Monday, 29 June 2026

The End of Immunity for Internet Service Providers? C-188/24 WebGroup Czech Republic and NKL Associates and C-190/24 Coyote System, judgment 16 June 2026

Lorna Woods, Professor Emerita, University of Essex

Photo credit: TodayTesting.com, via Wikimedia Commons   

This recent CJEU judgment has been flagged in some quarters as upholding the French rules requiring age verification for porn sites. In others, it has been seen as stripping intermediary immunity from social media sites. Based on the e-Commerce Directive, however, is this just a transient discussion, fading away as the Digital Services Act (DSA) becomes the relevant law?

 

The Facts

 

The national cases in Case C-188/24 concern French rules requiring porn operators to implement technical age verification mechanisms to prevent minors from accessing those sites.  The companies were each the subject of a formal notice pursuant to Decree No 2021/1306 implementing Law No 2020-936 and Article 227-24 of the Criminal Code which prohibits any person from broadcasting a pornographic message likely to be seen by a minor. The rules in Coyote System concern the restriction on the broadcasting of information to drivers about roadside checks (eg in relation to speed or drunk driving). The relevant implementing measures were also derived from the French criminal code. These measures were subject to judicial challenge before the French Conseil d’État. The companies in question were not established in France and questioned the applicability of the French rules.

 

The Issues

 

The first question the CJEU had to address was whether the measures fell within the coordinated field of the e-Commerce Directive (Directive 2000/31) and would therefore be caught by Article 3, which provides for the country of origin principle (COOP). Recital 22 states that ‘information society services should be supervised at the source of the activity’. This means that services in general comply with the domestic law of the State in which they are established and do not have to comply with the laws of the States in which their services are capable of being accessed. Article 3(3) excludes certain areas from the coordinated field and Article 3(4) et seq provide for limited grounds of derogation from the COOP and provide conditions with which the receiving State must comply to access the derogation. The COOP applies only to laws falling within the coordinated field. Here the relevant laws were not sector specific measures targeting information society services in particular, but the general criminal law. The referring court questioned whether the provisions in issue fell within the coordinated field and referred the issue to the CJEU.

 

The ban on transmission in Coyote System was, according to the applicant, contravening the prohibition on general monitoring found in Article 15 e-Commerce Directive. The application of this article is dependent on the information society services in question falling within one of the categories of service found in Articles 12-14 e-Commerce Directive (mere conduit, caching services or hosting services respectively). The Court thus had to consider whether the service in Coyote System was a hosting service within the meaning of Article 14 e-Commerce Directive. Article 14(1) provides:

 

Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:

 

(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or

(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

 

Judgment

 

The Coordinated Field

 

The Court emphasised that the coordinated field

 

covers all requirements laid down by the legal systems of the Member States relating to the taking up or pursuit of the activity of an information society service, … that definition does not make the coordinated field subject to the condition that only matters harmonised by that directive are covered. [para 52]

 

Following the Advocate General (at para 56 of his Opinion), it remarked that Article 3 is of particular importance precisely for the areas of law not harmonised. The mere fact that the laws apply generally cannot remove them from the coordinated field. Moreover, the Directive excludes certain areas from the scope of the Directive, so the question of exclusion had been taken into account in the Directive. Taking a different approach would undermine the purpose of the Directive.

 

The Court confirmed that requiring age verification sets the conditions for access to the information society services and is a requirement concerning the pursuit of an activity within Article 2(h)(i) (see Case C-649/18 A (Advertising and sale of medicinal products online)). For the roadside broadcasts, the Court took the view that the prohibition constituted a requirement relating to the content of the service. Both sets of measures therefore fall within the coordinated field.

 

The COOP and Derogation

 

The key question for the application of the COOP was whether the measures restricted the free movement of the services. This question the Court answered in the affirmative before considering whether the derogation in Article 3(4) could be used.

 

The derogation has substantive and procedural conditions. Substantively, the measure must be necessary in the interests of one or more of: public policy; protection of public health; public security; or protection of consumers. Further, those measures should be taken against an information society service which actually prejudices those objectives or presents a serious and grave risk to those objectives. Finally, the measures must be proportionate to the objectives. In procedural terms, the recipient Member State must first have issued an unsuccessful request to the host Member State to fix the issue and, secondly, notified the Commission. A failure to comply renders the obligations unenforceable (Case C-390/18 Airbnb Ireland – following long established case law).

 

General rules applying without distinction do not satisfy the second of the substantive conditions. The rules, however, provided for the issuing of individual notices which satisfy this requirement [para 90]. The third substantive element – that of proportionality – was satisfied in relation to the protection of human dignity and the rights of the child as regards the broadcasting of pornography [para 94] and, without much elaboration, the prohibition on rebroadcasting is also proportionate [para 96]. 

 

So in principle, the national rules could meet the substantive criteria but it was for the referring court to determine whether the procedural rules were satisfied.

 

General Monitoring

 

Hosting

 

As noted above, the possibility of relying on Article 15 depends on whether the service in issue – here the service in Coyote System – is a host within the scope of Article 14 [see para 105]. The Court noted that the definition of hosting did not automatically preclude a service which also has elements of broadcasting from being a host, referring to long-standing case law as well as more recent (Case C-360/10 SABAM; Case C-682/18 YouTube and Cyando and Case C-401/19 Poland v Parliament and Council). Conversely, just because a service includes the storage of information does not mean that the service is a host for the purposes of Article 14. The Court reiterated the limitations arising from Recital 42 – that the services should be of a mere technical, automatic and passive nature. This implies, according to the Court’s case law (Case C-324/09 L’Oréal and Case C-682/18 YouTube and Cyando), “the information society service provider has neither knowledge of nor control over the information which is transmitted or stored” [para 108]. The Court underlined that “those two conditions requiring knowledge and control should be understood as being alternative to and independent of each other” [para 110]. The Court then held that

 

if, beyond the mere categorisation and indexation of information for the purpose of improving its accessibility, the algorithm used determines, in the interest of the operator or its service, under what conditions, how and in which order of priority that information is or is not be broadcast, that operator exercises control over that information, with the result that the service it offers cannot be classified as an ‘information society service … that consists of the storage of information provided by a recipient of the service’ [para 112].

 

Impact on Article 14(3) and Article 15

 

If a service exercises control over content, it does not fall within Article 14 and therefore the restrictions imposed on Member States by Article 15 are not applicable to such a service. The questions were for the national court to determine.

