What is the DSA about?

The DSA aims to provide an EU-wide level playing field for intermediary services offered to users/recipients in the EU. On the one side, this has the purpose to optimize the functioning of the European Single Market and avoid fragmentation by diverging laws in different EU Member States. On the other side, the DSA aims to create a safe, predictable, and trusted online environment in the EU, which is free from illegal content and where European fundamental and consumer rights are respected.

To this end, it reinforces, clarifies, and extends the safe harbor principles for intermediaries, which were originally established under the EU e-Commerce Directive 2000/31 (ECD). It stipulates rules on content moderation and other restrictions, complaint handling, transparency, fair design, e-commerce, and online advertising based on a tiered regulatory system. Apart from that, it also establishes new regulatory structures, stipulating new rules on supervision, enforcement, cooperation, and coordination between competent EU and domestic authorities, so that cross-border cases that are imminent to digital services can be better addressed and managed.

Who is affected?

Business to business (B2B) and business to consumer (B2C) providers of digital intermediary services (intermediaries) who provide users/recipients with access to goods, services, and content. In particular, providers of

• mere conduit services (Article 3(g)(i) of the DSA), such as access services, internet exchange points, wireless access points, VPNs, and DNS services;
• caching services (Article 3(g)(ii) of the DSA), such as CDNs, reverse proxies, and content adaptation proxies;
• hosting services (Article 3(g)(iii) of the DSA), such as cloud computing and web hosting;
• online platforms (Article 3(i) of the DSA), such as social networks, app stores, and online marketplaces; and
• online search engines (Article 3(j) of the DSA).

The DSA affects those service providers if they have an establishment in the EU or otherwise a so-called substantial connection to the EU (Article 3(e) of the DSA). A substantial connection is inter alia given when the service provider has a significant number of users/recipients in one or more EU Member States in relation to their population or targets activities in one or more EU Member States. Indicators can be language, advertising, currency, top-level domain of an EU Member State, or the delivery of products/services to the EU. In contrast, the mere accessibility of a website alone does not suffice.

Certain exemptions apply to Small and medium-sized enterprises (SMEs) (Articles 19 and 29 of the DSA), that have less than 50 employees and an annual turnover below €10 million unless they qualify as very large online platforms (VLOPs) or very large online search engines (VLOSEs) with more than 45 million average monthly active users/recipients in the EU.

Graded approach – tiered regulatory system

The DSA predominantly follows a tiered regulatory system, as illustrated below:

Image 1: Taylor Wessing Germany

Based on this concept, all intermediary services are subject to general duties, such as designating a point of contact for authorities and users/recipients, terms and conditions (T&C) transparency, and regular transparency reporting (Articles 11 - 15 of the DSA). These general duties are then supplemented by further additional special duties depending on the type and classification of the particular service (Recital 41 of the DSA). Accordingly, additional special duties apply to hosting services pertaining to notice-and-takedown mechanisms, a statement of reasons for restrictive measures and adverse decisions, as well as the notification of suspicions of certain criminal offenses (Articles 16 - 18 of the DSA), whereby online platforms, in turn, have more additional special duties, inter alia including the provision of an internal complaint-handling system, cooperating with an out-of-court dispute settlement bodies, prioritizing trusted flagger notices, compliance with further transparency obligations, and ensuring the online protection of minors (Articles 19 - 32 of the DSA). The most comprehensive and strictest rules under the DSA apply to VLOPs and VLOSEs, inter alia including the assessment and mitigation of systemic risks (Articles 33 - 43 of the DSA).

From when must the DSA's rules be observed?

The DSA fully applied from February 17, 2024. However, as mentioned above, for various VLOPs and VLOSEs, the DSA already began to apply at the end of August 2023.

What are the key aspects of the DSA?

Within the tiered regulatory system, the DSA contains a multitude of new rules. The key aspects are as follows.

How to comply with a few specific reporting and transparency requirements?

According to the DSA, providers of hosting services (including online platforms) must submit decisions and statements of reasons regarding user/recipient content restrictions to the European Commission for inclusion in a publicly accessible database, i.e., the EU Transparency Database (Articles 17 and 24(5) of the DSA). The transmission process involves onboarding with the competent domestic Digital Services Coordinator (DSC), who assigns a dedicated token to the service using the application programming interference (API) for submitting information to the database after completing a test phase.

Further, the DSA requires all service providers to publish annual transparency reports on content moderation, covering areas like takedowns and moderation accuracy (Articles 15 and 24(1) of the DSA). VLOPs and VLOSE are subject to shorter deadlines as they must publish those reports semi-annually (Article 42 of the DSA). To ensure consistency and clarity as well as to provide guidance to service providers on how to design such transparency reports, the European Commission has recently adopted the Implementing Regulation EU 2024/2835 to standardize the form, content, and reporting periods for all service providers. Providers will have to start collecting data according to the Implementing Regulation as of July 1, 2025, with the first harmonized reports due in the beginning of 2026. To this end, the Implementing Regulation provides templates for such reports.

What should online platforms watch out for next?

As mentioned above, providers of online platforms are required to cooperate with certain designated out-of-court dispute settlement bodies in cases of disputes regarding illegal content or content incompatible with their T&C (Article 21 of the DSA). The certification process for designated bodies by the competent DSCs is in its early stages. Currently, there are only a few certified out-of-court dispute settlement bodies, with one in Malta, Germany, Hungary, and Ireland, but it is expected that many more will be certified in the future. For an overview, please see here.

Additionally, providers of online platforms must also prioritize notices from so-called trusted flaggers (such as Europol or NGOs) within their notice-and-action mechanisms and handle them without undue delay (Article 22 of the DSA). To this end, only qualified and trustworthy individuals or entities are appointed by the competent DSCs, provided that they meet specific requirements, such as expertise in handling illegal content (Article 22(2) of the DSA). Currently, there are eleven certified organizations and more certifications are expected to follow. The list of certified entities can be found here.

What is the supervision structure and which powers do competent authorities have?

Below the VLOP/VLOSE threshold, the competent authorities for the DSA's supervision and enforcement are in principle the DSCs in each EU Member State (Article 56(1) of the DSA). The competent authority for VLOPs and VLOSEs is primarily the European Commission (Articles 56(2) and (3) of the DSA).

The competent authorities have extensive rights to access, obtain information, inspect, order, and sanction service providers (Articles 51, and 67 - 69 of the DSA). Violations of the DSA can potentially be subject to fines of up to 6% of the worldwide turnover of the preceding financial year (Articles 52(3) and 74(1) of the DSA).

Outlook

Although the DSA as a very young European legislative act is still in its infancy, the 'grace period' granted to those service providers below the VLOP and VLOSE threshold has ended with the DSA's full applicability on February 17, 2024. If this is not yet the case, it is strongly advised to start taking a diligent look at and (where necessary) implementing the DSA's extensive and versatile requirements. This also comprises a beneficial check of whether the exemptions for SMEs outside of VLOPs/VLOSEs apply. Apart from that, it should be further considered that the implementation of the DSA's new requirements likely involves considerable efforts, which cannot be realized overnight. It should also be kept in mind that the DSA's domestic regulatory structures have considerably progressed in recent months. Inter alia, all DSCs as the main competent authorities in the EU Member States have been appointed and are gradually taking up their supervision and enforcement activities. In particular, a few DSCs have already submitted requests for information (RFIs) to some service providers. Hence, the practical risk of becoming subject to regulatory measures has increased, which will continue to intensify in the future.

In any case, it will be very interesting to see how enforcement actions will progress.

Philipp Koehler Salary Partner
[email protected]
Nathalie Koch Senior Associate
[email protected]
Taylor Wessing Germany, Munich and Berlin