In Short
- The Digital Services Act (DSA) regulates online businesses that provide intermediary services to users in the EU, regardless of the provider’s location.
- Different obligations apply based on the type of service provided, from basic duties for all intermediary services to stricter requirements for large platforms.
- Non-compliance with the DSA can lead to fines of up to 6% of global turnover and other penalties.
Tips for Businesses
Assess whether your business falls within the scope of the Digital Services Act, especially if you offer services to users in the EU. Understand your specific obligations based on the type of service you provide. Take proactive steps to comply, such as updating terms of service, implementing reporting systems, and designating a legal representative if necessary.
If your business operates online and reaches users in the EU, you should be aware of the Digital Services Act (DSA). This law (introduced by the European Union) aims to make the Internet safer, more transparent, and more accountable. It places crucial legal obligations on many digital services – from small hosting providers to large global platforms. The EU adopted the DSA in November 2022, and the law has applied to most online businesses since 17 February 2024. Since its implementation, we have seen enforcement action from the European Commission investigating firms and issuing requests.
Given the significant regulatory concerns around safety online, the scrutiny on businesses is likely to grow, so assessing these laws and whether they apply to your business activities is vital. This article introduces the DSA, gives examples of key obligations for business owners, and explains how your business can work out which steps to take to comply with its specific obligations.
Which Businesses Fall Within the Scope of the DSA
The DSA applies to businesses that offer intermediary services to service recipients established or residing in an EU Member State, regardless of where the provider is based. This covers many companies, including:
- cloud hosting companies;
- social networks;
- online marketplaces;
- messaging services;
- app stores; and
- search engines.
Your business does not need to be based in the EU. The rules apply if you provide intermediary services to users established or located in an EU Member State.
For the DSA to apply, there must be a substantial connection to the EU. This may be shown through having an establishment in the EU, a significant number of users in one or more Member States, or targeting activities towards the EU. You should carefully assess your service’s connection to the EU to determine whether you fall within the scope of the DSA.
For most providers, the rules have applied since 17 February 2024. However, very large online platforms and very large online search engines (known as VLOPs and VLOSEs) faced earlier compliance deadlines. These are platforms that reach at least 45 million average monthly active users in the EU. Due to their scale and risk profile, these providers must comply with more extensive legal obligations.
Examples of DSA Obligations
All intermediary services (such as internet access providers or caching tools) must meet essential obligations, whereas very large platforms will have many more obligations.
If your business only acts as a ‘mere conduit’ (simply transmitting information) or temporarily stores it (caching), you only need to meet the basic duties that apply to all intermediary services. Hosting providers have extra responsibilities.
If your platform allows consumers to buy from traders, for example, an online marketplace, you may also need to check those traders and support legal compliance. Those designated as VLOPs or VLOSEs face the most extensive set of rules, including obligations around systemic risk, transparency, independent audits, and cooperation with regulators.
If your service falls within the scope of this law, then you may need to implement new processes. These include moderation tools, reporting systems, clearer legal terms, or appointing a legal representative within the EU.
Non-compliance carries a heavy risk, too. The Commission and national regulators can impose fines of up to 6% of your global annual turnover. Sometimes, they can also order service restrictions or demand structural changes to the platform’s operations.

Actions to Ensure DSA Compliance
Compliance here does not follow a one-size-fits-all approach and will look different for different companies depending on their activities.
You should begin by assessing whether you offer services to users in the EU. Your business will need to review each product or service on a case-by-case basis and consider how it fits within the DSA’s framework. You should classify your service under one of the DSA categories, such as:
- intermediary;
- hosting provider;
- online platform; or
- online marketplace.
Once you understand your classification, assess what the DSA requires from that type of provider. You should then review your existing processes to identify any gaps. This gap analysis may reveal that some compliance steps are already in place. Where gaps exist, however, you must take steps to address them. This may involve updating your terms of service, changing how users report illegal content, or introducing clearer transparency measures. If your business is not established in the EU, you must appoint a legal representative based in a Member State where your users are located.
You should also keep a written record of your compliance with the DSA. This will help demonstrate compliance if regulators ask questions or issue enforcement requests.
Key Takeaways
The DSA is a major step in the EU’s regulation of digital services. Even if you operate outside the EU, the rules may still apply to your business. Whether you provide hosting, marketplace, or platform services, consider whether your business reaches users in the EU and assess whether you fall within the scope of the DSA. If so, you must consider what responsibility level applies to your activities. The DSA sets different obligations depending on the type of service – from basic rules for all intermediary services to stricter duties for hosting services, online platforms, and very large platforms or search engines.
Your business should assess how it operates and which category it falls into, as compliance depends on your activities. As enforcement continues into 2025, regulators expect businesses to take proactive, well-documented steps to comply.
Frequently Asked Questions
The Digital Services Act is an EU law that regulates online services, including platforms, marketplaces, and hosting providers. It aims to protect users from illegal content, increase transparency in content moderation, and ensure accountability across the digital economy.
If your business does not meet the DSA’s requirements, you can face fines of up to 6% of your global annual turnover.