 

On the assumption that the service were found to be neutral, the national court must decide whether the prohibition on rebroadcasting the information on roadside checks is permitted by Article 14(3) which concerns orders requiring a neutral host to terminate any infringement on the part of the recipient of the service due to, inter alia, the presence of illegal information stored on its website or on its platform by removing or blocking access to that information.

 

Considering Article 15, the Court referred to Recital 47 e-Commerce Directive, which clarifies that Article 15 does not apply to monitoring in specific cases. Referring to the test laid down in Glawischnig-Piesczek (Case C-18/18), paras 46 and 47, the Court noted in this case that the information targeted by the prohibitions “is circumscribed in such a way that its rebroadcasting may be automatically prevented by the operator concerned” [para 121].

 

 

Comment

 

Coordinated Field and COOP

 

The Court has taken a typical approach here, a broad approach to the areas covered: criminal law rules and public policy rules can fall within the scope of the directive, provided they impose requirements on the access or conduct of an information society service. Furthermore, none of the criminal law in general, public policy and public security measures appear in any of the exclusions from the scope of the directive. The Court’s ruling makes explicit that this absence from the exclusions is deliberate. This position is in the interests of ensuring that a service is not subject to multiple regulation, but it can lead to unevenness and gaps in protection from the viewpoint of a person expecting the rules of the Member State in which they reside to apply to service providers providing services in that self-same Member State. This is especially the case when the aspect potentially taking the national rule outside the derogation regime is about its form, not its substance. The COOP principle has long given rise to concerns about forum shopping and a race to the bottom (as can be seen also in the broadcasting sector and the Audiovisual Media Services Directive) but has been re-affirmed as a central tenet of the EU regime (see eg Case C-769/22 Commission v Hungary (Values of the European Union)).

 

It is also worth noting that the Court in principle accepted that both sets of rules in the cases referred were aimed at achieving legitimate aims and were proportionate. The Court drew on the fact that the AVMSD requires age verification in relation to pornography to reach this latter assessment. In so doing, the Court engaged in a joining-up-the-dots activity between different pieces of EU digital legislation.

 

In this ruling, the Court underlined both the importance of the right to human dignity and the rights of the child.

 

Impact on Article 14

 

The headline news from this ruling is the impact on Article 14 and the test for neutral intermediary. The hosting safe harbour in Article 14 was always meant for neutral, passive intermediaries – entities whose activity is “purely technical, automatic and passive”, implying that the provider “has no knowledge of or control over” the information stored (Recital 42 e-Commerce Directive). This has been the standard position since the early case law – for example L’Oréal. What this means, and in particular the impact of automated tools, has been the subject of some discussion. In a different context (copyright infringement), the Court held that even if an operator automatically indexes infringing content and recommends videos based on each user’s use, this did not necessarily mean that the host had specific knowledge of the infringing content, and the Court determined that this sort of specific knowledge was what was required. This could be seen as quite a generous view towards the hosting services and the scope of immunity. It might almost be said that there was an assumption that platforms would benefit from Article 14 (provided they responded to notices). In Coyote there is a shift of focus.

 

The first point to note is the Court’s statement that hosting services do not automatically benefit from Article 14. While this is not new – and, indeed, can be seen in the Court’s previous jurisprudence – the reminder feels significant, especially in the light of the rest of the ruling. The Court here confirmed that a service has to satisfy both the knowledge and the control tests, a point not laboured in previous judgments. The Court (at para 110) makes this really clear: if a service exercises control, even if it has no knowledge, it will fall outside the intermediary immunity provision.

 

Whereas Cyando dealt with knowledge, Coyote System looks at control. Significantly, the Court held that algorithmic curation constitutes “control”. The Court (following its Advocate General) held (para 111):

 

it is, inter alia, by means of the algorithm used that such an operator exercises control over the information stored. So long as it has predetermined, by means of that algorithm, the conditions under which such information may or may not be broadcast, it is irrelevant that that operator does not itself carry out additional interventions which have the effect of promoting, modifying or deleting information stored with a view to it being broadcast.

 

In other words, when a service which stores information uses an algorithm to determine – in its own interest or that of its service – under what conditions, in what manner, and in what order of priority information is or is not disseminated, it has control (see para 112). It does not matter that this is automatic. So creating the algorithmic system is exercising control. In focussing on control, the Court avoids outright conflict with its earlier position (for example in Cyando), but it certainly signals a change in emphasis and (in line with thinking underpinning parts of the DSA) a recognition that the algorithm is not necessarily neutral.

 

Not all categorisation or prioritising satisfies the control test. Simple categorisation and indexing of information to improve its accessibility do not on their own constitute control. Essentially, the Court is trying to draw the line between a neutral index, or chronological feed, and something more editorial (and it is telling to remember that the services themselves have claimed First Amendment rights – ie relating to their speech – in relation to how results are provided).

 

Nonetheless, this ruling will affect a wide range of services based on curating user generated content, from social networks, video-sharing services and – of course – services that rebroadcast user reports (eg about police checks), as well as recommended products on a marketplace. The judgment could be read as stripping most (if not all) of the large social media platforms of their immunity (though this does not mean they will automatically be liable in all cases – that will depend on national law and the facts in individual cases). It could also be said to follow a similar path to the Russmedia decision (Case C-492/23), discussed here, which also took a narrow view of immunity (hosting defence does not apply to liability under the GDPR).

 

Impact on Article 15

 

The prohibition on general monitoring only relates to those services covered by intermediary immunity. Although this follows the language of Article 15(1) there had been some dispute as to who could claim the protection of Article 15. The answer is now clear: fall outside Article 14 (or 12 or 13) and Article 15 does not apply. 

 

The Court also reiterates its position on the distinction between general and specific monitoring and highlights the possibility of using automated techniques to identify particular types of content. This could be relevant for Member States’ ability to impose monitoring or filtering obligations (in services of some public interest) – these (in relation to copyright infringements, e.g. SABAM, above) had been thought problematic in the relatively early days of the e-Commerce Directive, and platforms have often challenged such obligations as constituting general monitoring. The Court’s discussion here is focussed tightly on content; it does not discuss behavioural monitoring or profiling (which might be techniques used by services to reduce the incidence of illegal content or behaviour across their services). It will be interesting to see how this line of case law joins up with the jurisprudence under the e-Privacy Directive on collection of metadata and intrusions into communications privacy (see eg Case C-746/18 Prokurator).

