Home / Publications / Digital Services Act (DSA): A new legal framework...

Digital Services Act (DSA): A new legal framework for the platform economy

The European Commission has issued the draft proposal for the Regulation on a Single Market for Digital Services (Digital Services Act, the “DSA”), which creates a new legal framework for digital services, amends the e-Commerce Directive, and prepares the EU law for new and innovative information society digital services.

The DSA sets out uniform, harmonised rules for intermediary service providers (the “ISPs”) to foster innovation, growth and competitiveness, to better protect consumers and their fundamental rights online, to ensure a safe, predictable and trusted online environment, to offer more choices for users and less exposure to illegal content, to provide access to business users to EU-wide markets through platforms, and to facilitate the scaling up of smaller platforms, SMEs and start-ups. The new draft rules establish:

  • a framework for the conditional exemption from liability of ISPs;
  • rules on specific due diligence and other obligations tailored to different categories of ISPs;
  • law enforcement rules and a new regime for cooperation of and coordination between the competent authorities.

1. Which digital service providers are covered?

The DSA covers those ISPs, whether established in or outside the EU, that provide intermediary services such as conduit services, caching services, hosting services to recipients (users, business users, consumers, individuals and legal entities using the intermediary services) having an establishment or residence in the EU.

The definitions of conduit, caching and hosting service providers remained the same as in the e-Commerce Directive; the DSA only repeats those e-Commerce Directive definitions word-for-word.

The draft regulation contains special obligations for online platform hosting providers and very large platforms as a special category of online platforms, and defines those hosting services as follows:

  • Online platforms are providers of hosting services which store and make available information to the public at the request of a recipient of the service, e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms. However, if storing or making information available to the public is a minor and ancillary feature of another service, and cannot be used without that other service for objective and technical reasons, the service does not qualify as an online platform. This is the situation with the comment section in an online newspaper or email and private messaging services.
  • Very large online platforms are online platforms which provide their services to a number of average monthly active recipients of the service in the EU equal to or higher than 45 million. The list of very large online platforms is published in the Official Journal of the EU.

2. No change in the liability of ISPs for information stored or transmitted in their services

The DSA does not change the liability regime of ISPs for illegal content. It only repeats the liability provisions of the e-Commerce Directive word-for-word and also maintains the e-commerce rule that ISPs do not have a general obligation to monitor the information they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

As an addition, the draft regulation stipulates that ISPs can still refer to the exemption of liability even if they conduct voluntary self-initiated investigations or other activities aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with the requirements of EU law.

3. What are the new obligations?

The DSA stipulates new obligations on ISPs at different levels. Common obligations apply to all kind of ISPs, including online platforms and very large online platforms. Hosting providers have additional obligations, and the DSA contains special obligations for online platforms compared to other hosting services. In addition, very large online platforms have further obligations to manage systemic risks.

3.1 Common obligations applicable to all ISPs

  • Providing information to authorities based on orders: if an ISP receives an order from an authority to act against illegal content, the ISP must inform the authority without undue delay about the actions it takes and the time of those actions. Furthermore, if the ISP receives an order to provide information about a specific individual recipient of a service, the ISP must confirm the receipt of the order to the authority without undue delay and must provide the requested information with certain limitations.
  • Designating points of contactand legal representatives: ISPs must establish a single point of contact for direct electronic communication with the authorities and publish it. Furthermore, ISPs not established in the EU but offering services in the EU must designate in writing a legal representative (together with its name and contact details) in one of the EU countries where the ISP offers services for receipt, execution and enforcement of authority decisions and for cooperation with the authorities. This designated legal representative can be held liable for non-compliance with obligations under the DSA.
  • Indicating restrictions in terms: all restrictions (including content moderation, algorithmic decision-making, and human review rules) related to the use of ISPs’ services regarding information provided by the recipients must be included in the terms and conditions of the services.
  • Publishing annual transparency reports: ISPs must publish detailed annual reports of any content moderation they engaged in during the relevant period. These reports must include, among others, certain information on the orders from authorities, notices on illegal content and complaints received by the ISP, as well as on content moderation by the ISP.

3.2 Additional obligations on all hosting providers

  • Managing notices on illegal contents: the hosting provider must introduce easily accessible, user-friendly electronic processes for managing notices on illegal contents. The DSA lists the mandatory elements of such a notice. The hosting provider must confirm the receipt of such notice in a responding email and notify the claimant of its decision without undue delay.
  • Providing reasoning for decisions: if the hosting provider decides to remove or make unavailable any illegal content provided by the recipient, it must inform the recipient of the decision and give clear reasoning for that decision. This reasoning must contain all mandatory elements listed in the DSA. The decision must be published in an anonymised way in the Commission’s public database.

3.4 Special obligations of online platforms

The provisions applicable to online platforms cannot be applied to SME online platforms. The following additional obligations apply to online platforms, including very large online platforms:

  • Complaint management system: online platforms must maintain an internal, user-friendly, easily accessible electronic complaint management system and must grant access to it to the recipients. The recipients can submit complaints electronically here against the online platform’s decisions on their illegal content.
  • Out of court dispute settlement: recipients affected by an online platform’s decision on illegal content are entitled to turn to an out-of-court body certified by the digital service coordinator. The online platforms are bound by the decision of this body. The DSA contains the detailed rules for the proceedings and the decisions of this certified body.
  • Priority for trusted flaggers: online platforms must processthe notices on illegal content submitted by trusted flaggers with priority. The digital service coordinators are entitled to qualify an entity as a trusted flagger if all conditions listed in the DSA are met. The list of trusted flaggers is published in the Commission’s publicly available database.
  • Measures against abusive notices and counter-notices: online platforms must suspend their services to recipients that frequently provide manifestly illegal content. Furthermore, online platforms must also suspend the processing of notices and complaints submitted by persons that frequently submit notices or complaints that are manifestly unfounded. The DSA contains detailed rules for the circumstances to be assessed in the case of such suspension.
  • Reporting suspicions of criminal offences: online platforms must promptly inform the member states’ competent law enforcement authorities, or in certain cases Europol, if they become aware of any suspicion of a criminal offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take place.
  • Know Your Business Customer: online platforms must identify their traders promoting messages or offering products or services to EU consumers, and must obtain information about them listed in the DSA, among others the name, contact details, registration number, copy of the ID card of the trader. 
  • More detailed transparency reports: online platforms must include additional information in their annual transparency report, such as information about out-of-court disputes, suspensions, and automated content moderation. Furthermore, online platforms must publish information at least once every six months on the average monthly active recipients of the service in each EU country.
  • User-facing transparency of online advertising: online platforms must ensure that advertisements displayed in theirservices contain information that this is an advertisement, who is the advertiser, and the target audience of the advertisements.

3.5 Very large online platforms’ special obligations for managing systemic risks

The draft regulation contains the following special obligations for very large online platforms for managing systemic risks:

  • Risk management obligations: very large online platforms must conduct annual risk assessments on the significant systemic risks stemming from the functioning and use of their services in the EU. Furthermore, based on these risk assessments, they must put in place reasonable, proportionate and effective risk mitigation measures for the systemic risks they identify. The DSA contains a detailed list of those risk-mitigation measures.
  • External risk auditing and public accountability: very large online platforms must conduct annual audits on compliance with the DSA and the code of conduct via an independent, external professional auditor. The auditor must issue a written audit report including the mandatory elements listed in the DSA in writing.
  • Transparency of recommender systems: if a very large online platform uses a recommender system, it must include the main parameters of and certain information about this system in its terms and conditions, and must ensure options for users not involving profiling.
  • More transparency in online advertising: very large online platforms must make publicly available, through APIs, an anonymised repository about the online advertisements displayed on the platform. The repository must contain the content of the advertisements, each advertiser’s name, the period when each advertisement was displayed, and certain information about the target audience of each advertisement.
  • Data sharing with authorities and researchers: very large online platforms must provide access to the data to the digital service coordinator or the Commission for monitoring and assessing compliance with the DSA, and must grant access to the data to vetted academic, independent researchers for conducting research that contributes to the identification and understanding of systemic risks. Data access must be ensured via APIs or online databases.
  • Compliance officer: very large online platforms must appoint at least one professional compliance officer to monitor compliance with the DSA. The compliance officer’s name and contact details must be provided to the digital service coordinator and the Commission.
  • Additional transparency reporting duties: very large online platforms must publish transparency reports every six months and must publish and submit additional reports listed in the DSA to the digital service coordinator and the Commission.

4. Competent authorities, forum shopping

All EU member states must designate a competent national enforcement authority for the DSA and the same or another authority as the digital service coordinator. Each digital service coordinator has the power of investigation and is entitled to demand information from the ISPs and any other person on suspected infringements of the DSA, to carry out on-site inspections, to ask staff of the ISPs to give explanations, to order the cessation of an infringement, to impose fines, and to adopt interim measures.

The EU member state in which the main establishment of the ISP is located will have jurisdiction over the ISP. If an ISP does not have an establishment in the EU but offers services in the EU, it will be deemed to be under the jurisdiction of the EU member state where its legal representative resides or is established, which enables foreign ISPs to choose the EU jurisdiction by designating its legal representative. If the ISP fails to appoint a legal representative, all EU member states will have jurisdiction over that ISP.

The DSA establishes the European Board for Digital Services, an independent advisory group of digital service coordinators on the supervision of ISPs with advisory tasks for digital service coordinators and the Commission.

The DSA introduces enhanced supervision for very large platforms. In this case, the digital services coordinator will consider all opinions and recommendations of the European Board for Digital Services and the Commission. The Commission and the Board is entitled to recommend that the digital service coordinator investigates the infringing activity. The Commission is entitled to initiate its own proceedings against a very large online platform in cases defined in the DSA. The DSA contains special rules for proceedings initiated by the Commission against a very large platform, with special procedural rights and obligations.

5. Sanctions

The DSA does not contain an exhaustive list of sanctions for an infringement of the regulation; the Member States will set out the rules on sanctions. The draft regulation defines the following maximum amount of penalties:

  • 6% of the annual income or turnover of the ISP for infringing the obligations in the DSA;
  • 1% of the annual income or turnover of the ISP for supplying incorrect, incomplete or misleading information, failing to reply or rectify incorrect, incomplete or misleading information, and failing to submit to an on-site inspection;
  • 5% of the average daily turnover in the preceding financial year per day, calculated from the date appointed by the decision in the case of daily, periodic penalty payments.

6. Next steps

The European Parliament and Member States will discuss the Commission’s proposal according to the ordinary legislative procedure, which will take at least 18 months. Once adopted, the DSA will directly apply across the EU and ISPs will have three months to prepare for the new legal regime.

We will continuously monitor the status of the legislative process and keep you updated on any changes to the draft text of the DSA.


Dóra Petrányi
Dóra Petrányi
CEE Managing Director, CMNO
Katalin Horváth
Katalin Horváth
Senior Counsel
Márton Domokos
Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO