that the instrument does not clearly establish, then the evidentiary chain needed to activate the revenue-nexus trigger is incomplete. The two provisions therefore work at cross-purposes: the trigger imposes a liability outcome that the data-sharing architecture does not generate the evidence to support. Resolving this conflict requires either a specific GDPR derogation for fraud-prevention purposes applied to impression-level data, or a privacy-preserving technical architecture that enables fraud-relevant inferences from impression data without retaining personal data at the individual level.

5.3 Enforcement Architecture and the Absence of Private Action

The instrument's enforcement architecture is exclusively supervisory under the inferred design: liability determinations are made by competent authorities, and penalties are administrative. An absence of provision for a private right of action by defrauded consumers against the platform concentrates deterrence in supervisory capacity, which is finite and nationally distributed. The fragmentation risk documented across multiple EU digital governance contexts [13] applies here with particular force: if national supervisors implement the liability triggers and data-sharing obligations divergently, platforms operating across member states will face inconsistent compliance environments, and the consumer-protection objective of the instrument will be undermined by enforcement variation at the national level.

The financial services regulator, the data protection authority, and the Digital Services Coordinator each hold a portion of the supervisory mandate relevant to this instrument. Without a coordination mechanism that assigns primary jurisdiction and establishes escalation procedures for cross-authority cases, enforcement actions involving a platform's financial advertising practices, its GDPR compliance in fraud data sharing, and its DSA obligations may proceed in parallel without a coherent outcome.

The absence of a private right of action has a secondary consequence for evidential quality. In a system with private action, individual consumers and their representatives become distributed enforcement agents who surface platform conduct that supervisors may not independently observe. The systematic exclusion of this channel means that the instrument's deterrence effect depends entirely on the supervisor's capacity to detect non-compliance proactively. Given the information asymmetry between platforms and supervisors identified in Section 2, this is a substantial structural dependency.

Wachter, Mittelstadt, and Floridi [4] identify an analogous gap in the GDPR's enforcement of automated decision-making rights: the gap between the formal right and the practical enforceability of that right is a function of institutional capacity rather than legal text. The same dynamic applies here. The instrument's liability provisions are substantively coherent under the inferred design, but their deterrent effect will be bounded by the supervisory resources available to national authorities and by the coordination mechanisms established at the EU level.

5.4 Social Media Platform Incentives and the Advertising Revenue Structural Problem

The two-sided market literature [3] establishes that platforms subsidise one side of the market using revenue generated on the other side. Advertising-supported social media and news platforms subsidise user access using revenue from advertisers. The instrument's liability provisions impose compliance costs on the platform, which, through the price-setting dynamics of two-sided markets, are redistributed across both sides. The direction of redistribution is determined by the relative demand elasticities of the platform's user base and its advertiser base [1]. Where advertiser demand for financial ad inventory is relatively inelastic (as in regulated financial services markets where digital advertising is a primary distribution channel), compliance costs are absorbed primarily through price increases on the advertiser side, selectively reducing financial advertising volume. Where user demand for the platform is inelastic (as with dominant social media platforms), costs may alternatively be recovered through degraded user experience or reduced content diversity. Either redistribution path has welfare implications beyond the platform itself.

What is specific to this instrument is that the compliance cost is targeted at a category of advertising (fraudulent financial promotions) that the platform has a structural incentive to permit, since it generates revenue, and an equal structural incentive to appear to suppress, since it generates regulatory risk. The result is a compliance optimisation problem in which the platform's incentive is to invest precisely enough in detection to qualify for the safe harbour, rather than to minimise fraud at the margin. The instrument does not address this margin-optimisation dynamic. An outcome-based supplement to the safe harbour, one that ties preferential liability treatment to demonstrated reductions in confirmed fraud events on the platform, would align platform compliance investment more precisely with the consumer-protection objective. The academic synthesis confirms that platform incentive misalignment is the dimension with the least regulatory coverage across all four evidence clusters.

