The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation, the DSA applies directly without the need for transposition into national law. Providers of intermediary services still have time until February 17, 2024, to implement the requirements. Online platforms within the scope of the DSA had to publish their end-user figures and report them to the EU Commission. On this basis, it is being examined whether the platforms and search engines should be classified as “Very Large Online Platform” (“VLOP”) or “Very Large Online Search Engines” (“VLOSE”). The Commission published the first results on April 25, 2023. Some providers affected by this have now filed a lawsuit against their classification as a VLOP. But what exactly does the Digital Services Act actually regulate?

What is the Digital Services Act about?

The DSA is intended to ensure greater legal certainty and transparency in the digital markets. The regulation also aims to strengthen consumers’ rights and combat illegal content on digital services. Therefore, the regulation also provides for additional liabilities. Ultimately, the Commission wants the Digital Services Act to promote competition and innovation.

The scope of the Digital Services Act

The regulation applies to digital service providers that offer goods, services or content to consumers. This covers all online intermediaries and platforms, such as online marketplaces, social networks, content sharing platforms, app stores and search engines, that offer their services in the EU – regardless of where they are based.

These are the obligations that suppliers face

The obligations of online companies vary depending on their role, size and impact in the online environment. The regulation classifies providers into four tiers of increasing regulatory intensity. A distinction is made between pure intermediary services (Level 1), hosting providers (Level 2), online platforms (Level 3) and VLOPs/VLOSEs (Level 4).

An intermediary service provider (Level 1) is any company that provides information society services, such as caching or hosting. In principle, any provider who mediates services on the Internet in return for payment is covered; the scope of application of the DSA is thus very broad. Level 1 providers are subject in particular to new information and transparency obligations. However, the most important point at this stage is the liability relief for intermediary services. They are liable for illegal content only if they had actual knowledge of the illegality.

Hosting providers (Level 2), for example cloud computing services or web hosting services, must establish procedures for reporting and remedying infringements, including copyright or trademark infringements, in addition to Level 1 obligations in the future.

In addition to the obligations of levels 1 and 2, online platforms (level 3) will in future be subject to bans on “dark patterns” and other manipulative practices to influence user behavior. For example, the design of the termination process must not make it more difficult to terminate a service than the process of signing up for that service. Furthermore, the Commission may in the future issue guidelines in dealing with identified “dark patterns.” Furthermore, additional measures must be taken to protect minors.

By far the most intensive regulation concerns VLOPs and VLOSEs (Level 4). These are online platforms and online search engines with an average of more than 45 million users per month. The classification as VLOP or VLOSE is made by decision of the EU Commission. Currently, 17 online platforms are among the VLOPs and two search engines are considered VLOSEs. Among other things, these are subject to stricter transparency requirements. For example, personnel resources used for content moderation must be provided and the average monthly number of users must be published. In addition, increased requirements apply to risk and crisis management. In particular, providers will be required to conduct risk assessments regarding the dissemination of illegal content or, for example, adverse effects on social debate, electoral processes, or public safety before introducing new features. They are also required to undergo an independent audit once a year.

The implementation effort of all regulations of the DSA is immense and poses enormous financial and organizational challenges for the parties concerned.

Violations are subject to enormous fines

Companies that violate the DSA regulations face high fines and penalty payments: These can amount to up to 5 percent of the daily average revenue. Fines are capped at up to 6 percent of total global annual turnover.

Action against classification as a very large online platform

Companies can bring an action against the classification as a Very Large Online Platform or Very Large Search Engine before the Court of Justice of the European Union (EGC). Several online platforms have already made use of this. One of the largest international online retailers justified its action before the EGC on the grounds that it was not the largest retailer in any EU country. If it were still classified as a VLOP, this would put it at a disadvantage compared to national online retailers. Another online retailer justified its complaint against classification as a VLOP by claiming that the EU Commission had misinterpreted its user figures. The relevant number of users would not exceed the threshold of 45 million.

Whether the EU will succeed in banning illegal content from online services remains to be seen. In any case, the resistance of the online giants makes it clear that the implementation of the DSA will not be easy. The changes required are far-reaching and in part likely to significantly impact existing business practices in the online space. For VLOPs and VLOSEs in particular, the Digital Markets Act (DMA) can additionally play a major role, which also imposes numerous additional obligations on large online platforms.

In view of the high fines that could be imposed from February 17, 2024, companies should check as soon as possible whether they fall within the scope of the DSA. If so, they should ensure that they meet the new compliance regulations.