Introduction and scope
The EU’s Digital Services Act (DSA) establishes a harmonized approach to protecting EU-based users of online communication, e-commerce, hosting and search services across the EU, by granting intermediary service providers (“ISPs”) exemption from certain liability if they perform certain obligations. An ISP will be in scope if it is either based in the EU or has a substantial connection with the EU (a significant number of users as a proportion of the population or by targeting its activities at one or more Member States). There are extra requirements for ISPs with at least 45m average monthly active EU users (designated as ‘very large online’ (VLO) platforms and VLO search engines). There are exemptions for small enterprises and micro-enterprises. A small enterprise employs fewer than 50 persons and has an annual turnover and/or annual balance sheet total which does not exceed €10m. A micro-enterprise employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed €2m.
The DSA applies from 17 February 2024 (4 months after designation as a VLO platform/search engine). However, ISPs will need to begin reporting their average monthly active users by 17 February 2023, and then every six months; and arrangements for the designation of VLO status and supervisory fees will apply from 16 November 2022.
Users can be any natural or legal person actually using or receiving the intermediary service (particularly those seeking information or making information accessible).
Intermediary services consist of the transmission of data in or the provision of access to a communication network (‘mere conduit’); the automatic, intermediate and temporary storage of information, solely for its more efficient onward transmission to other users on their request (‘caching’); and/or the storage of information provided by, and at the request of, a user (‘hosting’). Online search engines are therefore ISPs, for example.
This note summarises the provisions relating to ISPs and not those relating to the regulatory regime itself. Please get in touch if you have queries or concerns about compliance or your rights.
Chapter II - Liability of ISPs
A ‘mere conduit’ ISP won’t be liable for the information transmitted or accessed, so long as it does not initiate the transmission; does not select the receiver; and does not select or modify the information contained in it. This extends to caching where the information is not stored for any period longer than is reasonably necessary for transmission.
A caching ISP won’t be liable for caching so long as it does not modify the information and is in no way involved with the information transmitted or stored other than for storing it; complies with conditions on access to the information; complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; and acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source has been removed or disabled, or an order for such removal or disablement has been made.
A hosting ISP won’t be liable for the information stored at the request of a user so long as it does not have actual knowledge of illegal activity or illegal content and is not aware of facts or circumstances making it illegal; or acts expeditiously to remove or to disable access to the illegal content on obtaining such knowledge or awareness; and the user is not acting under the authority or the control of the provider (which it would be where the ISP determines the price of products offered by the user, for example).
This immunity does not extend to liability under consumer protection law of online platforms that allow consumers to conclude distance contracts with traders, where the platform presents the specific item of information or otherwise enables the specific transaction at issue in a way that would lead an average consumer to believe that the information, product or service, is provided either by the online platform itself or by a user who is acting under its authority or control.
Voluntary own-initiative investigations and legal compliance
ISPs shall not be deemed ineligible for the exemptions from liability solely because they, in good faith and in a diligent manner, carry out voluntary own-initiative investigations into, or take other measures aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with applicable EU law (or national implementing law). It is not clear whether compliance with non-EU law would disable the exemptions.
No general monitoring or active fact-finding obligations
ISPs have no general obligation to monitor the information which they transmit or store, or to actively seek facts or circumstances indicating illegal activity.
Orders to act against illegal content
Upon the receipt of an order to act against illegal content, ISPs must inform the authorities of any effect given to the order without undue delay. This information is shared with the Digital Services Coordinator from the Member State of the issuing authority who shares it with all other EU Digital Services Coordinators.
The ISP must inform the user concerned of the order received and the effect given to it, including a statement of reasons, the possibilities for redress that exist, and a description of the territorial scope of the order.
Orders to provide information
Upon receipt of an order to provide specific information about one or more specific individual users, ISPs must without undue delay inform the authorities of its receipt and of the effect given to it. The Digital Services Coordinator of the Member State concerned shares a copy of the order with all EU Digital Services Coordinators.