 

Impact on DSA

 

Article 6 DSA, which replaces Article 14 e-Commerce Directive, provides that hosting providers are not liable for information stored at the request of a recipient of the service, provided that they do not have actual knowledge of illegal activity or content, unless the recipient acts under the authority “or control” of the provider. It has been assumed, given the similarity in the text, that the case law on Article 14 is relevant for understanding Article 6 DSA, including as regards the threshold condition of neutrality. The wording of the relevant recitals in the DSA differs, however, from the text in the e-Commerce Directive (noted above) – and the Court has relied heavily on that text in its interpretation of Article 14. Indeed, Article 14 itself does not refer to control. Recital 22 DSA specifies:

[i]n order to benefit from the exemption from liability for hosting services, the provider should, upon obtaining actual knowledge or awareness of illegal activities or illegal content, act expeditiously to remove or to disable access to that content. … The provider can obtain such actual knowledge or awareness of the illegal nature of the content, inter alia, through its own-initiative investigations or through notices submitted to it by individuals or entities in accordance with this Regulation in so far as such notices are sufficiently substantiated to allow a diligent economic operator to reasonably identify, assess and, where appropriate, act against the illegal content. However, such actual knowledge or awareness cannot be considered to be obtained solely on the ground that the provider is aware, in a general sense, of the fact that its service is also used to store illegal content. Furthermore, the fact that the provider automatically indexes information uploaded to its service, that it has a search function or that it recommends information on the basis of profiles or preferences of the recipients of the service is not a sufficient ground for considering that provider to have ‘specific’ knowledge of illegal activities carried out on that platform or of illegal content stored on it. [emphasis added]

 

At first glance, the recital seems to contradict the ruling in Coyote System. The wording of the recital seems to follow the approach the Court adopted in Cyando and, like that judgment, deals with the question of knowledge. We have noted earlier the Court’s sidestep in this case to talk about control. The recital says nothing about control and is therefore not inconsistent with the approach in Coyote System. Of course, this means that there is no reference to “control” in the text of the DSA because Article 6, like its predecessor Article 14, is silent on the point. It is far from clear, however, that the change in wording in the recital was intended to mark a change in meaning from Article 14 resulting in an expansion of the scope of immunity. Rather, it seems to reflect an intention to align the DSA with the case law on Article 14 e-Commerce Directive. Presumably, there will be much litigation on this point as well as the linked question as to where the boundary lies between control and “mere categorisation and indexation of information” [para 112].


Thursday, 28 May 2026

Amazon, systemic risk, and the Digital Services Act: What the General Court did and did not decide

 

Catalin Gabriel Stanescu, Associate Professor of Private Law at the University of Southern Denmark. His research focuses on consumer law, digital regulation, financial vulnerability, and the political economy of private law.

 

Photo credit: David Dixon, via Wikimedia Commons

 

The DSA Observatory recently published a thoughtful post on the General Court’s judgment in Amazon v Commission, which rejected Amazon’s argument that it should not have been listed as a ‘very large online platform’ (VLOP) under the Digital Services Act (DSA), and, in doing so, critiqued a working paper of mine on ‘systemic risk’ under the Digital Services Act. For me, it was a valuable engagement. The judgment does influence how arguments about systemic risk under the DSA can be framed. However, it does not support the broader claim that a financial-law analogy about the definition of ‘systemic risk’ has been displaced. When read carefully, Amazon takes a narrower approach: it rejects one specific application of the financial analogy, while preserving a more structural comparison between financial supervision and the DSA’s systemic-risk regime.

My paper’s central claim was not that the DSA should be read as banking law in another guise. Nor was it that systemic risk under the DSA must be defined by interbank contagion or by the existence of a closed system of interconnected undertakings. What I proposed was that the DSA relocates into digital governance a supervisory rationality already familiar from EU financial law: a mode of regulation built around ex ante risk assessment, differentiated obligations for systemically significant actors, and a recalibrated proportionality analysis where institutions are acting under conditions of complexity, uncertainty, and potentially large-scale harm. That remains, in my view, the right level at which to compare the two regimes.    

The General Court’s judgment, however, establishes an important limitation. Amazon contended that marketplaces could not generate “systemic” risks because, unlike financial institutions, they do not form part of an interconnected system. In paragraph 69, the Court summarized Amazon’s submission that marketplaces are not interdependent, do not constitute a system, and therefore cannot give rise to systemic risks in the manner of financial institutions. The Court rejected this argument in paragraph 70. It held that the DSA is not concerned with systemic risks posed by marketplaces due to their participation in a “system” in that sense. Instead, the DSA aims to mitigate systemic risks to society as a whole, insofar as those risks may affect a significant portion of the European Union’s population. Consequently, the Court found that the independence of marketplaces from one another does not prevent them from generating some of the risks identified in Article 34(1) DSA (ie the risks which VLOPs are obliged to assess).

This is a significant point. Under the DSA, interconnectedness in the financial-law sense is not a necessary criterion for defining systemic risk. Instead, the Court places decisive emphasis on reach, scale, and disproportionate societal impact. This approach is evident not only from paragraph 70, but also from the Court’s reliance on recitals 75 and 76 DSA, which highlight the reach of very large online platforms, their role in facilitating public debate and economic transactions, and the potential for disproportionate impact once they reach a significant share of the Union’s population. The same reasoning appears later when the Court notes that marketplaces above the Article 33 DSA threshold for designating VLOPs may pose risks to society that differ in scale and impact from those posed by smaller platforms. On this point, the Observatory’s interpretation is correct: Amazon shifts the analysis away from a narrow contagion model.

What does not follow, however, is the stronger conclusion that the judgment rejects the relevance of financial systemic-risk thinking altogether. The Observatory interprets Amazon as attributing a more autonomous meaning to systemic risks under the DSA and as introducing a break with the reliance on financial systemic-risk regulation as a reference point. I believe this interpretation overstates the case. The Court rejected Amazon’s specific application of the analogy, but did not assert that the DSA lacks structural affinity with systemic-risk governance as developed in other areas of EU law.

This distinction is important because the DSA’s regime retains a recognizably systemic-risk structure.

First, the regime is actor-specific. In the present context, Articles 34 to 43 DSA apply only to platforms designated as VLOPs, while more broadly it also includes very large online search engines (VLOSEs). The Court accepts this differentiation as resting on the legislative judgement that platforms of such scale may generate risks with a disproportionate impact in the Union. In paragraphs 52 and 53, the Court summarizes the obligations imposed on VLOPs: risk assessment, potential adaptation of service design, independent audit, profiling-free recommender options, advertising repositories, data access for researchers, internal compliance functions, transparency reports, and supervisory fees. In paragraphs 63 to 65 and 77, the Court accepts the legislative premise that VLOPs may cause societal risks that differ in scope and impact from those caused by smaller platforms, and that marketplaces above the threshold may give rise to the risks listed in Article 34(1). This is not merely a semantic distinction regarding the meaning of what qualifies as “systemic.” It is a sorting mechanism that imposes heightened obligations on actors deemed systemically significant due to their scale. This feature is central to the financial-law genealogy discussed in my paper.

