1 Introduction

In recent years, the functional value of design has gained increasing relevance in regulatory governance theory, leading to what is generally referred to as ‘Regulation By Design’ (henceforth RBD). The entry of design into these regulatory discussions follows a theoretical transition from a passive, essentialist view of regulation, which presents regulation as a set of rules enacted and enforced by the state (Baldwin et al., 1998; Hood, 1983), to an active, functionalist view, which presents regulation as having purposes beyond simply enforcing the law (e.g., modifying behaviour), thus expanding its scope to include additional mechanisms and actors (Black, 2001). Functional design has come to be viewed as a critical component of effective regulation because design can act as (a) another regulatory modality that provides constraints and affordances to regulatees, alongside law, markets, and community norms (Lessig, 1998, 1999); and (b) an enabler and facilitator of the regulative function of other regulatory modalities, such as the law (Reidenberg, 1997).

Murray and Scott have analysed the regulatory modalities that stem from the functionalist view in a framework comprising four categories of control – hierarchical (e.g., law), community-based (e.g., community norms), competition-based (e.g., markets), and design-based (e.g., code) – and three forms of control – standard setting, information gathering, and behaviour modification (Murray & Scott, 2002). These regulative modalities operate interrelatedly (Leenes & Lucivero, 2014). Design can be incorporated in the process of regulation by law, for instance, by outlining design-based requirements for organisations and designers, as well as after the implementation of regulation by law, for example, in developing a new technology product that modifies the behaviour of users by design.

RBD has become a widespread practice – for example, it informs the General Data Protection Regulation (GDPR) (Floridi, 2018) and the AI Act – and a research field with a growing body of scholarly work. However, a critical analysis of this burgeoning literature, its core themes, and its influence on the development of the RBD concept is still missing. This is the gap we address in the following pages, by reviewing the literature on RBD in the context of digital technologies. We focus on digital technologies because of the inherent synergy between RBD literature and technological design.

The article is structured as follows. In section two, we elaborate on our methodological approach. In section three, we describe the core constituting features of RBD. In section four, we integrate and analyse these features to identify three types of RBD practices. In section five, we review the challenges and the limitations of these types of practices. In section six, we explore the future directions in the governance of RBD, as identified in various strands of scholarship. In section seven, we summarise our analysis and conclude the article by highlighting the study’s limitations and suggesting areas for further research.

2 Methodology

Our literature review is based on the qualitative thematic synthesis methodology (Grant & Booth, 2009; Thomas & Harden, 2008). We begin by identifying the key features that define RBD. This involves an in-depth review of selected literature to pinpoint and list these features. In our case, the list includes: goals, regulators, regulatees, methods, and technologies of RBD. Next, we integrate, compare, and synthesise the individual analyses from qualitative studies in our sample, looking for intersectional features and constructing new themes. The first step has a descriptive function. The second step generates new interpretative constructs or explanations and focuses on the practices of RBD, the limitations of those practices, and related governance implications.

The question addressed is how to categorise and integrate the core conceptual and normative features, the practices, the limitations, and related governance implications of RBD. To answer this question, we select a sample of the literature from three databases, namely Scopus, Web of Science, and Google Scholar. In Scopus and Web of Science, we used the following search criteria: ‘(regulation* “by design” OR governance* “by design” OR law* “by design”) AND (technology* OR “artificial intelligence”)’ in title, keywords, and abstracts. In Google Scholar, we searched for ‘regulation OR governance OR law “by design”’ in the title, due to the differences in the search engines. As of December 2023, these criteria yielded 124 results in Web of Science, 435 in Scopus, and 218 in Google Scholar. We first excluded duplicates and inaccessible articles. Then, we scanned the titles and abstracts to assess and select the relevant articles for the review. Our main assessment criteria were language (only articles in English) and proximity to the relevant topic (only articles that referred to ‘design’ or ‘by design’ in the context of RBD). Consequently, our selected sample consisted of 174 articles. Some potentially relevant articles may not be included in our sample. A thematic synthesis review does not require an exhaustive collection of relevant articles but only a sample that is sufficiently representative to expect other relevant articles to fit with the results of our review work (Thomas & Harden, 2008, p. 3).

