The clock is ticking: In a little less than 3 months (on 17 February 2024), the comprehensive catalog of obligations under the Digital Services Act (DSA) will have to be observed by all affected service providers. In this article, we provide a suggested checklist for getting DSA-ready. It comprises basic items to get going and needs to be adapted to your organization’s individual needs. For any questions, reach out to our team.
1. Check whether the DSA applies to you
- Is your business / service in scope of the DSA?
- Even if your establishment is outside of the European Union (EU), the DSA will still apply if you have a substantial connection to the EU. For instance, if you have a significant number of recipients or target activities in the EU.
2. Check what type of intermediary you are
- Access provider.
- Caching provider.
- Hosting provider.
- Provider of an online platform.
- Provider of a B2C online marketplace (i.e. an online platform that allows consumers to conclude distance contracts with traders).
- Online search engine.
3. Check what types of obligations apply to you
- This will be the core of the compliance project and depend on the type of intermediary you are. Below is a rough overview from the European Commission that needs individual adaptation, depending on the type of intermediary service you are.
| New obligations |
Intermediary services
(cumulative obligations) |
Hosting
services
(cumulative obligations) |
Online
platforms
(cumulative obligations) |
Very large
platforms
(cumulative obligations) |
| Transparency reporting |
X |
X |
X |
X |
| Requirements on terms of service due account of fundamental rights |
X |
X |
X |
X |
| Cooperation with national authorities following orders |
X |
X |
X |
X |
| Points of contact and, where necessary, legal representative |
X |
X |
X |
X |
| Notice and action and obligation to provide information to users |
|
X |
X |
X |
| Reporting criminal offences |
|
X |
X |
X |
| Complaint and redress mechanism and out of court dispute settlement |
|
|
X |
X |
| Trusted flaggers |
|
|
X |
X |
| Measures against abusive notices and counter-notices |
|
|
X |
X |
| Special obligations for marketplaces, e.g. vetting credentials of third party suppliers ('KYBC'), compliance by design, random checks |
|
|
X |
X |
| Bans on targeted adverts to children and those based on special characteristics of users |
|
|
X |
X |
| Transparency of recommender systems |
|
|
X |
X |
| User-facing transparency of online advertising |
|
|
X |
X |
| Risk management obligations and crisis response |
|
|
|
X |
| External & independent auditing, internal compliance function and public accountability |
|
|
|
X |
| User choice not to have recommendations based on profiling |
|
|
|
X |
| Data sharing with authorities and researchers |
|
|
|
X |
| Codes of conduct |
|
|
|
X |
| Crisis response cooperation |
|
|
|
X |
Quelle: European Commission
4. Planning your DSA implementation project
Many of the DSA’s obligations cannot be realized overnight and need time to be set up and get going within your organization.
- Scoping of the service. In cases where the service’s classification lies in the legal grey area, a robust and defensible assessment of the classification should be made.
- Gap analysis.
- Risk analysis.
- Project plan (project planning, engaging all stakeholders and defining priorities).
- Implementation of a DSA’s compliance structure. The DSA includes numerous requirements that have not yet existed or at least not to that extent under EU law and need proper implementation in your organization.
- Watch out and regularly monitor for delegated acts of the European Commission. They will eventually come and provide further clarification.
- Regular checks and updates with respect to the measures taken.
