The Digital Services Act (DSA), approaching enactment at the time of writing, will uniformly govern the activities of providers of digital services within the EU. Alongside the Digital Markets Act (DMA) and other regulatory projects, the DSA is one of the flagship projects of the current European Commission as part of a comprehensive European digital strategy.
The DSA will impose far-reaching obligations on providers of very large online platforms (VLOPs) and very large online search engines (VLOSEs) with more than 45 million average monthly active recipients within the EU. Apart from that, the DSA will also have a significant impact on the entire digital industry.
After a long, intense and, in parts, heated debate following the European Commission’s first draft (dated 15 December 2020), the DSA was approved by the European Parliament on 05 July 2022. The DSA must still be formally adopted by the European Council, a legislative step that is unlikely to result in any major changes.
The DSA is an ambitious undertaking as it aims to encompass a wide range of different regulatory objectives – such as safe harbour principles, detailed consumer protection rules, as well as transparency rules for ‘big tech’ algorithms – in a single regulatory framework. Core novelties in enforcement include EU Member States’ Digital Services Coordinators, enforcement competencies of the European Commission as well as GDPR-style fines of up to 6% of annual global turnover. A number of provisions, including for search engines, online interfaces and users’ remedies, were introduced late in the process. The majority of the DSA’s rules will likely come into effect in the course of 2024. Transparency and reporting obligations for providers of online platforms as well as rules for providers of VLOPs and VLOSEs will, however, become effective four months from their designation as such.
What is the DSA about?
The DSA aims to address the risks and challenges that have emerged from the digital transformation and the related rise of new digital business models. It adapts the regulatory framework applicable to digital services to the current and future state of digitisation. Key elements include:
- providing a safe digital environment that is free from illegal content
- enhancing transparency and accountability for digital intermediary services
- increasing and strengthening the protection of fundamental European rights and consumer rights
- facilitating and promoting competition and innovation within the digital European Single Market
- improving legal certainty for providers of digital services, especially for cross-border activities
- enhancing enforcement.
The DSA will apply directly in all EU Member States without requiring any further implementation by the EU Member States. The DSA is also supposed to apply in the EEA.
The DSA has been a controversial project. While supporters welcome its aims of tackling illegal content and regulating big tech, critical voices have expressed concerns over, among other things, potential negative chilling effects on the exercise of European fundamental rights including free speech, the DSA’s extensive and complex rules creating unnecessary bureaucracy for innovative digital businesses and stifling innovation, as well as expected issues with the technical feasibility of individual rules of the DSA.
Ultimately, only practical experience with the DSA’s implementation by affected service providers as well as its enforcement will reveal whether the advantages outweigh the disadvantages. Accordingly, the European Commission is obliged to regularly evaluate the effects of the DSA, starting three years after its entry into force.
Who is affected?
The DSA addresses B2B and B2C providers of digital intermediary services (intermediaries), who provide recipients with access to goods, services and content. This includes providers of:
- mere conduit services (eg internet exchange points, wireless access points, virtual private networks and DNS services)
- caching services (eg content delivery networks, reverse proxies and content adaptation proxies)
- hosting services (eg cloud computing and web hosting)
- online platforms (eg social networks and online marketplaces)
- online search engines.
To apply, the DSA further requires that affected intermediary services have a substantial connection to the EU. This can be created where there is an establishment of the service provider within the EU. However, as the DSA is also intended to regulate intermediary services provided to the EU from third countries outside the EU/EEA, this can also result from a significant number of recipients of the intermediary service in one or more EU Member States in relation to their population; or targeting activities towards one or more EU Member States. In this context, indicators to determine a substantial connection include, for instance, language, currency or top-level domain of an EU Member State or the delivery of products or services to the EU. In contrast, the mere accessibility of a website alone does not suffice. See our article on the scope of the DSA for more detail.
Graded approach – tiered system
The DSA predominantly follows a tiered regulatory system.
Based on this concept, all intermediary services are subject to general obligations which are then supplemented by further additional special obligations depending on the type and classification of the respective intermediary service. Accordingly, additional special obligations apply to hosting services; online platforms have still more additional obligations, and the most extensive and strictest rules under the DSA apply to VLOPs.
The classification of online search engines has been treated in a special way, as online search engines were only added during the trilogue negotiations. In this context, the European legislator unfortunately failed to achieve complete consistency and clarity within the DSA’s structure of tiered regulation. Rather, the subsequent insertion of online search engines results in regrettable ambiguities. It would arguably have been preferable to assign online search engines to a specific type of intermediary services, similar to the classification of online platforms as a subset of hosting services.
Based on the search function of online search engines and pursuant to the European legislator’s considerations, online search engines are likely to qualify as (simple) intermediary services. Where the online search engine reaches the threshold of the classification as a VLOSE (with more than 45 million average monthly active recipients within the EU), most of the additional special obligations specifically applicable to VLOPs apply accordingly.
The terminology and scope of the DSA’s classifications is not sharp-edged, so uncertainties and room for interpretation remain. To add complexity, it is also possible that a digital service may combine several services or functionalities that are subject to different classifications and therefore different rules under the DSA.
