Legal development

The EU Digital Services Act- What do you need to know?

ByDavid FutterandAimi Gold

04 December 2023

The Ashurst Emerging Tech Series is a collection of briefings compiled by our UK and European Digital Economy Transactions team, designed to help businesses understand and prepare for the impacts of new and incoming digital services and emerging tech legislation.

In our second briefing, we consider the EU Digital Services Act (DSA).

Introduction to the DSA

The DSA sits alongside the EU Digital Markets Act (DMA) to form a single set of rules that apply across the EU. The DSA and the DMA have the dual goal of:

creating a safer digital space in which the fundamental rights of all users of digital services are protected (with measures being set out under the DSA); and
establishing a level playing field to foster innovation, growth, and competitiveness in the digital services market, both in the European Single Market and globally (with measures included under the DMA).

We will be publishing an article on the DMA in the forthcoming weeks as part of our Emerging Tech Series.

What does the DSA do?

When does the DSA take effect?

Who does the DSA apply to?

The DSA imposes rules on intermediary service providers i.e. companies that connect EU consumers with goods, services and content at a distance by electronic means. There are five sets of rules under the DSA:

1. rules for all intermediary service providers;

2. rules for hosting intermediary service providers;

3. rules for online platforms;

4. rules for online platforms that facilitate distance selling; and

5. rules for very large online platforms (VLOPs) and very large online search engines (VLOSEs).

These rules are intended to increase transparency and help to prevent illegal or harmful online content, including online scamming activity.

DSA在2022年11月,生效comes fully applicable in February 2024 (although some rules applicable to online platforms and online search engines have applied since February 2023).

The DSA applies to intermediary service providers that provide services in the EU, regardless of where such companies are based - like the GDPR, the DSA has extra-territorial effect.

While the DSA and UK Online Safety Act (OSA) broadly have the same core aim of making online activity safer for users, each of these Acts seeks to do this in materially different ways. This means that businesses providing digital services will have to consider their obligations under both the DSA and the OSA if they provide digital services in the EU and the UK. You can read our article on the OSAhere.

Key points and timeline

What are intermediary services?

Intermediary services are one of the following services when provided at a distance, by electronic means:

a mere conduit service – e.g. an internet service provider, virtual private networks or wireless access points;
a caching service – e.g. content delivery networks, content management or proxy providers;
a hosting service – e.g. cloud computing or web hosting service providers;
an online platform (being a hosting service which, at the request of the user, disseminates information to the public) – e.g. online marketplaces or social media sites; or
online search engines – e.g. Google or virtual assistants.

What rules apply?

1.Provisions applicable to all intermediary service providers

General obligations

所有提供中介服务的哈bob直播软件ve certain obligations under the DSA, regardless of the size of their operations in the EU. Such obligations include:

removing illegal content (and taking other appropriate actions) upon an order of a relevant national authority and advising the national authority what steps have been taken in respect of such illegal content;
making (at a minimum) a yearly report on any content moderation;
ensuring their terms and conditions contain certain information about the restrictions that they impose in relation to the use of their intermediary service;
designating a single point of contact to enable direct communication with relevant national authorities and, for providers established outside the EU, appointing a legal representative in the EU; and
designating a single point of contact to enable service users to communicate 'directly and rapidly' with them and allowing users to choose the means of communication.

Liability safe harbours

While providers of intermediary services are subject to the DSA generally, there are various safe harbours which protect them from liability for information they transmit, give access to or store, where certain conditions are met.

The conditions are broadly similar to those set out in the E-commerce Directive, such as whether the service provider has modified the information, has some other active role in terms of the transmission or conditions for access of the information or has actual knowledge of the illegal activity or illegal content.

2.Due diligence obligations for hosting service providers

While the DSA is clear that companies that provide intermediary services do not have general monitoring or active fact-find obligations, hosting service providers may have certain due diligence obligations, including:

putting mechanisms in place to enable illegal content to be reported to them. These mechanisms must be electronic, easy to access and user-friendly; and
notifying appropriate authorities where they become aware of information that raises suspicion of criminal activity involving a threat to life or safety.

The DSA also requires a hosting service provider that removes or restricts a user's access to content to give its reasons for doing so. These content moderation decisions must be submitted to the DSA Transparency Database, which was launched in September 2023.

3.Rules for providers of online platforms

Online platform providers are subject to additional obligations which are centred around protecting against misuse of their services. Online platform providers must (amongst other obligations):

implement an effective complaints handling system;
escalate warnings made by 'trusted flaggers’ (independent companies which have been appointed by the relevant national authorities to monitor unlawful content);
suspend users for a reasonable period of time after having issued a prior warning where such users have undertaken illegal activity;
report on complaints and suspensions;
ensure that their platform does not attempt to influence user decision making or otherwise deceive or manipulate users; and
not use targeted advertising where they believe with reasonable certainty that the user is a minor. Platforms which are available to minors are also subject to appropriate and proportionate safety, security and privacy measures.

