Europe's Digital Services Act (DSA) is Approved: What You Need to Know

15 minute read
October.28.2022

The Digital Services Act is now in full effect as of February 2024. Our latest update covers five takeaways for businesses to consider as they navigate the DSA.

The final text of Europe’s (EU) Digital Services Act (“DSA”) was recently approved by the Council of the EU Member States. That means that the final text of the regulation should be published in the Official Journal of the European Union in November, with its provisions will take effect twenty days following publication. Companies subject to the DSA’s requirements will have a fifteen-month grace period to comply, except for specifically designated “Very Large Online Platforms” and “Very Large Online Search Engines”, subject to a shorter compliance timeframe (for more details, see below).

This update provides an explanation of the DSA and explains which organizations must comply with its provisions, and a summary of the key obligations that must be respected, in accordance with how an organization is classified under the DSA.

If your organization has an online presence that targets EU users, it may be subject to the terms of the DSA.

Quick Summary

What Is the DSA?

The DSA updates and builds on the eCommerce Directive 2000/31/EC. Its dual objective is the creation of a EU digital space where the rights of consumers and professional users are protected, and the establishment of a level playing field that will foster growth and innovation.

To achieve these objectives, the DSA imposes new obligations on intermediary service providers and online search engines to identify “illegal online content” and adopt measures to prevent its dissemination. The DSA also contains rules, as described in more detail below, regarding mandatory information to be provided to both consumers and professional users, in the service provider’s terms of use.

Importantly, the DSA is supplemental to and does not replace other EU and national legislation that imposes rules regarding online content, including:

What Businesses Are Impacted?

Online Service Providers: Online service providers that target EU users should assess whether they are a provider of “intermediary services” and if so, which of the DSA obligations will be applicable to their business.
Intermediary Service Providers That Are Online Platforms: Intermediary service providers in the form of “online platforms” are particularly impacted since most of the obligations in the DSA apply to online platforms. Such platforms will need to implement policies, internal processes, and new functionalities, in order to comply. The so-called Very Large Online Platforms (VLOPs) impacted by the DSA are already taking steps to implement their compliance.
Online Search Engines: These are defined as digital services that allow users to input queries in order to perform searches of websites. DSA obligations applicable to the VLOPs also apply to Very Large Online Search Engines (VLOSE).
Advertisers: Advertisers should also take note of the new transparency obligations that apply to intermediaries in relation to the ads displayed on their services.

Many of the obligations require the implementation of policies and internal processes designed to capture information for subsequent use and disclosure. These requirements are complex and could require organizations to redesign back-end systems to comply, so organizations subject to the DSA would be well-advised to begin work on such policies and processes sooner, rather than later.

Deeper Dive – An Overview of the DSA

1. Application

The DSA has a particular structure in terms of the applicability of its obligations as shown in the graphic below (inspired by the European Commission). All the law’s obligations apply to providers “intermediary services,” which include “hosting services, including online platforms” and “online platforms,” which in turn include , “very large online platforms" and “very large online search engines”.

DSA intermediaries

Intermediaries Under the DSA Include:

Mere conduit services such as internet services providers.
Caching services such as cloud services providers offering automatic, intermediate and temporary storage of information, for the sole purpose of making the information's onward transmission more efficient.
Hosting services which are a storage of information services (e.g., cloud services providers, webhosting). Hosting services include:
- Online platforms: Which are hosting services that store and disseminate information to the public, at the request of service users, as their primary activity (e.g., marketplaces, app stores, collaborative economy platforms and social media platforms). Providers of hosting services that disseminate such information as a merely or ancillary service feature will not be considered online platforms (for example, the comments section in an online newspaper).
- VLOPs: The very large online platforms are those online platforms that provide for at least four consecutive months of their services to a number of average monthly active recipients of the service in the Union equal to or higher than 45 million.
Online Search Engines are defined as intermediary services and may also be designated as Very Large Online Search Engines (“VLOSE”) according to the same criteria as the VLOPs.

