Author: G. Aydin, H. Ege

On 28 November 2025, the French Football Federation disclosed a data breach following a cyberattack on a third-party club-management software platform. The federation did not disclose the exact number of individuals affected; The Register reported that the federation has more than 2.2 million members across approximately 18,000 clubs. The intrusion was reported to France's CNIL and ANSSI. Both independent reports identify the entry point as the federation's account on the third-party platform, not its own internal systems.
Eight months before that breach, the Council of the EU had ratified the Framework Convention on Artificial Intelligence on 15 May 2026. Three months after it, on 2 August 2026, the deployer literacy obligation under the EU AI Act enters into force. Federation legal officers, governance committees, and IT managers are making decisions inside that window, without a sector playbook to guide them. This report is about that space.
Signal 1: The AI Act Deadline Lands 2 August 2026
A sector-specific implementation playbook for federations does not exist in this scan.
The EU AI Act Article 4 deployer literacy obligation enters into force on 2 August 2026. Every federation deploying AI in its operations — for member services, athlete performance analysis, referee support, or platform moderation — is a "deployer" within the meaning of the Act. Whether a particular deployment falls within scope depends on the system meeting the AI Act's definition of an AI system under Article 3(1), and on whether the federation acts as deployer rather than provider. Where it does, the obligation is non-delegable. A federation cannot pass it down to the AI provider in the procurement contract. The responsibility to ensure staff have a sufficient level of AI literacy — calibrated to their technical knowledge, experience, and the context of deployment — sits with the federation.
No sector-specific implementation guidance for Article 4 deployer literacy from national market surveillance authorities was identified in this scan. The European Commission's SHARE 2.0 expert paper of September 2025 is the most extensive EU-level reflection on AI in sport to date, but it is expert commentary, not binding regulator-side guidance. It is not a playbook.
Federations are therefore navigating three simultaneous pressures: a fixed deadline, growing AI deployment, and an absence of sector-specific guidance from the bodies that will eventually enforce. The legal exposure sits at federation level whether or not the practical literacy work has been resourced.
One further development is worth noting. The EU Commission's Digital Package on Simplification, generally known as the AI Omnibus, was proposed in November 2025, with political agreement reached on 7 May 2026. Public reporting suggests the Omnibus may defer or modify Annex III high-risk classifications; the Article 4 obligation appears resilient to deferral in the political-agreement text available at scan time. This scan did not directly capture the proposal text, and federation planning should carry that caveat.
Signal 2: The First Federation-Tier Breach in Scope
A French Football Federation breach via a third-party platform; the federation has more than 2.2 million members across 18,000 clubs; the precise number of individuals affected by the breach has not been disclosed.
On 28 November 2025, the French Football Federation disclosed the data breach following a cyberattack on a third-party club-management software platform. The federation did not disclose the exact number of individuals affected; The Register reported that the federation has more than 2.2 million members across approximately 18,000 clubs. Both reports identify the entry point as the federation's account on the third-party platform, not its internal systems. The federation notified CNIL and ANSSI; the regulatory investigation was open at scan date, and this report does not predict its outcome.
The breach matters for three reasons. The scale potential is material: 2.2 million members across 18,000 clubs is the membership baseline, even if the precise number affected has not been disclosed. The data category is sensitive: federation member records typically include name, contact details, date of birth, often payment information, and for minor athletes, parental contact details. And the mechanism is structural: a supply-chain entry point is a recurring operational dependency for federations across Europe, not a one-off vulnerability specific to France.
Federation procurement of third-party software — for club management, accreditation, payment, ticketing, anti-doping, athlete performance — is the structural finding this signal carries forward. The scan supports the entry-point fact reported by independent journalism; it does not characterise the federation's procurement-stage diligence, which is for CNIL's ongoing investigation to determine. What the scan does support is the regulatory exposure that every comparable federation carries under GDPR Article 32 on security of processing, and under NIS2 obligations for those federations falling within its scope.

Signal 3: The Spanish Regulator Has Issued a Binding Federation-Tier Position
Spanish federations processing minor-athlete data must appoint a Data Protection Officer under LOPDGDD Article 34, per AEPD FAQ-1012.
