Digital Skills is the EPSO test that has changed the most in recent competitions. It is no longer a tick-box check on whether candidates can use a spreadsheet: it is a structured assessment of how confidently you operate inside the EU's own digital-policy frame — GDPR, the AI Act, the Web Accessibility Directive, Creative Commons licensing, and the five competence areas of DigComp 2.2. Your score feeds directly into the ranking, on equal footing with verbal, numerical and abstract reasoning.
What it tests
The Digital Skills test is anchored in the European Commission's DigComp 2.2 framework, the official reference for digital competence of citizens. The framework is organised into five competence areas, and EPSO questions are written to map cleanly onto them. You will rarely see "name the framework" questions; instead, each item asks you to apply one competence to a realistic institutional scenario.
- Area 1 — Information & data literacy: searching with Boolean operators, evaluating sources, recognising algorithmic curation, managing metadata and archives.
- Area 2 — Communication & collaboration: choosing the right channel, sharing securely, netiquette, managing your digital identity, civic participation via EU portals.
- Area 3 — Digital content creation: producing structured content, integrating sources, copyright and Creative Commons, accessibility (WCAG 2.1 AA), algorithmic thinking.
- Area 4 — Safety: protecting devices, GDPR-aligned data protection, digital well-being and the right to disconnect, environmental footprint of digital activity.
- Area 5 — Problem solving: structured technical troubleshooting, matching tools to needs, creative use of digital technologies, identifying competence gaps.
- Cross-cutting AI items: DigComp 2.2 added explicit knowledge items on generative AI — hallucinations, prompt engineering, human verification — that map onto competences 1.2, 2.1 and 3.2.
- Embedded EU law: expect direct references to the GDPR, the EU AI Act, the Web Accessibility Directive (EU) 2016/2102 and the WEEE Directive built into scenarios.
The recurring traps
Across hundreds of practice items, the same trap families recur. Learning to recognise them at a glance is most of the battle:
- Metadata vs telemetry vs structured content. A question about hidden author names in a published Word file is a metadata hygiene issue; one about CPU and bandwidth usage logs is telemetry; one about CSV columns is structured content. EPSO routinely puts all three labels in the options.
- GDPR principle confusion. Candidates mix up purpose limitation (Art. 5(1)(b) — collected for a specified purpose), data minimisation (Art. 5(1)(c) — only what is necessary) and storage limitation (Art. 5(1)(e) — kept no longer than necessary). The distractors weaponise this.
- AI Act risk tier confusion. The Act sets four tiers — unacceptable (banned: social scoring, untargeted facial-image scraping), high-risk (regulated: recruitment, biometric ID, critical infrastructure), limited (transparency obligations: chatbots, deepfakes) and minimal (no specific obligations). Confusing limited with high-risk is the classic mistake.
- Cloud delivery models (IaaS / PaaS / SaaS). The trap is who manages what. IaaS = the provider runs the hardware and you manage the OS up; PaaS = the provider manages the runtime and you only deploy code; SaaS = you only configure the app. Distractors swap responsibilities at one layer.
- CC vs BCC on emails. Putting external addresses in CC leaks every recipient's email address to every other recipient — a routine and entirely preventable GDPR breach. BCC hides recipients from each other. The trap appears in scenarios about multi-stakeholder briefings.
- Lossy vs lossless compression. For irreplaceable institutional records (signed PDFs, master spreadsheets, source video) the answer is lossless (ZIP, PNG, FLAC, ProRes). For citizen-facing thumbnails and previews, lossy (JPEG, MP3, H.264) is fine. The distractor inverts the two contexts.
Train your Digital Skills
Realistic EPSO-style questions on data, security, AI and content creation, with explanations for every answer.
Start practising → First set free · no costHow to prepare
Three canonical references will quietly answer the majority of the questions you will see. Read them once, not as exam crib sheets but to internalise the vocabulary. The first is the DigComp 2.2 framework itself, published by the Joint Research Centre — in particular the five competence areas, the verbs the framework uses ("evaluate", "share", "develop", "protect", "solve") and the AI knowledge items added in the 2.2 revision. The second is the GDPR, focusing on Article 5 (the six processing principles), Article 9 (special categories) and Article 30 (records of processing). The third is the EU AI Act — in particular the risk tiers and the practices the Act explicitly bans.
