
Digital Services Act (DSA): A new legal framework for the platform economy

The European Commission has issued the draft proposal for the Regulation on a Single Market for Digital Services (Digital Services Act, the “DSA”), which creates a new legal framework for digital services, amends the e-Commerce Directive, and prepares EU law for new and innovative information society digital services.

The DSA sets out uniform, harmonised rules for intermediary service providers (the “ISPs”) to foster innovation, growth and competitiveness, to better protect consumers and their fundamental rights online, to ensure a safe, predictable and trusted online environment, to offer more choices for users and less exposure to illegal content, to provide access to business users to EU-wide markets through platforms, and to facilitate the scaling up of smaller platforms, SMEs and start-ups. The new draft rules establish:

  • a framework for the conditional exemption from liability of ISPs;
  • rules on specific due diligence and other obligations tailored to different categories of ISPs;
  • law enforcement rules and a new regime for cooperation of and coordination between the competent authorities.

1. Which digital service providers are covered?

The DSA covers those ISPs, whether established in or outside the EU, that provide intermediary services such as conduit, caching and hosting services to recipients (users, business users, consumers, individuals and legal entities using the intermediary services) that have an establishment or residence in the EU.

The definitions of conduit, caching and hosting service providers remained the same as in the e-Commerce Directive; the DSA only repeats those e-Commerce Directive definitions word-for-word.

The draft regulation contains special obligations for online platform hosting providers and very large platforms as a special category of online platforms, and defines those hosting services as follows:

  • Online platforms are providers of hosting services which store and make available information to the public at the request of a recipient of the service, e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms. However, if storing or making information available to the public is a minor and ancillary feature of another service, and cannot be used without that other service for objective and technical reasons, the service does not qualify as an online platform. This is the situation with the comment section in an online newspaper or email and private messaging services.
  • Very large online platforms are online platforms which provide their services to a number of average monthly active recipients of the service in the EU equal to or higher than 45 million. The list of very large online platforms is published in the Official Journal of the EU.

2. No change in the liability of ISPs for information stored or transmitted in their services

The DSA does not change the liability regime of ISPs for illegal content. It only repeats the liability provisions of the e-Commerce Directive word-for-word and also maintains the e-commerce rule that ISPs do not have a general obligation to monitor the information they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

As an addition, the draft regulation stipulates that ISPs can still refer to the exemption of liability even if they conduct voluntary self-initiated investigations or other activities aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with the requirements of EU law.

3. What are the new obligations?

The DSA stipulates new obligations on ISPs at different levels. Common obligations apply to all kinds of ISPs, including online platforms and very large online platforms. Hosting providers have additional obligations, and the DSA contains special obligations for online platforms compared to other hosting services. In addition, very large online platforms have further obligations to manage systemic risks.

3.1 Common obligations applicable to all ISPs

  • Providing information to authorities based on orders: if an ISP receives an order from an authority to act against illegal content, the ISP must inform the authority without undue delay about the actions it takes and the time of those actions. Furthermore, if the ISP receives an order to provide information about a specific individual recipient of a service, the ISP must confirm the receipt of the order to the authority without undue delay and must provide the requested information with certain limitations.
  • Designating points of contact and legal representatives: ISPs must establish a single point of contact for direct electronic communication with the authorities and publish it. Furthermore, ISPs not established in the EU but offering services in the EU must designate in writing a legal representative (together with its name and contact details) in one of the EU countries where the ISP offers services for receipt, execution and enforcement of authority decisions and for cooperation with the authorities. This designated legal representative can be held liable for non-compliance with obligations under the DSA.
  • Indicating restrictions in terms: all restrictions (including content moderation, algorithmic decision-making, and human review rules) related to the use of ISPs’ services regarding information provided by the recipients must be included in the terms and conditions of the services.
  • Publishing annual transparency reports: ISPs must publish detailed annual reports of any content moderation they engaged in during the relevant period. These reports must include, among other things, certain information on the orders from authorities, notices on illegal content and complaints received by the ISP, as well as on content moderation by the ISP.

3.2 Additional obligations on all hosting providers

  • Managing notices on illegal content: the hosting provider must introduce easily accessible, user-friendly electronic processes for managing notices on illegal content. The DSA lists the mandatory elements of such a notice. The hosting provider must confirm the receipt of such a notice in a responding email and notify the claimant of its decision without undue delay.
  • Providing reasoning for decisions: if the hosting provider decides to remove or make unavailable any illegal content provided by the recipient, it must inform the recipient of the decision and give clear reasoning for that decision. This reasoning must contain all mandatory elements listed in the DSA. The decision must be published in an anonymised way in the Commission’s public database.

3.4 Special obligations of online platforms

The provisions applicable to online platforms cannot be applied to SME online platforms. The following additional obligations apply to online platforms, including very large online platforms:

  • Complaint management system: online platforms must maintain an internal, user-friendly, easily accessible electronic complaint management system and must grant recipients access to it. Recipients can use this system to submit complaints electronically against the online platform’s decisions on their illegal content.
  • Out of court dispute settlement: recipients affected by an online platform’s decision on illegal content are entitled to turn to an out-of-court body certified by the digital service coordinator. The online platforms are bound by the decision of this body. The DSA contains the detailed rules for the proceedings and the decisions of this certified body.
  • Priority for trusted flaggers: online platforms must process the notices on illegal content submitted by trusted flaggers with priority. The digital service coordinators are entitled to qualify an entity as a trusted flagger if all conditions listed in the DSA are met. The list of trusted flaggers is published in the Commission’s publicly available database.
  • Measures against abusive notices and counter-notices: online platforms must suspend their services to recipients that frequently provide manifestly illegal content. Furthermore, online platforms must also suspend the processing of notices and complaints submitted by persons that frequently submit notices or complaints that are manifestly unfounded. The DSA contains detailed rules for the circumstances to be assessed in the case of such suspension.
  • Reporting suspicions of criminal offences: online platforms must promptly inform the member states’ competent law enforcement authorities, or in certain cases Europol, if they become aware of any suspicion that a criminal offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take place.
  • Know Your Business Customer: online platforms must identify their traders promoting messages or offering products or services to EU consumers, and must obtain the information about them listed in the DSA, among others the trader’s name, contact details, registration number and a copy of the trader’s ID card.
  • More detailed transparency reports: online platforms must include additional information in their annual transparency report, such as information about out-of-court disputes, suspensions, and automated content moderation. Furthermore, online platforms must publish information at least once every six months on the average monthly active recipients of the service in each EU country.
  • User-facing transparency of online advertising: online platforms must ensure that advertisements displayed in their services contain information that this is an advertisement, who is the advertiser, and the target audience of the advertisements.

3.5 Very large online platforms’ special obligations for managing systemic risks

The draft regulation contains the following special obligations for very large online platforms for managing systemic risks:

  • Risk management obligations: very large online platforms must conduct annual risk assessments on the significant systemic risks stemming from the functioning and use of their services in the EU. Furthermore, based on these risk assessments, they must put in place reasonable, proportionate and effective risk mitigation measures for the systemic risks they identify. The DSA contains a detailed list of those risk-mitigation measures.
  • External risk auditing and public accountability: very large online platforms must conduct annual audits on compliance with the DSA and the code of conduct via an independent, external professional auditor. The auditor must issue a written audit report including the mandatory elements listed in the DSA.
  • Transparency of recommender systems: if a very large online platform uses a recommender system, it must include the main parameters of and certain information about this system in its terms and conditions, and must ensure options for users not involving profiling.
  • More transparency in online advertising: very large online platforms must make publicly available, through APIs, an anonymised repository about the online advertisements displayed on the platform. The repository must contain the content of the advertisements, each advertiser’s name, the period when each advertisement was displayed, and certain information about the target audience of each advertisement.
  • Data sharing with authorities and researchers: very large online platforms must provide access to the data to the digital service coordinator or the Commission for monitoring and assessing compliance with the DSA, and must grant access to the data to vetted academic, independent researchers for conducting research that contributes to the identification and understanding of systemic risks. Data access must be ensured via APIs or online databases.
  • Compliance officer: very large online platforms must appoint at least one professional compliance officer to monitor compliance with the DSA. The compliance officer’s name and contact details must be provided to the digital service coordinator and the Commission.
  • Additional transparency reporting duties: very large online platforms must publish transparency reports every six months and must publish and submit additional reports listed in the DSA to the digital service coordinator and the Commission.

4. Competent authorities, forum shopping

All EU member states must designate a competent national enforcement authority for the DSA and the same or another authority as the digital service coordinator. Each digital service coordinator has the power of investigation and is entitled to demand information from the ISPs and any other person on suspected infringements of the DSA, to carry out on-site inspections, to ask staff of the ISPs to give explanations, to order the cessation of an infringement, to impose fines, and to adopt interim measures.

The EU member state in which the main establishment of the ISP is located will have jurisdiction over the ISP. If an ISP does not have an establishment in the EU but offers services in the EU, it will be deemed to be under the jurisdiction of the EU member state where its legal representative resides or is established, which enables foreign ISPs to choose the EU jurisdiction by designating their legal representative. If the ISP fails to appoint a legal representative, all EU member states will have jurisdiction over that ISP.

The DSA establishes the European Board for Digital Services, an independent advisory group of digital service coordinators on the supervision of ISPs with advisory tasks for digital service coordinators and the Commission.

The DSA introduces enhanced supervision for very large platforms. In this case, the digital services coordinator will consider all opinions and recommendations of the European Board for Digital Services and the Commission. The Commission and the Board are entitled to recommend that the digital service coordinator investigate the infringing activity. The Commission is entitled to initiate its own proceedings against a very large online platform in cases defined in the DSA. The DSA contains special rules for proceedings initiated by the Commission against a very large platform, with special procedural rights and obligations.

5. Sanctions

The DSA does not contain an exhaustive list of sanctions for an infringement of the regulation; the Member States will set out the rules on sanctions. The draft regulation defines the following maximum penalties:

  • 6% of the annual income or turnover of the ISP for infringing the obligations in the DSA;
  • 1% of the annual income or turnover of the ISP for supplying incorrect, incomplete or misleading information, failing to reply or to rectify incorrect, incomplete or misleading information, and failing to submit to an on-site inspection;
  • 5% of the average daily turnover in the preceding financial year per day, calculated from the date appointed by the decision in the case of daily, periodic penalty payments.

6. Next steps

The European Parliament and Member States will discuss the Commission’s proposal according to the ordinary legislative procedure, which will take at least 18 months. Once adopted, the DSA will directly apply across the EU and ISPs will have three months to prepare for the new legal regime.

We will continuously monitor the status of the legislative process and keep you updated on any changes to the draft text of the DSA.


Dóra Petrányi
CEE Managing Director, Global Co-Head of the Technology, Media and Communications Group
Katalin Horváth
Senior Counsel
Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO
