The Digital Services Act (DSA), Regulation (EU) 2022/2065, is the European Union's horizontal rulebook for online intermediary services. It sets harmonised obligations for how providers handle illegal content, moderate user material, and disclose how their services work. The DSA entered into force on 16 November 2022 and became generally applicable across the EU on 17 February 2024.
The DSA follows an asymmetric, tiered model: the smallest providers face the lightest duties, while the largest services carry the most obligations. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) — those reaching 45 million or more average monthly EU users (10% of the EU population) — face the strictest requirements and are supervised directly by the European Commission.
Who does the DSA apply to?
The DSA applies to providers of intermediary services offered to users in the EU, regardless of where the provider is established. Obligations are layered by service type:
- Intermediary services (e.g. internet access, domain registrars) — baseline transparency and points of contact.
- Hosting services — notice-and-action mechanisms and statements of reasons.
- Online platforms (e.g. marketplaces, social networks, app stores, content-sharing and travel/accommodation sites) — additional duties such as complaint handling, trusted flaggers, and advertising transparency.
- VLOPs and VLOSEs — services reaching 45 million+ average monthly EU users, with the most stringent obligations.
Micro and small enterprises are exempt from several of the heavier platform-specific obligations.
How does notice-and-action work?
Hosting providers must offer easy-to-use mechanisms allowing any person or entity to notify them of content they consider illegal. A sufficiently substantiated notice can give the provider actual knowledge of illegality.
When a provider removes or restricts content, it must give the affected user a clear and specific statement of reasons, explaining the decision and the legal or terms-of-service basis for it. Users can challenge moderation decisions through free internal complaint-handling, certified out-of-court dispute settlement, or judicial redress.
What are trusted flaggers?
Trusted flaggers are entities whose notices of illegal content must be given priority and processed without undue delay.
The status is awarded by the Digital Services Coordinator of the Member State where the applicant is established. Eligibility requires demonstrated expertise in detecting illegal content, independence from any platform provider, and diligent, accurate, and objective operation. Platforms must report periodically on the notices they receive from trusted flaggers.
What transparency and advertising rules apply?
Providers must publish transparency reports on their content moderation activity; online platforms report at least annually, and VLOPs/VLOSEs at least every six months. Content moderation decisions also feed the EU's public DSA Transparency Database.
On advertising, online platforms must clearly label ads and disclose who paid for them and the main parameters used to target them. The DSA prohibits advertising based on profiling that uses special categories of personal data (such as ethnicity, religion, or sexual orientation), and bans advertising based on profiling of minors. Platforms must also disclose the main parameters of their recommender systems.
What extra obligations do VLOPs and VLOSEs face?
Beyond standard platform duties, VLOPs and VLOSEs must:
- Conduct annual systemic risk assessments covering risks from the design, functioning, and use of their services — including illegal content, effects on fundamental rights, civic discourse and electoral processes, and public health and safety.
- Put in place reasonable risk-mitigation measures.
- Undergo independent annual audits of their compliance.
- Provide data access to vetted researchers and authorities.
- Offer at least one recommender option not based on profiling.
VLOPs/VLOSEs also pay an annual supervisory fee to the Commission.
How is the DSA enforced and what are the penalties?
Enforcement is shared. Each Member State designates a Digital Services Coordinator to oversee providers established in its territory. The European Commission has primary, exclusive supervisory powers over VLOPs and VLOSEs.
Fines for infringement may not exceed 6% of the provider's total worldwide annual turnover. Periodic penalty payments of up to 5% of average daily worldwide turnover can also be imposed. For supplying incorrect or misleading information, fines may reach up to 1% of annual income or turnover.
What are the key dates?
- 16 November 2022 — DSA entered into force.
- 17 February 2023 — deadline for platforms and search engines to publish their average monthly active EU user numbers.
- 25 April 2023 — Commission designated the first 17 VLOPs and 2 VLOSEs; designated services had ~4 months (until late August 2023) to comply.
- 17 February 2024 — DSA became fully applicable to all in-scope providers across the EU; Member States' Digital Services Coordinators operational.
Frequently asked questions
When did the DSA take effect?
The DSA entered into force on 16 November 2022 and became generally applicable on 17 February 2024. The first designated VLOPs and VLOSEs had to comply earlier — by around late August 2023, four months after their 25 April 2023 designation.
What is a VLOP or VLOSE?
A Very Large Online Platform (VLOP) or Very Large Online Search Engine (VLOSE) is a service with 45 million or more average monthly active users in the EU — equivalent to 10% of the EU population. These services are designated by the European Commission and face the DSA's strictest obligations.
What are the maximum penalties under the DSA?
Fines may not exceed 6% of a provider's total worldwide annual turnover. The Commission and national authorities can also impose periodic penalty payments of up to 5% of average daily worldwide turnover to compel compliance.
Does the DSA apply to companies based outside the EU?
Yes. The DSA applies to intermediary services offered to users located in the EU regardless of where the provider is established. Providers without an EU establishment must designate a legal representative in a Member State.
What is a statement of reasons?
When a provider removes, demotes, or otherwise restricts user content, it must give the affected user a clear, specific statement of reasons explaining the decision and the legal or terms-of-service basis for it. These statements are also published in the public DSA Transparency Database.
Who enforces the DSA?
Enforcement is shared. The European Commission directly supervises VLOPs and VLOSEs. Each EU Member State designates a Digital Services Coordinator responsible for providers established in its territory and for coordinating enforcement nationally.