Assessing the Legitimacy and effectiveness of Assurance Regimes via Regulatory Intermediaries: The Case of Digital Services in the European Union

Legitimacy is a crucial concept in political, sociological, and legal theories, defined as the belief in the right of a rule, institution, or leader to govern. Illegitimate regulatory regimes may become ineffective due to their limited ability to influence the behavior of regulated actors and beneficiaries. This paper offers an analytical framework to assess the legitimacy and effectiveness of regulatory regimes that provide assurances through third-party standardisation and conformity assessment, which the paper calls ‘assurance regimes.’ The legitimacy of assurance regimes is often contested as they rely on non-state actors that do not benefit from democratic legitimacy yet still hold a critical regulatory function in these regimes. The paper uses the framework of regulatory intermediaries to assess three European assurance regimes for digital services – the Medical Device Regulation, General Data Protection Regulation, and the AI Act – to answer three questions: first, what are the implications for the legitimacy of regulatory regimes when regulatory tasks of assurance provision shifts from centralised state institutions to decentralised non-state regulatory intermediaries? Second, what are the normative bases against which we can evaluate the ideal bases of the legitimacy of regulatory intermediaries involved in protecting health and safety and ensuring respect to fundamental rights in digital services in the EU? Third, how do regulatory intermediaries involved in protecting health and safety and ensuring respect for fundamental rights in digital services in the EU subjectively perceive their role and construct legitimacy within the regulatory regime? The analysis suggests that the legitimacy of regulatory intermediaries highly depends on their capacities as well as their intended function in the regulatory process. Conclusions are then drawn to evaluate current third-party assurance governance frameworks and identify challenges for emerging AI governance models that incorporate these regimes.