Legal Architecture — Analysis

The CSRA ↔ Existing-Law Crosswalk

Five anatomical elements of a functioning cognitive-sovereignty framework, mapped against six existing legal instruments.

How to read a cell

At a glance

Mechanism \ LawKOSA (US)GDPR (EU)UK AADCCA AADCEU AI ActDSA (EU)Australian Model
M1 Design Standards with Enforcement Teeth◐ Partial× Gap◐ Partial◐ Partial◐ Partial◐ Partial◐ Partial
M2 Age-Differentiated Protections with Meaningful Verification× Gap◐ Partial◐ Partial◐ Partial× Gap◐ Partial✓ Covered
M3 Algorithmic Transparency with Independent Audit◐ Partial× Gap× Gap◐ Partial× Gap◐ Partial◐ Partial
M4 Liability Attachment to Design Decisions◐ Partial× Gap◐ Partial◐ Partial× Gap◐ Partial◐ Partial
M5 Enforcement Velocity Matched to Platform Scale× Gap◐ Partial× Gap× Gap◐ Partial✓ Covered✓ Covered

The five mechanisms, law by law

M1 Design Standards with Enforcement Teeth

Specific PROHIBITED design features (e.g. variable-ratio reinforcement for minors, infinite scroll without session limits, school-hours push notifications) — objectively assessable, not a self-controlled risk-assessment process. Source: what-cognitive-sovereignty-law-requires §V Element 1

LawGradeProvisionConfidenceReading
KOSA (US)◐ Partial§103(a)(1)(C) Safeguards for Minors; §102 Duty of carehighNames specific features (infinite scroll, autoplay, rewards, notifications) but only requires platforms to ‘limit by default’, not prohibit; §102 is a ‘reasonable care’ standard — the self-controlled, not-objectively-assessable form the mechanism rejects. (Not enacted.)
GDPR (EU)× GapArt 25 (Data protection by design and by default)highArt 25 governs data-processing design (minimisation, by-default safeguards), not engagement architecture; nothing minor-specific or objectively assessable.
UK AADC◐ PartialStandards 5/7/13 (detrimental use, default settings, nudge techniques); DPA 2018 s.123highNames design features (high-privacy defaults, no privacy-weakening nudges) but is a principles-based statutory code framed as data-protection design, not an objectively-scored prohibited-features schedule.
CA AADC◐ PartialCal. Civ. Code §1798.99.31(b)(7) (dark patterns); (b)(1)-(4) (detrimental/data-use constraints)highPrescribes design constraints, but the core prohibitions (dark patterns; detrimental use) remain ENJOINED on vagueness grounds (9th Cir., Mar 2026); only default-settings is in force — design teeth blocked.
EU AI Act◐ PartialArt 5(1)(a)/(b) (prohibited manipulative / vulnerability-exploiting practices)highBans subliminal/manipulative techniques and exploitation of age-based vulnerabilities, but only where they materially distort behaviour and cause ‘significant harm’ — targets manipulation/harm, not engagement-maximising design per se, and is not minor-specific.
DSA (EU)◐ PartialArt 25 (interface design / dark patterns) + Art 28(1) (minors) + Art 35(1) (VLOP risk mitigation)highArt 25 is a general anti-manipulation standard (not minor-specific), Art 28(1) requires only ‘appropriate and proportionate measures’, and Art 35 lists ‘reasonable, proportionate and effective’ mitigations (VLOP-only) — not the prescriptive, objectively-assessable prohibited-feature list the mechanism demands.
Australian Model◐ PartialOSA 2021 Part 4 (Basic Online Safety Expectations) + industry codes/standards ss.140–145highBOSE expects ‘reasonable steps’ incl. safety-by-design but is principles-based, not objectively-assessable prohibited features; the binding industry standards target content removal, not design.

M2 Age-Differentiated Protections with Meaningful Verification

Different rules by age group calibrated to developmental neuroscience; an adult-access threshold of ≥16; the platform bears a verification burden beyond self-attestation. Source: what-cognitive-sovereignty-law-requires §V Element 2; the-treaty-framework § Binding Age Floor