3 Regulation by Design: Goals, Regulators, Regulatees, Methods, and Technologies

Before presenting our review, two clarifications are in order. First, when discussing RBD, scholars address goals, regulators, regulatees, methods, and technology from two distinct perspectives: Governance, Ethical, Legal and Social Implications (GELSI) or Computer Science and Engineering (CS). These two approaches inform and influence each other, but as we shall see below, they also frequently diverge.

Second, RBD in the literature refers both to the forward-looking, constructionist role of design in the making of an artefact, which may be termed ‘design ad rem’, and to the regulative effect of design in an environment, which can be intended or unintended and may be called ‘design in re’. For example, designing smart grids to modernise and improve their efficiency, reliability, and sustainability (design ad rem) may have the intended effects of reducing carbon emissions and promoting clean energy (design in re). However, this design ad rem may have unintended design effects in re, resulting in harm to the privacy and security of personal data. In what follows, we shall use this terminology whenever it helps to avoid confusion.

3.1 The Purpose and Goals of Regulation by Design

According to the reviewed literature, the purpose of RBD concerns the regulative goal that design ad rem aims to fulfil. Although 20 different regulative goals are advanced in the literature, the most common goal for RBD processes is privacy (89 papers), followed by data protection (28 papers).

This variety of goals in the literature reveals differences in levels of abstraction (Floridi, 2008). Some papers refer to high-level goals such as democracy, human rights, and the rule of law. Others refer to more granular, low-level goals such as contestability, explainability, and security (Table 1). The distinction between high- and low-level goals represents the granularity of analysis and the degree of practicality that we observe in the papers where those goals are discussed, with low-level goals linked to more practical and technical measures.

Table 1 Levels of goals

Given the distinct disciplinary backgrounds of GELSI and CS, it is no surprise that their approaches to the goals of RBD differ. GELSI scholars focus extensively on high-level goals, branching into two main viewpoints. The first promotes the advantages of design ad rem, while the second critiques the shortcomings of design in re. For instance, some research highlights the positive impact of focusing intentionally on the design of technologies, such as those deployed in smart cities, in achieving specific policy purposes like improving sustainability and participation in democratic processes (Helbing et al., 2021). Similar studies emphasise that the values of the rule of law, democracy, and human rights must be embedded in the design of technologies (Nemitz, 2018; Yeung et al., 2019). Conversely, a more critical stream of scholarship argues that the effects of rigid, compliance-oriented design solutions may often lead to reduced legal protection (Hildebrandt, 2015; Mulligan & Bamberger, 2018; Pagallo, 2012).

The CS literature typically focuses on low-level goals. Scholars have formulated methodologies for embedding privacy by design (Karim & Rawat, 2022; Thapa & Camtepe, 2021; Zalloum & Alamleh, 2020), for transparency by design (Schufrin et al., 2020), and for security by design (Tareke et al., 2018). Privacy by design often involves data protection and security because the solutions entail minimising data use (Conte et al., 2022) and making data more secure (Toli & Preneel, 2018), less accessible and less widely distributed (Zalloum & Alamleh, 2020).

In summary, although there is significant overlap between GELSI and CS scholarship, the GELSI literature focuses more extensively on high-level goals, for which they promote the need for design ad rem solutions without advancing detailed measures. When focusing on design in re, GELSI scholars adopt a critical approach to compliance-oriented solutions, underscoring their risks. CS scholarship, conversely, tends to focus more on low-level goals, and advances operational solutions for design ad rem.

