Clifford Chance

The Digital Services Act (DSA), which creates harmonised EU rules for the regulation of intermediary services and illegal online content, has been published in the Official Journal of the European Union on 27 October.  The DSA will enter into force on 16 November 2022, 20 days after its publication.

The majority of the DSA's provisions will apply from 17 February 2024, although there are exceptions notably for (i) reporting obligations for online platforms and search engines and (ii) providers that are designated as a “Very Large Online Platform” (VLOP) or “Very Large Online Search Engine” (VLOSE) where requirements can start applying earlier.

The DSA in a nutshell

The DSA applies to providers of digital “intermediary services” offered in the EU. This represents a broad range of businesses which store or transmit the content of third parties, including internet service providers, providers of web-based messaging services or email services, providers of cloud computing or web hosting services, social media networks, app stores, online marketplaces and online search engines.

The DSA has extra-territorial reach.  The service provider itself doesn't have to be established in the EU for the DSA to apply to its services, provided there is another form of “substantial connection” to the EU.

While the DSA largely incorporates the conditional liability “safe harbour” of the 2000 e-Commerce Directive, it elaborates the liability landscape and raises the compliance bar through the important requirements it imposes on providers of intermediary services.

The DSA's rules are “tiered”, with baseline obligations applying to all providers of intermediary services (e.g., rules relating to terms and conditions and information in the terms and conditions on content moderation tools and policies, transparency reporting), hosting service providers being subject to additional rules (e.g., relating to notice and action mechanisms), and hosting service providers which qualify as online platforms being subject to yet more requirements (e.g., in relation to complaints handling, online advertising, recommender systems, online interface design and, in some cases, trader traceability).  The strictest rules are reserved for VLOPs and VLOSEs.  This refers to online platforms and online search engines that have at least 45 million average monthly active recipients of the service in the EU and are designated as VLOPs or VLOSEs in accordance with a process described in the DSA.  Additional requirements for VLOPs and VLOSEs include such things as reinforced duties on a number of issues as well as obligations relating to systemic risk assessments and mitigation of risks including for instance as posed by the intentional manipulation of their services.

Strong oversight and enforcement mechanisms and dissuasive sanctions are aimed at ensuring the DSA's effective application.

Early application

A limited number of provisions will start applying from 16 November 2022. In particular:

• Reporting obligations for online platforms and online search engines:

Providers of online platforms and online search engines will need to ensure that, by 17 February 2023, they publish, on a publicly available section of their online interface, information on the average monthly active recipients of their service in the EU. This information will then need to be published at least once every six months thereafter. Online platforms and online search engines will also have to provide that information to the Digital Services Coordinator or the European Commission (EC) upon request and without undue delay, as updated to the moment of the request. 

The EC will be able to adopt implementing acts aimed at defining templates to specify the form, content and other details of the transparency reports for online platforms from the date the DSA enters into force.

• VLOPs and VLOSEs:

The EC will be able to adopt delegated acts to supplement the DSA and specify the methodology to calculate the number of average monthly active recipients of the service in the EU for the purpose of designating VLOPs and VLOSEs, from the date of the DSA's entry into force. The adoption of such delegated acts is a possibility under the DSA but not a requirement as such.

The provisions on the procedure for designating and notifying VLOPs and VLOSEs also start applying from the date of entry into force of the DSA, and the DSA may apply by anticipation to service providers thus designated as VLOPs or VLOSEs.  Indeed, the DSA will apply to a service provider designated as a VLOP or VLOSE from four months after the relevant service provider is notified by the EC that it has been so designated where that date is earlier than 17 February 2024.

The EC will be able to adopt other delegated acts specifying certain key practical aspects relevant to VLOPs and VLOSEs, such as the rules for audits of VLOPs and VLOSEs and how VLOPs and VLOSEs are to share data with vetted researchers, or with the relevant Digital Services Coordinator or the EC to allow them to monitor and assess compliance with the DSA in accordance with its data access and scrutiny provisions. Some of these delegated acts are optional, others are required under the DSA.

The provisions relating to the annual supervisory fee for VLOPs and VLOSEs will become effective, and the EC may start adopting the implementing acts and delegated acts required in relation to this fee.

Provisions to enable the supervision, investigation, enforcement and monitoring of VLOPs and VLOSEs will also be applicable, including the power to impose fines not exceeding 6% of the total worldwide annual turnover for intentional or negligent (i) infringement of the DSA or (ii) failures to comply with measures or commitments arising from certain decisions under the DSA.