LawGradeProvisionConfidenceReading
KOSA (US)× Gap§107 Age-verification STUDY (study only); §101(6)/§112(b) knowledge standardmediumCowork ruling: gap upheld. M2 is conjunctive (‘…with Meaningful Verification’) and the verification prong is the mechanism’s defining innovation — S.1748 expressly commissions only a feasibility study (§107) and liability turns on ‘knowledge fairly implied’, imposing no verification burden and no ≥16 access gate. A differentiation-anchored ‘partial’ would inflate KOSA; the weak <13 vs <17 parental-tools split is noted but does not meet the mechanism. (The companion KIDS Act package would add an age-verification mandate — re-check if enacted.)
GDPR (EU)◐ PartialArt 8 (child’s consent: age 16, derogable to 13)highSets a ≥16 default (most states derogated to 13) but verification is only ‘reasonable efforts… taking into consideration available technology’ and is scoped to consent for data processing — not a platform-wide meaningful-verification burden.
UK AADC◐ PartialStandard 3 (age-appropriate application / age assurance); 5 age bracketshighExplicit developmental brackets (0-5/6-9/10-12/13-15/16-17) and an age-assurance duty, but verification is risk-calibrated and permits self-declaration (or applying the code to all) — no mandated meaningful-verification floor.
CA AADC◐ PartialCal. Civ. Code §1798.99.31(a)(5) (age estimation)highAge-estimation injunction was VACATED and REMANDED (9th Cir., Mar 2026) — contested, not settled; and substantively weak — the statute lets platforms apply child protections to ALL users INSTEAD of estimating age, so it is not meaningful verification.
EU AI Act× Gap(none; Art 5(1)(b) names ‘age’ only as a vulnerability factor)highNo age-calibrated regime and no verification mandate; ‘age’ appears only as one vulnerability vector in the Art 5(1)(b) harm prohibition.
DSA (EU)◐ PartialArt 28(2)-(3) (protection of minors)highArt 28(2) bars profiling-based ads when the provider is ‘aware with reasonable certainty’ the user is a minor — but Art 28(3) expressly states this does NOT oblige providers to process additional data to verify age, so the meaningful-verification prong fails on the face of the text.
Australian Model✓ CoveredSocial Media Minimum Age Act 2024 s.63C (under-16 account prohibition); in force 10 Dec 2025; max penalty A$49.5mhighBinding, in-force, platform-borne age restriction with a real civil penalty — the strongest cell in the matrix. Limitation: ‘reasonable steps’ mandates no specific verification method, so verification rigour is delegated/unprescribed.

M3 Algorithmic Transparency with Independent Audit

Mandatory disclosure of ranking-system parameters to INDEPENDENT auditors; pre-registration of parameters plus post-deployment audit. Source: what-cognitive-sovereignty-law-requires §V Element 3

LawGradeProvisionConfidenceReading
KOSA (US)◐ Partial§105 Transparency — annual independent third-party audithigh§105 requires a yearly public report based on an ‘independent, third-party audit’ that must consider personalised-recommendation systems, with compelled platform access — a real independent systems audit. Falls short on: no pre-registration, function-level (not ranking-parameter-level) disclosure, and scope capped at >10M-MAU platforms. (Not enacted.)
GDPR (EU)× GapArt 22 (automated individual decision-making)highArt 22 reaches only decisions based ‘solely’ on automated processing with legal/similarly-significant effects; it grants contest/human-intervention rights, not ranking-parameter disclosure to independent auditors (that is DSA territory).
UK AADC× Gap(none — Standard 4 transparency is user-facing privacy-notice only)highNo provision requires recommender/ranking disclosure to independent auditors or pre-registration; profiling (Std 12) is a default-off control, not an audit.
CA AADC◐ PartialCal. Civ. Code §1798.99.31(a)(1)-(2) (Data Protection Impact Assessment)highThe only transparency analog is the DPIA, which is (a) ENJOINED (affirmed in NetChoice I, undisturbed in 2026) and (b) a mismatch — an internal self-assessment disclosed to the AG on request, not independent ranking-parameter audit.
EU AI Act× GapArt 50 / Art 74 (transparency; market-surveillance docs)highArt 50 transparency is user-facing labelling; high-risk technical documentation/source-code access (Art 74) goes to market surveillance, not independent auditors, and recommender systems are not generally high-risk — ranking-parameter audit is the DSA’s domain (see DSA column), not the AI Act’s.
DSA (EU)◐ PartialArt 37 (independent audit) + Art 40 (vetted-researcher data access) + Art 27 (recommender transparency)highThe matrix’s strongest M3 cell: Art 37 imposes binding, ≥annual INDEPENDENT audits of VLOPs (strict auditor-independence rules) and Art 40 compels vetted-researcher data access. Held to ‘partial’ on the SAME bar as KOSA: no pre-registration concept, and Art 27 discloses ranking parameters to USERS (in T&Cs), not ranking-parameter-level disclosure to the auditors; VLOP-only scope.
Australian Model◐ PartialOSA 2021 s.56(2) transparency/reporting notices + BOSE recommender expectationhighs.56(2) notices can compel reporting on recommender/algorithm practices, but this is self-reporting to the eSafety Commissioner — no binding ranking-parameter disclosure to, or audit by, independent auditors.