3.2 Regulators of Design

Regulators are agents that perform RBD (Table 2). Designers are the most frequently discussed regulators in the literature (103 papers). They occupy various roles within the practice of design. Designers may be system architects, UX/UI designers, front-/back-end developers, DevOps, testers, etc. CS papers are responsible for most of the attention on designers, as they explore how designers regulate the behaviour of the technological system or the end user. The second most commonly examined regulators are policy-makers (36 papers), who use design and by-design solutions to advance public goals or supervise the implementation of legal by-design solutions (Nemitz, 2018; Yeung et al., 2019). Policymakers are more present in the GELSI literature. They occupy various roles that pursue a public interest, including legislators, civil servants, and non-governmental actors.

Other papers refer to structures that combine agents with a public interest and agents with a private interest, both acting as regulators. These papers usually focus on hybrid governance structures such as standardisation bodies (Kamara, 2017; Miettinen, 2021).

In addition, businesses and other economic operators (that is, organisations) have a role in RBD, even more so because of Article 25 of the GDPR, which obliges organisations, and not designers, to introduce technical solutions for data protection by design (Hildebrandt & Tielemans, 2013). The structures within organisations may support or inhibit the implementation of goals like privacy by design (Levin, 2018). Simultaneously, structures between organisations, such as market-based competition, may prove useful in incentivising the implementation of RBD goals within organisations (Grafenstein, 2019).

Table 2 Regulators of design

3.3 Regulatees of Design

Regulatees are patients (Floridi, 2013) who receive the effects of RBD (Table 3). Most contributions to the literature cast individual users as regulatees (73 papers). The GELSI literature focuses more on individual users, clarifying that design affects the choice set of users (Yeung, 2017), and the legal safeguards available to them (Hildebrandt, 2015). Often, technology itself is seen as an immediate regulatee (64 papers), since the design parameters essentially delineate the scope and limitations of a technological system’s behaviour (Farshid et al., 2019). This view is at the fore of CS papers. Viewing technology as a regulatee implies that the immediate goal of RBD ad rem is to modify the behaviour of the technological system. In turn, such RBD ad rem affects users in re. Other types of regulatees refer to different levels of users, including society as a whole, both individuals and society, and all levels of users.

A separate set of contributions focuses on organisations and designers as receivers of legally mandated design obligations. In the case of organisations, the literature refers mostly to legal design obligations imposed on organisations about their role in the implementation of by-design solutions (Hornung, 2013; Tatar et al., 2020). Regarding designers, the literature discusses them as regulators by referring to legally mandated requirements that fall on them or how designers are affected by other existing designs and their regulative effects (Almada, 2019; Kroll, 2018).

Table 3 Regulatees of design

3.4 Methods of Regulation by Design

Design performs its regulative function through various methods, which can be grouped into the following three categories: hardcoding requirements, softcoding requirements, and assessment criteria. First, hardcoding (Koops & Leenes, 2014) entails designing rigid and inflexible rules that affect user behaviour and technological systems. Hardcoding requirements in the CS literature focus primarily on privacy and data protection goals. They aim at the protection of information. This approach manifests in technical solutions for data security, which can be centralised or decentralised. Such techniques are not intended to accommodate contextual variation, and their main strength is the possibility of (almost) automatic execution. Some examples of hardcoding from the reviewed sample include anonymisation (Campanile et al., 2021; Kühl et al., 2021; van Haaften et al., 2020), pseudonymisation (Conte et al., 2022; Kayem et al., 2021), data obfuscation and de-identification (Berg et al., 2021; Martinelli et al., 2020), and encryption (Karim & Rawat, 2022; Toli & Preneel, 2018; Vizitiu et al., 2019).

Second, softcoding (Tamo-Larrieux et al., 2021) is based on rules sensitive to the context, offering more autonomy and choice to the users (Koops & Leenes, 2014; Pagallo, 2016). Focusing primarily on privacy and data protection goals, softcoding methods aim at the provision of information, thus enabling users to have control over their privacy. The most common examples of softcoding include visual presentation interfaces that enhance user choice (Schufrin et al., 2020; Vasylkovskyi et al., 2021), consent-based frameworks (Agbo & Mahmoud, 2020; Khalid et al., 2023), and privacy self-management (Lobner et al., 2021).

