FrontierNews.ai

Europe's AI Rulebook Has a Blind Spot: Your Mind

The European Union has built the world's most comprehensive digital rulebook, yet it fails to protect one of the most valuable targets: the human mind itself. While the AI Act, GDPR, Digital Services Act, and Digital Markets Act form an impressive regulatory framework, they collectively leave a critical gap: cognitive manipulation and neurotechnology operate in legal gray zones that existing rules were never designed to address.

What Exactly Is the EU's AI Rulebook Missing?

The problem is deceptively simple. The AI Act prohibits subliminal manipulation conducted through AI systems, but cognitive manipulation techniques like psychometric profiling, hypernudging, and persuasive design optimized for behavioral addiction do not necessarily require an AI system in the legal sense. A traditional statistical model applied to behavioral data can produce comparable manipulative effects. An infinite-scroll feed tuned through ordinary A/B testing, with no machine-learning system involved, engineers compulsive engagement while staying completely clear of the AI Act's protections.

The regulatory approach targets the technological vector, not the actual harm. This means an entire class of cognitive threats remains lawful by default. The distinction matters enormously: where the AI Act defines its scope by technological means, a manipulation technique that achieves the same psychological result without an AI system falls outside the regulatory perimeter entirely.

How Are Companies Exploiting the Data Protection Gap?

The GDPR reserves its strongest protections for special categories of data, including biometric information directly collected from individuals. But the most sophisticated cognitive profiling today operates on inferred psychometric data: personality models and cognitive susceptibility scores reconstructed algorithmically from digital behavioral traces. This is the technique famously used by Cambridge Analytica, which mapped psychological vulnerability without ever touching a single data point the law treats as special.

These inferred profiles are not classified as biometric data in the regulatory sense, yet they enable a degree of individual manipulability functionally equivalent to what direct neural access would allow. The mind has become a new space of legal vulnerability that existing data categories do not recognize. The gap is not a minor oversight; it represents a structural mismatch between the harm being inflicted and the protections available.

Steps to Address the Cognitive Manipulation Gap

  • Shift to Harm-Based Classification: Cognitive manipulation should be prohibited based on the effect it produces, the subversion of autonomous decision-making, regardless of the technological vector employed. This single change would close the most significant gap without requiring a new legislative instrument.
  • Expand Data Protections: Inferred psychometric data must be brought within the protective scope of the GDPR's special categories. The distinction between directly collected and algorithmically inferred data is technically meaningful but normatively unsustainable when the manipulative potential is equivalent.
  • Establish Neurotechnological Safeguards: Brain-computer interfaces and implantable neurostimulators entering the consumer market require a layered normative architecture addressing cognitive integrity at every level, including constitutional recognition of cognitive sovereignty as a fundamental right.

Why Does Neurotechnology Expose a Separate Vulnerability?

Brain-computer interfaces and implantable neurostimulators are entering the consumer market, and the EU's Cyber Resilience Act technically applies to products with digital elements. A neural implant falls within the scope on paper. But applying the same cybersecurity framework to a brain-computer interface and to a connected thermostat creates a dangerous illusion of adequacy.

When the product is inside the body, a security breach is not merely a data incident; it is a violation of bodily and cognitive integrity. The Cyber Resilience Act has no category for the difference between a compromised Internet of Things device and a compromised neural implant. This represents a fundamental mismatch between the threat and the regulatory response.

"Cognitive sovereignty, the legally recognised capacity to maintain ultimate control over one's own mental processes, free from undisclosed technological interference, is the foundational freedom of the AI age. Those who arrive late will have surrendered their citizens' cognitive architecture to the market," noted Vincenzo Colarocco, author of the analysis.

Vincenzo Colarocco, Institute for European Policymaking at Bocconi University

Can Existing Rules Be Stretched to Cover These Gaps?

Some interpretive margins exist within current EU law. Article 9 of the GDPR could theoretically be read expansively, and Article 112 of the AI Act allows delegated updating of prohibited practices. In practice, these margins are not being activated, and even if they were, they would remain structurally insufficient for three fundamental reasons.

First, the AI Act defines its scope by technological means, not by cognitive harm. A manipulation technique that achieves the same result without an AI system within the legal definition falls outside the regulatory perimeter by definition, and no delegated act can alter this architecture without reopening the legislative text itself. Second, the Cyber Resilience Act does not distinguish between an external attack surface and an internal one. Third, and most fundamentally, no existing instrument recognizes cognitive sovereignty as an autonomous legal good.

Without that recognition, every protection is derivative: data protection, product safety, unfair practice prohibition. Each derivative protection is structurally under-specified relative to the good it should protect, because none of them were designed with the inner life as their object. Regulatory flexibility is suited to managing the foreseeable evolution of a consolidated paradigm, but it does not serve to govern a paradigm shift. The transition from regulating external technological objects to protecting the cognitive integrity of the subject is not an incremental evolution; it is a change of referent.

The political implication is clear: an elastic extension of the existing framework is not enough. A new normative layer is required. Chile offers a precedent, having elevated neurorights to constitutional rank in 2021, though its implementing follow-through has since proved uneven. This demonstrates that cognitive sovereignty is not a theoretical exercise but an operational legislative programme that democracies can pursue.

Europe united its peoples around a currency. Its next historic test is to unite them around something deeper than money: the defense of the human mind and its free development.