In recent years, risk has become a proxy and a parameter characterizing EU regulation of digital technologies. Nonetheless, EU risk-based regulation in the digital age is multi-faceted in the approaches it takes. This article considers three examples: the General Data Protection Regulation; the proposal for the Digital Services Act; and the proposal for the Artificial Intelligence Act. These three instruments move across a spectrum, from a bottom-up approach (the GDPR) to a top-down architecture (the AI Act), going through an intermediate stage (the DSA). It is argued, however, that despite the different methods, the three instruments share a common objective and project: they all seek to guarantee an optimal balance between innovation and the protection of rights, in line with the developing features of European (digital) constitutionalism. Through this lens, it is thus possible to grasp the “fil rouge” behind the GDPR, the DSA and the AI Act as they express a common constitutional aspiration and direction.