The Digital Services Act (DSA) – who does it apply to?

⟨⟨ Back

For a long time, digital services provided to consumers across borders could not wait for a compact and comprehensive legal regulation. A regulation known as the Digital Services Act is about to enter into force to fill this gap and ensure legal consistency across the Community. We look at the scope of the new regulation. Who does it affect and what does it actually change?

To what purpose was the DSA developed?

The reasons for implementing the DSA Regulation are many. As indicated by the EU legislator, it aims primarily to:

  • unify the rules for the provision of digital services;
  • provide transparency on the content of advertisements placed online and eliminate selected types of advertisements;
  • strengthen the position of those claiming protection from online abuse;
  • simplifying the assertion of rights through new complaint mechanisms.

Who is affected by the digital services regulation?

The new rules apply to indirect service providers. This term is understood as entities that provide at least one of the following services:

  • ordinary transmission, i.e. the transmission over a telecommunications network of information transmitted by a service provider or on the mere provision of access to a telecommunications network;
  • caching, meaning the transmission of information transmitted by a recipient of a service, involving the automatic, intermediate and short-term storage of this information for retransmission at the request of the recipient;
  • hosting, understood as the storage of information provided by the recipient and at the recipient’s request.

All of the above services are provided at the individual request of the recipient, for remuneration and at a distance using electronic means and are collectively referred to as information society services. Businesses providing online platforms are also covered by the DSA obligations.

At the same time, the EU legislator has introduced additional obligations for entities operating on a particularly large scale, classified as VLOPs (Very Large Online Platforms) and VLOSEs (Very Large Online Search Engines). These terms refer to platforms whose number of users reaches or exceeds 10% of the total population of the European Union. Examples of VLOP include LinkedIn, Google Play or Twitter. In contrast, Google Search and Bing are classified as VLOSE.

Importantly, considering the potential difficulties of implementing DSA, micro and small businesses will be exempted from some of the obligations. The concessionary tariff applies to companies with a maximum of 50 employees or an annual balance sheet of less than €10 million (the small business limit).

The definition of an indirect service is quite hermetic. What then is the scope of the DSA in practice? It covers, among others, online shopping platforms, streaming services, online travel agencies, social media platforms and app shops.

For the coverage of the DSA to be decisive, the location of the indirect service provider is irrelevant. The mere fact that the content is made available in at least one EU member state and thus enters the European Union is sufficient, provided that the service provider has a close connection to the Union. This close connection can mean being established in an EU country, but also targeting one or more member states.

What obligations for businesses do the entry into force of the DSA entail?

The entry into force of the DSA Regulation imposes a whole series of new obligations on intermediary service providers. It is worth pointing out that the scope of these obligations depends on the type of service provided, which may be more than one. Which obligations are being referred to? They include, for example

  • designation of a contact point for direct communication with the competent authorities of the Member States, the Commission and the Council;
  • designation of a legal representative in one of the EU countries if the provider is not established in the EU but provides services within its territory;
  • clarification in the terms and conditions provided of the restrictions related to the use of the services provided;
  • annual publication of reports on content moderation;
  • implementation of a mechanism allowing users to report content they consider to be illegal;
  • introduction of an internal complaint handling system;
  • introducing a mechanism to suspend users who regularly publish illegal content;
  • ensuring transparency of advertisements published.

What additional obligations for VLOPs and VLOSEs does the DSA Regulation provide for?

Designating a supply as a VLOP or VLOSE triggers additional obligations that do not apply to smaller entities. These include, among others:

  • carrying out identification, analysis and risk assessment of the performance of their services and related systems;
  • taking reasonable, proportionate and effective risk mitigation actions;
  • putting in place crisis response mechanisms;
  • undergo an independent audit once a year at its own expense;
  • maintaining a repository of displayed advertisements;
  • providing access to the data necessary to monitor compliance with the Regulation upon request of the digital services coordinator.

Of course, irrespective of the ‘special’ obligations, platforms classified as VLOP or VLOSE must comply with the general requirements. It is worth mentioning that, for these major providers, the time to implement the relevant solutions is short, at four months from the date of their specific status.

Does the DSA regulation increase the liability of intermediate service providers?

Intermediate service providers can be held liable for users posting content deemed to be illegal. While there is a possibility of exemption from liability, it is necessary to demonstrate two prerequisites for this.

Firstly, the provider must prove that, despite the exercise of due diligence, it was not aware of the posting of illegal content. The second condition is the implementation of a procedure known as notice and takedown, i.e. removing the content or at least preventing others from accessing it.

What penalties apply in the event of a breach of the DSA?

The penalties indicated in Article 42 of the Regulation are sufficiently severe that they should make most businesses audit their compliance with the new rules.

  • The maximum penalties for a given failure can reach 6% of the annual revenue or turnover of the intermediary service provider;
  • the penalty for providing false information, failing to provide explanations or evading audit is 1% of the intermediary service provider’s annual revenue or turnover;
  • periodic penalties may not exceed 5% of the average daily turnover in the previous financial year on a year-on-year basis.

It is interesting to note that Meta Platforms (responsible for the Facebook platform, among other things) had revenues of $32 billion in 2023, which illustrates well the scale of potential penalties.

How does the DSA Regulation apply?

It is worth remembering that the DSA is a regulation which means that it applies directly throughout the Community and to all Member States. There is no need to implement it into the national legal order and those who have to apply the DSA provisions, as well as the courts, can do so directly.

When do the DSA regulations come into force?

Although some of the provisions of the DSA Regulation are already in force, most of them will come into effect in less than a month – on 17 February 2024. For businesses, this is the last call to carry out compliance and assess whether the company meets the new requirements. Linke Kulicki Law Firm offers comprehensive support in ensuring that business conditions comply with the current regulation. Our specialists will conduct an audit of the company, develop the necessary documentation and suggest changes, and, if necessary, conduct training among employees.