EU Digital Services Act: are you in scope?

The majority of the EU Digital Services Act provisions will apply from 17 February 2024. It’s important for all online intermediary service providers to ensure they’re compliant.  

16 February 2024


Background

The EU Digital Services Act (DSA) came into force on 16 November 2022 and aims to create a safer and more transparent online environment by regulating a wide range of online intermediaries and platforms. The DSA has extra-territorial effect in a similar way to the EU GDPR, and will apply to service providers based in the UK who provide services to users in the EU.

The majority of the provisions contained in the DSA will apply to service providers in all EU Member States from 17 February 2024. 

The legislation aims to provide:

  • better protection of fundamental rights;
  • more control and choice for users; 
  • stronger protection of children online; and 
  • less exposure to illegal content. 

It includes rules on content moderation, online targeted advertising, the settings of online interfaces, recommender systems, and online marketplaces, among other things.  

The DSA sits alongside the UK Online Safety Act which came into force on 26 October 2023.

Who is in scope? 

The DSA applies to a wide range of online “intermediary service providers”, including marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It applies to both large and small online platforms across the EU. 

These intermediary service providers include:

  • mere conduit services that consist of the transmission of information provided by a recipient of the service in a communication network or the provision of access to a communication network (such as internet service providers, direct messaging services, virtual private networks, domain name systems, voice over IP, and top-level domain name registries);
  • caching services that consist of the transmission of information provided by a recipient of the service in a communication network, involving the automatic, intermediate, and temporary storage of that information for the sole purpose of making the information’s onward transmission to other recipients more efficient upon their request (such as content delivery networks, content adaptation proxies, or reverse proxies); and
  • hosting services that consist of the storage of information provided by, and at the request of, a recipient of the service (such as cloud service providers, online marketplaces, social media, and app stores).

There are certain service providers to which a higher level of regulation will apply. In April 2023, the European Commission established which service providers should be designated as "very large online platforms" (VLOPs) and "very large online search engines" (VLOSEs). Under the DSA's reporting obligations, online platforms must report every six months on their average monthly active service recipients to enable assessment of whether they should be designated a VLOP or VLOSE.

Your obligations

The DSA imposes requirements that increase depending on the breadth of a service provider's activities. These have been categorised as below. 

  • Mere conduit and caching providers have the fewest obligations and must comply with the obligations applicable to intermediary service providers, such as designation of legal points of contact; terms and conditions describing service use restrictions; and transparency reporting obligations.
  • Hosting service providers have some additional obligations such as notices of illegal content and complaints.
  • Online platforms have additional transparency obligations regarding complaint handling, but there are exclusions for micro and small businesses. 
  • Online consumer marketplaces have obligations related to their functions such as traceability of traders, compliance by design, and providing information to consumers about illegal products on the platform.
  • VLOPs and VLOSEs who have on average 45 million+ users, or monthly active service recipients, must comply with a number of additional requirements including the accessibility of their terms and conditions; conducting systematic risk assessments and mitigating identified risks; publishing annual reports; and appointment of independent compliance officers. 

Enforcement and penalties

Enforcement will be conducted by national “Digital Services Coordinators” in EU Member States. They will have the power (with respect to providers within their jurisdiction) to investigate suspected infringements (including by on-site inspections); accept compliance commitments and make them binding; order the cessation of infringements; and impose fines for non-compliance. These fines are calculated as follows:

  • for non-compliance generally, the cap is 6% of the intermediary service provider's annual worldwide turnover in the preceding financial year;
  • for non-co-operation with investigations, the cap is 1% of the intermediary service provider's annual worldwide turnover in the preceding financial year; and
  • for periodic penalty payments, the cap is 5% of the intermediary service provider's average daily turnover.

Where fines are ineffective, the Digital Services Coordinator can request the competent judicial authority to temporarily restrict access to the service for an extendable period of four weeks. Enforcement against VLOPs and VLOSEs will be led directly by the European Commission. 

 

If you have any questions about whether you fall within the scope of the DSA or need any assistance implementing steps to comply with the requirements of the DSA, please contact Joseph Fitzgibbon to discuss.