Hardcoding and softcoding requirements are methods of design ad rem because they dictate how a system should be built for a specific goal. It is also possible to rely on assessment criteria, which form the third category of methods. Assessment criteria evaluate the risk and impact of a design on those who are or may be affected by it, known as regulatees. These threats may originate from the system’s functioning or from contextual factors external to the system, such as the market structures on which the system is deployed. Some ancillary risks may also originate from the regulation itself, for instance, by imposing onerous obligations on developers, thereby discouraging innovation (Novelli et al., 2023b). Risk assessments are one example that features prominently in the literature on RBD (Bouchaut & Asveld, 2021). The other examples include data protection impact assessments (Miettinen, 2021; Papamartzivanos et al., 2021), and other types of impact assessments (Nemitz, 2018). Assessment criteria are used both in design ad rem, to evaluate the potential risks of the artefact during its design, and in design in re, to assess the impact of the artefact after it is made available for use.

Most of the literature focuses on requirements, with hardcoding (41 papers), softcoding (28 papers), or a combination of the two (32 papers) present in the majority of the papers that we reviewed. Only a minority of those papers examine the use of assessment criteria (22 papers). The remainder either discuss no specific RBD method or examine both requirements and assessment criteria (Table 4).

Table 4 Methods of regulation by design

The GELSI and CS literature differ in their approach to the methods of RBD. CS papers focus mainly on requirements and only marginally on assessment criteria. The opposite is true for GELSI papers, in which assessment criteria dominate. This stark contrast between the perspectives underscores the methodological challenges for interdisciplinary research and accentuates the need for a closer alignment between the perspectives.

3.5 The Technology of Regulation by Design

The literature on RBD treats the underlying technology either as a target, where it acts as a passive recipient of regulation, or as a tool, where it serves as a solution to achieve regulatory goals. The treatment of technology as a target includes cases when the technology is the immediate regulatee and when RBD focuses on the designers of that target technology.

The literature tends to refer to technology as a general target (37 papers), which entails an acontextual approach to RBD. This phenomenon is more present in GELSI papers. When the literature is more specific, it tends to focus on advanced forms of AI/robots, with a particular focus on healthcare applications. The most common types of target technologies are big data analysis (23 papers), healthcare AI/robots (14 papers), autonomous decision-making systems (ADM; 12 papers), and the Internet of Things (IoT; 11 papers). The literature reveals as many as 36 types of target technologies; however, in Tables 5 and 6, we list only the most cited types.

Table 5 Technology as a target of regulation by design
Table 6 Technology as a tool for regulation by design

When technology is used as a solution for RBD goals, the most popular tools are blockchain (including smart contracts) and PETs (including encryption and anonymisation) (Table 7). Although there may be papers focusing on one specific tool of technological regulation (Hine et al., 2023), most highlight a range of different options (e.g., Guggenmos et al., 2020; Kühl et al., 2021; Posea et al., 2020). The GELSI and CS literature reveal essential differences in this case, too. GELSI papers either omit the discussion on the specific tool that is used for RBD, or they tend to focus on risk or impact assessments (Nemitz, 2018; Novelli et al., 2023a). Conversely, CS papers tend to be more explicit about the technology used for RBD, focusing primarily on blockchain and PETs.

4 Integrating the Features of Regulation by Design: A Typology of Practices

As the previous section revealed, the current literature highlights the multifaceted nature of RBD. Goals, regulators, regulatees, methods, and technologies differ widely. Table 7 contains a structured view of the features that comprise RBD as a phenomenon.

