While the Digital Services Act (DSA) has been applicable already to providers of very large online platforms (VLOPs) and very large online search engines (VLOSEs) since end of August 2023, other intermediary service providers will now also be subject to it: Since 17 February 2024, the DSA is binding – and enforceable – for all providers within its scope of application. And the scope of application is broader than it might seem at first glance. Companies are well advised - if they have not already done so - to take another close look at the nature of their services and websites to avoid compliance gaps.
Recap: Which services are in scope?
In addition to mere conduit and caching providers, hosting providers, online platforms and B2C online marketplaces are particularly affected by the DSA. A service provider is in-scope if it (i) transmits (mere conduit or caching), (ii) stores (hosting) or (iii) disseminates third party content to the public (online platform). This means that not only content sharing platforms, cloud storage providers, app stores, online sales platforms, and collaborative economy platforms will be affected by the new rules. Does the website contain a community space or chat room? Does it include content from others, even if partner or group companies? As the DSA’s scope is broad, all companies providing intermediary services should closely examine whether and how their services might be covered under the DSA.
The DSA applies to my service. What now?
As we summarized here, the DSA follows the principle “what is illegal offline, must also be illegal online” and aims to protect digital spaces against the spread of hate speech, disinformation, illegal content (which includes goods and services) and other harms while ensuring the protection of free speech and other fundamental rights. To achieve this, the DSA utilizes a toolbox, some say a colourful bouquet, of different obligations.
These new obligations aim to increase transparency and legal protection for users, e.g. (depending on the service category) through mandatory information in the GTC on content moderation, by mandatory internal complaint handling procedures but also through increased transparency on advertisements and recommender systems and the prevention of deceptive and manipulative designs of the online interface. In addition, the DSA contains obligations that will provide insights on how a service is used and that will facilitate the work of the authorities and law enforcement agencies, e.g. by requiring service providers to prepare and publish annual transparency reports, to notify competent authorities of suspicions of certain criminal offences and to provide a single point of contact that authorities and service recipients can use to communicate directly with the provider.
The list of applicable obligations is long, and service providers should see it as guidance for compliance checkpoints: Depending on which category they are in, they need to make sure, inter alia, to provide and update the required information on their online interface (e.g. contact possibilities but also regarding transparency of advertisements), update their GTC in accordance with the DSA’s transparency requirements, set up the required (external and internal) processes e.g. for notice-and-take down procedures as well as complaint handling and collect and publish the information required for transparency reporting.
Not all Member States are ready
Regulatory and media focus has been on VLOPSs and VLOSEs with over 45 million users, which had to demonstrate compliance since end of August 2023. Unlike for VLOPs and VLOSEs, the supervision and enforcement of the rules for other services will be carried out directly in the Member States. To that end, Member States needed to appoint Digital Services Coordinators (DSCs) and, if applicable, further competent authorities, by 17 February 2024.
But not all Member States have done their homework in time. For instance, in Germany the adoption of the necessary implementation law is not expected before the end of March; accordingly, the DSC for Germany (which, after much wrangling, will fall to the Bundesnetzagentur (Federal Network Agency)) has not yet been appointed. It looks like some more time will be needed until all Member State DSCs are operational which may give companies a bit more time until enforcement kicks in for real.
Non-compliance risks in the face of uncertainties
The broad scoping and the lack of guidance on the specifics for various obligations can make it difficult to develop the right compliance approach for the DSA. Still, companies should make sure they are DSA-fit, as fines for non-compliance are high and can reach up to 6% of the annual worldwide turnover. Reach out to us if we can support you to navigate through the DSA.