The Spanish data protection authority AEPD has published a formal FAQ (FAQ-1012) confirming that Spanish sport federations processing personal data of minor athletes must appoint a Data Protection Officer under the Spanish Organic Law on Personal Data Protection and Guarantee of Digital Rights (Ley Orgánica 3/2018, LOPDGDD), Article 34. Youth pathways are embedded across virtually every federation recognised by the Consejo Superior de Deportes, which means this position reaches the Spanish federation tier broadly where minor athletes are involved.
This is the strongest regulator-binding federation-tier observable in the scan. It pairs with Signal 4 — the Irish Data Protection Commission sports survey — to bracket the current landscape: Spain binds, Ireland measures. Together they represent the two clearest cases of a European regulator directing sustained attention at the sport sector. No comparable position from other Member State DPAs was identified in this scan.
The compliance implication is also budgetary. A federation appointing a DPO takes on a recurring cost line. For mid-sized national federations, that is not a trivial commitment. The signal therefore lands in budget-cycle conversations across Spanish federations as they approach the 2026 to 2027 planning window.
The geographic boundary matters here. AEPD's FAQ-1012 binds Spanish federations; this scan does not support the generalisation that European federations are generally obliged to appoint a DPO. Each Member State's DPA operates under its own national implementation of the GDPR plus national-law additions. The AEPD position is the most direct national-DPA intervention on federation-tier practice captured in this scan. It is not yet a pan-European norm.
Signal 4: The Only Pan-European Federation-Adjacent Regulator Survey
An Irish Data Protection Commission survey of approximately 100 sports clubs found compliance gaps; equivalent surveys at national-federation tier elsewhere in Europe were not identified in this scan.
In 2024, the Irish Data Protection Commission published findings from a survey of data protection practices in Irish sports clubs. The survey covered approximately 100 clubs across rugby, the Ladies Gaelic Football Association, the Gaelic Athletic Association, and association football. It found a substantial share of clubs without formal data protection policies or retention schedules, and a significant share processing children's data without the controls expected under GDPR Article 8 and Irish supplementary law.
This is the only regulator-grade quantitative measurement of sport-organisation data protection practice surfaced in this scan. One boundary matters for how it is read: the Irish DPC measured clubs, not federations. The findings cannot be extrapolated to European federation practice as a whole; they are evidence of what one regulator found at one tier of one country's sport ecosystem. Nothing more, and nothing less.
What the signal actually carries is the structural absence behind it. No other national DPA in the scan has published a comparable sport-sector survey. The Irish DPC is the only European regulator in this scan that has directed quantitative measurement at sport-organisation data protection practice. That gap is the finding. The Federation Readiness Ladder used later in this report is in part a response to it. Where no regulator has measured, the sector is operating without a mirror.
Signal 5: Spain Has €75.6 Million Behind Federation Digitalisation
The Spanish Ministerial Order CUD/684/2023 anchors the regulatory bases for federation digitalisation subsidies under Recovery Plan Milestone 370, with a budgetary execution target of at least €75.6 million.
The Spanish Ministerial Order CUD/684/2023, published in the Boletín Oficial del Estado on 26 June 2023 (BOE-A-2023-14993), establishes the regulatory bases for grants and aid from the Consejo Superior de Deportes to Spanish sport federations for digitalisation projects. The Order names objective and milestone 370 of Component 26 of the Recovery, Transformation and Resilience Plan, Digitalización del sector del deporte, with a budgetary execution target of at least €75.6 million. The BOE text uses ejecución presupuestaria de al menos 75,6 millones de euros — budgetary execution, not disbursement. The framing in this report uses "committed" and "execution target" to preserve that distinction.
This is the largest national public investment in federation digitalisation captured in this scan. It positions Spanish federations to meet AI Act Article 4 and NIS2 obligations with budgetary headroom that other Member States do not visibly match in the captured evidence base. Paired with AEPD FAQ-1012 (Signal 3), it creates a picture of a jurisdiction that is moving on both the regulatory and the funding sides simultaneously.
The Spain-only scope is important. This envelope is Spanish Recovery Plan funding; the scan does not support a generalisation that European federations broadly have equivalent investment behind them. Other Member States may have analogous programmes that this scan did not capture. What the scan supports is what it found.

Trend 1: Federation Cybersecurity Has Moved From the Vendor Layer to the Procurement Layer
A French Football Federation incident in November 2025 illustrates that European national federations are operationally exposed via third-party platforms whose own NIS2 obligations are firmer than the federations' own.