Chapter III - Due diligence obligations for a transparent and safe online environment
Section 1 - Provisions applicable to all ISPs
Points of contact
ISPs shall designate a single point of contact to enable them to communicate directly, by electronic means, with Member States’ authorities; and another for users (to communicate directly and rapidly with them, by electronic means and in a user-friendly manner, including by allowing users to choose the means of communication, which must not solely rely on automated tools).
ISPs which are not based in the EU must specify a legal representative in one of the Member States where the provider offers its services, mandated to deal with all issues necessary for the receipt of, compliance with and enforcement of decisions issued in relation to the DSA in an efficient and timely manner. The designated legal representative may be held liable for non-compliance with obligations under the DSA, without prejudice to the liability and legal actions that could be initiated against the ISP. The designation of such a legal representative will not itself constitute an establishment in the EU.
Terms and conditions
ISPs’ terms and conditions (Service Terms) must include information on any restrictions that they impose in relation to the use of their service. The Service Terms must be in clear, plain, intelligible, user-friendly and unambiguous language, and shall be publicly available in an easily accessible and machine-readable format. Users must be informed of any significant changes.
Service Terms for services primarily directed at minors or predominantly used by them must be such that minors can understand them.
Providers of VLO platforms and of VLO search engines (VLO Providers) shall provide users with a concise, easily-accessible and machine-readable summary of Service Terms and conditions, including the available remedies and redress mechanisms, in clear and unambiguous language; and publish their Service Terms in the official language(s) of each Member State in which they offer their services.
Transparency reporting obligations for ISPs
ISPs (except micro/small enterprises, unless they are VLO platforms) must publish a report at least annually on any content moderation that they engaged in during the relevant period, including the number of orders received in relation to illegal content, by type; voluntary content moderation; the number of complaints received, their basis, decisions taken and median time taken to resolve; and any use made of automated means for the purpose of content moderation.
Section 2 - Additional Provisions for Hosting ISPs, including ‘Online Platforms’
Notice and action mechanisms
Hosting ISPs must have mechanisms, which are easy to access and user-friendly, to allow any individual or entity to notify them electronically of the presence of illegal content on their services. Notices give rise to actual knowledge or awareness of the specific item where they allow the hosting ISP to identify the illegality without a detailed legal examination. The ISP must confirm receipt without undue delay and notify that individual or entity of its decision, providing information on the possibilities for redress in respect of that decision. Hosting ISPs must act in a timely, diligent, non-arbitrary and objective manner and specify where they use automated means for processing the notice or decision-making.
Statement of reasons
Where they have a user’s electronic contact details, Hosting ISPs must provide users with a clear and specific statement of reasons for restrictions imposed where the user’s information is illegal content or incompatible with the ISP’s Service Terms (except commercial spam).
Notification of suspicions of criminal offences
Hosting ISPs which become aware of any information giving rise to a suspicion that a criminal offence involving a threat to the life or safety of a person or persons has taken place, is taking place or is likely to take place, must promptly inform the authorities of the Member State(s) where the offence is suspected to take place, where the suspected offender is based or where the victim is based or the authorities in its home Member State and/or Europol.
Section 3 - Additional provisions applicable to Online Platform Providers (Hosting)
The term ‘online platform’ means a hosting service that stores and disseminates information to the public at the user’s request.
This term excludes an activity that is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, so long as that integration of the feature or functionality into the other service is not a means to circumvent the applicability of the DSA.
Exclusion for micro and small enterprises
This Section does not apply to Online Platform Providers (OPPs) that qualify as micro or small enterprises or that previously qualified as a micro or small enterprise for 12 months after losing that status (unless they are VLO platforms).
