The Digital Services Act (Regulation 2022/2065)
The Digital Services Act (DSA), formally Regulation (EU) 2022/2065, is the European Union’s comprehensive regulatory framework for intermediary services in the digital economy. Adopted on 19 October 2022 and applicable from 17 February 2024 for most provisions, the DSA updates and replaces the e-Commerce Directive (Directive 2000/31/EC). It establishes a tiered system of obligations for digital intermediaries, introduces robust accountability mechanisms, and creates a new enforcement architecture for the regulation of online platforms. The DSA is paired with the Digital Markets Act (Regulation 2022/1925), which addresses gatekeeper platforms in digital markets.
Scope and Definitions
The DSA applies to a broad range of intermediary services as defined in Articles 3 and 20 of the Regulation. These include mere conduit services (network infrastructure), caching services (content acceleration), hosting services (web hosting, cloud services), online platforms (social media, marketplaces, app stores), and very large online platforms and search engines (VLOPs and VLOSEs) that reach over 45 million monthly active users in the EU. The Regulation applies to intermediary services provided to recipients in the EU, regardless of where the service provider is established.
The DSA establishes a tiered system of obligations that increases with the size, complexity, and societal impact of the intermediary service. All intermediaries must comply with basic transparency and reporting obligations. Hosting services face additional requirements for notice-and-action mechanisms. Online platforms have further obligations concerning transparency, advertising, recommendation systems, and dispute resolution. VLOPs and VLOSEs face the most extensive obligations, including systemic risk assessment and mitigation.
Intermediary Liability Framework
The DSA preserves and clarifies the limited liability regime for intermediaries under Articles 4–6. Mere conduit, caching, and hosting services are not liable for illegal information transmitted or stored, provided they meet specified conditions. Mere conduit services are exempt where they do not initiate, select, or modify the transmission. Caching services are exempt where they comply with conditions on access, updating, and removal. Hosting services are exempt where they lack actual knowledge of illegal activity or content and act expeditiously upon obtaining such knowledge.
The DSA prohibits general monitoring obligations: Article 8 confirms that no intermediary service provider may be required to actively monitor all information transmitted or stored, nor to actively seek facts or circumstances indicating illegal activity. This prohibition reflects the fundamental importance of freedom of expression and the practical impossibility of proactive screening at scale. However, the DSA permits targeted orders to address specific items of illegal content.
Due Diligence Obligations for All Intermediaries
All intermediary service providers must establish single points of contact for communication with authorities and service recipients (Articles 11–12). Providers without an establishment in the EU must designate a legal representative in the EU (Article 13). All providers must publish annual transparency reports (Article 15) detailing content moderation decisions, dispute resolution actions, and referrals to out-of-court dispute settlement bodies.
Enhanced Obligations for Hosting Services
Hosting service providers must implement notice-and-action mechanisms (Article 16) enabling individuals and entities to notify the presence of illegal content. Notices must be sufficiently precise and reasonably substantiated. Providers must process notices in a timely, diligent, and non-arbitrary manner and inform notice submitters and content providers of their decisions. Hosting services must provide a statement of reasons for content moderation decisions (Article 17), including information on the restriction imposed, the facts and legal basis for the decision, and available redress options.
Obligations Specific to Online Platforms
Online platforms — defined broadly to include hosting services that store and disseminate information to the public at the request of a recipient — face additional obligations. Platforms must implement internal complaint-handling systems (Article 20) enabling recipients to lodge complaints against content moderation decisions. They must provide access to out-of-court dispute settlement (Article 21) certified by national Digital Services Coordinators. Platforms must identify and mitigate systemic risks arising from their services, including the misuse of their services for illegal activities or the dissemination of disinformation.
Special provisions address online advertising (Article 26): platforms must present advertisements with clear labeling identifying the advertiser and providing meaningful information about the parameters used to target the advertisement. Recommendation systems (Article 27) must be transparent, with platforms explaining in their terms of service the main parameters determining the information presented to recipients. Large platforms must offer at least one recommendation option not based on profiling.
Obligations for Very Large Online Platforms and Search Engines
VLOPs and VLOSEs — platforms and search engines with over 45 million monthly active users in the EU, designated by the Commission — bear the most extensive obligations under the DSA. They must conduct annual systemic risk assessments (Article 34) evaluating risks related to dissemination of illegal content, negative effects on fundamental rights, manipulation of services through coordinated inauthentic behaviour, and risks to public health, minors, and electoral processes. They must adopt reasonable, proportionate, and effective mitigation measures (Article 35), including adapting content moderation, adjusting terms of service, and implementing crisis response protocols.
VLOPs must undergo annual independent audits (Article 37) of their compliance with the DSA and their risk management practices. They must provide data access to vetted researchers (Article 40) for the purposes of conducting research on systemic risks. They must establish a compliance function (Article 41) with independent senior management oversight. Commission-designated crisis response mechanisms (Article 36) may require VLOPs to take specific actions in response to extraordinary circumstances threatening public security or public health.
Enforcement Structure
The DSA establishes a multi-layered enforcement framework. Each Member State must designate an independent Digital Services Coordinator (Article 49) responsible for supervising intermediary services established in that Member State and for coordinating enforcement. The Commission has exclusive enforcement jurisdiction over VLOPs and VLOSEs (Article 56), exercising direct supervision and enforcement powers including inspections, requests for information, and interim measures.
Enforcement powers include penalties of up to 6 per cent of annual worldwide turnover for failure to comply with DSA obligations. Periodic penalty payments of up to 5 per cent of average daily worldwide turnover may be imposed for non-compliance with enforcement measures. The Commission may impose remedial measures including requiring platforms to take action against illegal content, suspend access to services, or, in cases of serious and repeated infringements, request interim measures pending a full investigation.
The DSA establishes the European Board for Digital Services (Article 61), composed of the Digital Services Coordinators and chaired by the Commission, to ensure consistent application of the Regulation and coordinate enforcement actions. The Board advises the Commission on systemic risk mitigation, guidelines, and emerging issues in the digital ecosystem.