Second, the regime is preventive. The obligations upheld in Amazon are not limited to sanctioning completed infringements, but are intended to identify, assess, and mitigate risks before harm occurs. The Court’s summary of Articles 34 to 43 confirms this preventive orientation. This is why the financial-law comparison remains relevant at the level of supervisory logic. In both contexts, the law acts proactively rather than waiting for collapse or completed harm before intervening. My paper identified this preventive approach as a central element of systemic-risk governance in EU law, both in finance and under the DSA. Nothing in Amazon contradicts this analysis.

Third, and most importantly, Amazon strongly supports the argument that systemic-risk governance is accompanied by a relatively flexible form of proportionality review. The Court explicitly recognizes that Article 33(1), by subjecting VLOPs to Articles 34 to 43, interferes with the freedom to conduct a business under Article 16 of the Charter, as these obligations may entail significant costs, substantial organizational effects, and complex technical solutions. Nevertheless, the Court upholds this interference because the legislature possesses broad discretion when making political, economic, and social choices and undertaking complex assessments. In this context, only measures that are “manifestly inappropriate” can be deemed unlawful. The Court further emphasizes that the freedom to conduct a business is not absolute and must be balanced with the objective of ensuring a high level of consumer protection under Article 38 of the Charter. It concludes that the legislature did not commit a manifest error in treating marketplaces above the threshold as capable of generating the risks identified in Article 34(1), and that Article 33(1) DSA was not shown to be manifestly inappropriate for achieving the Regulation’s objectives.

This aspect of the judgment is at least as significant as paragraph 70. Even if one accepts that DSA systemic risk is not linked to interconnectedness in the financial sense, the Court’s reasoning still supports a model of anticipatory, differentiated, and intrusive supervision, constitutionally sustained through broad institutional discretion and limited judicial review. This is precisely the dimension of systemic-risk governance that my paper sought to highlight. EU financial-law jurisprudence exhibits the same pattern: preventive intervention, differentiated obligations for systemically significant actors, and a proportionality review tailored to technical complexity and predictive judgment. At this level, the comparison is not only valid but also illuminating.

The core disagreement with the Observatory is not whether Amazon alters the analytical landscape – it does – but rather concerns the appropriate level of abstraction for comparison. If the argument were that DSA systemic risk merely replicates bank-contagion logic, the judgment would be difficult to defend. However, that was not my position. My argument is that the DSA adopts a macroprudential style of governance: it identifies a subset of actors whose scale enables them to cause significant harm, subjects them to enhanced due diligence and supervision, and justifies these obligations through a preventive public-interest rationale. Amazon does not undermine this claim; it only refines it.

One further point should be noted. The judgment did not resolve all interpretive questions regarding Article 34 DSA. Specifically, it did not explicitly determine whether the list of risks to be assessed, set out in Article 34(1), is exhaustive. While the Observatory may reasonably infer from certain passages that this is the case, such an inference does not constitute a definitive holding. The repeated references to the risks “referred to in Article 34(1)(a) to (d)” are consistent with the narrower view that these were the risks relevant to the case at hand. On this issue, a cautious approach remains advisable.

In my view, the most accurate reading of Amazon is as follows. The judgment narrows the conceptual overlap between financial and digital systemic risk by rejecting interconnectedness as a necessary definitional criterion under the DSA. However, it reinforces the structural overlap at the level of governance. Under the DSA, systemic risk continues to justify a regime that is differentiated, preventive, supervisory, and constitutionally sustained through a broad margin of institutional discretion. Therefore, the financial analogy I proposed remains useful, provided it is applied at the appropriate level of abstraction. The DSA is not banking law for platforms, but it is law crafted in a distinctly macroprudential register.

 

Thursday, 30 April 2026

EU values, LGBTQI+ rights and the future of democracy in Hungary and beyond: On the wider significance of case C-769/22

 

Benedetta Lobina* and Esther Martínez**

* re:constitution fellow and lecturer at the UCD Sutherland School of Law

** Co-founder and director of RECLAIM, a human rights NGO that campaigned for Member States to join in the proceedings in this case against Hungary

Photo credit: Budapest Pride march 2025, photo by bannedpride via Wikimedia Commons

 

In what has been a momentous 10 days for Hungary, after the elections that ousted Orban as Prime Minister after 16 years, the Court of Justice of the European Union delivered its much-anticipated judgment in the Hungarian “anti-LGBT propaganda” case. This case is remarkable for a number of reasons: for the first time, the Court found a breach of Article 2 TEU as a stand-alone plea in law; it expanded upon the protection of LGBTQI+ rights under the scope of EU law; and it saw an unprecedented number of interventions in support of the Commission, namely from the European Parliament and 16 Member States. Additionally, the timing of the Court’s delivery makes this the first opportunity for the new Magyar government to turn over a new leaf for the country, after pledging its commitment to Europe during the course of the electoral campaign. In this blogpost, we will break down the wider significance of this judgment, beyond the undoubtedly groundbreaking use of Article 2 (and related doctrinal debates), especially with regard to the implementation of LGBTQI+-related CJEU judgments in Hungary and in the rest of the EU, and as pertains to what it signals for future litigation efforts.

Background of the case

The case was triggered by Orban’s far-reaching reforms seeking to restrict access to LGBTQI+ content (see here for an accessible breakdown). According to the arguments presented by the Commission (which the Court found well-founded in their entirety), the laws infringed a wide range of EU instruments related to the provision of services and the internal market, several rights protected by the Charter (Articles 1, 7, 11, 21), and lastly but most crucially, Article 2 TEU. This was the first use of Article 2 TEU on its own merits, underscoring the gravity of the departure from EU values witnessed in Hungary.

In its ruling, the CJEU sitting as a full court agreed with the Commission on all the pleas in law, specifically finding for the first time an infringement of Article 2 TEU, based on the nature of the legislative provisions at issue as a coordinated series of discriminatory measures, amounting to a manifest and particularly serious curtailment of LGBTQI+ rights. Consequently, it found that the Hungarian law is “contrary to the very identity of the Union as a common legal order in a society in which pluralism prevails” (counterarguments based on national identity notwithstanding).