Key obligations under the DSA
Among the DSA’s extensive rules, the following are particularly worth noting:
A core aspect of the DSA is that service providers must remove illegal content swiftly and efficiently.
- Providers of intermediary services must respond and take the required measures when courts or authorities point out illegal content.
- Providers of hosting services must provide predefined notice-and-action mechanisms for reporting alleged illegal content and follow up on such notices, including taking the necessary measures.
- Whether or not content qualifies as illegal content is not determined by the DSA itself but by the applicable law of the affected EU Member State.
- Providers of online platforms must give special weight to and prioritise notices provided by trusted flaggers, which are certified by authorities due to their expertise.
Liability privileges (safe harbour principles)
The liability privileges of the EU eCommerce Directive have effectively been included in the DSA. Therefore, the notice-and-takedown concept originally introduced and developed under the eCommerce Directive remains largely intact. Service providers do not have to actively check the legality of content.
However, the DSA also provides new features. This includes a welcome clarification (sometimes somewhat misleadingly referred to as a “good-Samaritan” clause) that voluntarily self-initiated investigations or other measures aiming to achieve legal compliance do not exclude the safe harbour principles. Host providers that enable the conclusion of contracts between traders and consumers cannot, however, rely on the safe harbour principles under consumer protection law where the design of the online platform leads the consumer to believe that the information, product or service that is the subject of the transaction is provided either by the service provider itself or by a trader who is acting under its control. See our article for more.
Single point of contact
Providers of intermediary services must designate a single point of contact as the direct contact for authorities and recipients. Information and contact details of the single point of contact must be easily accessible.
Providers of intermediary services that do not have an establishment in the EU but address recipients in the EU must appoint a legal representative in one of the affected EU Member States, a principle familiar from the EU GDPR. The legal representative must be equipped with sufficient power of representation and resources and has to act, among other things, as a contact for authorities and recipients. The name and contact details of the legal representative must be easily accessible. Notably, the designated legal representative can be held liable for non-compliance with obligations under the DSA, without prejudice to the liability of the provider of the respective intermediary services.
Due diligence obligations for terms and conditions
Providers of intermediary services must provide transparent information on any restrictions in their terms and conditions affecting the provision of information. This includes policies, procedures, measures and tools used for content moderation, including algorithmic decision-making and human review, as well as the rules of procedure for their internal complaint handling system. Providers of intermediary services must apply and enforce such restrictions responsibly, considering the affected European fundamental rights.
Transparency reporting obligations
Based on the classification of the affected service provider, there are various tiered transparency obligations to provide regular reports on content moderation and other measures:
- Providers of intermediary services must, among other things, provide reports on: (a) the number of administrative or court orders received and respective actions taken, (b) the specifics of self-initiated content moderation and (c) applied automated means for purposes of content moderation, including indicators of accuracy, possible error rates and applied safeguards.
- Providers of hosting services must also, among other things, provide reports on the number of notices submitted (via notice-and-action mechanisms) by recipients and trusted flaggers as well as respective actions taken and whether such actions were performed on the basis of automated means.
- Providers of online platforms must also, among other things, provide reports on: (a) the number of complaints received through the internal complaint handling system and respective decisions made, (b) the number of disputes submitted to out-of-court dispute settlement bodies and the outcomes of such disputes, (c) the number of suspensions of recipients and their grounds and (d) the number of the average monthly active recipients within the EU.
The EU Commission may set out requirements as to the form, content and details of such reports.
Complaint handling system
Providers of online platforms must implement an internal complaint handling system, which enables recipients to complain, for instance, about the alleged unauthorised removal of content, the suspension of user accounts and other measures that have a detrimental effect. This must be easily accessible. The decision made on a complaint must include a justification by the provider of the online platform, and the decision may not be made purely by automated means. Apart from that, providers of online platforms must provide the possibility of out-of-court dispute resolution.
Exemptions for small companies and micro enterprises
Small companies and micro enterprises (with fewer than 50 employees and less than €10 million in annual sales) are exempt from complying with some of the DSA’s obligations. These include obligations for providers of online platforms as well as transparency reporting obligations of providers of intermediary services. The exemption does not apply if companies – despite their small size – qualify as VLOPs or VLOSEs.
Enhanced protection of minors
Providers of online platforms must take appropriate measures to ensure a high level of data protection and safety for recipients that qualify as minors.
Dark patterns and compliance by design
The DSA stipulates vague requirements for the design of user interfaces on online platforms. Misleading user interfaces (the recitals mention nudging or dark patterns) are prohibited if they hamper the recipient from making a free and informed decision. The EU Commission can provide further specifics within guidelines, including on repeatedly requesting a recipient to make a choice which has already been made, and making the procedure of terminating a service more difficult than subscribing to it.
Online advertising and transparency
Apart from the common requirement to clearly designate online advertising as such, providers of online platforms must provide information on the principal of the respective online advertisement. In addition, information has to be given as to the main parameters of how target groups are determined and, where applicable, how to change those parameters. In addition, VLOPs and VLOSEs must provide a repository, where recipients can access information on online advertising that was displayed within the last year. Such information includes the content of the online advertisement, its principal, period and target groups. These rules may pose a significant challenge to the protection of trade secrets.