M4 Liability Attachment to Design Decisions

Liability that attaches to harmful DESIGN decisions (not content hosting); for US law, reform so Section 230 immunity does not shield design decisions. Source: what-cognitive-sovereignty-law-requires §V Element 4

LawGradeProvisionConfidenceReading
KOSA (US)◐ Partial§102 Duty of care (liability on ‘creation and implementation of any design feature’); §112(a)(4) §230 rule of constructionhighLiability attaches to design features rather than content hosting (FTC/state-AG enforced; no private right), but §112(a)(4) expressly does not alter Section 230 — it routes around 230 by the design/content distinction (contested post-Moody) rather than reforming the immunity. (Not enacted.)
GDPR (EU)× GapArt 82 (right to compensation) / Art 83 (fines)highLiability attaches to infringements of the Regulation / unlawful processing, not to harmful design decisions per se; no design-liability hook.
UK AADC◐ PartialStandards 5/12, enforced via DPA 2018 / UK GDPR penalty noticeshighHarmful-design duties exist and the ICO can fine via the DPA, but liability attaches to UK-GDPR data-processing breaches the code informs, not directly to design decisions; the code is admissible evidence, not a standalone liability statute.
CA AADC◐ PartialCal. Civ. Code §1798.99.35 (AG enforcement; $2,500 negligent / $7,500 intentional per affected child)high§35 enforcement is in force, but the central design prohibitions it would attach to (dark patterns; detrimental use) are ENJOINED — so penalties presently attach only to in-force items (default settings, notices), not the design conduct the mechanism targets.
EU AI Act× GapArt 99 (administrative fines)highA public regulatory-penalty regime (up to 7% / €35m for Art 5 breaches), not a private liability cause of action attaching to design; the companion AI Liability Directive that would have done so was withdrawn by the Commission (Oct 2025).
DSA (EU)◐ PartialArt 74 (penalties up to 6% of worldwide turnover) + Art 54 (compensation)highAttaches regulatory fines up to 6% of worldwide turnover for design/systemic-risk breaches (Art 74); Art 54 grants a compensation right but ‘in accordance with Union and national law’ — deferring to national law rather than creating a harmonised private cause of action tied to design decisions. Regulatory-primary, private-derivative.
Australian Model◐ PartialSocial Media Minimum Age Act 2024 s.63C penalties; OSA 2021 BOSE / removal-notice civil penaltiesmediumPenalties attach to age-assurance failures and content-removal / BOSE non-compliance — access and takedown duties, not design decisions; the Act imposes no design duty for liability to attach to.

M5 Enforcement Velocity Matched to Platform Scale

Fast enforcement — interim/emergency design-modification orders (preliminary-injunction analogues) — rather than multi-year administrative processes. Source: what-cognitive-sovereignty-law-requires §V Element 5

LawGradeProvisionConfidenceReading
KOSA (US)× Gap§109 Enforcement (FTC UDAP + state-AG)highEnforcement is ordinary civil litigation to enjoin violations; no emergency/interim design-modification order, no preliminary-injunction analogue, no scale-matched velocity — exactly the multi-year process the mechanism contrasts against. (Not enacted.)
GDPR (EU)◐ PartialArt 66 (urgency procedure) + Art 58(2)(f) (processing ban)mediumArt 66 allows provisional measures (capped 3 months) and a 2-week Board fast-track, and Art 58(2)(f) permits a processing ban — but the one-stop-shop lead-authority model (Art 56) plus documented Irish-DPC multi-year timelines make routine velocity structurally slow.
UK AADC× Gap(none — DPA 2018 enforcement: assessment/enforcement/penalty notices)mediumEnforcement runs through ordinary DPA processes on standard timelines; no interim/fast-track order tied to platform scale.
CA AADC× GapCal. Civ. Code §1798.99.35 (standard AG civil action; 90-day notice-and-cure)highNo interim/expedited mechanism; the mandatory 90-day cure period (itself enjoined on remand) SLOWS rather than accelerates enforcement.
EU AI Act◐ PartialArt 79 (national risk procedure) + Art 74 (market-surveillance powers)mediumReal interim/recall powers exist (corrective action within 15 working days; provisional restrict/withdraw/recall; 30-day objection window for Art 5 breaches) — but it is a product-safety enforcement track, not platform-scale-calibrated injunctive orders, and most obligations phase in only by Aug 2026/2027.
DSA (EU)✓ CoveredArt 70 (interim measures) + Commission direct enforcement of VLOPshighThe Commission directly enforces VLOPs/VLOSEs (bypassing GDPR’s slow one-stop-shop), and Art 70 empowers interim measures by decision on a prima facie infringement where urgency arises from ‘risk of serious damage’ to recipients — genuine scale-matched enforcement velocity the other EU instruments lack.
Australian Model✓ CoveredOSA 2021 ss.66/88/109 (removal notices, 24-hour compliance; blocking notices; Federal Court injunctions)high24-hour removal-notice velocity across the cyber-abuse / image-based-abuse / Class-1 schemes plus injunctive relief (X Corp 2024 Federal Court precedent) — binding and scale-applicable, though it targets content not design.