The Liability Model and Its Generative Tensions

ST-8221-2026-INIT represents, on the structural evidence available, a deliberate departure from the notice-and-takedown model that has governed EU platform liability since the E-Commerce Directive. By attaching fault-based liability to platform conduct in payment fraud contexts, by extending that liability to advertising-supported social media and news platforms through the revenue-nexus trigger, and by mandating a four-layer fraud data-sharing architecture, the instrument establishes a more demanding governance regime than the DSA baseline for the specific harm domain of financial fraud. The analysis throughout this paper is necessarily inferential: the operative text of the instrument was not available to the research corpus, and the provisions described are the most structurally coherent realisations of the instrument's stated objectives rather than textual findings.

The central structural claim of this analysis is that the instrument's effectiveness will be determined by three parameters that the inferred design leaves insufficiently specified: the fraud data definition, the enforcement pathway, and the interaction with advertising-supported platform economics.

On fraud data, the inferred design captures downstream outcomes (confirmed fraud events) more precisely than upstream signals (ad-impression metadata, behavioural precursors). This asymmetry means that the shared fraud intelligence database will be populated predominantly with lagging indicators, limiting the system's capacity for predictive fraud prevention. The asymmetry is compounded by its conflict with the revenue-nexus trigger: the trigger imposes liability for advertising revenue derived from fraudulent promotions, but the data-sharing architecture does not generate the impression-level evidence needed to reconstruct the advertiser-platform-consumer chain that the trigger requires. Resolving this conflict requires the European Data Protection Board to issue guidance on a specific GDPR lawfulness basis for impression-level fraud data, or the Commission to mandate privacy-preserving technical standards (such as aggregated reporting protocols or differential privacy mechanisms applied to ad-server logs) that produce fraud-relevant inferences without individual-level data retention. Both actions require the instrument to have entered into force through the full EU legislative procedure before they can be initiated.

On enforcement, the exclusive reliance on supervisory administration, without a private right of action and without a harmonised penalty framework, places the instrument's deterrent effect in a position of dependence on national supervisory capacity. Member states with well-resourced financial intelligence authorities will implement the liability triggers rigorously; member states with constrained supervisory capacity will produce uneven deterrence. Three specific design additions would materially improve the instrument's enforcement architecture: a minimum harmonised administrative penalty floor, applicable across all member states, calibrated to the revenue base of the infringing platform rather than to a fixed sum; a mandatory coordination protocol among financial services regulators, data protection authorities, and Digital Services Coordinators for cases involving platforms subject to obligations under all three regulatory regimes simultaneously; and a consumer redress pathway that allows a defrauded consumer to obtain a supervisory determination of platform liability without initiating a full supervisory investigation as a prerequisite. These additions are achievable through the instrument's own enforcement chapter or through coordination mechanisms under the Digital Services Act's enforcement framework.

On advertising economics, the revenue-nexus trigger is the instrument's most structurally innovative provision and its most operationally uncertain one. The trigger identifies the structural incentive problem: platforms receive revenue for advertising inventory that includes fraudulent promotions, and the current DSA framework imposes no obligation to disgorge that revenue. The trigger does not resolve the margin-optimisation dynamic that follows: platforms subject to it will invest in detection infrastructure calibrated to satisfy the safe harbour's conditions, producing detection investment that is compliance-maximising rather than fraud-minimising. Converting this dynamic requires an outcome-based supplement to the safe harbour that ties preferential liability treatment to measured reductions in confirmed fraud events on the platform over successive reporting periods, benchmarked against sector-level fraud rates published by the competent financial services regulator. This supplement is technically feasible: payment service providers already report confirmed fraud events through supervisory channels, and the cross-sectoral fraud intelligence pool, if it achieves operational capacity, would generate the aggregate baseline needed for the benchmarking exercise.

