EU Digital Services Act gives new legal framework for platform economy


The European Commission has issued the draft proposal for the Regulation on a Single Market for Digital Services (Digital Services Act or DSA), which creates a new legal framework for digital services, amends the e-Commerce Directive, and prepares EU law for new and innovative information society digital services.

The DSA sets out uniform and harmonised rules for intermediary service providers (ISPs) to foster innovation, growth and competitiveness. The new draft rules create the following:

  • a framework for the conditional exemption from liability of ISPs;

  • rules on specific due diligence and other obligations tailored to different categories of ISPs;

  • law enforcement rules and a new regime for cooperation of and coordination between the competent authorities.

Digital providers covered

The DSA covers ISPs established in or outside the EU that provide intermediary services such as conduit services, caching services, and hosting services to recipients (i.e. users, business users, consumers, individuals and legal entities using the intermediary services) who have an establishment or residence in the EU.

The definitions of conduit, caching and hosting service providers have remained the same as stated in the e-Commerce Directive. (The DSA repeats the e-Commerce Directive definitions word-for-word).

The draft regulation contains special obligations for online platform hosting providers and for 'very large' platforms as a special category of online platforms, and provides the following definitions for those hosting services:

  • Online platforms are providers of hosting services, which store and make available information to the public at the request of a recipient of the service (e.g. online marketplaces, App stores, collaborative economy platforms and social media platforms). However, if storing or making information available to the public is a minor and ancillary feature of another service, and cannot be used without that other service for objective and technical reasons, the service does not qualify as an online platform. This situation applies to the comment section in online newspapers or email and private messaging services.

  • Very large online platforms are online platforms, which provide services to average monthly active recipients of the service in the EU numbering 45 million or more. The list of very large online platforms is published in the Official Journal of the EU.

No change in liability for ISPs for stored or transmitted information

The DSA does not change the liability regime of ISPs for illegal content. It only repeats the liability provisions of the e-Commerce Directive word-for-word and also maintains the e-commerce rule that ISPs do not have a general obligation to monitor the information they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

As an addition, the draft regulation stipulates that ISPs can still refer to the exemption of liability even if they conduct voluntary self-initiated investigations or other activities aimed at detecting, identifying and removing, or disabling access to illegal content, or taking the necessary measures to comply with the requirements of EU law.

What are the new obligations?

The DSA stipulates new obligations on ISPs at different levels. Common obligations apply to all kind of ISPs, including online platforms and very large online platforms. Hosting providers have additional obligations, and the DSA contains special obligations for online platforms compared to other hosting services. In addition, very large online platforms have further obligations to manage systemic risks.

Common obligations applicable to all ISPs

  • Providing information to authorities based on orders: if an ISP receives an order from an authority to act against illegal content, the ISP must inform the authority without undue delay about the actions it takes and the time of those actions. Furthermore, if the ISP receives an order to provide information about a specific individual recipient of a service, the ISP must confirm the receipt of the order to the authority without undue delay and must provide the requested information with certain limitations.

  • Designating points of contact and legal representatives: ISPs must establish a single point of contact for direct electronic communication with the authorities and publish this contact. Furthermore, ISPs not established in the EU but offering services in the EU must designate in writing a legal representative (together with a name and contact details) in one of the EU countries where the ISP offers services for receipt, execution and enforcement of authority decisions and for cooperation with the authorities. This designated legal representative can be held liable for non-compliance with obligations under the DSA.

  • Indicating restrictions in terms: all restrictions (e.g. content moderation, algorithmic decision-making, and human review rules) related to the use of ISP services for information provided by the recipients must be included in the terms and conditions of the services.

  • Publishing annual transparency reports: ISPs must publish detailed annual reports of any content moderation they engaged in during the relevant period. These reports must include certain information on the orders from authorities, notices on illegal content and complaints received by the ISP, and on content moderation by the ISP.

Additional obligations on all hosting providers

  • Managing notices on illegal content: the hosting provider must introduce easily accessible, user-friendly electronic processes for managing notices on illegal content. The DSA lists the mandatory elements of such a notice. The hosting provider must confirm the receipt of this notice in an email response and notify the claimant of its decision without undue delay.

  • Providing reasons for decisions: if the hosting provider decides to remove or make unavailable any illegal content provided by the recipient, it must inform the recipient of the decision and give clear reasoning for that decision. This reasoning must contain all mandatory elements listed in the DSA. The decision must be published in an anonymised way in the Commission’s public database.

Special obligations of online platforms

The provisions applicable to online platforms cannot be applied to SME online platforms. The following additional obligations apply to online platforms, including very large online platforms:

  • Complaint management system: online platforms must maintain an internal, user-friendly, easily accessible electronic complaint management system, which recipients must have access to for submitting complaints electronically against the online platform’s decisions on illegal content.

  • Out of court dispute settlement: recipients affected by an online platform’s decision on illegal content are entitled to turn to an out-of-court body certified by the digital service coordinator. Online platforms are bound by the decision of this body. The DSA contains detailed rules for the proceedings and decision-making of this certified body.

  • Priority for trusted flaggers: online platforms must process notices with priority on illegal content submitted by trusted flaggers. The digital service coordinators are entitled to qualify an entity as a trusted flagger if the flagger meets all the conditions listed in the DSA. The list of trusted flaggers is published in the Commission’s publicly available database.