Status of each instrument

KOSA (US) Kids Online Safety Act (S.1748, 119th Congress)

NOT ENACTED as of June 2026 — passed the Senate 91-3 in the 118th Congress (2024) but the House never floor-voted; reintroduced as S.1748 (2025), pending. House companion H.R.6484 diverges on the ‘knowledge’ standard; the bill progressed through a House Energy & Commerce subcommittee in March 2026; a 40-state-AG letter backs S.1748. All grades are of S.1748 as introduced and are capped at ‘partial’ because no provision is yet binding.

Source-checked via: primary text (congress.gov BILLS-119s1748is) + corpus the-kids-online-safety-act-record

GDPR (EU) General Data Protection Regulation (Reg (EU) 2016/679)

In force since 25 May 2018. A data-protection (lawful-basis + data-subject-rights) regime — NOT a design code or youth-safety law; several mechanisms land as gap or data-adjacent partial by design.

Source-checked via: primary text (gdpr-info.eu Articles) + corpus the-gdpr-and-what-it-actually-changed

UK AADC UK Age Appropriate Design Code (‘Children’s Code’), statutory code under Data Protection Act 2018 s.123–124

In force since Sept 2021 (12-month transition from Sept 2020). A statutory CODE issued by the ICO — not directly enforceable as law itself; ICO/courts ‘must take it into account’ and it is enforced indirectly via UK GDPR / DPA penalty notices (up to £17.5m or 4% turnover).

Source-checked via: primary text (ICO code; DPA 2018) — web

CA AADC California Age-Appropriate Design Code Act (AB-2273, Cal. Civ. Code §§1798.99.28–.40)

Enacted 2022; NEVER ENFORCED — enjoined since 2023 (NetChoice v. Bonta). Per the 9th Circuit (Mar 12 2026, No. 25-2366), the design-prohibition provisions (dark patterns (b)(7); data-use (b)(1)-(4)) and the DPIA + notice-and-cure provisions remain ENJOINED; the entire-statute and age-estimation injunctions were vacated and remanded (age estimation contested on remand). Posture is partial-and-contested; NO cell is ‘covered.’

Source-checked via: primary text (Cal. Civ. Code) + 9th Cir. opinion 25-2366 — web

EU AI Act EU AI Act (Regulation (EU) 2024/1689)

A horizontal RISK-TIER PRODUCT-SAFETY regime for AI systems — NOT a youth-safety or design-code law. Phased application (Art 5 prohibitions live since 2 Feb 2025; most high-risk obligations Aug 2026/2027). Several mechanisms are genuine gaps here whose coverage belongs to other EU instruments — recommender transparency/audit → the DSA column (added per Cowork review); private design liability → the AI Liability Directive, which the Commission WITHDREW Oct 2025.

Source-checked via: primary text (Reg 2024/1689 Articles) — web

DSA (EU) Digital Services Act (Regulation (EU) 2022/2065)

In force — general/intermediary obligations economy-wide since 17 Feb 2024; VLOP/VLOSE (≥45M EU users) obligations + designations from 2023, Commission-DIRECT-enforced. The EU's platform-GOVERNANCE regime — it actually governs recommender/interface design and systemic risk, the coverage the AI Act (product-safety) and GDPR (data-protection) gap on. Added per the Cowork legal review (DMA deliberately excluded — competition law, a different axis).

Source-checked via: primary text (Reg (EU) 2022/2065 Articles; EUR-Lex CELEX 32022R2065) — web

Australian Model Online Safety Act 2021 (Cth) + Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth)

OSA 2021 in force since Jan 2022; the under-16 social-media account ban (Amendment Act 2024, s.63C) received Royal Assent 10 Dec 2024 and COMMENCED 10 Dec 2025 (in force, early-enforcement phase as of mid-2026; max penalty A$49.5m).

Source-checked via: primary text (legislation.gov.au) + corpus the-australian-model

Methodology. The five mechanisms are inventoried from the Institute's own corpus (What Cognitive Sovereignty Law Requires, §V; The Treaty Framework) — none invented here. Each cell was graded against primary statutory text under per-law claim-integrity review; the cited provision and the verification source are shown for every cell so a reader can check it. “Gap” is a normal and common value — most instruments were not built to govern engagement design. Source of truth: data/csra-crosswalk.json. Built 2026-06-03 (D-098).