Table 7 The features of regulation by design

Such a structured view of the features of RBD can be instrumental in distinguishing different types of practices within the broad concept of RBD. These practices are formed not only by how they combine the various features of RBD, but especially by the perspective through which they approach the goal of RBD. In our review, we observed that the literature approaches the goals of RBD, whether high- or low-level, based on two distinct perspectives: compliance and value-based.

According to papers analysing the goals of RBD from the compliance-based perspective, a goal, much like a rule or a standard, entails a formal checklist of requirements. For example, the fulfilment of privacy is often equated with compliance with the GDPR rules for consent (Campanile et al., 2021; Metallidou et al., 2020). In contrast, according to papers analysing the goals of RBD from a values-based perspective, a goal entails any attempt to use design to increase a specific value within the regulatory system. To some extent, value-based approaches view goals as principles, which are norms to be realised proportionally, to the fullest extent possible (Alexy, 2000). For instance, when viewed as a value, advancing the goal of privacy may entail design choices that broaden the range of options for individuals (Pagallo, 2016). Not all the goals of RBD are subject to these two distinct perspectives; some are endemic to one. For instance, legality is a compliance-based goal, whereas legal protection has a value-based background. Other goals, such as privacy, data protection, ethics, or fairness, are subject to treatment from both perspectives.

By integrating the structured view of the features of RBD with the types of perspectives on the goal of RBD, we can distinguish at least three types of RBD practices: compliance by design, value creation by design, and optimisation by design.

The first type, compliance by design, approaches any goal of RBD as a formal checklist of requirements. Consider, for example, design solutions prohibiting users from uploading illegal content on a platform. The application aims at legality as a goal, uses hardcoded requirements as methods, with designers as regulators, users as regulatees, the platform as a target, and machine learning as a tool that detects illegal content. Depending on the example, some of the features may change; compliance by design may also rely on softcoding requirements, such as nudging. However, the static features of compliance by design are users as regulatees and a compliance-oriented approach towards the goal of regulation.

The second type, value creation by design, is oriented towards design solutions that aim to increase a specific value in the regulatory system. An example is the use of graphic design patterns that streamline information, making it more accessible and interactive so that users can understand and use it. This application may have privacy as a goal, softcoding requirements as a method, designers as regulators, users as regulatees, cookie banners as targets, and graphic design patterns as tools. The application pursues privacy as a value by improving the provision of information that users may use for their privacy protection. The two static features of value creation by design are users as regulatees and a value-oriented approach towards the goal.

The third type, optimisation by design, is oriented towards compliance of the technological system with a particular standard, which is the goal of RBD. It is similar to compliance by design, except that the regulatee is the technological system, rather than the user. Consider anonymisation techniques. The pursued goal is privacy, utilising hardcoded requirements, with designers as regulators, technology as regulatee, applied to healthcare robots as a target, using anonymisation as a tool. This type of practice strives to optimise the behaviour of the technological system through a compliance-oriented approach. The two static features of optimisation by design are technology as a regulatee and a compliance-oriented approach towards the purpose of RBD.

Dissecting the types of practices through which RBD is applied helps us understand its criticisms more specifically. Instead of seeing these criticisms as objections to the whole concept, we can view them as objections to specific features or practices. For example, RBD has been criticised for being too rigid (Pagallo, 2021) and inflexible (Mantelero et al., 2020), for restricting user autonomy (Yeung, 2017), and for interfering with the rule of law (Hildebrandt, 2015; Brownsword, 2016). These criticisms proceed from the premise that RBD is directed at ensuring user compliance. As a result, they criticise a specific practice of RBD, namely compliance by design. This critique has led some scholars to call for designs that consider values, like fairness or privacy, instead of just enforcing rules efficiently (i.e., value-based and value-sensitive design) (Flanagan, 2018; Hildebrandt, 2011), which may be understood as a call for value creation by design.

If adopted, this typology introduces more nuance into current debates in the literature on RBD, such as the one that revolves around comparing compliance by design to value creation by design. In the following sections, we employ these distinctions to clarify RBD’s diverse challenges and future directions.