Two signals converge here. Signal 2 — the French Football Federation breach — is the operational observable. The NIS2 Directive (Directive (EU) 2022/2555), in force across EU Member States after the 17 October 2024 transposition deadline, is the regulatory frame. What the convergence reveals is that NIS2 reaches federations' typical software suppliers more firmly than it reaches the federations themselves. Sport software vendors of sufficient size and service criticality may fall within NIS2 scope under Member State transposition; national federations frequently sit at the boundary of that scope depending on how each Member State has implemented it.
The structural shift this represents is significant. Federation cybersecurity governance has moved from an internal IT question into a procurement question. A federation cannot delegate its GDPR Article 32 security-of-processing obligation by contract; the obligation remains with the controller regardless of what any supplier agreement says. But the federation's compliance posture in practice depends on what its supplier does. Procurement diligence at contract stage, followed by continuing supplier oversight in operations, is now the layer where federation cybersecurity outcomes are actually determined.
The trend is visible in three jurisdictions in different forms. In France, the supply-chain exposure has materialised through the FFF breach. In Germany, the Datenschutzkonferenz biometric resolution of September 2024 addresses federation-relevant biometric-data processing at a level that implicitly requires supplier governance. In Spain, the AEPD federation-DPO position (Signal 3) and the €75.6 million Recovery Plan envelope (Signal 5) together suggest that federation procurement governance is being scoped on both the regulatory and the funding sides. The DOSB framing of digital-foundation prerequisites for AI adoption provides an NGB-umbrella validation that procurement governance and supplier oversight are foundational, not peripheral.
The governance question this creates for federation legal and governance functions is direct: which third-party platforms hold which categories of member, athlete, and minor-athlete data, on what contractual terms, with what supplier-side risk-management posture, and with what audit cadence? This is not IT operations work. It is board-level work, and it happens at board level or it does not happen.

Trend 2: European Federation Strategic Posture Diverges by Regional Cluster
Western and Nordic federations publish AI and digital strategies; Mediterranean federations pair governance frameworks with Recovery Plan funding; Eastern European federations remain visible in this scan only at landing-page level.
Three clusters of European federation strategic posture emerge from the captured evidence. The cluster boundaries are evidence-based; the labels describe the institutional dialect each region operates in, not a ranking of speed or ambition.
The Western and Nordic cluster — covering the United Kingdom, Ireland, Norway, and Germany in this scan — operates within national governance frameworks that produce federation strategic-plan instruments at NGB-umbrella or national-authority tier. The UK Code for Sports Governance anchors a tiered framework with funding consequences. Sport Ireland's Statement of Strategy 2023 to 2027 sets a four-year operational frame. Norges Idrettsforbund's Idretten Vil! 2023 to 2027 does the same for Norwegian sport. DOSB publishes a dedicated AI and digitalisation framing on its KI und Digitalisierung im Sport page. The posture of this cluster is plan-publication: the document layer is in place.
The Mediterranean cluster, anchored by Spain and Italy in this scan, pairs regulator-binding instruments with funded digitalisation programmes. Spain brings AEPD FAQ-1012 (the DPO obligation), the CSD i+ programme portal, the BOE convocatoria of 3 July 2023 (BOE-B-2023-20560), and the Ministerial Order CUD/684/2023 anchoring the €75.6 million Recovery Plan Milestone 370 envelope. Italy brings the CONI Modello strategico, the bilingual English homepage, the Bilancio 2024 PDF, and CONI's Numeri dello Sport 2021 to 2022 highlights, which record approximately 14.2 million persons registered to a national sport federation, associated sport discipline, or sport promotion body in 2022, with 114,038 amateur sport associations and societies on the CONI Registry. The posture of this cluster is regulator-binding plus funded programming: the regulatory floor and the financial infrastructure are both moving.
The Eastern European cluster — covering Poland, Hungary, and Switzerland on the regulator side in this scan — is identity-confirmed at landing-page tier. The Polish UODO and Hungarian NAIH are evidence-logged as institutional identities; sport-specific binding positions from either DPA were not identified in the scan window. Polish PKOl, Hungarian MOB Baku, and the Swiss FDPIC are present at the institutional identity tier. The Swiss Olympic federation strategic plan was not captured. Whether these institutions publish substantive strategic content in less publicly indexed forms is a question for the next scan cycle; what can be said is that the evidence layer captured here is thinner.