2. Territorial Scope

The DSA applies to intermediary services that are provided to users that are established or have their residence in Europe, without regard to the where the intermediary is established. Non-EU based intermediaries that have EU-based users will therefore be expected to comply.

3. Intermediary Liability

The eCommerce Directive enshrined the principle that intermediaries shall not be liable for information transmitted through its service, provided it was not actively involved in the transmission and/or it acted to remove or disable access to the information upon receiving notice.

The DSA retains this exemption from liability for intermediaries, with slight modifications, but imposes on hosts (and the subset categories of online platforms and very large online platforms) a set of due diligence requirements in relation to illegal content, as described below. The DSA maintains that intermediary service providers do not have a general monitoring obligation in relation to the information that they transmit or store.

4. Obligations

A. Applicable to All Intermediaries [Article 8 et seq.]

Intermediary service providers will be required to do the following:

Act against items of illegal content (e.g., take them down) and/or provide requested information about individual service recipients upon receipt of a duly issued order by the relevant national authority (the DSA specifies the conditions to be satisfied by such orders).
Identify a single point of contact within the organization who will be the point of contact for national authorities. Intermediaries that do not have an establishment in the EU will have to appoint a legal representative in a Member State where the intermediary offers its services (there may be a possibility of collective representation for micro, small, and medium enterprises).
Comply with specific obligations in relation to the form and content of the intermediary service terms and conditions. For instance, the terms must be fair, non-discriminatory, and transparent, and must include information regarding how to terminate services, restrictions imposed on the delivery of services, and also regarding the use of algorithmic tools for content-moderation. Details of rules of internal complaints handling systems should also be disclosed.
For services provided to minors or pre-dominantly used by them, express the terms in easily understandable language.
Protect that anonymity of users except in relation to traders.
Publish an annual transparency report on any content moderation then engaged in, including specified information such as the number of orders received from Member States’ authorities, response times, and information about the own-initiative content moderation practices of the service, including the use of automated tools and the restrictions applied, and information about the training and assistance provided to moderators. (This obligation does not apply to micro or small enterprises that do not qualify as very large online platforms). These obligations, and others, will require the implementation of specific internal processes in order to capture the required information.

B. Applicable Only to Intermediaries That Are Hosting Services, Including Online Platforms [Article 14 et. seq.]

Hosting services shall have a notification mechanism allowing the signaling of content considered by a user considers to be illegal content. The mechanism must be designed to facilitate sufficiently precise and substantiated notices to permit the identification of the reported content.
‘Illegal content’ means any information or activity, including the sale of products or provision of services which is not in compliance with EU law or the law of a Member State, irrespective of the precise subject matter of that law;
If a notice containing the required information is received, the hosting service will be deemed to have actual awareness of the content and its potential illegality (which has implications for the service’s liability).
Hosting services must provide a statement of reasons to the user if their content is disabled or removed or if services are suspended. This explanation, must contain certain information, including the facts relied upon and a reference to the legal ground relied upon, or other basis for the decision if it was based on the host’s terms and conditions. However, law enforcement authorities may request that no explanation is provided to users.
There is a positive obligation to alert law enforcement or judicial authorities if the host suspects that a serious criminal offence involving a threat to life or safety of persons is taking place or is planned.
The anonymity of the content reporter is to be protected, except in relation to reports involving alleged violation of image rights and intellectual property rights.
The transparency reports prepared by hosting services will have additional information, including the number of reports submitted by trusted flaggers and should be organized by type of illegal content concerned, specifying the action taken, the number processed by automated means and the median response time.

C. Applicable Only to Hosting Services That Are Online Platforms [Article 16 et seq.]

The obligations in this section do not apply to micro or small enterprises, except if they qualify as very large online platforms. Intermediary services may apply to be exempted from the requirements of this section of the DSA.
Online platforms shall provide an appeal process against decisions taken by the platform in relation to content that is judged to be illegal or in breach of the platform’s terms and conditions. The relevant user will have six months to appeal the decision. Decisions shall not be fully automated and shall be taken by qualified staff.
Users will be able to refer decisions to an out-of-court dispute settlement body certified by the Digital Services Coordinator of the relevant Member State. Clear information regarding this right shall be provided on the service’s interface.
Content reported by trusted flaggers shall be processed with priority and without delay. An entity may apply to the Digital Services Coordinator to be designated as a trusted flagger, based on criteria set out in the DSA.
The suspension of users, for a reasonable period of time, is permitted if they repeatedly upload illegal content, after issuing a prior warning. Online platforms shall also suspend the processing of notices and complaints from users that repeatedly submit unfounded notices and complaints.
Online platforms are required to ensure that their services meet the accessibility requirements set out in the EU Directive 2019/882, including accessibility for persons with disabilities, and shall explain how the services meet these requirements.
There is a specific prohibition applicable to online platforms in relation to the use of “dark patterns”. The European Commission may issue further guidance in relation to specific design practices. The prohibition does not apply to practices covered by the Directive concerning unfair business-to-consumer practices, or by the GDPR.
To ensure the traceability of traders (i.e. professionals that use online platforms to conduct their business activities), online marketplaces shall only allow traders to use their platform if the trader first provides certain mandatory information to the platform, including: contact details, an identification document, bank account details, details regarding the products that will be offered. Online platforms shall make best efforts to obtain such information from traders that are already using the platform services within 12 months of the date of coming into force of the DSA.
A trader who has been suspended by an online platform may appeal the decision using the online platform’s complaint handling mechanism.
Online platforms that allow consumers to conclude distance contracts with traders through their services shall design their interface so as to enable traders to provide consumers with the required pre-contractual information, compliance and product safety information. Traders should be able to provide clear and unambiguous identification of their products and services, any sign identifying the trader (e.g. a logo or trademark), and information concerning mandatory labelling requirements.
Online platforms shall make reasonable efforts to randomly check whether the goods and services offered through their service have been identified as being illegal. If an online platform becomes aware that an illegal product or service has been offered to consumers it shall, where it has relevant contact details or otherwise by online notice, inform consumers of the illegality and the identity of the trader, and available remedies.
To promote online advertising transparency, online platforms shall ensure that service users receive the following information regarding online ads: that the content presented to users is an advertisement, the identity of the advertiser or person that has financed the advertisement, information regarding the parameters used to display the ad to the user (and information about how a user can change those parameters).
Targeting techniques that involve the personal data of minors or sensitive personal data (as defined under the GDPR) is prohibited.
Online platform providers shall provide users with functionality that allows them to declare that their content is a “commercial communication” (i.e. an advertisement / sponsored content).
Online platforms have transparency obligations regarding any recommender system that is used to promote content. The online platform must disclose the main parameters used, as well as options for the recipient to modify or influence the parameters.

D. Applicable Only to Online Platforms Which Are Very Large Online Platforms and to Very Large Online Search Engines [Articles 25 et seq.]

The obligations in this section apply only to online platforms and online search engines that provide their services to 45 million or more monthly active users, calculated in accordance with a methodology to be set out in further legislation. The European Commission will designate the online platforms and online search engines that qualify and the list will be published.
VLOPs and VLOSE must publish their terms and conditions in the official languages of all Member States where their services are offered (this is often a requirement of national consumer protection law as well).
VLOPs and VLOSE shall carry out (and in any event before launching a new service), an annual risk assessment of their services. The risk assessment shall take into account in particular risks of: dissemination of illegal content, negative effects for the exercise of the fundamental rights, actual or foreseeable negative effects on civic discourse and electoral processes and public security, or in relation to gender-based violence, public health, minors and physical and mental well-being. VLOPs and VLOSE shall consult with user representatives, independent experts and civil society organisations.
VLOPs and VLOSE must implement mitigation measures to deal with these system risks. The DSA lists measures that might be adopted.
VLOPs and VLOSE shall have independent audits carried out at least once a year, by independent firms, to assess their compliance with the DSA requirements and any commitments undertaken pursuant to a code of conduct. The DSA imposes certain conditions on the firms that shall conduct such audits (e.g. they shall be independent and free of conflicts of interest).
VLOPS and VLOSE may be required by the Commission to take certain specified actions in case of a crisis, including conducting an assessment to determine whether the service is contributing to the serious threat and to adopt measures to limit, prevent or eliminate such contribution.
VLOPs that use recommender systems must provide at least one that is not based on profiling and must provide users with functionality to allow them to set their preferred options for content ranking.
Additional advertising transparency obligations are applicable, requiring the publication of information regarding the advertisements that have been displayed on the platform, including whether the advertisement was targeted to a group, the relevant parameters and the total number of recipients reached. The information should be available through a searchable tool that allows multicriteria queries.
VLOPs and VLOSE are required to share data with authorities, where necessary for them to monitor and assess compliance with the DSA. Such information might include explanations of the functioning of the VLOPs algorithms. The regulator may also require that VLOPs allow “vetted researchers” (those that satisfy the DSA’s requirements) to access data, for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks.
VLOPS and VLOSE shall appoint a compliance officer responsible for monitoring their compliance with the DSA.
VLOPS and VLOSE shall pay the Commission an annual supervisory fee to cover the estimated costs of the Commission (to be determined).