5 The Challenges and Limitations of Regulation by Design

Thus far, we have examined the features and practices of RBD. However, many challenges and limitations undermine the potential of these practices for achieving regulatory purposes effectively. In this section, we will present a synthesised account of the challenges identified in the literature.

RBD faces three types of challenges. They stem from risks associated with compliance by design, contextual limitations, or methodological uncertainty.

As an attempt to alter user behaviour that approaches the goal of regulation through compliance and focuses on users as regulatees, compliance by design poses several risks related to individual agency. This mode of RBD may reduce tolerance (Floridi, 2016), infringe on the autonomy of individuals (Pagallo, 2012), and violate the rule of law (Hildebrandt, 2015). Compliance by design can rely on hardcoded or softcoded rules. For instance, if policymakers wish to guarantee that drivers comply with the legal speed limit, they may use RBD in the shape of speedbumps (hardcoding) that force the driver to slow down. Alternatively, they may use nudging (softcoding) by equipping speed limit signs with digital displays that leverage social and emotional cues, i.e., when a driver obeys the speed limit, a smiley face is displayed, as opposed to a frowning face displayed in the opposite case. The challenges that using hardcoded rules engenders appear graver because those rules are inflexible and acontextual (Lederman et al., 2016). In our example, speedbumps perform their regulative function on a reckless driver and an emergency vehicle alike (Floridi, 2016). However, softcoding techniques can also considerably impact individuals’ autonomy (Schmidt & Engelen, 2020). On the whole, compliance by design is liable to systemic harm (Zalnieriute et al., 2020), particularly because public actors, including the courts, may lack the expertise to exercise their typical supervisory functions in this domain (Mulligan & Bamberger, 2018).

A second challenge relates to contextual limitations, which manifest in one version of value creation by design. That version prioritises providing meaningful information to empower individuals to exercise their rights and self-determination. This orientation is reflected in frameworks like pro-ethical design (Floridi, 2016), privacy self-management (Agbo & Mahmoud, 2020), or consent management (Calani et al., 2021), which aim to enhance the quality and the quantity of the information that is provided to users. Such reliance on information provision sets unrealistic expectations in contexts where (a) frequent expressions of consent are needed or (b) information complexity is high. Cookie banners, known to induce consent fatigue, are a salient example of settings where information provision fails to deliver on its objectives (Choi et al., 2018). The problem of complex information is exemplified by ADMs (Prifti et al., 2023). Individuals may lack knowledge of the intended use of information or fail to grasp it. Even if they are informed and knowledgeable, they may not possess the resources, e.g., time and money, necessary to use the information to their advantage (Yeung, 2017). These problems are exacerbated by the various power imbalances in the relationship between organisations and individuals. Organisations generally seek to extract information. Individuals, conversely, are assumed to be interested in protecting their rights and ensuring that organisations comply with the law. These expectations are often based on the information provided to individuals by those same organisations (Rommetveit et al., 2017; Finn & Wadhwa, 2014). 
Such a burden imposed on individuals results in misalignments between design ad rem, where the system is intentionally built so that information provision and user controls enhance legal protection, and design in re, where contextual factors like information overload, ignorance about how the provided information can be used, and resource scarcity compromise the effectiveness of legal protection.

The third challenge for RBD is the methodological and epistemological problem of operationalising open-ended normative concepts (e.g., ethical principles) into workable solutions for design ad rem. Translating values into engineering solutions is not straightforward (Koops & Leenes, 2014; Tamo-Larrieux et al., 2021). Designers enjoy a margin of discretion in redefining the concepts through implicit and explicit decisions (Rommetveit et al., 2017; Rommetveit & van Dijk, 2022). For example, we may consider the design of digital twins, which are virtual representations of a physical system that help improve decision-making over that system by testing different scenarios without affecting the physical system. Digital twins are used, among other contexts, for wind turbines’ safety, reliability, and optimal efficiency (Solman et al., 2022). While designing digital twins, designers must translate the themes of the physical system into the virtual representation. However, some themes may be represented inadequately or incompletely. In the case of designing digital twins of wind turbines, landscape considerations were reduced to a single theme of ‘visual impact’. As a result, these methodological choices impacted the decision-making for wind turbine governance, since the governance decisions were based on the visual representation embodied in digital twins (Solman et al., 2022).

This methodological challenge generates legitimacy concerns on the input, throughput, and output levels (Schmidt, 2013). Input legitimacy pertains to the inclusiveness and representativeness of the stakeholders involved in the decision-making process. Concerns arise when users and other affected groups are not adequately involved or represented during critical stages of the design processes where methodological choices are made. Throughput legitimacy concerns the transparency and accountability of the design processes, that is, when decision-making is not transparent or when those responsible for the choices are not held accountable. Output legitimacy concerns the effects and effectiveness of the RBD. Problems occur when the methodological choices made during the design ad rem stage have an unjust or undesirable effect on users in re.

6 Digital Governance: Future Directions in Regulation by Design

The three challenges and limitations highlighted in the preceding section hinder the potential and may compromise the intended effects of RBD. Fortunately, they can be overcome, or at least mitigated, through Digital Governance, which is the practice of implementing policies, procedures, and standards for the proper development and management of the infosphere (Floridi, 2018). Digital Governance, thus, may account for the regulative function of design and steer the practices of RBD.

Depending on the nature of the actors, governance can be private, public, or hybrid. RBD may be embedded in private governance structures through self-regulatory measures. The literature has explored how organisations can effectively integrate by-design solutions into their structures (Picker, 2011). Two recurring themes are the need for senior managers to support privacy assimilation processes (Attili et al., 2022) and for general internal support, which need not take the form of establishing a privacy office (Levin, 2018). Despite their limited function, market-based, self-regulatory mechanisms are insufficient, necessitating public governance involvement (Bygrave, 2022; Hornung, 2013; Nemitz, 2018).

Public governance solutions, such as legislation and administrative policies, can oblige and guide designers and organisations to implement by-design solutions (Hildebrandt & Tielemans, 2013; Hornung, 2013). Public agencies should enforce the resultant legal requirements (Nemitz, 2018; Yeung et al., 2019). Based on the reviewed literature, we suggest considering two approaches: extending the supervisory functions of public bodies and enabling participation. First, public bodies must evaluate the extent to which legal and ethical principles are reflected in the design of technological systems (Yeung et al., 2019). This form of oversight may help mitigate the risks arising from compliance by design and the limitations of information-provision frameworks identified on the preceding pages. Oversight competencies are usually allocated to data protection authorities (DPAs), which need not be the case (Brown, 2014). It may be desirable to rely on other public actors, such as the courts (Bygrave, 2022; Vivarelli, 2020). Additionally, broader public oversight may take the form of third-party auditing, which may further facilitate the oversight by public institutions (Raji et al., 2022). Second, the participation of users and interested stakeholders from the broader public may support the goals of public governance (Helbing et al., 2021; Lederman et al., 2016; Miettinen, 2021). The literature has underscored the importance of collaboration with different stakeholders when making design decisions (Bouchaut & Asveld, 2020, 2021; Brown, 2014). Specifically, regulatory sandboxes can enhance stakeholder participation by allowing the affected and interested groups to provide input into the design of technologies (De Filippi et al., 2022; Kera, 2020).