This approach seems to crystallise a test whereby the sheer scale and seriousness of violations of relevant EU law – for instance several rights of the Charter embodying Article 2 TEU values – is enough to demonstrate a departure from shared values and therefore lead to a breach of Article 2 as a whole (para 548). Moreover, in order to remain within the limits and scope of EU law, the CJEU underlined “only manifest and particularly serious breaches of one or more values common to the Member States may give rise to a finding [of Article 2 violations, which are] incompatible with the very identity of the Union as a common legal order of a society in which pluralism prevails.” This reasoning would suggest that systemic stigmatisation of the LGBTQI+ community in and of itself (i.e. without any link to other provisions of the acquis) would give rise to an Article 2 breach – although in practice, the offending behaviour at issue is more than likely to also infringe upon several directives or regulations (as it did in this case), which may or may not raise questions over the logical soundness of the Court’s argument (see here and here). As such, this judgment sets the stage for stronger and more systemic infringement proceedings in the future, which can use multiple severe violations to prove a pattern that ultimately triggers an Article 2 violation.  

What happens next?

Such an emphatic decision is bound to have consequences beyond the black letter of the law, both in Hungary – especially after a dramatic shift in its political landscape – and in the rest of the Union. After winning a super majority in Parliament on a pro-EU platform, newly elected Prime Minister Peter Magyar will have his first chance to prove his commitment to EU values and the EU legal order by swiftly implementing this judgment. After being sworn in (presumably in the next month), repealing the offending legislation should be high up on his priority list.  Considering that the legislation at issue was blatantly lifted from Putin’s autocratic playbook, there would be a great amount of symbolic significance in using this as one of the first olive branches extended to Hungary’s European partners.

Whether this is likely to happen, however, remains open to question. Magyar was conspicuously silent on LGBTQI+ rights during the campaign and did not mention the issue in his victory speech, beyond pledging to rule for all Hungarians. When directly asked, he remained vague by simply emphasising that the general right to freedom of assembly should be enjoyed by everyone. At the same time, there are significant incentives for compliance which inspire hope for a change of course in Hungary on this front (including not only the somewhat distant threat of financial penalties for non-implementation, but also horizontal enabling conditions that tie LGBTQI+ rights restoration to €700M worth of frozen EU cohesion funds). Nonetheless, the offending legislation is just the tip of the iceberg when it comes to the state of LGBTQI+ rights in the country.

In the present judgment, the Court was particularly vocal, in its finding of several violations of the Charter, in stressing that laws of this kind reinforce stigmatisation of sexual identity and orientation in the public sphere, leading to hateful behaviour and fostering social “invisibility” for the marginalised communities targeted, contrary to the value of human dignity. Additionally, it also reaffirmed, in light of its previous jurisprudence, that MS have “a positive obligation to ensure respect for everyone’s right to develop a sexual identity” (at 447). Conversely, and in line with the aforementioned reasoning as to what constitutes a freestanding breach of Article 2 TEU, the Court ruled that the Hungarian law violates said Article because it seriously and manifestly breaches LGBTQI+ rights, such as respect for human dignity, equality and respect for human rights, including the rights of persons belonging to minorities (at 556).

This is of huge importance, as it can serve as the basis to consider the broader body of anti-LGBTQI+ laws as contrary to EU law. Indeed, it is crucial to note that the case at hand is not comprehensive of all the restrictions imposed by the Orbán government on LGBTQI+ rights, and that efforts must therefore not be limited to repealing the legislation at issue. For instance, in 2018, the Fidesz government banned gender studies from state-accredited university programmes; in 2020 it banned legal gender recognition and adoptions for rainbow families. These measures, by the logic of the CJEU, fit within the pattern of persistent stigmatisation of non-cisgender and non-heterosexual persons, as well as breaching the principle of non-regression by lowering the protection of LGBTQI+ rights over time. Therefore, in order to truly comply with the spirit of the judgment, the new government should go further and repeal these discriminatory pieces of legislation as well.

Secondly, there is a long and growing list of landmark CJEU rulings that do not necessarily originate from Hungary, but are nonetheless not complied with by national authorities here, including judgments on freedom of movement and family life (Coman, V.M.A.; Cupriak-Trojan; Rzecznik Praw Obywatelskich), on legal recognition of transgender identity (Mirin; Deldits; Shipov), and on protection of human dignity for LGBTIQ+ people (Makeleio and Zougla). Without respect for these precedents, even after the repeal of the legislation at issue, the situation of LGBTQI+ people in Hungary would remain acutely precarious.

Thus, the Commission and Member States must insist on full implementation of all outstanding jurisprudence, in line with the principle of sincere cooperation, free movement, and the internal market. Generally speaking, the aforementioned line of jurisprudence – which remains mostly unimplemented also in the respective countries of origin – highlights that more is to be done to preserve not only equality, but also a harmonious legal order where all EU citizens can enjoy their EU-derived rights. This new judgment’s emphasis on human dignity sets a strong precedent, and should spur better monitoring and enforcement efforts across the Union.

Lastly, beyond Hungary, there are several member states that have emulated Orban’s so-called “LGBT propaganda” laws. Similar measures to the ones found foul of EU law in this judgment are in force in Bulgaria and Slovakia, and are currently being discussed in other MS, such as Portugal and Lithuania. This judgment should shift scrutiny in their direction, to make sure Hungary is not simply replaced by an exponentially larger number of Member States freely pursuing the same (unlawful) anti-LGBTQI+ agenda.

What to learn from this: a new standard we should be proud of and build on

This case marks a significant breakthrough in how the EU approaches violations of its founding values, and one that should serve as a template for future litigation. Firstly, this is a massive improvement from the initial line taken by the Commission at the dawn of backsliding in Hungary, moving closer to the idea of systemic infringement proceedings that clearly show a pattern of departure from the commitments at the very basis of the integration process. As argued by AG Ćapeta, it is important to frame these sorts of violations, especially those that affect a marginalised group, as a violation of a value like human dignity, which “constitutes the actual Grundnorm (basic norm) of post-World War Two European constitutionalism against the horrors of totalitarianism which denied any value of the human person.”

Equally significant is the unprecedented show of solidarity from Member States and the European Parliament. A total of 16 MS intervened before the Court, together with the EU’s democratic body par excellence, which further underlines the widespread commitment to shared values and adds a layer of democratic legitimacy and accountability to the legal process. This is an effective way to bolster the Commission’s case, while also defusing (bad faith) arguments as to EU priorities being dictated by a detached technocratic “Brussels elite”, instead proving that values matter to the vast majority of the Union.