Any pan-European federation AI-readiness initiative inherits this asymmetric foundation. The Western and Nordic cluster has the publication discipline to absorb new AI obligations through existing strategic-plan mechanisms. The Mediterranean cluster has the regulatory instruments and the funding to operationalise compliance. The Eastern European cluster, on this scan's evidence, operates in a different visibility tier. That divergence shapes what a pan-European approach can realistically achieve at this moment.
The EOC EU Office and the EU Commission DG EAC, through SHARE 2.0 and adjacent initiatives, provide the pan-European overlay. The Revised European Sports Charter and the Council of Europe Enlarged Partial Agreement on Sport are the international-organisation layer above the three clusters.
Trend 3: A Focused Academic Spine on AI in Sport Governance Is Forming
Three peer-reviewed pieces from 2022 to 2025, the EU SHARE 2.0 expert paper, and the Council of Europe Framework Convention on AI together form a first concentrated body of scholarship and institutional reflection on AI deployment in sport.
Three things are happening in parallel in the academic and institutional space, and this scan window caught them converging. Girginov (2022) offers a methodological critique of governance measurement in sport, engaging directly with the infrastructure Play the Game operates through the Sport Governance Observer. Westerbeek and van Schaik (2025) publish a systematic review of platform power, athlete branding, generative AI, and the future of sport governance in Frontiers in Sports and Active Living. Kwon (2025), in the same journal, addresses athlete data sovereignty and the legal and policy gaps in sports technology. Three pieces do not constitute a mature literature. They are the beginning of a focused one.
Alongside the academic output, the institutional layer has moved. The EU Commission DG EAC SHARE 2.0 expert paper of September 2025 provides an extensive institutional reflection on AI in sport at EU level. The Council of Europe Framework Convention on Artificial Intelligence (CETS 225) was ratified by the EU on 15 May 2026, per Council of Europe Treaty Office records — six days before the close of this scan. The Convention is primarily state-facing but reaches private-sector actors through state implementation. The convergence of academic output, EU institutional reflection, and international primary-instrument ratification within a single scan window is notable.
To be clear about what this trend is not: three peer-reviewed pieces plus one EU expert paper plus one treaty does not constitute a discipline. The framing throughout this report stays at "a first concentrated body of scholarship is taking shape", not "a mature academic field has emerged".
What the literature does offer is scaffolding. It gives federation governance functions vocabulary — athlete data sovereignty, platform power, generative AI in governance — and citation infrastructure to position their AI readiness narrative. It does not substitute for the sector-specific implementation guidance from market surveillance authorities that Signal 1 found absent. The scholarship is engaging the regulatory horizon; it has not yet produced an empirical instrument that federations can use to measure themselves against peers.
The Gap: No European Yardstick for Federation AI Readiness
Across the ten jurisdictions captured in this scan, no third-party instrument measures federation AI readiness at federation tier with comparable methodology. The closest existing pan-European federation-tier measurement infrastructure, Play the Game's Sport Governance Observer, covers governance dimensions; an AI-readiness dimension within the SGO's published methodology was not identified in this scan.
There are instruments at adjacent tiers and adjacent dimensions. Sport England's Digital Futures 2024 survey measures digital maturity across a UK mixed cohort of fitness, leisure, and sport organisations, placing the sector average at 51 per cent in the Digital Experimenter band — below the Digital Performer band of 60 to 79 per cent and well below the Digital Leader band at 80 per cent and above. The Irish DPC sports clubs survey of 2024 measures data protection practice across approximately 100 clubs in Ireland, at club tier. Play the Game's Sport Governance Observer covers governance scaffolding — transparency, integrity, democratic accountability — across federations and countries; Girginov (2022) engages critically with its methodology. An AI-readiness dimension within the SGO's published methodology was not identified in this scan. The EU Commission DG EAC SHARE 2.0 expert paper reflects on AI in sport at EU level, but it is institutional commentary, not a measurement instrument.
What does not exist is a third-party, pan-European, federation-tier AI-readiness measurement instrument with comparable methodology that allows a national federation in one Member State to benchmark itself against a national federation in another. Sport England's instrument approaches this in one country with a mixed cohort. The Sport Governance Observer approaches it across countries on governance dimensions only. The academic spine (Trend 3) is engaging the conceptual layer but has not yet produced a measurement instrument. The absence of sector-specific guidance from market surveillance authorities (Signal 1) is the parallel gap on the regulatory side.
The Federation Readiness Ladder used in this report is itself a scan finding, scaffolded on Sport England's Digital Maturity Index, DAMA-DMBOK at framework-reference tier, and the DOSB digital-foundation framing. It is not a third-party instrument; it is what this report uses to read the federation landscape in the absence of one.
Who carries the exposure from this gap? National federations approaching the Article 4 deadline without a self-assessment instrument. National sport funders and ministries investing in federation digitalisation without a sector-level outcome measure — the Spanish €75.6 million envelope is the most visible example, but Sport England and Sport Ireland operate in the same logic. The EU Commission DG EAC and the EOC EU Office in any pan-European coordination initiative, inheriting an asymmetric measurement foundation. National DPAs scoping sport-sector enforcement. The academic research community building federation-AI governance scholarship without an empirical anchor.
The risk if this gap stays unaddressed is compounding. Federations make compliance investment without comparative reference, so neither over-investment nor under-investment can be demonstrated. National programmes deploy capital without a sector-level outcome instrument. The regional cluster divergence identified in Trend 2 cannot be addressed by pan-European policy because the measurement infrastructure that would enable cross-cluster comparison does not exist. The academic spine builds on conceptual foundations rather than measurement data. And the procurement governance trend (Trend 1) compounds, because federations cannot benchmark their own procurement maturity against peers.
To be precise: this is not a claim that no measurement instrument exists anywhere in Europe. It is a claim that no widely adopted third-party European federation-tier AI-readiness measurement instrument with comparable methodology across jurisdictions was identified in this scan. Sport Singularity has begun exploring the Federation Readiness Ladder as a product concept; that positioning is stated here rather than implied, in the interest of transparency.

Wild Card 1: When One Becomes a Pattern
A second European national federation breach within twelve months of the French Football Federation incident, at materially worse scale or data sensitivity, could push at least one Member State to translate NIS2 risk-management obligations into binding sport-sector application, turning federation cybersecurity governance from a procurement question into a legislative one.
This is a scenario assessment, not a prediction.
The trigger has two legs. First, a federation cybersecurity incident within twelve months of the FFF breach of November 2025, exposing athlete biometric data, anti-doping records, minor-athlete data, or member data at materially worse scale or sensitivity than the French case. Second, a political response in the affected Member State that translates NIS2 risk-management obligations into binding sport-sector application — through legislative transposition, regulator-published binding guidance comparable to AEPD FAQ-1012 in scope and force, or a sport-authority directive carrying NIS2 risk-management content. The wild card is the regulatory response, not the breach itself.
The probability sits in the tail. A second incident at French scale is plausible — federations are systemic targets and operate on third-party platforms with mixed security maturity. The legislative-response leg is the genuinely uncertain one. Member State transposition of NIS2 followed the standard EU timeline; sector-specific re-opening of that transposition for sport is a separate political act with its own coalition requirements. The trigger is in the tail; the response is non-linear; the combination is wild card territory.
If it materialises, the impact would restructure federation strategic calculus. Procurement governance moves from best practice to legal requirement. Federations holding athlete biometric, anti-doping, or minor-athlete data could face binding NIS2 standards with sport-sector-specific obligations: mandatory CISO-equivalent oversight; mandatory supply-chain due-diligence on third-party platforms; mandatory incident response and reporting timelines; potentially mandatory cybersecurity audit at board level. Federation budgets reorient toward compliance. Smaller federations in the Mediterranean and Eastern European clusters face capacity strain disproportionately.
The early weak indicators to watch are specific: AEPD-style binding-position publications from any national DPA with federation-tier reach; the CNIL formal decision on the FFF breach, whatever its content; national parliament committee inquiries addressing sport-sector cybersecurity explicitly; federation cyber insurance structures becoming visibly more restrictive; national sport authority statements on federation cybersecurity standards; Recovery Plan reallocations oriented toward mandatory cybersecurity rather than discretionary digitalisation. None of these has materialised at scan date.
This wild card pairs with Trend 1. Trend 1 describes the present-day pattern of supply-chain federation exposure. This wild card is the non-linear regulatory response if that pattern produces a second material incident.

Wild Card 2: The First Federation Case
A first formal enforcement decision by a national data protection authority against a national sport federation, addressing the convergence of GDPR Article 9 special-category processing, AI Act Article 4 deployer literacy, and federation procurement governance, would convert dispersed regulatory expectations into a concrete sector precedent.
