Digital Services Act – an overview

Philipp Koehler and Gregor Schmid highlight the most important aspects of the new EU Digital Services Act.

In the future, the Digital Services Act (DSA) will uniformly regulate the activities of providers of digital services within the EU. Alongside the Digital Markets Act (DMA) and other regulatory projects, the DSA is one of the flagship projects of the incumbent European Commission as part of a comprehensive European digital strategy.

The DSA will impose far-reaching obligations on providers of very large online platforms (VLOPs) and very large online search engines (VLOSEs) with more than 45 million average monthly active recipients within the EU. Apart from that, the DSA will also have a significant impact on the entire digital industry.

After a long, intense and, in parts, heated debate following the European Commission's first draft (dated 15 December 2020), the DSA was approved by the European Parliament on 5 July 2022 and by the European Council on 4 October 2022. Subsequently, it was published in the EU's Official Journal on 27 October 2022. The DSA will enter into force on 16 November 2022 and will essentially apply as of 17 February 2024. In this respect, there is a certain grace period for affected service providers to prepare for the DSA's extensive new catalogue of rules. However, certain transparency reporting obligations for providers of online platforms and online search engines (Art. 24 para. 2 and 3 DSA) as well as the provisions for providers of VLOPs and VLOSEs (Art. 92 DSA) will apply earlier.

The DSA is an ambitious undertaking as it aims to encompass a wide range of different regulatory objectives – such as safe harbour principles, detailed consumer protection rules and transparency rules for big tech algorithms – in a single regulatory framework. Core novelties in enforcement include EU Member States' Digital Services Coordinators (DSCs), enforcement competencies of the European Commission as well as GDPR-style fines of up to 6% of annual global turnover. Quite late, during the trilogue negotiations, a number of provisions, including for online search engines, online interfaces and recipients' remedies, were introduced into the DSA.

What is the DSA about?

The DSA aims to address the risks and challenges that have emerged from the digital transformation and the related rise of new digital business models. It adapts the regulatory framework applicable to digital services to the current and future state of digitisation. Key elements include:

• Providing a safe digital environment that is free from illegal content.
• Enhancing transparency and accountability for digital intermediary services.
• Increasing and strengthening the protection of fundamental European rights and consumer rights.
• Facilitating and promoting competition and innovation within the digital European Single Market.
• Improving legal certainty for providers of digital services, especially for cross-border activities.
• Enhancing enforcement.

The DSA will apply directly in all EU Member States, without requiring any further implementation by the EU Member States. The DSA is also supposed to apply in the EEA.

The DSA is a controversial project. While supporters welcome its aims of tackling illegal content and regulating big tech, critical voices have inter alia expressed concerns regarding potential negative chilling effects on the exercise of fundamental European rights (including free speech), the DSA's extensive and complex rules creating unnecessary bureaucracy for innovative digital businesses and stifling innovation as well as expected issues with the technical feasibility of individual rules of the DSA.

Ultimately, only practical experience with (a) the DSA's implementation by the affected service providers and (b) its enforcement will reveal whether the advantages outweigh the disadvantages. Against this background, the European Commission is obliged to regularly evaluate the effects of the DSA, which must be done for the first time three years after its entry into force (16 November 2022), hence, on 17 November 2025 (Art. 91 DSA).

Who is affected?

The DSA addresses B2B and B2C providers of digital intermediary services (intermediaries), who provide recipients with access to goods, services and content. This includes providers of

• mere conduit services (Art. 3 lit. g sublit. i DSA), such as internet exchange points, wireless access points, virtual private networks and DNS services;
• caching services (Art. 3 lit. g sublit. ii DSA), such as content delivery networks, reverse proxies and content adaptation proxies;
• hosting services (Art. 3 lit. g sublit. iii DSA), such as cloud computing and web hosting;
• online platforms (Art. 3 lit. i DSA), such as social networks and online marketplaces; and
• online search engines (Art. 3 lit. j DSA).

To apply, the DSA further requires that affected intermediary services have a substantial connection to the EU (Art. 3 lit. e DSA). This can be created where there is an establishment of the service provider in the EU. However, as the DSA is also intended to regulate intermediary services provided to the EU from third countries outside the EU/EEA, this can also result from a significant number of recipients of the intermediary service in one or more EU Member States in relation to their population; or targeting activities towards one or more EU Member States. In this context, indicators to determine a substantial connection include, for instance, language, currency or top-level domain of an EU Member State or the delivery of products or services to the EU (Rec. 8 DSA). In contrast, the mere accessibility of a website alone does not suffice. For further details on the scope of the DSA see our article here.

Graded approach – tiered regulatory system

The DSA predominantly follows a tiered regulatory system, as illustrated below:

Based on this concept, all intermediary services are subject to general obligations (Art. 11 to 15 DSA), which are then supplemented by further additional obligations depending on the type and classification of the respective intermediary service (Rec. 41 DSA). Accordingly, additional special obligations apply to hosting services (Art. 16 to 18 DSA), whereby online platforms, in turn, have more additional special obligations (Art. 19 to 32). The most comprehensive and strictest rules under the DSA apply to VLOPs, with more than 45 million average monthly active recipients in the EU (Art. 33 to 43 DSA).

The classification of online search engines had been treated in a special way, as online search engines were only added during the trilogue negotiations. In this context, the European legislator unfortunately failed to achieve complete consistency and clarity within the DSA's structure of tiered regulation. Rather, the subsequent insertion of online search engines resulted in regrettable (and unnecessary) ambiguities. It would arguably have been preferable to clearly attribute online search engines to a specific type of intermediary services, similar to the classification of online platforms as a subset of hosting services. In fact, this was recognised in principle as a part of the set of largely linguistic changes made via a corrigendum by the European Parliament, which inter alia clarified (within the DSA's definition of online search engines) that online search engines qualify as intermediary services (Art. 3 lit. j DSA). However, the corrigendum unfortunately did not address the systematic subsequent step of an attribution to a specific type of intermediary services. Where the online search engine reaches the threshold of the classification as a VLOSE (with more than 45 million average monthly active recipients within the EU), most of the additional special obligations specifically applicable to VLOPs apply accordingly.

The terminology and scope of the DSA's classifications is not sharp-edged, so uncertainties and room for interpretation remain. To add complexity, it is also possible that a digital service may combine several services or functionalities that are subject to different classifications and therefore different rules under the DSA (Rec. 15 DSA).

Key obligations under the DSA

Among the DSA's extensive rules, the following are particularly worth noting:

Handling illegal content

A core aspect of the DSA is that service providers must remove illegal content swiftly and efficiently.

• Providers of intermediary services must respond and take the required measures, when courts or authorities point out illegal content (Art. 9 and 10 DSA).
• Providers of hosting services must provide pre-defined notice-and-action mechanisms for reporting alleged illegal content and follow up on such notices, including taking the necessary measures (Art. 16 DSA).
• Whether or not content qualifies as illegal content is not determined by the DSA itself but by the applicable law of the affected EU Member State (Art. 3 lit. h DSA).
• Providers of online platforms must give special weight to and prioritise notices provided by trusted flaggers, which are certified by authorities due to their expertise (Art. 22 DSA).)

Liability privileges (Art. 4 to 8 DSA

The liability privileges of the EU eCommerce Directive (Directive 2000/31/EC) were included in the DSA. Therefore, the notice-and-takedown concept originally introduced and developed under the EU eCommerce Directive remains largely intact. Service providers do not have to actively check the legality of content (Art. 8 DSA).

However, the DSA also provides new features. This includes a positive clarification (sometimes somewhat misleadingly referred to as a "good-Samaritan" clause) that voluntarily self-initiated investigations or other measures aiming to achieve legal compliance do not exclude the safe harbour principles. Host providers that enable the conclusion of contracts between traders and consumers cannot, however, rely on the safe harbour principles under consumer protection law, where the design of the online platform leads the average consumer to believe that the information, product or service that is subject to the transaction is provided either by the service provider itself or by a trader who is acting under its control (Art. 6 para. 3 DSA). More on the liability rules can be found here.

Single point of contact (Art. 11 and 12 DSA)

Providers of intermediary services must designate a single point of contact as the direct contact for authorities and recipients. Information and contact details of the single point of contact must be easily accessible.

Legal representative (Art. 13 DSA)

Providers of intermediary services that do not have an establishment in the EU but address recipients in the EU must designate a legal representative in one of the affected EU Member States – a principle already well-known under the GDPR. The legal representative must be equipped with sufficient power of representation and resources and must, among other things, act as a contact person for authorities and recipients. The name and contact details of the legal representative must be easily accessible. In particular, the legal representative may be held liable for failure to comply with the obligations under the DSA. The liability of the provider of intermediary service remains unaffected (Art. 13 para. 3 DSA).

Due diligence obligations for terms and conditions (Art. 14 DSA)

Providers of intermediary services must provide transparent information on any restrictions in their terms and conditions affecting the provision of information. This includes policies, procedures, measures and tools used for the purpose of content moderation, including algorithmic decision-making and human review, as well as the rules of procedure for their internal complaint-handling system. Providers of intermediary services must apply and enforce such restrictions responsibly, considering the affected fundamental European rights (Art. 14 para. 4 DSA).

