21.02.2024 | KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation, the DSA applies directly without the need for transposition into national law. Providers of intermediary services have until February 17, 2024, to implement the requirements. Online platforms within the scope of the DSA had to publish their end-user figures and report them to the EU Commission. On this basis, it is being examined whether the platforms and search engines should be classified as “Very Large Online Platforms” (“VLOPs”) or “Very Large Online Search Engines” (“VLOSEs”). The Commission published the first results on April 25, 2023. Some of the providers affected have now filed a lawsuit against their classification as a VLOP. But what exactly does the Digital Services Act regulate?

What is the Digital Services Act about?

The DSA is intended to ensure greater legal certainty and transparency in the digital markets. The regulation also aims to strengthen consumers’ rights and combat illegal content on digital services. Therefore, the regulation also provides for additional liabilities. Ultimately, the Commission wants the Digital Services Act to promote competition and innovation.

The scope of the Digital Services Act

The regulation applies to digital service providers that offer goods, services or content to consumers. This covers all online intermediaries and platforms, such as online marketplaces, social networks, content sharing platforms, app stores and search engines, that offer their services in the EU – regardless of where they are based.

These are the obligations that providers face

The obligations of online companies vary depending on their role, size and impact in the online environment. The regulation classifies providers into four tiers of increasing regulatory intensity. A distinction is made between pure intermediary services (Level 1), hosting providers (Level 2), online platforms (Level 3) and VLOPs/VLOSEs (Level 4).

An intermediary service provider (Level 1) is any company that provides information society services, such as caching or hosting. In principle, any provider who mediates services on the Internet in return for payment is covered; the scope of application of the DSA is thus very broad. Level 1 providers are subject in particular to new information and transparency obligations. However, the most important point at this stage is the liability relief for intermediary services. They are liable for illegal content only if they had actual knowledge of the illegality.

In addition to the Level 1 obligations, hosting providers (Level 2), for example cloud computing services or web hosting services, will in future have to establish procedures for reporting and remedying infringements, including copyright or trademark infringements.

In addition to the obligations of Levels 1 and 2, online platforms (Level 3) will in future be subject to bans on “dark patterns” and other manipulative practices to influence user behavior. For example, the design of the termination process must not make it more difficult to terminate a service than to sign up for it. The Commission may also issue guidelines in the future on dealing with identified “dark patterns.” Furthermore, additional measures must be taken to protect minors.

By far the most intensive regulation concerns VLOPs and VLOSEs (Level 4). These are online platforms and online search engines with an average of more than 45 million users per month. The classification as VLOP or VLOSE is made by decision of the EU Commission. Currently, 17 online platforms are among the VLOPs and two search engines are considered VLOSEs. Among other things, these are subject to stricter transparency requirements. For example, personnel resources used for content moderation must be provided and the average monthly number of users must be published. In addition, increased requirements apply to risk and crisis management. In particular, providers will be required to conduct risk assessments regarding the dissemination of illegal content or, for example, adverse effects on social debate, electoral processes, or public safety before introducing new features. They are also required to undergo an independent audit once a year.

The implementation effort of all regulations of the DSA is immense and poses enormous financial and organizational challenges for the parties concerned.

Violations are subject to enormous fines

Companies that violate the DSA regulations face high fines and penalty payments: these can amount to up to 5 percent of the daily average revenue. Fines are capped at 6 percent of total global annual turnover.

Action against classification as a very large online platform

Companies can bring an action against the classification as a Very Large Online Platform or Very Large Online Search Engine before the Court of Justice of the European Union (EGC). Several online platforms have already made use of this. One of the largest international online retailers justified its action before the EGC on the grounds that it was not the largest retailer in any EU country. If it were still classified as a VLOP, this would put it at a disadvantage compared to national online retailers. Another online retailer justified its complaint against classification as a VLOP by claiming that the EU Commission had misinterpreted its user figures. The relevant number of users would not exceed the threshold of 45 million.

Whether the EU will succeed in banning illegal content from online services remains to be seen. In any case, the resistance of the online giants makes it clear that the implementation of the DSA will not be easy. The changes required are far-reaching and in part likely to significantly impact existing business practices in the online space. For VLOPs and VLOSEs in particular, the Digital Markets Act (DMA), which also imposes numerous additional obligations on large online platforms, can additionally play a major role.

In view of the high fines that could be imposed from February 17, 2024, companies should check as soon as possible whether they fall within the scope of the DSA. If so, they should ensure that they meet the new compliance regulations.


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

Dr. Anna-Kristine Wipper

Head of Technology Law