The combination of a strong response from the Member States, the EP and the CJEU should thus inspire confidence in the Commission to bring similarly framed cases on these salient issues in the future, especially in the face of the aforementioned Member States currently enforcing anti-LGBT propaganda laws. Taking Slovakia for example, it is clear that the regression of LGBTQI+ rights operated under Fico since 2023 can satisfy the test for manifest and serious curtailment of rights amounting to an Article 2 TEU infringement – as the reforms have included halting funding for comprehensive sex-ed initiatives, removing guidelines banning forced sterilisation for transgender persons, mandating parental consent for any teaching on sexuality, denying same-sex couples legal recognition as parents, and entirely banning legal gender recognition for non-cisgender individuals. In this sense, the judgment at hand is timely and its impact should be felt beyond Budapest, at least by giving the Commission leverage to pursue cases against any government operating such deliberate curtailment of values.

As for Hungary, the first test will be whether the Magyar government will be willing to repeal the legislation which bans the Budapest Pride. This is a very time-sensitive issue, since unless the law is off the books by May 28th, the organisers will not be able to obtain the necessary permits within the required 1-month window.

Ultimately, this judgment is to be welcomed as a seminal piece of EU jurisprudence, and one that expands both the justiciability of EU values, and the protection of LGBTQI+ rights. Moreover, it should be seen as the future of values-related litigation, promoting wider accountability and clearly demarking the Union’s commitment to democratic values in the face of aspiring autocrats. At a time in which fundamental values and specifically minority rights are under attack globally, this is a powerful signal. However, it is paramount that the momentum remains strong, lest yet another powerful values-related decision remain merely a paper tiger.

Wednesday, 29 April 2026

Time to ring the Bell: Luxembourg’s Light on Pushbacks, Strasbourg’s Shadow on Pullbacks


On Frontex’s Operational Powers, Allocation of Responsibility for Fundamental Rights Violations and Fragmented Justice

 

By Prof. Jean-Yves Carlier and Dr. Eleonora Frasca

Université catholique de Louvain (UCLouvain), members of Equipe droits et migrations (EDEM)

 This is a revised version of extracts from the yearly case law column “Droit européen des migrations”, published in French in the Journal de droit européen, no. 3, March 2026.

Photo credit: Luxofluxo, via Wikimedia commons


1. The Fragmented Architecture of Accountability in EU Migration Control

The judgments of the Court of Justice of the European Union (CJEU) in Hamoudi v. Frontex (C-136/24 P) and WS and Others v. Frontex (C-679/23 P), together with the decision of inadmissibility in S.S. and Others v. Italy by the European Court of Human Rights (ECtHR), can be read as addressing a common structural problem from two different judicial perspectives: how responsibility for fundamental rights violations is allocated in a system of composite and externalised border controls. Read together, the Luxembourg rulings on Frontex’s non-contractual liability and Strasbourg’s approach to extraterritorial jurisdiction reveal, on the one hand, a tightening of accountability within the EU legal order and, on the other, a persisting fragmentation of protection under the Convention system. Their juxtaposition reveals an emerging asymmetry between pushbacks and pullbacks and highlights the risk of a fragmented landscape of remedies in a field where operational powers are increasingly shared and strategically displaced.

The CJEU confirmed the centrality of access to the territory of the Union in contemporary EU migration policy by subjecting obstacles to external border crossings to strict judicial review. Overturning decisions by the General Court that absolved the Agency from any responsibility for its border operations (T-136/22 and T-600/21), the Court contends that Frontex may incur non-contractual liability and must comply with fundamental rights obligations when exercising its powers in border control operations. The two rulings provide interpretative clarifications regarding the conditions for engaging Frontex’s non-contractual liability under Article 340(2) TFEU. Anchoring the Agency’s operational role firmly within the constitutional framework of fundamental rights, the Court redefined the division of responsibility between Frontex and Member States in joint operations (Hamoudi v. Frontex) and partially reshaped the concept of causation, clarifying the link between Frontex’s conduct and alleged pushbacks (WS and Others v. Frontex). In contrast, the Strasbourg Court did not approach joint state responsibility in externally coordinated maritime Search-and-Rescue (SAR) operations involving cooperation with Libya (S.S. and Others v. Italy).

The real challenge in the interpretation of EU migration and asylum law no longer lies in the technical refinement of positive norms. Rather, it stems from the operational choices through which the Union and its Member States implement migration control. In particular, maritime operations and cooperation with EU agencies as well as third countries’ national authorities generate complex legal questions precisely because border control activities are organised (and presented) as technical or operational, rather than as exercises of public authority with distinct legal consequences. Two structural features amplify this complexity. First, Frontex’s operational activities are embedded in a hybrid administrative framework that blurs the boundaries between Union and national competences. Second, joint operations disperse decision-making and execution across multiple actors, including third countries’ migration control authorities. In the context of pushbacks, this model of composite governance waters down the attribution of responsibility where illegal coercive practices occur. In the context of pullbacks, the expansion of controls at and beyond the Union’s external borders – through externalisation techniques – further complicates accountability.

2. Asylum Seekers’ Vulnerability Requires an Adjustment of the Burden of Proof Regarding the Damage Suffered and Caused by Frontex’s Pushbacks

In the CJEU’s own words in Hamoudi v. Frontex, a pushback operation undermines the effectiveness of judicial protection for asylum seekers who have reached the territory of the Union and it “is characterised by the significant vulnerability of the persons subject to it and by the absence of the identification and personalised treatment of those persons by the authorities” (para 88). Following the Advocate General’s Opinion and on the very basis of the Frontex Regulation, the Court clarifies the division of responsibility between Frontex and the Member States: “while Frontex and the national authorities responsible for border management have a shared responsibility […], Frontex is fully responsible and accountable for any decision it takes and for any activity for which it is solely responsible under that regulation” (para 66).

For the time being, the CJEU has adopted a substantive approach to responsibility attribution, refusing to allow operational powers to serve as Frontex’s procedural shield. The Court recalls that Article 97(4) of the same Regulation “provides – like the second paragraph of Article 340 TFEU, to which it gives a concrete expression – that, in the case of non-contractual liability, Frontex is, in accordance with the general principles common to the laws of the Member States, to make good any damage caused by its departments or by its staff in the performance of their duties. Consequently, the case-law of the Court relating to that provision of the TFEU is relevant in the present case” (para 67). Next, and most importantly, after reiterating the obligation to compensate any damage, the Court acknowledges “the need to adapt the burden of proof” in respect of that damage, adapting it to the “specific circumstances” of operations conducted by Frontex, even when carried out jointly with a Member State (paras 86 et seq.).