Transparency reporting obligations (Art. 15, 24 and 42 DSA)

Depending on the classification of the affected service provider, there are various tiered transparency obligations to provide regular reports on content moderation and other measures:

• Providers of intermediary services must inter alia provide reports on (a) the number of administrative or court orders received and respective actions taken, (b) the specifics of self-initiated content moderation and (c) applied automated means for purposes of content moderation, including indicators of accuracy, possible error rates and applied safeguards.
• Providers of hosting services must also inter alia provide reports on the number of notices submitted (via notice-and-action mechanisms) by recipients and trusted flaggers as well as respective actions taken and whether such actions were performed on the basis of automated means.
• Providers of online platforms must also inter alia provide reports on (a) the number of complaints received through the internal complaint-handling system and respective decisions made, (b) the number of disputes submitted to out-of-court dispute settlement bodies and the outcomes of such disputes, (c) the number of suspensions of recipients and their grounds and (d) the number of the average monthly active recipients within the EU.

The European Commission may set out requirements as to the form, content and details of such reports (Art. 15 para. 3 DSA).

Internal complaint-handling system (Art. 20 DSA)

Providers of online platforms must implement an internal complaint-handling system, which enables recipients to complain, for instance, about the alleged unauthorised removal of content, the suspension of user accounts and other measures that have detrimental effect. This complaint-handling system must be easily accessible. The decision made on a complaint must include a justification by the provider of the online platform and may not be made purely by automated means. Apart from that, providers of online platforms must inform about the possibility of an out-of-court dispute settlement (Art. 21 DSA).

Exclusions for small and micro enterprises (Art. 19 and 29 DSA)

Small and micro enterprises (with fewer than 50 employees and less than €10 million in annual turnover) are exempt from complying with some of the DSA's obligations. These include obligations for providers of online platforms as well as transparency reporting obligations of providers of intermediary services. Such exclusions do not apply if companies – despite their small size – qualify as VLOPs or VLOSEs (Art. 19 para. 2 and Art. 29 para. 2 DSA).

The European Commission will evaluate and report on the DSA's impact on the development and economic growth of small and medium-sized enterprises by 18 February 2027 (Art. 91 para. 1 DSA).

Enhanced protection of minors (Art. 28 DSA)

Providers of online platforms must put in place appropriate and proportionate measures to ensure a high level of data protection and safety for recipients that qualify as minors.

Dark patterns and compliance by design (Art. 25 and 31 DSA)

The DSA stipulates vague requirements for the design of user interfaces on online platforms. Misleading user interfaces (the recitals mention nudging or dark patterns) are prohibited if they hamper the recipient from making a free and informed decision. The European Commission is entitled to provide specifying guidelines (Art. 25 para. 3 DSA), including on repeatedly requesting a recipient to make a choice that has already been made and making the procedure for terminating a service more difficult than to subscribing to it.

Online advertising and transparency (Art. 26 and 39 DSA)

Next to the basic requirement to clearly designate online advertising as such, providers of online platforms must provide information on the principle of the respective online advertisement. In addition, information on the main parameters of how target groups are determined must be provided and, where applicable, how to change those parameters. In addition, VLOPs and VLOSEs must provide a repository, where recipients can access information on online advertising that was displayed within the last year. Such information includes the content of the online advertisement, its principal, period and target groups. These rules may pose a significant challenge to the protection of trade secrets.

Partial ban on profiling-based online advertising (Art. 26 para. 3 and Art. 28 para. 2 DSA)

Providers of online platforms are prohibited from profiling-based online advertising based on sensitive data (such as health data) and aimed at minors. In this context, it unfortunately remains unclear how providers of online platforms are to implement the ban on profiling-based online advertising vis-à-vis minors. The reason is that in view of the motif of the European legislator to improve the protection of minors, this cannot be realized with additional age verification measures and the collection of more personal data.

Recommender systems (Art. 27 and 38 DSA)

To the extent that providers of online platforms use recommender systems (e.g. for news feeds), they must provide transparent information on (a) the main parameters of their recommender system and (b) the possibility of modifying or influencing those parameters. In addition, VLOPs and VLOSEs must provide at least one option for their recommender system that is not based on profiling (Art. 38 DSA).

More information on the DSA's advertising provisions can be found here. More information on duties and obligations under the DSA in general can be found here.

Claims and remedies by recipients (Art. 54 DSA)

Recipients are entitled to file claims against service providers for violations of the DSA, including claims for damages under EU and EU Member State law (Art. 54 DSA).

B2C online marketplaces (Art. 30 DSA)

Providers of B2C online marketplaces must collect data from traders based on the know-your-business-customer (KYBC) principle. To this end, providers of B2C online marketplaces must collect traders' contact and payment data as well as proof of identity. In case that a trader provides inaccurate and/or incomplete information, the service provider must remove the trader from the service. Only businesses are considered traders under the DSA, so that affected service providers are required to differentiate between consumers and businesses to an even greater extent than already the case under current applicable law. More information on such requirements can be found here.