This is a scenario assessment, not a prediction.
The trigger is a published formal enforcement decision — not guidance, not an informal opinion — by a national DPA against a national sport federation. Several DPAs have built the relevant infrastructure. AEPD has published its FAQ-1012 DPO obligation. The ICO's Age-Appropriate Design Code is in force. CNIL has an active investigation following the FFF breach of November 2025. The German Datenschutzkonferenz issued its biometric resolution in September 2024. The Irish DPC published its sports clubs survey in 2024. Any of these regulators, or another, could move first; this scan does not predict which. For the wild card to materialise, the decision needs to engage substantively with at least two of three things: GDPR Article 9 special-category processing for athlete biometric, health, or anti-doping data; AI Act Article 4 deployer literacy for AI systems deployed by the federation after 2 August 2026; or federation procurement governance for third-party platforms processing member or athlete data. The decision is published with reasoning a federation can engage with, and is appealable.
The probability is low. DPA enforcement cycles are slow; sport-sector federations have not been a stated enforcement priority for any captured DPA in this scan window. The regulatory ground has nonetheless been prepared. AEPD's FAQ-1012 demonstrates binding-position infrastructure. The CNIL framework and current FFF investigation status demonstrate an active-case mechanism. The ICO Age-Appropriate Design Code and the Datenschutzkonferenz biometric resolution demonstrate the substantive doctrine. The Article 4 leg of the triangulation requires deployer obligations to have been binding long enough to produce enforceable non-compliance, which moves the realistic horizon toward 2027 and into H2.
The impact, if the wild card materialises, is a sector precedent with lasting effects. Federation legal counsel can read the reasoning. Federation governance functions can map their posture against the enforcement basis. Insurance underwriters can price risk against a precedent rather than a speculative obligation. The decision creates a compliance template: the cited Articles, the cited evidence, and the cited gaps in the federation's posture become the framework others use to audit themselves. A second DPA following the first DPA's reasoning is plausible on a twelve to twenty-four month tail.
Early weak indicators to watch: AEPD enforcement decisions against any sport-sector entity; the CNIL formal decision on the FFF, whatever its content; ICO sport-sector publications including any federation-tier audit engagement; a DPC Ireland follow-on to the 2024 clubs survey at federation tier; application of the Datenschutzkonferenz biometric resolution to a German federation case; GDPRhub case-law aggregations showing sport-sector decisions from the Polish UODO or the Hungarian NAIH; EU Athletes or athlete representative body statements publishing complaint patterns against federations on data-protection grounds. None has been observed at scan date.
This wild card pairs with the Gap. The absence of a third-party federation AI-readiness measurement instrument is the structural condition. This wild card is the regulatory event that would make that absence costly: federations under an enforcement precedent risk would reach for a self-assessment instrument in defensive posture, if one existed at sector tier. The Gap and this wild card are in dialogue.

So What Now?
Three priorities emerge from the analysis. Each describes an operational direction; the report does not advocate for any specific policy outcome.
Federation legal and governance functions may treat the period before 2 August 2026 as the immediate frame for AI Act Article 4 deployer literacy. The obligation is non-delegable. Staff who deploy any AI-bearing system within scope of the Act need to demonstrate sufficient AI literacy in the relevant context. Sector-specific implementation guidance from market surveillance authorities is absent — federations are operating without a playbook. The European Commission's SHARE 2.0 expert paper is a useful reference but not a binding implementation framework. Federation governance functions — the Secretary General, the legal counsel where one exists, the board's governance committee — approaching the Article 4 deadline may consider running internal AI deployer inventories, mapping each relevant staff role against a literacy training plan, and documenting those decisions in board minutes that can be produced under future regulator inquiry.
Federation procurement governance may move from IT operations into board-level oversight in light of the FFF breach. The incident demonstrates that supply-chain exposure is operational reality, not theoretical risk. The procurement governance question is which platforms hold which data categories, on what contractual terms, with what supplier-side risk-management posture, and with what audit cadence. These questions are easier to ask than to answer at federation scale. For smaller federations, the practical move is to start with one platform — the most data-sensitive — and document baseline answers rather than attempt full estate coverage at once. NIS2 obligations vary by Member State implementation, but the procurement-stage diligence and continuing oversight responsibility sit with the federation under GDPR regardless of NIS2 scoping. Where federations procure AI-bearing software, the Article 4 obligation overlays the GDPR Article 32 obligation.
