Abstract Modern regulatory frameworks assume that the phenomena they govern are knowable: harms can be identified, probabilities estimated and risks balanced against benefits. This article argues that this assumption becomes unstable when applied to genuinely novel technologies. Drawing on Frank Knight’s distinction between risk and uncertainty, it contends that contemporary EU digital regulation – particularly the EU AI Act, alongside the Digital Services Act and the GDPR – applies the form of risk-based analysis to domains where the necessary epistemic foundations are absent. These regimes borrow models developed for pharmaceuticals and environmental regulation and extend them to technologies whose future effects remain deeply uncertain. The article traces the historical development of risk-based regulation, examining both its virtues and structural limitations. It argues that such frameworks systematically marginalize diffuse, long-term and structural harms, while delegating assessment to regulated entities thus creating incentives for conservative self-evaluation. It then explores decision-making under deep uncertainty (DMDU) as a source of alternative regulatory approaches, including adaptive and precautionary techniques. Finally, the article argues that risk assessment is inherently political, embedding normative choices that risk-based methodologies often obscure rather than resolve.
Andrej Savin (Thu,) studied this question.