Internal complaint-handling system and Out-of-court dispute settlement
An OPP must give the user and any other complainant access to its complaint-handling system to lodge a complaint, electronically and free of charge for at least 6 months, where the provider notifies a user of a decision that information provided by the user constitutes illegal content or is incompatible with its Service Terms, so long as that decision affects whether or not to remove or disable access to or restrict visibility of the information; suspend or terminate the provision of all or part of the service; or suspend or terminate the user’s account or ability to monetise the information provided by the user.
Wrongful decisions must be reversed without undue delay.
OPPs must inform complainants without undue delay of their reasoned decision in respect of the information to which the complaint relates and options to resolve any dispute.
These decisions must be under the supervision of appropriately qualified staff, and not solely automated.
Both parties must engage with the selected certified out-of-court dispute settlement process in good faith, but providers may refuse to engage if a dispute has already been resolved concerning the same information and the same grounds. Out of court settlements cannot be imposed as binding settlements, however.
If the out-of-court resolution favours the user, the OPP must pay all the fees charged by the alternative dispute resolution body, and reimburse the user for any reasonable expenses it has paid in relation to the dispute settlement.
If the dispute settlement favours the OPP, the user is not required to reimburse the OPP for any fees or other expenses paid or payable in relation to the dispute settlement, unless the user manifestly acted in bad faith.
Fees charged to OPPs by out-of-court dispute settlement bodies must be reasonable and not exceed the costs incurred by the body.
For users, the dispute settlement shall be available free of charge or at a nominal fee.
The status of ‘trusted flagger’ under the DSA must be awarded by the Digital Services Coordinator of the Member State in which the applicant is established where the applicant: has particular expertise and competence for the purposes of detecting, identifying and notifying illegal content; is independent from any OPP; and carries out its activities for the purposes of submitting notices diligently, accurately and objectively.
OPPs shall take the necessary technical and organisational measures to ensure that notices submitted by trusted flaggers, acting within their designated area of expertise, are given priority and are processed and decided upon without undue delay.
Trusted flaggers must publish at least once annually easily comprehensible and detailed reports on notices they submitted during the relevant period.
Measures and protection against misuse
Having issued a warning, OPPs must suspend their services to users that frequently provide manifestly illegal content, for a reasonable period of time. This applies also to the processing of notices and complaints by complainants that frequently submit manifestly unfounded notices or complaints.
Transparency reporting obligations for OPPs
OPPs shall report to the local authorities: the number of disputes submitted to the out-of-court dispute settlement bodies; the outcomes of the dispute settlement; the median time needed for completing the dispute settlement procedure; the share of disputes where the OPP implemented the decisions of the body; the number of suspensions imposed for the provision of manifestly illegal content, the submission of manifestly unfounded notices and the submission of manifestly unfounded complaints.
OPPs must publish for each online platform or online search engine information on the average monthly active users in the EU, calculated as an average over the period of the past six months and in accordance with any specified methodology. Such up-to-date information must also be provided to the local Digital Services Coordinator and the Commission, upon their request and without undue delay.
Digital Services Coordinators must inform the Commission when an OPP or online search engine provider meets the threshold of average monthly active users for designation under the DSA.
Online interface design and organisation
OPPs must not design, organise or operate their Online Interfaces in a way that deceives or manipulates users or in a way that otherwise materially distorts or impairs the ability of users to make free and informed decisions. This does not apply to practices covered by GDPR or the Directive on unfair business-to-consumer practices.
Advertising on online platforms
For each specific advertisement presented by an OPP to each individual user on its Online Interface the OPP shall ensure that the user is able to identify, in a clear, concise and unambiguous manner and in real time: that the information is an advertisement; the advertiser (and the person who paid for the ad if different from the advertiser); the main parameters used to determine the user to whom the advertisement is presented and how to change those parameters, if applicable.
OPPs must provide users with a functionality to declare whether the content they provide is or contains commercial communications; and must ensure that other users can identify that content is or contains commercial communications, as described.
OPPs must not present advertisements to users based on ‘profiling’ using ‘special categories’ of personal data, as defined in GDPR.
