Skip to main content

Legal implications of the Digital Services Act

How to navigate the regulatory landscape of the Digital Age

Navigating the broad landscape of regulations surrounding the digital age can be complex, whilst compliance is key for businesses to survive. In this article we will focus on the legal implications that arise with the introduction of The (EU) Digital Services Act (DSA).

The (EU) Digital Services Act (DSA) harmonizes the rules applicable to intermediary services in the European Union with the objective of ensuring a safe, predictable and trusted online environment, and aims to address the dissemination of illegal content, disinformation or other content online and the societal risks involved.

 

Download the cross-jurisdictional overview on the national implementation of the DSA

 

Enhance your understanding of the Digital Services Act (DSA) - a proposed EU regulation aimed at establishing a safer, more transparent digital ecosystem. Our downloadable overview provides insights into the DSA's implementation across nine jurisdictions. To gain in-depth knowledge, download the PDF via the button on the right.

Please note this report was last updated on 5 February 2024 and does not include developments beyond this date.

With the DSA, the European Commission (“Commission”) wants online platforms to take more responsibility, to implement certain measures, to become more transparent and to cooperate. This is done by, on the one hand, modernizing the (2000) e-Commerce Directive that (among other things) stipulates under which conditions hosting services are not liable for illegal information stored (the so-called "safe harbor" provision). On the other hand, the DSA introduces a new and extensive set of far-reaching obligations for online platforms, where we will focus on in the rest of this article.

The key obligations for online platforms under DSA

 

Most of the (new) obligations apply to online platforms, especially to online platforms allowing consumers to conclude distance contracts with traders ('marketplaces') and to 'very large online platforms' and 'very large online search engines' ('VLOPs' and 'VLOSEs'). VLOPs/VLOSEs are online platforms/search engines with more than (on average) 45 million monthly users and that are designated as such by the European Commission). 

Some of the key obligations for online platforms are:

  • Notices from users.
    The DSA introduces extensive rules on how to deal with notices from users claiming the presence of illegal content. For example, providers of online platforms must put in place notice and action mechanisms that facilitate the submission of sufficiently precise and adequately substantiated notices. As for the response to such notices, providers of online platforms must provide a clear and specific statement of reasons to any affected user by restrictions imposed. Those statement of reasons (along with the decision) must be submitted to the European Commission for inclusion in the publicly accessible Transparency Database, which can be found here. Other obligations related to user complaints are the provisions on trusted flaggers, complaint-handling and out-of-court dispute settlement.
  • Advertising.
    The DSA also introduces rules on how advertising must be presented on online platforms and requires providers of online platforms to explain the parameters used in their recommender systems. In addition, the DSA prohibits 'dark patterns': providers of online platforms are not allowed to design, organize or operate their online interfaces in a way that deceives or manipulates the user or in a way that otherwise materially distorts or impairs the ability of the user to make free and informed decisions. It is also not allowed to present advertisements based on profiling using personal data of the user when the provider is aware with 'reasonable certainty' that the user is a minor.
  • Marketplaces.
    For online platforms that are marketplaces, the DSA introduces additional obligations, such as a Know-Your-Business-User obligation and an obligation to ensure that its online interface is designed and organized in a way that enables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information. In addition, when a marketplace online platform becomes aware that an illegal product or service has been offered (incl. counterfeit products), that provider shall inform consumers who purchased the illegal product.
  • VLOPs/VLOSEs.
    VLOPs/VLOSEs will need to make (systemic) risk assessments, which shall include an assessment of broader societal risks. Based on such assessments, VLOPs/VLOSEs must put in place mechanisms to mitigate the risks identified. In the case of a crisis (e.g. natural disasters/terrorism), the VLOPs/VLOSEs can also be required by the Commission to take certain actions relating to, for example, adapting algorithms and promoting trusted information. In addition, VLOPs/VLOSEs are subject to additional advertising rules, can be required to give access to certain data to authorities and vetted researchers and must perform at least once a year an independent audit
  • Transparency reporting.
    There are transparency reporting obligations for all online platforms. For VLOPs/VLOSEs, additional transparency requirements shall apply. The first transparency reports have been published already (by some of the VLOPs/VLOSEs) and can be found here.

When does the DSA apply?

 

For the VLOPs/VLOSEs, the DSA is applicable per 25 August 2023; for all other intermediary services, the DSA is applicable per February 2024.

The DSA was proposed on 15 December 2020 (as part of a package together with the Digital Markets Act) and adopted in less than two years, on 19 October 2022).

How is the DSA enforced

 

Like the GDPR, the DSA has a global reach and a substantial penalty structure. In case of non-compliance, the Commission can impose fines of up to 6% of the global turnover of a VLOP/VLOSE.

In every EU Member State, there will be one main supervisory authority, the so-called Digital Services Coordinator (“DSC”), but it’s possible that other authorities will be designated to assist or to enforce certain topics. The Commission is the main supervisory authority for the VLOPs/VLOSEs.

In the Netherlands, the Authority for Consumers and Markets (Autoriteit Consument & Market) has been proposed to be designated as the local DSC. The Data Protection Authority (Autoriteit persoonsgegevens) has been appointed as competent authority responsible specifically for enforcement of the provisions on advertising based on profiling.

On EU level, the Commission and Digital Services Coordinators of the Member States will work together under a cooperation mechanism.

Navigate the regulatory landscape of the digital age

 

The DSA strongly interacts with other (EU) laws such as in the field of data protection (GDPR), consumer law (Platform-to-business Regulation and Omnibus Directive), IP law (Digital Single Market Directive), media law (Audiovisual Media services Directive and European Media Freedom Act), specific content regulations (Regulation on Child Sexual Abuse Material and the Regulation on Terrorist Content Online) and possibly even the AI Act. 

We have some tips to cope with the complexity of all these digital regulations. 

  • Take a Programmatic Approach: 
    Approaching the onset of regulations in a programmatic and thematic manner streamlines risk and compliance management across your operations. Focus on a scalable strategy.
  • Asses your Current State:
    Many organizations already have industry leading processes and systems in place to support a safer internet. Understand the effective mechanisms in place and conduct analyses and assessments of these activities to understand where the gaps in your program are and where work is needed to meet these obligations and manage content risk. Evaluate and build.
  • Invest in your Infrastructure:
    Building a scalable program that addresses regulations across multiple jurisdictions in a programmatic manner requires broad foundational risk and compliance components, including a risk taxonomy, control framework, obligation library, technology, right-sized resourcing, a clearly defined governance and operating model, and data management capabilities. Invest now.
  • Functional Integration:
    To respond in a timely manner to these obligations and operate effectively to enable the business, functions from product managers to data scientists to engineers to policy, legal, and compliance need to break down pre-existing silos and work in a harmonized and integrated way that may be a significant change for many organizations. Design and mobilize an interaction model.

More tips on how to approach DSA are shared here in a previous article on the DSA.

Our legal experts stand ready to provide (more) information and advice on any aspect of the DSA and related requirements.
As the DSA does not stand alone but needs to be interpreted in the context of related other legislation, our team of legal specialists, who have a wide range of experience in working with the e-Commerce Directive and interacting EU laws like the GDPR, can offer the necessary holistic approach to the DSA and its set requirements. We also work closely with our colleagues from other functions like Risk Advisory and Consulting and other EU member states, enabling us to be as multidisciplinary and pragmatic as possible. Our proven holistic approach enables the most effective and efficient implementation of the DSA. Please feel free to get in contact with one of our team members to learn more.

Did you find this useful?

Thanks for your feedback

If you would like to help improve Deloitte.com further, please complete a 3-minute survey