EPSO · EU Testing
EPSO Tests · Digital Skills

The EPSO Digital Skills Test, Explained

The newest component of EPSO selection — built on the DigComp 2.2 framework, scored into your ranking, and packed with traps around GDPR, AI and licensing.

Updated June 2026 · EPSO preparation · ~7 min read

Digital Skills is the EPSO test that has changed the most in recent competitions. It is no longer a tick-box check on whether candidates can use a spreadsheet: it is a structured assessment of how confidently you operate inside the EU's own digital-policy frame — GDPR, the AI Act, the Web Accessibility Directive, Creative Commons licensing, and the five competence areas of DigComp 2.2. Your score feeds directly into the ranking, on equal footing with verbal, numerical and abstract reasoning.

What it tests

The Digital Skills test is anchored in the European Commission's DigComp 2.2 framework, the official reference for digital competence of citizens. The framework is organised into five competence areas, and EPSO questions are written to map cleanly onto them. You will rarely see "name the framework" questions; instead, each item asks you to apply one competence to a realistic institutional scenario.

The golden rule. Digital Skills is a knowledge test disguised as a competence test. Each correct answer is anchored to a specific DigComp sub-competence, a GDPR article, an AI Act risk tier or a CC licence clause. If you cannot name the anchor, you cannot reliably eliminate the distractors.

The recurring traps

Across hundreds of practice items, the same trap families recur. Learning to recognise them at a glance is most of the battle:

Train your Digital Skills

Realistic EPSO-style questions on data, security, AI and content creation, with explanations for every answer.

Start practising → First set free · no cost

How to prepare

Three canonical references will quietly answer the majority of the questions you will see. Read them once, not as exam crib sheets but to internalise the vocabulary. The first is the DigComp 2.2 framework itself, published by the Joint Research Centre — in particular the five competence areas, the verbs the framework uses ("evaluate", "share", "develop", "protect", "solve") and the AI knowledge items added in the 2.2 revision. The second is the GDPR, focusing on Article 5 (the six processing principles), Article 9 (special categories) and Article 30 (records of processing). The third is the EU AI Act — in particular the risk tiers and the practices the Act explicitly bans.

Beyond the references, the most reliable preparation is timed practice with carefully written explanations. Digital Skills questions reward candidates who can name the anchor: when you read a stem about a phishing email, you should immediately register "competence 4.1, protecting devices"; when you read one about an event registration form, "Article 5(1)(c), data minimisation". The anchor tells you which distractor is the trap. Without it, plausible-sounding wrong answers are very hard to rule out under time pressure.

One practical tip: when an option mentions a number, a date or a specific EU instrument by name (WEEE Directive, Directive (EU) 2016/2102, Regulation (EU) 2019/788), it is almost always either the correct answer or a carefully placed honeytrap. Treat them as load-bearing details, not background colour.

Worked examples

Three examples in the actual EPSO format — short institutional scenario, four options, only one fully correct. Read each stem, pick your answer, then reveal the explanation — paying close attention to which trap each distractor is built around.

Example 1 — Metadata vs phishing vs ransomware confusion
Scenario. A report ready for public release still contains hidden track-changes and author names; this risk is called what?
Show answer
Answer: B. Office documents store substantial metadata beyond the visible text — author names, edit history, tracked changes, comments, file paths, even GPS coordinates on embedded photos. Publishing a file without sanitising this is the textbook accidental disclosure failure, anchored in DigComp competence 4.2 Protecting personal data and privacy. The fix is to run the document inspector ("Check for Issues → Inspect Document") before release.

Why each distractor fails:
A — phishing is an inbound social-engineering attack that tricks the user into surrendering credentials; the scenario describes an outbound publication mishap, the opposite direction of risk.
C — ransomware encrypts files to extort payment; track-changes are not a payload and the file in question is being released, not detonated.
D — DDoS floods a service to make it unavailable; it has no document-hygiene dimension at all.

Trap pattern. Three of the four options are real security terms in the wrong category. EPSO routinely tests whether you can place a risk in the correct family (data hygiene vs malware vs network attack) before reaching for the technical label.
Example 2 — GDPR data minimisation on a registration form
Scenario. Under the GDPR principle of data minimisation, which fields should an event-registration form request?
Show answer
Answer: D. Article 5(1)(c) GDPR requires personal data to be "adequate, relevant and limited to what is necessary" for the processing purpose — the data-minimisation principle, central to DigComp competence 4.2 Protecting personal data and privacy. The pre-field test is concrete: could we still run the event without it? If yes, omit the field.

Why each distractor fails:
A — free-text only is an unstructured-data trap: it collects personal information the controller cannot lawfully scope or process, breaching the same Article 5(1)(c).
B — religion and political views are special categories under Article 9 GDPR; they require explicit consent and a separate lawful basis. Collecting them to "complete a profile" is the canonical GDPR overreach.
C — credit-card details for a free event are by definition non-necessary; collecting them increases breach exposure for no purpose and breaches data minimisation directly.

Trap pattern. Each wrong answer is a different GDPR failure mode — unstructured collection, special-category overreach, gratuitous over-collection. Memorise the three so you can pattern-match them under time pressure.
Example 3 — Creative Commons BY-NC-ND on a paid event
Scenario. May a chart licensed CC BY-NC-ND be used in slides for a paid public conference organised by an external partner?
Show answer
Answer: C. DigComp competence 3.3 Copyright and licences requires reading each CC clause separately. BY = attribution; NC = non-commercial use only; ND = no derivatives. A paid conference is a commercial context regardless of whether the EU partner is non-profit — the commerciality test looks at the event, not the licensee — so NC is breached. ND additionally forbids any modification, including cropping, recolouring or translating the labels.

Why each distractor fails:
A — "public-policy exemption" is a fabricated category — charts are protected expressions of data even where the underlying numbers are public.
B — "all CC licences allow unrestricted use" confuses Creative Commons with public domain (CC0); standard CC licences impose real obligations.
D — recolouring does not bypass ND, it triggers it. Any modification is a derivative work, including a colour change.

Trap pattern. Three of the four wrong answers rely on the candidate assuming that "open" or "public" or "minor edit" excuses non-compliance with the licence. Read the four-letter code (BY / NC / ND / SA) literally, every time.

These examples are written in the exact style of our Set 1–4 practice bank — same stem length, same four-option format, same trap classification used in the explanations. They are not official EPSO questions.

Frequently asked questions

How many Digital Skills questions are in the EPSO AD-5 test?

Forty questions in 60 minutes, scored from 0 to 40. The Digital Skills score feeds directly into your ranking alongside the other reasoning and EU-knowledge components.

Does Digital Skills count towards my ranking?

Yes. Digital Skills is fully scored and contributes to your final ranking — it is not a pass/fail gate. Every mark counts towards your position relative to other candidates.

What is the most common mistake?

Confusing metadata with telemetry, or treating an AI tool's output as authoritative without verifying the source. The test repeatedly asks you to distinguish categories of digital information and to apply human verification to machine-generated content.

The fastest way to improve is to practise under realistic, timed conditions. The first set is free.