Very large online platforms (VLOPs) and very large online search engines (VLOSEs)

The DSA requires that providers of VLOPs and VLOSEs (Art. 33 para. 1 DSA) asses their systemic risks regularly (Art. 34 DSA). Based on the findings, risk mitigation measures must be taken (Art. 35 DSA). Additionally, providers of VLOPs and VLOSEs must conduct independent compliance audits regularly (Art. 37 DSA) and establish a qualified compliance function that is independent from their operational functions (Art. 41 DSA).

Crises response mechanism (Art. 36 DSA)

A newly introduced crisis response mechanism will apply to VLOPs and VLOSEs. In case of an extraordinary crisis (i.e. a serious threat to public safety or health in the EU, such as armed conflicts, terrorist acts and pandemics), the European Commission may oblige service providers to cooperate and take defensive measures, such as adapting content moderation measures.

How is the DSA's compliance and enforcement designed?

The DSA aims to improve cross-border communication and coordination between authorities in order to adapt it to the intrinsic cross-border characteristics of digital services. Each EU Member State must designate a Digital Services Coordinator (DSC) by 17 February 2024 as the competent authority to monitor and enforce compliance with the DSA (Art. 49 para. 3 DSA). The competent authority for VLOPs and VLOSEs is primarily the European Commission (Art. 56 para. 2 DSA).

The authorities have extensive rights of access, to obtain information, to inspect, to order and to sanction service providers (inter alia, Art. 51, 67, 68 and 69 DSA).

Violations of the DSA can potentially be subject to fines of up to 6% of annual worldwide turnover of the preceding financial year (Art. 52 para. 3 and Art. 74 para. 1 DSA). If an information obligation under the DSA is violated, the maximum fine is limited to 1% of the previous year's income or worldwide turnover (Art. 52 para. 3 and Art. 74 para. 2 DSA). More information on enforcement can be found here.

What is the relationship between the DSA and other European laws?

The DSA aims to standardise and simplify the legal situation for digital companies (Rec. 4 DSA). It is supposed to help providing a level playing field. At the same time, the DSA touches on and overlaps with a number of other and more specific EU laws. In principle, these remain unaffected (Art. 2 para. 4 DSA). However, in all likelihood, ambiguities will remain or arise here, in particular, where such rules cover identical aspects to or are less specific than the DSA (Rec. 10 para. 3 DSA). How such issues are resolved will need to be clarified by future practice and case law. More information on the DSA's scope can be found here.

The DSA also has a substantial impact on other EU Member State laws that have similar objectives. In this context, the DSA is expected to render the German Network Enforcement Act (NetzDG) obsolete. Since the liability provisions of the EU eCommerce Directive will be repealed and merged to the DSA (Art. 89 DSA), some EU Member State laws (such as Sec. 7 to 10 German Telemedia Act) will be repealed accordingly. Apart from that, the EU eCommerce Directive will remain unaffected (Art. 2 para. 3 DSA).

When will the DSA apply?

The DSA will enter into force on 16 November 2022. Most of the DSA's provisions will apply as of 17 February 2024 (Art. 93 para. 2 DSA).

However, the provisions of the DSA on VLOPs and VLOSEs will apply earlier, namely four months after the respective service provider has been designated as such by the European Commission (Art. 92 DSA).

Certain transparency reporting obligations for providers of online platforms and online search engines also already apply with the effective date of the DSA on 16 November 2022. Accordingly, such service providers must inter alia make publicly available information on the average monthly active recipients in the EU for each online platform or online search engine for the first time by 17 February 2023 (Art. 24 para. 2 DSA) and thereafter regularly every six months. Further, they are obliged to communicate such information (in an up-to-date form) to the DSC – as the competent authority – and/or the European Commission upon request (Art. 24 para. 3 DSA).

How should providers of digital intermediary services prepare for the DSA?

The DSA introduces a whole range of new rules and obligations. Certain providers – especially VLOPs and VLOSEs – are more in the focus of the DSA than others, but virtually all digital businesses are potentially affected. Businesses in the EU/EEA, but also worldwide, should therefore assess as early as possible whether and to what extent the DSA will apply to their business. Individual compliance gaps should be identified by a gap analysis. As a number of obligations imply considerable organisational, technical and legal efforts, tasks and processes should be defined sufficiently in advance and implemented in due time. In addition, companies should assess the impact on the interplay with existing laws (including sector-specific European laws) that must be observed in addition to the DSA. Specific implementation requirements will, of course, vary greatly from company to company, particularly because of the DSA's tiered regulatory system.