DIGITAL SERVICES ACT - A new round of EU online space regulation

Sergei Makarchuk, LL.M.


On 19 October 2022, the European Parliament and the Council of the European Union adopted Regulation (EU) 2022/2065 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (the “DSA”).

The DSA sets out the harmonized legal framework for the EU internal digital services market in order to safeguard it from negative effects caused by national laws that impose different local requirements for providers of intermediary services. The DSA is aimed at preventing fragmentation of the EU digital services market, ensuring legal certainty for its stakeholders, and providing conditions for innovative digital services to emerge and scale up.

In particular, the DSA establishes:

  1. a framework for the conditional exemption from liability of providers of intermediary services;
  2. rules on specific due diligence obligations tailored to certain specific categories of providers of intermediary services;
  3. rules on the implementation and enforcement of the DSA, including rules on the cooperation of and coordination between the competent authorities.

The DSA does not replace but rather complements the Directive on Electronic Commerce (Directive 2000/31/EC) that has regulated the digital services environment in the Union for the past two decades as well as the EU legal acts regulating other aspects of the provision of intermediary services in the European internal market.

Who and what falls within its scope?

The DSA applies to all intermediary services offered to users within the EU, irrespective of where the providers of those intermediary services have their place of establishment. This means that not only EU providers of digital services but also providers from third countries offering their digital services in the Union fall within the scope of the DSA.

Intermediary services cover a broad range of economic online activities that provide for the transmission of information. The following categories of online activities qualify as ‘intermediary services’:

  1. ‘Mere conduit’ services. This includes, for example, internet exchange points, Wi-Fi access points, VPN, DNS services and resolvers, top-level domain name registries, registrars, certificate authorities that issue digital certificates, voice-over IP (VoIP), and other interpersonal communication services.
  2. ‘Caching’ services. This includes, for example, the sole provision of content delivery networks, reverse proxies or content adaptation proxies.
  3. ‘Hosting’ services. This includes, for example, online platforms, cloud computing, web hosting, paid referencing services or services enabling the sharing of information and content online, including file storage and sharing.

The requirements imposed by the DSA on intermediary services vary depending on the type, size, and nature of the services provided. Thus, the obligations to which providers of intermediary services are subject are split into the following categories:

  • basic obligations applicable to all providers of intermediary services;
  • additional obligations for:
    1. providers of hosting services, including online platforms;
    2. providers of online platforms;
    3. providers of online platforms allowing consumers to conclude distance contracts with traders;
    4. providers of a very large online platform (“VLOP”) and of a very large online search engine (“VLOSE”), which are understood to be online platforms or online search engines with at least 45 million active users in the EU on a monthly basis.

Micro or small enterprises are excluded from a number of requirements under the DSA unless they qualify as a VLOP or VLOSE. With respect to some other requirements, micro or small enterprises are provided with an extended timeline to ensure compliance.

What are the key provisions?

Liability of providers of intermediary services

The DSA defines when providers are not liable for the content of the information transmitted or stored by users. Providers are exempt from the general obligation to monitor the information that users transmit or store, as well as from the obligation to actively seek facts or circumstances indicating illegal activity.

Due diligence obligations

All providers are obliged to designate single points of contact for communication with (i) the supervisory authorities and (ii) users. In addition, providers from third countries have to designate a legal representative in the EU. The terms and conditions of providers must clearly indicate any policies, procedures, measures, and tools used for the purpose of content moderation. To ensure transparency, providers are obliged to publicly report any content moderation they engage in.  

Requirements for providers of hosting services, including online platforms

Providers of hosting services are obliged to set up ‘notice and action’ mechanisms that would enable users to report illegal content online so it can be removed quickly by the provider. In addition, providers of hosting services are obliged to report to law enforcement authorities any information that might potentially be related to a criminal offence involving a threat to the life or safety of people.

Requirements for providers of online platforms

Providers of online platforms must provide their users with access to the internal free-of-charge complaint-handling system that can be used to file complaints against the decisions made by such online platforms that allege that information provided by the user contains illegal content or violates the provider’s terms and conditions. For those disputes that cannot be resolved by means of the internal complaint-handling system, the DSA establishes an out-of-court dispute settlement procedure. The DSA also introduces a new mechanism for users to flag illegal content and for platforms to cooperate with 'trusted flaggers'. Providers of online platforms are entitled to suspend the provision of their services to users who frequently provide manifestly illegal content.

It is prohibited for providers to use the online interfaces of their online platforms to affect the ability of users to make autonomous and informed choices, so-called ‘dark patterns’.

The DSA also sets forth the transparency requirements for online advertising and recommender systems, as well as restrictions on the use of minors' personal data or sensitive data for targeted advertising.

Requirements for providers of online platforms allowing consumers to conclude distance contracts with traders

Providers of online platforms that allow consumers to conclude distance contracts with traders must ensure the traceability of traders. Thus, traders are only entitled to make use of the online platform’s services if they provide the required information regarding their corporate identity, contact details, and account details. Providers must do their utmost to verify the information obtained.

Requirements for VLOP and VLOSE to manage systemic risks

VLOP and VLOSE are obliged to identify, assess, and mitigate the systemic risks related to the dissemination of illegal content, negative effects on fundamental rights, electoral processes, public security, gender-based violence, protection of public health and minors, and the person’s physical and mental well-being. In addition, VLOP and VLOSE have to take certain urgent actions in response to crisis situations upon the request of the Commission. The compliance of VLOP and VLOSE with the requirements imposed by the DSA is subject to an annual independent audit.

What is the enforcement mechanism?

The supervision and enforcement powers of the DSA are shared by the national competent authorities and the Commission. The Commission has exclusive powers with respect to VLOP and VLOSE, while the national authorities have competence over the smaller providers of intermediary services. By 17 February 2024, Member States must designate one of the competent authorities as the Digital Services Coordinator that will be responsible, on the one hand, for supervising providers of intermediary services established in the relevant local jurisdiction and, on the other hand, for coordinating with the competent authorities in other Members States and at the Union level.

To ensure the DSA is consistently applied across the Union, the DSA establishes a European Board for Digital Services. It will serve as an independent advisory group at the EU level providing support to the Commission and helping coordinate the actions of all Digital Services Coordinators.

Compliance with the DSA is enforceable by means of fines (up to 6% of the infringer’s annual worldwide turnover) and periodic penalty payments (up to 5% of the infringer’s average daily worldwide turnover per day).

In addition to this, users are entitled to seek redress for any damage they suffer that is caused by an infringement of the obligations set out in the DSA by the provider of intermediary services. This right is independent of other possibilities for redress available under consumer protection rules.

What is the implementation timeline?

The DSA was published in the Official Journal on 27 October 2022 and entered into force on 16 November 2022. It will apply in full from 17 February 2024; however, a number of provisions have been applicable since 16 November 2022. VLOP and VLOSE will have to comply with the DSA approximately from mid-2023.