Unequivocally, the judgment is rooted in the constitutional framework of Article 47 of the Charter, inviting the General Court, where necessary, to make use of the exceptional measures of inquiry permitted under its Rules of Procedure “in order to guarantee [effective judicial] protection […] which is fundamental in the European Union as a Union based on the rule of law” (paras 78 and 80–84). This means that Frontex can no longer rely on the complexity of its operational arrangements nor on the intermediation of Member States to escape effective judicial review of the activities for which it is “fully responsible” (para 66). The Agency cannot claim a “de facto immunity” that would hinder “all legal action by victims of a pushback operation against Frontex” (para 105). The “full respect” for the right to an effective remedy requires an “adjustment of the burden of proof,” which, in particular, must allow applicants to limit themselves to “present prima facie evidence that that operation, in which Frontex participated, occurred and that they were present during it” (para 106). In the present case, this may consist of the applicant’s testimony corroborated by a press article concerning the pushback.

The General Court ought to have granted the requests for measures of inquiry and hearings to actively seek the evidence held by Frontex, for example by ordering the Agency to produce documents in its possession. The Court notes that, on the one hand, Frontex is “likely to possess information that is relevant for the purpose of proving the existence of pushbacks” (para 96) and, on the other hand, that that failure to cooperate by Frontex “justif[ied] the General Court’s involvement” (para 148). The standard of proof must necessarily be relaxed, considering the informational asymmetry inherent in situations of pushbacks at the borders. Operational decisions adopted by Frontex must be traceable, and the Agency’s practices – long presented as purely technical – must be acknowledged in their full legal significance (on Frontex’s growing power not matching its fundamental rights responsibility, see G. Raimondo).

3. On the Reasonableness of Asylum Seekers’ Choices in the Assessment of the Causal Link

The Court further develops the analysis of causation in light of the asylum seekers’ conduct in WS and Others v Frontex (Joint return operation). In its 2023 judgment, the General Court had taken into account numerous factual elements relating to the applicants’ conduct in order to dismiss their claim for damages. However, these elements concerned events subsequent to the refusal of entry into Greek territory and the return to Turkey, such as their departure from Turkey and their settlement in Iraq. According to the General Court, such decisions were autonomous choices, the risks and costs of which the applicants had knowingly assumed. They were, in a sense, rational choices comparable to those made by economic operators in other cases concerning the Union’s non-contractual liability. The General Court, therefore, concluded that the damage resulting from such choices could not be attributed to Frontex’s conduct, in the absence of a sufficiently direct causal link with the Agency’s actions.

At that time, we already believed that this line of reasoning was highly questionable (see our analysis in the Journal de droit européen). It characterised the subsequent conduct of the Syrian asylum seekers as “autonomous choices” and effectively neutralised the prior legal and factual constraints inherent in the asylum context. Access to the territory of the EU is not a strategic option. Without access to the territory, there can be no access to the asylum procedure. Where Frontex, through the actions of its agents – whether alone or in cooperation with those of a Member State –, unlawfully prevents access to the EU territory, those actions constitute a decisive cause of the damage consisting in the impossibility of accessing the refugee status determination procedure. Even if shared with the Member States, there is a responsibility of the Union that cannot be ignored.

Similarly, the CJEU censured the General Court’s flawed causal reasoning. The Court observed that, while an “entirely rational decision-making may be expected of economic operators experienced in the management of risks involved in the exercise of their usual activities […], such rational behaviour cannot be elevated to the rank of a criterion of general application, in particular when natural persons are concerned” (para 155). The applicants’ decision, “although not the only possible response, may be regarded as a reasonable response having regard to all the circumstances characterising that situation” (para 157, emphasis added). Such choices are not capable of breaking any sufficiently direct causal link between the conduct complained of and the alleged damage without first assessing in concreto their reasonableness “in the light of all the circumstances characterising the context in which they were made” (paras 161 and 197).

The Court thus clarifies the method for examining the causal link between alleged violations of fundamental rights committed by Frontex and the damage suffered by asylum seekers following their expulsion from Union territory. To that end, the Court provides a clear reconstruction of the obligations incumbent upon Frontex regarding the protection of fundamental rights, particularly in the context of joint return operations. These obligations include verifying the existence of “written and enforceable return decisions […] for all persons whom a Member State intends to include in such operations” (para 107), in order to ensure compliance with the principle of non-refoulement. Admittedly, the Court specifies that this obligation of verification does not automatically entail the existence of a causal link, the assessment of which “must be undertaken taking into account of all the relevant facts […] and the legal assessments required” (para 112).

Furthermore, given the joint nature of such operations, the fact that Frontex provides “technical and operational” support to Member States does not mean that any alleged violation of the asylum seekers’ fundamental rights would result exclusively from the Member State’s conduct (in this case, Greece), thereby excluding the possibility of engaging Frontex’s liability. In doing so, the Court requires a well-articulated reading of liability arising from the exercise – even in hybrid form – of the Union’s public authority, subject to full and effective judicial review.

The lesson is clear: litigation concerning Frontex cannot constitute exceptional litigation. The more autonomous capacities the Agency possesses, the more it might be held legally accountable for their exercise. Clearly defining the contours of responsibility thus becomes a central issue of EU administrative and constitutional law. The Court’s judgment reflects a firmer recognition of Frontex’s own obligations regarding fundamental rights protection and a more open approach to causation in joint operations. It stands in clear opposition to the restrictive interpretations of the conditions for engaging the Agency’s non-contractual liability adopted by the General Court in 2023.

4. On Allocation of Responsibilities for Fundamental Rights Violations and Competences?

One can only endorse these two Frontex rulings, which hold the EU agency accountable for its actions. That is not to say that assessing their consequences will be straightforward. As the cases have been referred to the General Court following the annulment of its original decisions, the concrete analysis of causation, damage and compensation for the harm suffered remains open. However, it cannot be denied that the Court’s reasoning leads to a certain shared responsibility between the Member States and the EU agency. Could this division of responsibility result in joint and several liability (in solidum) of all the actors for the entirety of the damage? The question is not definitively settled. Advocate General Tamara Ćapeta devoted a fairly extensive analysis to this issue in her Opinion in WS and Others. Limiting herself on this point to examining causation, she nevertheless suggested that “in situations in which both Frontex and Member States share obligations in joint return operations, Frontex can be held liable for damage caused by the breach of such obligations, even if a Member State can be liable in parallel for the same damage” (para 93). Her reasoning drew on a possible analogy with the joint liability of another EU agency, Europol (Kočner v. Europol). In the case of Europol, it might be difficult a posteriori for a person harmed by an abusive alert to determine whether the source was the EU agency or a Member State. In contrast, with Frontex there would be, in a sense, a priori responsibility on the part of each actor – both the State and the Agency – each being fully required to prevent any serious violation of fundamental rights. Both scenarios could lead, in similar fashion, to joint and several liability.