Beyond the references, the most reliable preparation is timed practice with carefully written explanations. Digital Skills questions reward candidates who can name the anchor: when you read a stem about a phishing email, you should immediately register "competence 4.1, protecting devices"; when you read one about an event registration form, "Article 5(1)(c), data minimisation". The anchor tells you which distractor is the trap. Without it, plausible-sounding wrong answers are very hard to rule out under time pressure.
One practical tip: when an option mentions a number, a date or a specific EU instrument by name (WEEE Directive, Directive (EU) 2016/2102, Regulation (EU) 2019/788), it is almost always either the correct answer or a carefully placed honeytrap. Treat them as load-bearing details, not background colour.
Worked examples
Three examples in the actual EPSO format — short institutional scenario, four options, only one fully correct. Read each stem, pick your answer, then reveal the explanation — paying close attention to which trap each distractor is built around.
- Phishing credential harvesting.
- Accidental exposure of sensitive metadata.
- Ransomware payload injection.
- Distributed denial-of-service exposure.
Show answer
Why each distractor fails:
• A — phishing is an inbound social-engineering attack that tricks the user into surrendering credentials; the scenario describes an outbound publication mishap, the opposite direction of risk.
• C — ransomware encrypts files to extort payment; track-changes are not a payload and the file in question is being released, not detonated.
• D — DDoS floods a service to make it unavailable; it has no document-hygiene dimension at all.
Trap pattern. Three of the four options are real security terms in the wrong category. EPSO routinely tests whether you can place a risk in the correct family (data hygiene vs malware vs network attack) before reaching for the technical label.
- No structured fields — just a free-text box.
- Name, email, home address, religion and political views.
- Full credit-card details even though the event is free.
- Only the details needed to run the event, such as name, email and organisation.
Show answer
Why each distractor fails:
• A — free-text only is an unstructured-data trap: it collects personal information the controller cannot lawfully scope or process, breaching the same Article 5(1)(c).
• B — religion and political views are special categories under Article 9 GDPR; they require explicit consent and a separate lawful basis. Collecting them to "complete a profile" is the canonical GDPR overreach.
• C — credit-card details for a free event are by definition non-necessary; collecting them increases breach exposure for no purpose and breaches data minimisation directly.
Trap pattern. Each wrong answer is a different GDPR failure mode — unstructured collection, special-category overreach, gratuitous over-collection. Memorise the three so you can pattern-match them under time pressure.
- Yes — public-policy charts are exempt from copyright worldwide.
- Yes — all Creative Commons licences allow unrestricted use.
- No — "NC" bars commercial contexts and "ND" bars modifications.
- Yes, provided the background colours are changed.
Show answer
Why each distractor fails:
• A — "public-policy exemption" is a fabricated category — charts are protected expressions of data even where the underlying numbers are public.
• B — "all CC licences allow unrestricted use" confuses Creative Commons with public domain (CC0); standard CC licences impose real obligations.
• D — recolouring does not bypass ND, it triggers it. Any modification is a derivative work, including a colour change.
Trap pattern. Three of the four wrong answers rely on the candidate assuming that "open" or "public" or "minor edit" excuses non-compliance with the licence. Read the four-letter code (BY / NC / ND / SA) literally, every time.
These examples are written in the exact style of our Set 1–4 practice bank — same stem length, same four-option format, same trap classification used in the explanations. They are not official EPSO questions.
Frequently asked questions
How many Digital Skills questions are in the EPSO AD-5 test?
Forty questions in 60 minutes, scored from 0 to 40. The Digital Skills score feeds directly into your ranking alongside the other reasoning and EU-knowledge components.
Does Digital Skills count towards my ranking?
Yes. Digital Skills is fully scored and contributes to your final ranking — it is not a pass/fail gate. Every mark counts towards your position relative to other candidates.
What is the most common mistake?
Confusing metadata with telemetry, or treating an AI tool's output as authoritative without verifying the source. The test repeatedly asks you to distinguish categories of digital information and to apply human verification to machine-generated content.
The fastest way to improve is to practise under realistic, timed conditions. The first set is free.