Partial ban on profiling-based online advertising
Providers of online platforms are prohibited from profiling-based online advertising based on sensitive data (such as health data) and aimed at minors. With the DSA aiming to increase the protection of minors, the European legislator did not want to encourage providers of online platforms to use age verification measures and collect more personal data. Accordingly, it is unclear how providers of online platforms should implement this ban.
To the extent that providers of online platforms use recommender systems (eg for news feeds), they must provide transparent information on: (a) the main parameters of their recommender system, and (b) the possibility of modifying or influencing those parameters. In addition, VLOPs and VLOSEs must provide at least one option for their recommender system that is not based on profiling.
See our article for more on the advertising provisions of the DSA and here for more on duties and obligations under the DSA more generally.
Claims by recipients
Recipients are entitled to make claims against service providers for violations of the DSA, including claims for damages, under EU and EU Member State law.
B2C online marketplaces
Providers of B2C online marketplaces must collect data from traders based on the know-your-business-customer (KYBC) principle. To this end, providers of B2C online marketplaces must collect traders’ contact and payment data as well as proof of identity. If the trader provides inaccurate and/or incomplete information, the service provider must remove the trader from the service. Only businesses are considered traders under the DSA, so that affected service providers are required to differentiate between consumers and businesses to an even greater extent than is already the case under applicable law. See our article for more on the KYBC requirements.
VLOPs and VLOSEs
The DSA requires mandatory regular assessments of systemic risks by providers of VLOPs and VLOSEs. Based on the results, risk mitigation measures must be taken. In addition, providers must conduct regular independent compliance audits and appoint a qualified compliance officer, who is independent from operational functions.
Crisis response mechanism
A newly introduced crisis response mechanism will apply to VLOPs and VLOSEs. In the event of an extraordinary crisis (ie a threat to public safety or health in the EU – the recitals expressly refer to armed conflict and pandemics), the EU Commission can oblige providers to cooperate and take defensive measures, eg adapting content moderation measures.
How is DSA compliance regulated?
The DSA aims to enhance cross-border communication and coordination between authorities in order to adapt it to the innate cross-border characteristics of digital services. Each EU Member State must appoint a Digital Services Coordinator (DSC) as the competent authority to monitor and enforce compliance with the DSA. The competent authority for VLOPs and VLOSEs is primarily the European Commission itself. See our article for more about the role of the DSC.
The authorities have extensive rights of access, to obtain information, to inspect, to order and to sanction service providers.
Violations of the DSA can potentially be subject to fines of up to 6% of annual worldwide turnover of the preceding financial year. If an information obligation under the DSA is violated, the maximum fine is limited to 1% of the previous year’s income or worldwide turnover. See our article on enforcement for more.
What is the relationship between the DSA and other European laws?
The DSA aims to standardise and simplify the legal situation for digital companies. It is supposed to help provide a level playing field. At the same time, the DSA touches on and overlaps with a number of other and more specific EU laws. In principle these remain unaffected. In all likelihood, however, ambiguities will remain or arise, in particular, where such rules cover identical aspects to or are less specific than the DSA. How issues are resolved will need to be defined by future practice and case law as we explore in more detail here.
The DSA also has a substantial influence on other EU Member States’ laws that have similar objectives. In this context, the DSA is expected to render the German Network Enforcement Act (NetzDG) obsolete. Since the liability provisions of the EU eCommerce Directive will be repealed and merged into Articles 3-8 of the DSA, some Member State laws (such as Sections 7-10 of the German Telemedia Act) will be repealed accordingly. Apart from this, the eCommerce Directive will remain unaffected.
When will the DSA apply?
The DSA will enter into force 20 days after its publication in the EU’s Official Journal, which is expected to take place this autumn. Most of the DSA’s rules are therefore likely to be effective 15 months after entry into force, ie in the first quarter of 2024. The earliest possible date was originally set for 01 January 2024.
The DSA’s rules for VLOPs and VLOSEs will however apply earlier, namely four months after the respective service provider has been designated as such by the EU Commission. Certain transparency and reporting obligations for providers of online platforms will apply when the DSA enters into force.
How should providers of digital intermediary services prepare for the DSA?
The DSA introduces a whole range of new rules and obligations. Certain providers – namely VLOPs and VLOSEs – are more in the sightlines of the DSA than others, but virtually all digital businesses are potentially affected. Businesses in the EU/EEA, but also worldwide, should therefore assess as early as possible whether and to what extent the DSA will apply to their business. Individual compliance gaps should be identified by a gap analysis. As a number of the DSA’s obligations imply considerable organisational, technical and legal efforts, tasks and processes should be defined sufficiently in advance and implemented in due time. In addition, companies should assess the impact on the interplay with existing laws (including sector-specific European laws) that must be observed in addition to the DSA. Specific implementation requirements will, of course, vary greatly from company to company, particularly because of the DSA’s tiered regulatory system.