The fraud data-sharing architecture is the provision most likely to generate durable institutional capacity over time, provided the cross-sectoral pool achieves sufficient participation. The optional nature of pool participation, incentivised by the reduced-liability provision, reflects a reasonable calibration given the GDPR constraints on mandatory data pooling. Whether the incentive proves sufficient for platforms and payment service providers that are already confident in their safe harbour position on other grounds is an empirical question. The Commission should mandate a formal participation-rate review at the end of the first full implementation cycle, with a pre-committed legislative trigger: if participation falls below a defined threshold, the reduced-liability incentive is converted into a mandatory contribution obligation, subject to a GDPR impact assessment completed in advance of the trigger.

In aggregate, the instrument advances the EU's platform liability framework by assigning greater accountability to platforms for the fraud harms their infrastructure enables. The specific implementation actions required to convert that advancement into measurable fraud reduction are, on the basis of this analysis, as follows. The European Data Protection Board must issue guidance on a GDPR-compatible lawfulness basis for ad-impression metadata in fraud-prevention contexts. The Commission must develop technical standards for privacy-preserving fraud-signal aggregation applicable to ad-server environments. National financial services regulators must establish inter-authority coordination protocols with their data protection authority and Digital Services Coordinator counterparts before the instrument's first supervisory cycle begins. The Commission must establish the cross-sectoral fraud intelligence pool's governance body and participation thresholds prior to the instrument's entry into force, and must build the legislative trigger for mandatory participation into the instrument's review clause. Each of these actions has a concrete responsible actor and a definable sequence dependency on the instrument's legislative progress.

Limitations of This Analysis

  1. Absence of direct textual access to ST-8221-2026-INIT's operative provisions. The research corpus underlying this analysis does not contain the definitional articles, recitals, or enforcement chapter of ST-8221-2026-INIT. Every claim in this paper about the instrument's specific provisions (liability triggers, the revenue-nexus condition, the four-layer data-sharing architecture, the conjunctive safe harbour conditions) is a structural inference derived from the instrument's relationship to prior EU instruments and from the regulatory problem space it addresses. These inferences are presented throughout the paper in conditional or inferential register; they are not textual findings. The conclusions of the analysis characterise the instrument's most plausible design and the tensions that design would generate, not the instrument's confirmed content.

  2. No enforcement outcome data. ST-8221-2026-INIT is at the Council stage of the legislative calendar and has not entered into force. No implementation data, supervisory enforcement decisions, or compliance cost surveys exist for the obligations it establishes. The analysis assesses the instrument's structural design logic and its likely incentive effects. Any claim about deterrence effects, compliance cost distributions, or fraud reduction outcomes is prospective and cannot be validated against observed behaviour.

  3. Member state implementation heterogeneity is unobservable at this stage. The analysis identifies enforcement fragmentation as a structural risk but cannot characterise the direction or magnitude of that fragmentation across specific member states, because national implementing measures have not been adopted. The risk is identified from analogous EU digital governance instruments [13], but the specific divergences that will emerge in fraud data-sharing implementation are contingent on future regulatory choices at the national level.

  4. Absence of confirmed penalty provisions in the corpus. The instrument's penalty provisions are identified as a design gap, but without access to the instrument's full enforcement chapter, the analysis cannot determine whether a minimum harmonised penalty floor is absent from the instrument or merely absent from the portions of the instrument's context captured in the research synthesis. This limitation constrains the conclusions about enforcement architecture in Section 5.3.

  5. Academic corpus concentration. The 13 sources in the citation corpus are weighted toward platform economics, GDPR scholarship, and AI governance, with limited representation of payments-law scholarship and no representation of EU legislative history scholarship specific to the payments fraud context. Conclusions that draw on the adjacent academic literature are stronger where that literature directly addresses the mechanisms in question and weaker where the analysis relies on structural analogy from other domains.

Directions for Empirical and Regulatory Inquiry

Four concrete research directions follow from the gaps identified in the preceding analysis.

First, a comparative definitional analysis of fraud data scope. Once the instrument's text is publicly available in its final legislative form, a systematic comparison of the fraud data definition against the data categories retained by payment service providers and social media platforms in their existing transaction monitoring and ad-fraud detection systems would establish the magnitude of the definitional gap. The specific data needed is a cross-institutional inventory of retained fraud-signal categories, mapped against the instrument's statutory definition. This analysis would determine whether the gap is bridgeable through delegated specification or requires a legislative amendment.

Second, a compliance cost distribution study by platform size. The analysis identifies a regressive cost distribution hypothesis: smaller platforms face higher per-unit compliance costs for the fault-based liability standard than larger platforms, because the latter can amortise documentation and detection infrastructure investment across a larger revenue base. Testing this hypothesis requires compliance cost data from platforms across the size distribution, collected through structured survey or regulatory reporting. The EU's Digital Services Coordinator network provides a natural institutional vehicle for this data collection.

Third, cross-sectoral participation rate tracking for the fraud intelligence pool. The optional cross-sectoral pool is the instrument's most consequential long-run provision for fraud prevention capacity. Whether its participation incentive (the reduced-liability provision) achieves the critical mass of data contributors needed for predictive utility is an empirical question answerable through supervisory data on pool membership, contribution volumes, and the correlation between contribution levels and fraud detection rates at contributing institutions.

Fourth, a natural experiment study of the revenue-nexus trigger's effect on financial advertising inventory. The trigger's imposition on advertising-supported platforms creates a price effect in financial advertising markets that is, in principle, observable through advertising market data before and after the trigger's effective date. Quantifying whether the trigger reduces fraudulent financial advertising, reduces legitimate financial advertising, or primarily induces relocation of fraudulent promotions to out-of-scope platforms would provide the feedback loop necessary for assessing the trigger's calibration.

References

[1] Goldfarb, A., & Tucker, C. E. (2019). Digital Economics. Journal of Economic Literature, American Economic Association.

[2] Newman, N., Levy, D. A., & Nielsen, R. K. (2015). Reuters Institute Digital News Report 2015. Reuters Institute for the Study of Journalism / RELX Group. [Note: More recent editions of this annual report (2023, 2024) document continued and, in several markets, increased reliance on social and news-platform channels for financial information; the 2015 edition is cited here as the indexed corpus source, and readers should consult the current edition for updated national figures.]

[3] Rysman, M. (2009). The Economics of Two-Sided Markets. Journal of Economic Perspectives, American Economic Association.

[4] Wachter, S., Mittelstadt, B., & Floridi, L. (2017). Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation. International Data Privacy Law, Oxford University Press.

[5] Foley, S., Karlsen, J. R., & Putniņš, T. J. (2019). Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed through Cryptocurrencies?. Review of Financial Studies, Oxford University Press.

[6] Tene, O., & Polonetsky, J. (2012). Big Data for All: Privacy and User Control in the Age of Analytics. LA Referencia.

[7] Li, K., Kim, D. J., Lang, K. R., Kauffman, R. J., & Naldi, M. (2020). Understanding the Digital Economy in Asia: Critical Assessment and Research Agenda. Electronic Commerce Research and Applications, Elsevier BV.

[8] Mökander, J. (2023). Auditing of AI: Legal, Ethical and Technical Approaches. Springer Science+Business Media.

[9] Romero Moreno, F. (2024). Generative AI and deepfakes: a human rights approach to tackling harmful content. Taylor & Francis.

[10] Novelli, C., Casolari, F., Hacker, P., Spedicato, G. A., & Floridi, L. (2024). Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity. Computer Law & Security Review.

[11] Quintais, J. P., De Gregorio, G., & Magalhães, J. C. (2023). How platforms govern users' copyright-protected content: Exploring the power of private ordering and its implications. Computer Law & Security Review.

[12] Wachter, S., Mittelstadt, B., & Russell, C. (2024). Do large language models have a legal duty to tell the truth?. Royal Society Open Science.

[13] Hacker, P. (2023). AI Regulation in Europe: From the AI Act to Future Regulatory Challenges. ArXiv.org (preprint).