These obligations broadly do not apply to 'micro' and 'small' business enterprises (as defined in the DSA).

4.Provisions applicable to online platforms that offer distance selling

Online platforms which operate as online consumer marketplaces have additional rules to comply with, including:

ensuring relevant traders on their platform are verified and can be traced by obtaining certain information before allowing such traders to trade;
designing their platform so that it enables traders to comply with relevant EU consumer laws, including trader obligations to provide consumers with pre-contractual information; and
informing a consumer where they find that a trader has undertaken illegal activity in respect of goods or services the consumer purchased from the trader.

'Micro' and 'small' business enterprises (as defined in the DSA) are excluded from the specific additional distance selling obligations in certain circumstances.

5.Rules for Very Large Online Platforms and Very Large Online Search Engines

VLOPs and VLOSEs are designated by the EU Commission. Currently 17 platforms have been designated as VLOPs and two search engines as VLOSEs (details of such designations are below).

Where a designated VLOP or VLOSE has an average of 45 million or more active users in a month, it will be subject to certain additional obligations and separate rules on supervision, investigation or enforcement.

These additional obligations and restrictions, broadly fall within the following categories:

Managing and auditing risk/compliance	Advertising transparency and fairness	Data use and access
Assessing the systemic risks that their platforms create and implementing proportionate and effective mitigation measures Establishing an independent compliance function (reporting directly to management) Ensuring enhanced transparency reporting on content moderation Conducting independent annual audits	提供一个广告“库”,它集s out prescribed details for all adverts displayed on their platform in previous 12 months	Providing at least one option not based on profiling in any recommender systems (i.e. a system that makes targeted recommendations for a user) Giving regulators access to data necessary to facilitate regulatory compliance monitoring

Companies Designated as VLOPs and VLOSEs by the EU Commission on 25 April 2023

Very Large Online Platforms (VLOPs)

Alibaba AliExpress
Amazon Store
Apple AppStore
Booking.com
Facebook
Google Play
Google Maps
Google Shopping
Instagram
LinkedIn
Pinterest
Snapchat
TikTok
Twitter
Wikipedia
YouTube
Zalando

Very Large Online Search Engines (VLOSEs)

Bing
Google Search

VLOPs/VLOSEs: non-compliance

01	02	03
A VLOP or a VLOSE that intentionally or negligently infringes the DSA or fails to comply with a decision or commitment made under the DSA may be subject to fines of up to 6% of its total worldwide annual turnover in the preceding financial year.	Periodic penalty payments of up to 5% of the average daily income or worldwide annual turnover in the preceding financial year per day may be levied on a VLOP or a VLOSE where it fails to comply with its obligations to supply information, allow for an inspection or otherwise comply with an obligation placed on it, or a commitment it has made under the DSA.	The EU Commission may undertake enhanced supervision of VLOPs and VLOSEs, requiring them to draft an action plan to remedy any DSA infringements.

Supervisory responsibilities

Digital Services Coordinators

Member States are required to designate one or more competent authorities (known as Digital Services Coordinators) to be responsible for the supervision of providers of intermediary services and enforcement of the DSA.

European Board for Digital Services

DSA建立一个独立的咨询小组of Digital Services Coordinators to supervise providers of intermediary services. This group advises the Digital Services Coordinators to assist with certain objectives, such as consistent application of the DSA.

Considerations and consequences

Companies which provide services over the internet to EU consumers should consider the following steps to help prepare for the DSA:

Service assessment:Consider the potential classification of their online service(s) against the DSA’s definitions for intermediary services;
Applicable points of contact:Consider whether they need to designate specific contact points, legal representatives or responsible persons (e.g. compliance officers) to meet the requirements applicable to their intermediary service classification;
Wider business review:Consider which processes, documents and/or systems they will need to review and/or modify to meet the DSA’s various obligations around the content, format and accessibility of their customer documentation and information, as well as the enhanced monitoring and reporting requirements; and
Applicability of other related legislation:Where they provide services to the UK market, consider whether they are subject to theOSA.

Authors: David Futter, Partner; Aimi Gold, Senior Associate; Siân Deighan, Associate; Hana Byrne, Trainee Solicitor

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.

Key Contacts

Stay ahead with our business insights, updates and podcasts

Sign-up to select your areas of interest

Sign-up