The Federation Readiness Ladder offered in this report is one scaffold for federation self-reading. The Ladder is a scan finding, not a third-party instrument. It locates federations across six dimensions — regulatory posture, governance scaffolding, data architecture, procurement governance, cybersecurity readiness, and organisational AI literacy — in three bands: Aware (documented intention without operational change), Ready (documented policy plus governance structures plus operational practice), and Beyond Ready (AI-era practice integrated into core operations including procurement and athlete data sovereignty). Federations using this framing are doing scan-finding-grounded self-reading, not benchmarking against peers. Building the third-party instrument that would enable peer benchmarking is a separate question, identified in this scan as the structural gap. Sport Singularity has begun exploring this as a product concept; the editorial argument and the product positioning are stated together rather than separately, in the interest of disclosure.
This article is part of the SF4Sport Strategic Foresight Series by Sport Singularity. The analysis draws on 84 verification logs across 35 audited sources — peer-reviewed research, EU and Council of Europe primary instruments, national regulator guidance, institutional reports, and quality journalism (2019 to 2026) — and maps European policy frameworks including the EU AI Act, GDPR Article 9, AEPD FAQ-1012 and the NIS2 Directive...
May 2026, Sport Singularity, SF4Sport
Bibliography
Boletín Oficial del Estado (2023). Orden CUD/684/2023. BOE-A-2023-14993, 26 June 2023. boe.es
Boletín Oficial del Estado (2023). Extracto de la Resolución de la Presidencia del CSD, de 3 de julio de 2023. BOE-B-2023-20560.
Comitato Olimpico Nazionale Italiano (CONI) (2025). Bilancio d'esercizio al 31 dicembre 2024. Giunta Nazionale CONI.
Comitato Olimpico Nazionale Italiano (CONI), Office of Studies (2024). I numeri dello sport 2021–2022 highlights. Giunta Nazionale CONI, 16 February 2024.
Council of Europe (2018). Convention 108+ for the Protection of Individuals with regard to the Processing of Personal Data.
Council of Europe (2021). Revised European Sports Charter.
Council of Europe (2024). Framework Convention on Artificial Intelligence (CETS 225); EU ratification 15 May 2026.
DAMA International (2017). DAMA-DMBOK: Data Management Body of Knowledge, 2nd edition. Technics Publications. ISBN 9781634622349. Used at framework-reference tier only.
Deutscher Olympischer Sportbund (DOSB). Künstliche Intelligenz und Digitalisierung im Sport.
European Commission, DG EAC (2025). SHARE 2.0: Artificial intelligence in the sport sector.
European Parliament and Council (2016). Regulation (EU) 2016/679 (General Data Protection Regulation).
European Parliament and Council (2022). Directive (EU) 2022/2555 (NIS2 Directive).
European Parliament and Council (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act).
German Datenschutzkonferenz (2024). Resolution on the processing of biometric data in employment-like contexts.
Girginov, V. (2022). The numbers game: quantifying good governance in sport. European Sport Management Quarterly, 23(6), 1889–1905. doi.org/10.1080/16184742.2022.2078851
Irish Data Protection Commission (2024). Survey of data protection practices in Irish sports clubs.
Kwon, J. W. (2025). Athlete data sovereignty: addressing the legal and policy gaps in sports technology. Frontiers in Sports and Active Living, 7, 1742484.
Norges Idrettsforbund (2023). Idretten Vil! 2023–2027.
Play the Game. Sport Governance Observer programme materials.
Spanish Agencia Española de Protección de Datos (AEPD). FAQ-1012 on federation appointment of Data Protection Officer under LOPDGDD Article 34.
Sport England (2024). Digital Futures 2024.
Sport England and UK Sport (2021). A Code for Sports Governance.
Sport Ireland (2023). Statement of Strategy 2023–2027.
The Register staff (2025). French Football Federation faces own-goal after club software data breach. The Register, 1 December 2025.
Toulas, B. (2025). FFF discloses data breach after cyberattack. Bleeping Computer, 28 November 2025.
Westerbeek, H. and van Schaik, T. (2025). Platform power, athlete branding, generative AI and the future of sport governance: a systematic review. Frontiers in Sports and Active Living, 7, 1642180.
