Skip to content
CERRE think tank Logo
  • About us
    • About CERRE
    • Our team
    • Board of Directors
    • The CERRE Story
    • Careers
    • Transparency & Independence
    • FAQs
  • Areas of expertise
    • Energy, Mobility & Sustainability
    • Tech, Media, and Telecommunications
    • Cross-sector
  • Publications
    • Ambitions for EU 2024 – 2029
    • Global Governance for the Digital Ecosystems
  • Events
    • Upcoming events
    • Past events
  • Blogposts
  • Insights
  • Media Room
    • Press Releases
    • Press Coverage
  • Membership
    • Our members
    • Become a member
  • Contact
  • About us
    • About CERRE
    • Our team
    • Board of Directors
    • The CERRE Story
    • Careers
    • Transparency & Independence
    • FAQs
  • Areas of expertise
    • Energy, Mobility & Sustainability
    • Tech, Media, and Telecommunications
    • Cross-sector
  • Publications
    • Ambitions for EU 2024 – 2029
    • Global Governance for the Digital Ecosystems
  • Events
    • Upcoming events
    • Past events
  • Blogposts
  • Insights
  • Media Room
    • Press Releases
    • Press Coverage
  • Membership
    • Our members
    • Become a member
  • Contact
Filter by Sectors





Publications
#Tech, Media & Telecom

Agentic AI and Consumer Protection

  • July 16, 2026
Share.
Read the Issue Paper "Agentic AI and Consumer Protection"

Is EU Consumer Law Ready for AI Agents?

Online shopping is entering a new phase. Consumers already use AI tools to discover products and compare offers, but the more fundamental change is agentic AI: systems that do not only recommend, but act. AI agents may book a flight or switch energy supplier on the consumer’s behalf. Some estimates suggest that between 10% and 20% of e-commerce transactions could be handled by an AI agent by 2030.

This new CERRE paper by Christoph Busch asks whether EU consumer law is ready for this development. The paper spells out an implicit assumption of EU consumer law: that the person making the purchasing decision is a human being. Once an AI agent sits between consumer and trader, this assumption of consumer protection law no longer applies.

Where the framework comes under strain

Disclosure rules were built around the limits of human attention, limits that agents do not share. Consent is harder still: EU law requires consumers to explicitly acknowledge a payment obligation, and whether an agent can do so on the consumer’s behalf remains unresolved. More broadly, many consumer protection requirements presuppose a human interacting via a screen; as agents transact directly through APIs, compliance with these rules becomes not merely difficult but structurally impossible.

Several risks are specific to the agentic setting. For example, an agent operated by a merchant may have an inherent incentive to steer purchasing decisions to its own products – and its preferencing may be opaque to the consumer. Agents can also be manipulated themselves, for example through ‘prompt injection’ attacks. EU law protects consumers from dark patterns; it offers no equivalent protection for the agents acting on their behalf.

Liability is where these questions converge. When an agent buys the wrong product or authorises a payment it should not have, existing rules say little about how the risk should fall between consumer, agent provider and trader. Nor will the answer come from consumer law alone, intersecting as it does with contract law, the AI Act and product liability rules. Without a clear liability architecture, the paper warns, consumers have little reason to trust delegated decision-making, and providers little incentive to offer it.

Policy directions

The Digital Fairness Act, expected in the third quarter of 2026, offers the opportunity to respond. The paper sets out three priorities.

Settle the foundations: policy-makers must clarify the validity of contracts concluded through AI agents, and explain how consumer law applies to agentic transactions. Until this is resolved, businesses cannot confidently build agentic models and consumers have little reason to trust them.

Move from compliance by design to compliance by protocol: firms should embed information duties, consent and redress into the technical protocols that structure agentic commerce. This would make compliance largely self-enforcing.

Differentiate and keep rules proportionate: an agent whose decisions must be confirmed by the consumer at every step is not the same as one transacting autonomously. Nor is a marketplace-embedded agent the same as an independent one or an agent built into an operating system: each raises distinct concerns. Rules should be proportionate and risk-based so as to avoid unnecessarily inhibiting innovation.

The cost of waiting

Intervening too early risks regulating a technology whose trajectory is still uncertain; intervening too late risks allowing harmful practices and market structures to become entrenched. The paper concludes that the second risk is now the greater one. The DSA and the DMA arrived when the platform economy was already consolidated and intervention had become difficult and costly. Agentic commerce has not reached that point — which is precisely why this is the moment to shape its rules.

Document(s)
Read the Issue Paper "Agentic AI and Consumer Protection"
Agentic AI And Consumer ProtectionLire plus de publications sur Calaméo
Author(s)
Loading...
Christoph Busch (3)
Christoph Busch
Research Fellow
and University of Osnabrück

Christoph Busch is Professor of Law and Director of the European Legal Studies Institute at the University of Osnabrück, Germany. He is a Fellow and Council Member of the European Law Institute (ELI) and an Affiliated Fellow at the Information Society Project at Yale University. His research focuses on consumer law, platform governance and algorithmic regulation.

Christoph Busch is Professor of Law and Director of the European Legal Studies Institute at the University of Osnabrück, Germany. He is a Fellow and Council Member of the European Law Institute (ELI) and an Affiliated Fellow at the Information Society Project at Yale University. His research focuses on consumer law, platform governance and algorithmic regulation.

More publications

on #Tech, Media & Telecom

Reform of AVMSD: Towards Coherent Rules for EU-wide Platforms that Provide Access to Media Content

24 June 2026

Rules for High-Risk AI Systems under the AI Act

22 June 2026

Making Data Protection Fit for the Age of AI

18 June 2026

A More Coherent EU Digital Rulebook: Substantive and Institutional Issues

3 June 2026

AI Governance and Geopolitics

27 May 2026

DMA@2: Towards Stronger Governance and Evaluation?

30 April 2026

The role of ‘European preference’ in Europe’s economic strategy

30 April 2026

Transatlantic cooperation on AI and national security

9 April 2026

​Mandating Openness in Regulated Markets 

30 March 2026

DMA Regulatory Interplays

25 February 2026

Stay informed

Subscribe to our newsletter for our latest updates

Subscribe now

Centre on Regulation in Europe asbl (CERRE)

Avenue Louise, 475 (box 10)
1050 Brussels, Belgium
T.: +32 2 230 83 60
E-mail: info@cerre.eu  

Follow and Subscribe

Linkedin-in Youtube Link
  • Copyright CERRE 2010-2026
  • BE 0824446055 RPM Bruxelles
About
  • About Us
  • Team
  • Board of Directors
  • Annual review
  • Careers
  • Transparency & Independence
  • FAQs
Expertise
  • Energy, Mobility & Sustainability
  • Tech, Media, Telecom
  • Cross-sector
More
  • Publications
  • Events
  • Blogposts
  • Insights
  • Privacy & Legals
  • Cookie Policy

Centre on Regulation in Europe asbl (CERRE)

Avenue Louise, 475 (box 10)
B-1050 Brussels – Belgium
T.: +3222308360
E-mail: info@cerre.eu 

BE 0824446055 RPM Bruxelles

Linkedin-in Youtube
About
  • About Us
  • Team
  • Board of directors
  • Annual review
  • Careers
  • Transparency & Independence
  • FAQs
Expertise
  • Energy & Sustainability
  • Tech, Media, Telecom
  • Mobility
  • Cross-sector
More
  • Publications
  • Events
  • News & insights
  • Our members
  • Become a member

This website uses cookies to ensure you get the best experience.

OK
CERRE Privacy Policy