There is no free market online
Every market runs on rules someone enforces. The internet is a place that has no rules, and AI is about to make that a problem.
5 min read. In this piece:
Why the digital market is the one place with no real enforcement
What AI agents break that spam and fake reviews never did
Why Europe, not the hyperscalers, gets to set the terms
The datacenter’s location, as I argued in a previous article, is but a small part of sovereignty discussion. Sovereignty is about who sets the rules and whether those rules mean anything. The interesting question, the one worth actually fighting over, is not who owns the hardware, but who gets to build the enforcement layer that the digital economy has never had.
The AI economy badly needs something it does not yet have. And Europe is better placed to build it than anyone else.
The free market was never free
We talk about "free markets" as if freedom meant absence of rules. It doesn't. Every functioning market runs on enforcement: contract law, property rights, courts, regulators, audits. The right to sue someone who breaks a deal is not a constraint on the market, it is what makes the market real. Nobody serious calls the New York Stock Exchange unfree because it has a compliance department.
The digital market is the strange exception. It is close to genuinely free in the libertarian sense, meaning that while rules exist on paper, very little is actually enforced. Terms of service are not contracts in any practical sense. Liability for data misuse is hard to establish and harder to collect. Platforms are simultaneously market participants and the infrastructure the market runs on, which creates conflicts of interest that offline markets resolved decades ago. We built a trillion-dollar marketplace and decided to skip the enforcement layer.
That worked, after a fashion, while the stakes were low. The worst that usually happened was spam, fake reviews, a manipulated ad auction. Annoying, but not structurally dangerous.
The stakes are not low anymore.
It won't build itself
When AI agents act on your behalf, the enforcement gap stops being an academic problem. An agent that books your travel, signs your contracts, manages your financial positions, or interacts with government services needs to carry something more than a username and a password. It needs identity: a verifiable answer to the question "who authorised this action?" It needs auditability: a record that cannot be edited after the fact. It needs a provable mandate, a way to trace what the agent did back to the human authority that actually sanctioned it.
None of this appears on its own. The market will not volunteer it, because the current setup, where agents act in opacity and accountability is hard to establish, is profitable for the platforms running them. Lock-in and opacity tend to go together.
This is not a hypothetical concern. In February 2026, NIST published a concept paper on giving AI agents formal identity, authorization, auditing, and non-repudiation, explicitly designed to tie an agent's action back to the human authority that approved it. The EU AI Act already requires automatic logging and conformity assessment for high-risk systems. eIDAS 2.0, Europe's digital identity framework, lets an organisation carry a provable, verifiable mandate to act on behalf of someone else. The rules are arriving, piece by piece.
The common response from technology companies is that regulation slows innovation. The companies saying this built their market positions precisely because the enforcement layer was absent. Refusing to build it is not neutrality, it is a choice to leave the gap open for whoever can extract the most value from it.
The right reins, less paperwork not more
The obvious objection is that "enforcement" sounds like surveillance: a central authority that requires everything to be reported upward, logged in one place, visible to someone with the wrong incentives. That is a legitimate concern, and part one of this series made a version of it. A sovereign cloud that replicates the dependency structure is not sovereignty.
The answer is not a central authority that aggregates everyone's data. The answer is to build the rules into the interfaces themselves.
Compliance-by-design means the auditability lives at the moment of action, not in a reporting portal assembled afterward. When an agent signs a contract, the authorisation chain is written into the transaction itself. A regulator can verify the rule was followed by checking the record. The counterparty can check exactly what they're entitled to see. Nobody needs to open everything to everyone, and nobody can quietly edit the trail after the fact.
The counterintuitive result: the bureaucracy gets lighter and saves labour cost.
Compliance officers stop stitching audit trails from five systems that don't talk to each other. Regulators get grip through verifiability rather than through demanding everything be reported upward in advance. The cost of proving you did the right thing falls. That's the property mintBlue builds toward: auditability as something the data carries, not something you reconstruct above it.
Europe is unusually well placed to set this layer's terms, not because it has the most capital, but because it already writes the rules the rest of the world ends up following. The GDPR became the de facto global data standard. The AI Act is shaping compliance programmes at companies headquartered in California. The Brussels Effect may have passed its peak, but that barely matters here. The demand for tooling that proves a rule was followed grows whether or not new rules keep arriving, because the rules already on the books still have to be satisfied.
The online market was always going to need rules that bite. The only real choice was whether we built the enforcement layer deliberately, or waited for something to break badly enough that we had no option. We are arriving at that point now.
Europe now has a chance to embed rules into the interface, done in a privacy-preserving manner this can equal the playing field and bring more trust to our increasingly digital society. The question is will they respect PET solutions to make this happen or take the reins and start dictating? Will government be more accountable than the platforms they replace?
Sources
US hyperscaler capex ~$410bn in 2025, guiding ~$725bn for 2026 (figure covers Alphabet, Amazon, Microsoft and Meta; five-firm totals incl. Oracle run higher): https://finance.yahoo.com/sectors/technology/article/meta-microsoft-amazon-and-alphabet-are-about-to-spend-a-shocking-amount-of-money-to-dominate-the-ai-era-115359575.html ; corroborated by Epoch AI: https://epoch.ai/data-insights/hyperscaler-capex-trend
EU AI gigafactories, €20bn within the €200bn InvestAI initiative (European Commission): https://digital-skills-jobs.europa.eu/en/latest/news/commission-launches-new-investai-initiative-mobilise-eu200-billion-investment-ai
NIST concept paper (request for comment, 5 Feb 2026) on AI agent identity, authorization, auditing and non-repudiation: https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd
EU AI Act (Reg. 2024/1689), automatic logging (Art. 12) and conformity assessment: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
eIDAS 2.0 (Reg. 2024/1183), EU Digital Identity Wallet and electronic attestation of mandates: https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng
The Brussels Effect, EU regulation as de facto global standard (Anu Bradford): https://scholarship.law.columbia.edu/faculty_scholarship/271