5. Enforcement and Sanctions [Articles 38 et seq.]

A. Digital Services Coordinator - Designation and Powers

Each Member State shall designate one or more competent authorities as responsible for the application and enforcement of the DSA, and one of these authorities shall be appointed by the Member State as its Digital Services Coordinator. This Digital Services Coordinator will be the main enforcement authority. For non-EU based intermediaries, the competent Digital Services Coordinator will be located in the Member State where these intermediaries have appointed their legal representative. If no legal representative has been designated, then all Digital Services Coordinators will be competent.
Digital Services Coordinators are granted investigation and enforcement powers—in particular the power to accept intermediary services’ commitments to comply with the DSA, order cessation of infringements, impose remedies, fines, and periodic penalty payment.
Users have the right to lodge a complaint against providers of intermediary services alleging an infringement of the DSA with the Digital Services Coordinator of the Member State where the recipient resides or is established.

B. Sanctions

Temporary access restrictions. Where enforcement measures are exhausted, and in case of persistent and serious harm, the Digital Services Coordinator may request that the competent judicial authority of the Member State order the temporary restriction of access to the infringing service or to the relevant online interface.
Fines. Sanctions shall be “effective, proportionate and dissuasive”. Member States shall ensure that the maximum number of penalties imposed for a failure to comply with the provisions of the DSA shall be 6% of the annual worldwide turnover of the intermediary or other person concerned. The maximum amount of a periodic penalty payment shall not exceed 5% of the average daily turnover of the provider in the preceding financial year per day.

What's Should Companies Be Doing Now

Online service providers should be making the assessment as to whether they are subject to the DSA, based on the nature of their services and taking into account both the categories of intermediary covered by the regulation and the markets in which their services are available. Once a service provider has determined that the DSA is applicable to their business, it will be necessary to determine which of the DSA obligations are applicable.

If you have any questions, please do not hesitate to contact our team.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

London

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

London

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Rami Kawkabani Senior Associate, Technology & Innovation, Technology Transactions

Paris

See my bio

D:+33 1 5353 8157
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Rami Kawkabani Senior Associate

Paris

Rami advises clients in drafting and negotiating their contractual terms and in the context of strategic transactions covering significant and complex technological issues including in terms of liability and intellectual property.

He also regularly advises clients on compliance with tech and data European and French regulations (Digital Services Act, RGPD, Data Act, LCEN) and in the context of their commercial practices towards consumers.

Rami has spent time in-house with major tech companies, and is able to quickly understand his client’s requirements and priorities.

Europe's Digital Services Act (DSA) is Approved: What You Need to Know

Quick Summary

Deeper Dive – An Overview of the DSA

What's Should Companies Be Doing Now

Also of Interest

The Digital Services Act Is Here – And So Are Its Implications for...

The Digital Services Act Takes Full Effect: 5 Takeaways for Businesses

The Four “W”s and One “H” of Europe's Digital Services Act