  • Measures against abusive notices and counter-notices: online platforms must suspend their services to recipients that frequently provide manifestly illegal content. Furthermore, online platforms must also suspend the processing of notices and complaints submitted by persons that frequently submit notices or complaints that are manifestly unfounded. The DSA contains detailed rules for the circumstances to be assessed in the case of such suspensions.

  • Reporting suspicions of criminal offences: online platforms must promptly inform the local competent law enforcement authorities, or in certain cases Europol, of any suspicion of a criminal offence involving a threat to the life or safety of persons.

  • Know your business customer: online platforms must identify their traders promoting messages or offering products or services to EU consumers, and must obtain information about them listed in the DSA, including the name, contact details, registration number, copy of the ID card of the trader. 

  • More detailed transparency reports: online platforms must include additional information in their annual transparency report, such as information about out-of-court disputes, suspensions, and automated content moderation. Furthermore, online platforms must publish information at least once every six months on the average monthly active recipients of the service in each EU country.

  • Transparency of online advertising: online platforms must ensure that advertisements displayed in their services contain information that clearly identifies an advertisement, the advertiser, and the target audience of the advertisements.

Very large online platforms’ special obligations for managing systemic risks

The draft regulation contains the following special obligations for very large online platforms for managing systemic risks:

  • Risk management obligations: very large online platforms must conduct annual risk assessments on the significant systemic risks stemming from the functioning and use of their services in the EU. Furthermore, based on these risk assessments, they must put in place reasonable, proportionate and effective risk-mitigation measures for the systemic risks they identify. The DSA contains a detailed list of those risk-mitigation measures.

  • External risk auditing and public accountability: very large online platforms must conduct annual audits on compliance with the DSA and the code of conduct via an independent, external professional auditor. The auditor must issue a written audit report in writing that includes the mandatory elements listed in the DSA.

  • Transparency of recommender systems: if a very large online platform uses a recommender system, it must include the main parameters of and certain information about this system in its terms and conditions, and must ensure options for users not involving profiling.

  • More transparency in online advertising: very large online platforms must make an anonymised repository about the online advertisements displayed on the platform publicly available through APIs. The repository must contain the content of the advertisements, each advertiser’s name, the period when each advertisement was displayed, and certain information about the target audience of each advertisement.

  • Data sharing with authorities and researchers: very large online platforms must provide access to the data to the digital service coordinator or the Commission for monitoring and assessing compliance with the DSA, and must grant access to the data to vetted academic, independent researchers for conducting research that contributes to the identification and understanding of systemic risks. Data access must be ensured via APIs or online databases.

  • Compliance officer: each very large online platform must appoint at least one professional compliance officer to monitor compliance with the DSA. The compliance officer’s name and contact details must be provided to the digital service coordinator and the Commission.

  • Additional transparency reporting duties: very large online platforms must publish transparency reports every six months and must publish and submit additional reports listed in the DSA to the digital service coordinator and the Commission.

Competent authorities, forum shopping

All EU member states must designate a competent national enforcement authority for the DSA and the same or another authority as the digital-service coordinator. Each digital-service coordinator has the power of investigation and is entitled to demand information from the ISPs and any other person on suspected infringements of the DSA, to carry out on-site inspections, to request explanations from ISP staff, to order the cessation of an infringement, to impose fines, and to adopt interim measures.

The EU member state in which the main establishment of the ISP is located will have jurisdiction over the ISP. If an ISP does not have an establishment in the EU but offers services in the EU, it will be deemed to be under the jurisdiction of the EU member state where its legal representative resides or is established, which enables foreign ISPs to choose the EU jurisdiction by designating its legal representative. If the ISP fails to appoint a legal representative, all EU member states will have jurisdiction over that ISP.

The DSA establishes the European Board for Digital Services, an independent advisory group of digital service coordinators on the supervision of ISPs with advisory tasks for digital service coordinators and the Commission.

The DSA introduces enhanced supervision for very large platforms. In this case, the digital services coordinator will consider all opinions and recommendations of the European Board for Digital Services and the Commission. The Commission and the Board is entitled to recommend that the digital service coordinator investigate the infringing activity. The Commission is entitled to initiate its own proceedings against a very large online platform in cases defined in the DSA. The DSA contains special rules for proceedings initiated by the Commission against a very large platform, with special procedural rights and obligations.


The DSA does not contain an exhaustive list of sanctions for an infringement of the regulation; member states will set out the rules on sanctions. The draft regulation defines the following maximum penalties:

  • 6% of the annual income or turnover of the ISP for infringing the obligations in the DSA;

  • 1% of the annual income or turnover of the ISP for supplying incorrect, incomplete or misleading information, failing to reply or rectify incorrect, incomplete or misleading information, and failing to submit to an on-site inspection;

  • 5% of the average daily turnover in the preceding financial year per day, calculated from the date appointed by the decision in the case of daily, periodic penalty payments.

Next steps

The European parliament and member states will discuss the Commission’s proposal according to the ordinary legislative procedure, which will take at least 18 months. Once adopted, the DSA will directly apply across the EU and ISPs will have three months to prepare for the new legal regime.

For more information on the DSA, contact your CMS client partner or local CMS experts: Dr. Dóra Petrányi, Dr. Katalin Horváth, Dr. Márton Domokos.