Hybrid governance, characterised by the involvement of public and private actors, is also relevant for RBD practices (Van Cleynenbreugel, 2019). The EU prefers hybrid governance for its product safety regulation; requirements are outlined in EU law and then specified during European standardisation (Weatherill, 2013), a strategy also employed in formulating the AI Act (2021). The principal advantages of hybrid governance are linked to broader expertise and enhanced flexibility (Joerges et al., 1999), which are useful in technical and highly dynamic domains such as RBD. Furthermore, hybrid governance can incentivise organisations to innovate and gain a competitive advantage (Gottardo et al., 2021; Grafenstein, 2019). However, the legitimacy of hybrid governance is often questionable. Private actors use their expertise in standardisation to advance their private interests (Kamara, 2017; Mulligan & Bamberger, 2018; Van Cleynenbreugel, 2019), which can undermine the normative requirements of public governance (Almada, 2023; Veale & Borgesius, 2021). Furthermore, the technical know-how that RBD requires is still being accumulated, and best practices are yet to crystallise (Burkart & Huber, 2021). Consequently, there is an epistemic gap between the objectives of governance and the technical state of the art, which may lead to regulatory uncertainty.

Regulatory uncertainty requires more interdisciplinary work, both in research and policymaking. Specifically, we believe a closer alignment between GELSI and CS scholarship is needed. In the current landscape, while authors from these two fields do refer to each other’s work, their analyses are not sufficiently integrated. For instance, GELSI scholars highlight the practical and contextual limitations of information-provision frameworks; however, the implications of their findings have not been fully internalised in the CS literature. Closer alignment between GELSI and CS studies should enable a shift from compliance and optimisation by design, which are paradigmatic in the CS literature, to value creation by design, which is more prominent in GELSI scholarship. Likewise, the GELSI literature should reflect the technical reality that the CS literature describes. Firmer grounding in design ad rem and a more acute awareness of technical developments are needed in governance. Such an alignment between the two perspectives may contribute to evidence-based policymaking by formulating experimental methods that require cooperation between policymakers, technical experts, and stakeholders (Sucha & Sienkiewicz, 2020).

7 Conclusions

In this article, we provided a qualitative thematic synthesis of RBD as advanced and developed in the extant literature. We focused on its conceptual, normative, and applied elements. We first developed a structured view of the many features characterising RBD, which enables more granular analyses of the concept and more nuanced distinctions between its different applications and related criticisms. We then reviewed and highlighted the challenges that regulators and policymakers must approach carefully and precisely, before exploring digital governance implications and future directions of RBD.

The scope of our study limits the results of this article. We have reviewed only works in the English language published no later than 2023 and have conducted the literature review of RBD based on search terms that contained combinations of ‘by design’ with ‘regulation’, ‘governance’, or ‘law’, in the context of digital technologies. As a result, some contributions may not have been captured by the search design choices and may have been overlooked, such as those focusing on RBD without a clear reference to the research field. Further research may offset these limitations by expanding the search terms and scope of the review.

The analysis and results presented in this article aim to enable further, more granular analyses of RBD. First, we aim to guide further research that focuses on specific practices of RBD, whether that research advances a new solution or criticises existing practices. Second, by exposing the methodological gap between GELSI and CS scholarship in their treatment of RBD, we hope to initiate a closer alignment and more interdisciplinarity between these two perspectives. Such alignment is valuable to both perspectives, considering that, as discussed in the preceding pages, the risks and challenges associated with RBD span multiple disciplines, necessitating interdisciplinary approaches and solutions. Third, by exploring and categorising the available technical solutions, we hope to guide policymakers to account for and steer the practices of RBD. In this regard, we believe that more space is required for the role of public institutions in overseeing and steering the practice of RBD. For example, public institutions may guide and support the alignment between GELSI and CS scholarship by allocating research funds for projects that combine scholars from the two perspectives. They may also steer the practices of RBD by mandating or incentivising particular design solutions that better support public goals. Finally, assuming these three recommended developments materialise, we anticipate RBD solutions to transition from compliance and optimisation by design towards value creation by design. Compliance and optimisation are requirements, often mandated by law, but pursuing value creation by design enables private regulators to go beyond the legal requirements and fully harness the regulative potential of design in a value-oriented way.