Recommender system transparency
A ‘recommender system’ is a fully or partially automated system used by an online platform to suggest specific information to users or prioritise that information in its Online Interface, including as a result of a user’s search or otherwise determining the relative order or prominence of the information.
OPPs that use recommender systems must set out in their Service Terms in plain and intelligible language the main parameters used and any options for the users to modify or influence those parameters, including at least: the criteria which are most significant in determining the information suggested to the user; and the reasons for the relative importance of those parameters.
Where several options are available to determine the relative order of information presented to users, the user must be allowed to select and modify their preferred option at any time in the specific section where the information is being prioritised.
Online protection of minors
OPPs accessible to minors must have appropriate and proportionate measures to ensure ‘a high level’ of privacy, safety, and security of minors; and must not present ads based on profiling users’ personal data when they are reasonably certain that the user is a minor (without having to process additional personal data to assess whether the user is a minor).
Section 4 - Additional provisions applicable to E-commerce Platforms
Exclusion for micro and small enterprises
This Section applies to OPPs that allow consumers to conclude distance contracts with traders (“E-commerce Platform Provider” or “EPP”), including those that have been designated as VLO platforms. But it does not apply to EPPs that qualify as micro or small enterprises or that previously qualified as a micro or small enterprise for 12 months after losing that status (unless the traders are VLO platforms).
Traceability of traders
EPPs shall ensure that traders can only use those online platforms to promote messages or offer products or services to EU-based consumers if the EPP has first obtained the trader’s contact details, identity document, payment details, membership of any trade body and self-certification by the trader committing to only offer products or services that comply with the applicable rules of EU law.
EPPs must use best efforts to assess whether the information is reliable and complete, through the use of any freely accessible official online database or Online Interface made available by a Member State or the EU or by requesting the trader to provide supporting documents, but traders are liable for the accuracy of the information provided. If the trader fails to provide the required information, the OPP must suspend service to the trader until it does. The trader must have the right to lodge a complaint (without prejudice to the requirements for restriction, suspension or termination under the Regulation on fairness and transparency for online traders).
EPPs must store the information for six months after the end of the contractual relationship with the trader concerned, then must delete the information. The EPP may only disclose the information to third parties where so required in accordance with the applicable law, but must make certain information available on its online platform to users in a clear, easily accessible and comprehensible manner, at least where information on the product or service is presented.
Compliance by design
EPPs shall ensure that their Online Interfaces are designed and organized in a way that enables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information under applicable EU law, including contact and labelling information.
EPPs must also make reasonable efforts to randomly check in any official, freely accessible and machine-readable online database or Online Interface whether the products or services offered have been identified as illegal.
Right to information
Where an EPP becomes aware that an illegal product or service has been offered by a trader to EU-based consumers through its services, that provider must inform consumers who purchased the illegal product or service within the preceding six months (if the EPP has their details) that the product or service is illegal; of the identity of the trader; and of any relevant means of redress. If the EPP does not have the contact details of all consumers concerned, it must publish the information in a way that is easily accessible on its Online Interface.
Section 5 - Additional obligations for providers of VLO platforms and of VLO search engines
Risk assessment and mitigation
VLO Providers must diligently identify, analyse and assess any systemic risks in the EU stemming from the design, functioning or use of their service and its related systems at least annually and prior to deploying functionalities that are likely to have a critical impact on those risks. The risk assessment must be specific to their services and proportionate to the systemic risks, taking into consideration their severity and probability. The supporting documents must be held for at least three years and be provided on request to the Commission and local Digital Services Coordinator.
VLO providers must have reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified, with particular consideration to the impacts of such measures on fundamental rights.
Crisis response mechanism
Where extraordinary circumstances lead to a serious threat to public security or public health in the EU (‘crisis’), the Commission can require VLO Providers to assess whether, and if so to what extent and how, the functioning and use of their services significantly contribute to a serious threat; identify and apply specific, effective and proportionate measures to prevent, eliminate or limit any such contribution; and report to the Commission on the assessments and on the measures taken.