However, the CJEU held that the plea alleging possible joint and several liability was inadmissible on the ground that it had not been raised before the General Court (WS and Others, paras 80–89). Consequently, at least in the cases at issue, it is highly likely that – not least because of the division of competences – separate findings of liability will be made corresponding to each actor’s share of responsibility. This latter scenario could generate complex litigation, leading to parallel proceedings before Luxembourg and Strasbourg. In his commentary on the two judgments, Johan Callewaert highlights their systemic significance for protection under the European Convention on Human Rights (ECHR). The complex cooperative frameworks of a hybrid administration (such as joint operations) create new situations from the ECHR perspective. Certain actions carried out on the territory and under the jurisdiction of Member States, but by EU agencies such as Frontex, result in fragmented Convention protection: “patchwork coverage”. Some actions would remain covered by the Convention when attributable to national authorities, whereas those attributable to EU bodies would escape it and fall instead within the jurisdiction of the EU courts, with the result that the ECtHR would no longer be able to hold a State liable for the entirety of the damage arising from a joint operation. In other words, while the 2025 Frontex case law shed some light – by reducing the grey areas regarding EU liability – it also cast a shadow, as any light does, in this case concerning the extent of damage that the ECtHR may attribute to the responsibility of States. The way out of this paradox would, of course, be the completion of the EU’s accession to the ECHR. Yet that prospect still appears remote.

5. Non-Justiciability of Human Rights Violations Arising from the Coordination of Search-and-Rescue (SAR) Operations at Sea

While the evolving case law concerning Frontex has led the two European courts – Luxembourg and Strasbourg – to review, concurrently if not jointly, compliance with fundamental rights in pushback operations at the borders, for the time being, so-called pullback operations still escape review by the Strasbourg Court. Even if the ECtHR emphasised that “entering into bilateral agreements on migration with third States has the effect of placing extremely vulnerable individuals at serious risk of infringements of their fundamental rights” (S.S. and Others v. Italy, para 110), such arrangements do not automatically bring those individuals within the jurisdiction of a Contracting State for the purposes of the Convention, thereby limiting access to Strasbourg protection.

The inadmissibility decision delivered in S.S. and Others v. Italy reveals the limits of Convention responsibility in the face of the EU policy of delegating migration control, including maritime control, to third countries. The involvement of EU Member States in SAR operations in the Mediterranean cannot be understood without reference to the central role entrusted, for more than a decade, to the border coast guards of third countries such as Libya or Tunisia. In the absence of an integrated EU SAR programme, the Union and its Member States have progressively externalised the management of SAR obligations, while adopting an increasingly restrictive approach toward humanitarian operations conducted by non-governmental organisations (NGOs). This development has been accompanied by financial, material and operational support to third countries: provision of vessels, training, technical assistance and the establishment of a coordination centre (on this topic see E. Frasca). Although the strengthening of SAR capacities in these countries is officially carried out in the name of saving human lives, it is structurally linked to the objective of preventing irregular Mediterranean crossings into the EU territory.

By relocating such actions, externalisation also makes it possible to shield these practices from scrutiny under the obligations arising from the ECHR. Yet this strategy unfolds in a context marked by interceptions at sea that systematically expose migrants to serious violations of their fundamental rights, including treatment contrary to Articles 2 and 3 of the Convention. Like the cases concerning Frontex before the CJEU, S.S. and Others v. Italy raises the issue of the dilution and segmentation of the exercise of powers and, consequently, of responsibilities in the conduct of SAR operations at sea. The Strasbourg Court confirms that its jurisdiction over extraterritorial actions of Contracting States remains exceptional. To fall within its jurisdiction, such extraterritorial actions require the establishment, in the control exercised over individuals, of a direct link with the respondent State. In this way, a dissociation occurs between factual causation and legal attribution, creating a procedural obstacle that is practically insurmountable (on this topic, see C. Ryngaert). In the present case, the Court held that the financial, logistical and operational support provided by Italy to strengthen the capacities of the Libyan coast guard does not, absent effective control or direct operational direction, amount to sufficiently decisive influence to trigger jurisdiction within the meaning of Article 1 of the Convention. In doing so, it effectively casts a veil of ignorance over any responsibility of a Contracting State under the ECHR. Any notion of indirect, functional, or remote control is rejected, even where the risks faced by the persons “rescued” at sea – only to be returned to Libya and subjected to torture and inhuman treatment that has been widely documented – are fully known.

Conclusion: A Rebuttable Presumption Grounded in Prima Facie Evidence

Rulings on matters of access to the EU territory are likely to become more and more significant, signalling a new focus not only by Member States but also by national courts and, consequently, by the CJEU and the ECtHR, on the control of the Union’s external borders and their harmful consequences for asylum seekers. The ECtHR’s inadmissibility decision may be read as consistent, confirming the Court’s settled case law on extraterritorial situations (Banković, Al-Skeini, M.N. v. Belgium). It may also be read as a retreat from an evolutive interpretation of fundamental rights in light of today’s conditions. Indeed, a well-established case law recognises indirect responsibility or secondary accountability (par ricochet) in cases of extradition or refoulement, and this restrictive interpretation of jurisdiction refuses to adapt this case law to the reality and contemporary transformations of migration control. There is a middle ground between the frequently criticised slippery slope of judicial overreach whereby Courts are deemed overly protective and the equally problematic territorial lock that shields fundamental rights violations of a serious nature from scrutiny. The middle ground advocated here may appear modest: a rebuttable presumption grounded in prima facie evidence. However, it is precisely in such narrow interpretative openings that the protection of fundamental rights may evolve, by adapting interpretation to the context – a context marked, on the one hand, by situations of extreme vulnerability and, on the other hand, by elements such as bilateral agreements and conspicuous funding which make it possible to presume a genuine link between the contested acts and a Contracting State.
Just as the Luxembourg Court has done with regard to Frontex, the Strasbourg Court would be well advised to accept that prima facie evidence gives rise to a rebuttable presumption (juris tantum) requiring the Contracting State to produce evidence capable of rebutting responsibility through facts and documents that would exonerate it. “There’s a crack in everything. That’s how the light gets in”, sang the poet Leonard Cohen. In the present context, we believe that European courts and judges must now more than ever try to maintain a balance. That crack is the space within existing doctrine, mindful of the rights of the individuals concerned, that allows Courts to remain faithful to their jurisdictional frameworks while adapting to new realities of migration control.