VLO Providers must be independently audited at least once annually at their own expense to assess compliance with the above obligations, any commitments undertaken pursuant to codes of conduct adopted under the DSA, and the crisis protocols for extraordinary circumstances affecting public health and security.
The auditors must be independent and not have any conflicts of interest with the VLO Provider or any legal person connected to that provider (no non-audit services related to the matters audited provided to the VLO Provider or any legal person connected to that provider in the 12 months prior to the beginning of the audit, and no commitment to providing them with such services in the 12 months after; no provision of auditing services for longer than 10 consecutive years; and fees cannot be contingent on the result of the audit). They must have proven expertise in the area of risk management, technical competence and capabilities, as well as having proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
Audit reports must be substantiated, in writing, and shall include certain specified information, including an opinion that is either ‘positive’, ‘positive with comments’ or ‘negative’, with operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance. The VLO Provider then has a month to adopt a report setting out the measures necessary to implement recommendations or justify not doing so.
VLO Providers must provide at least one option for each of their recommender systems which is not based on profiling as defined in GDPR.
Additional online advertising transparency
VLO Providers who present advertisements on their Online Interfaces shall compile and make publicly available in a specific section of their Online Interface (through a searchable and reliable tool that allows multicriteria queries) and APIs, a repository containing certain information about the ads for the entire period during which the ad is presented until one year afterwards, making reasonable efforts to ensure that the information is accurate and complete, including whether the advertisement was intended to be presented specifically to one or more particular groups of users and if so, the main parameters used for that purpose including where applicable the main parameters used to exclude one or more of such particular groups; and the total number of users reached, broken down by Member State; and where a specific advertisement was taken down for illegality or incompatibility with the VLO Provider’s terms and conditions, the repository shall instead include the information required for statements of reasons or the legal basis for take-down orders.
Data access and scrutiny
VLO Providers must provide their home Digital Services Coordinator (DSC) with access to data necessary to monitor and assess compliance with the DSA within a reasonable period specified in any request. The data may only be accessed for the purpose of monitoring and assessing compliance with the DSA, and the DSC must take due account of the rights and interests of the VLO Providers and the users concerned, including the protection of personal data, confidentiality, trade secrets, and security of the VLO service. VLO Providers must explain the design, the logic, the functioning and the testing of their algorithmic systems, including their recommender systems; and provide access to ‘vetted researchers’ conducting research that contributes to the detection, identification and understanding of systemic risks in the EU and assessment of the adequacy, efficiency and impacts of the risk mitigation measures.
VLO Providers must have a compliance function that is independent from their operational functions and composed of one or more compliance officers with sufficient authority, stature, qualifications, knowledge, experience, ability, resources and access to the management/board to monitor the VLO Provider’s compliance with the DSA and carry out certain specified functions. The head of compliance must report directly to the management body and cannot be removed without prior approval of the management body.
The management body of the VLO Provider shall: define, oversee and be accountable for the implementation of the provider’s governance arrangements that ensure the independence of the compliance function, including the division of responsibilities within the organisation of the VLO Provider, the prevention of conflicts of interest, and sound management of systemic risks; approve and review at least annually, the strategies and policies for taking up, managing, monitoring and mitigating the risks; and devote sufficient time to the consideration of mitigation measures and ensure that adequate resources are allocated to risk management.
Transparency reporting obligations
VLO Providers must publish their transparency reports at least every six months (rather than annually) with certain additional information, including the human resources that the provider of VLO platforms dedicates to content moderation; the qualifications and linguistic expertise of moderators; and indicators of accuracy and related information on the use of automated content moderation, each broken down by each official language of the Member State(s) where its services are offered.
Each VLO Provider will be charged an annual supervisory fee that takes into account the costs incurred in the previous year; is proportionate to the VLO Provider’s number of average monthly active users in the EU; but must not exceed 0.05% of its worldwide annual net income in the preceding financial year.