Our ‘DSA decoded’ blog series assists businesses in navigating the European Union’s Digital Services Act (DSA), the novel EU regulation designed to create a safer and more transparent digital space. Over the coming weeks, we’ll unpack this broad law and provide concise blogs with practical tips on the actions your organization should take to be prepared.
In this first blog, we explain who can enforce the DSA, the powers of regulators and potential penalties, enforcement priorities and early actions, and the private actions further shaping the enforcement landscape.
The DSA empowers both the European Commission (Commission) and Member State Digital Services Coordinators (DSCs) to take tough enforcement action against non-compliance. Since DSA obligations became fully applicable for most very large online platforms (VLOPs) and very large online search engines (VLOSEs) in August 2023, compliance has been at the top of the Commission’s regulatory agenda. With enforcement action continuing to ramp up over the past year, and obligations for all other intermediary services coming into force in February 2024, it is vital for service providers subject to the DSA to be familiar with the DSA’s different enforcement mechanisms and areas of focus. The enforcement landscape is one that is further complicated by the ability of private parties, such as service users and consumer protection organisations, to bring private actions to facilitate DSA compliance.
Commission enforcement priorities and early actions
Over the past year, the Commission has shown clear signs of an intention to exercise its enforcement powers under the DSA: engaging extensively with VLOPs and VLOSEs on an informal basis, issuing dozens of requests for information (addressed at 23 out of 25 designated services), initiating the opening of nine formal investigations and, in July 2024, announcing its first set of preliminary infringement findings against X (formerly known as Twitter). Additionally, the Commission has adopted a decision accepting a binding commitment by TikTok to withdraw the “TikTok Lite Rewards programme”.
The Commission’s key areas of focus have so far included:
- the adequacy of risk assessments, including in relation to generative AI risks;
- risk mitigation, especially relating to the online safety of minors, particularly in relation to potentially addictive features;
- platforms’ handling of the 2024 European Parliament elections and other national elections throughout the EU;
- the operation and transparency of recommender systems, particularly in relation to dark patterns;
- advertisement transparency, including ad repositories; and
- e-commerce and non-compliant goods on online marketplaces.
The Commission has focused in particular on VLOPs’ and VLOSEs’ obligations under Articles 34 and 35 to assess and mitigate systemic risks as a means of inquiring about substantive areas of concern such as consumer protection, online safety of minors, harmful or illegal content, and electoral disinformation and misinformation.
Although the members of the Commission responsible for this enforcement action recently left office following the 2024 EU Parliamentary elections, the designated new members have already publicly vowed to extend the vigorous DSA enforcement approach and to continue to focus in particular on the online safety of minors, elections, and e-commerce.
DSC enforcement action
Many Member State DSCs are still in the process of ramping up their capacity and expertise. However, some have already begun actively enforcing the DSA within their areas of competence and/or cooperating with the Commission on its own investigations. Since many VLOP/VLOSE providers have their main establishment in Ireland, the Irish DSC (Coimisiún na Meán – CnaM) is taking a leading role in DSA enforcement. While priorities will differ between DSCs, there are already some early parallels emerging between Commission and DSC priorities, including in their focus on the online safety of minors and online marketplaces.
The recent announcement of a Commission investigation into online marketplace Temu, based in part on information shared by CnaM, highlights how the shared competencies of the Commission and DSCs with respect to VLOPs and VLOSEs may interact in practice.
Regulatory enforcement – principle of shared competencies
As is apparent from the enforcement action to date, the DSA empowers the Commission and Member State DSCs with distinct, but overlapping, powers to enforce the DSA. The authority competent for enforcement depends on (i) the type of service, (ii) the specific obligations in question, and (iii) for the purpose of determining which Member State DSC has competence, the location of the intermediary service provider’s main establishment (Article 56):
- The Commission has exclusive powers to enforce the specific obligations of VLOPs and VLOSEs set out in Articles 33 to 45, regardless of the location of the VLOP’s or the VLOSE’s main establishment within the EU. This includes obligations to conduct a systemic risk assessment, provide additional transparency reporting, and to enable researcher access.
- The DSC of the Member State in which the intermediary service provider has its main establishment is exclusively competent for enforcing the DSA against services which have not been designated as VLOPs or VLOSEs by the Commission. All DSCs are competent to receive a complaint about a service operated in their jurisdiction (Article 53) but must refer that complaint for investigation to the DSC of the Member State in which the intermediary service provider has its main establishment. Joint proceedings between two or more DSCs may also be conducted where multiple Member States are concerned (Article 60).
For the general obligations of VLOPs and VLOSEs (ie obligations provided for in regulations of the DSA other than Articles 33 to 45), the Commission is primarily competent for enforcement. However, if the Commission does not initiate enforcement proceedings, the DSC of the Member State in which the intermediary service provider has its main establishment is entitled to act.
Commission and DSC powers and penalties
The investigative and fining powers attributed to the Commission and DSCs aim at effectively ensuring DSA compliance and sanctioning non-compliance. To this end, the Commission is empowered to request information, conduct interviews and onsite inspections, mandate interim measures, and issue monitoring actions. The powers of DSCs are comparable but need to be, within the mandatory guidelines outlined in the DSA, regulated under national law. In this context, it is worth noting that the DSA specifically contemplates that DSCs may apply to national courts for temporary restrictions of access to a given service.
Depending on the type of infringement, fines range from 1 per cent to 6 per cent of a provider’s annual turnover. Additionally, the Commission and DSCs may issue periodic penalty payments directed to remedying persistent non-compliance.
Private enforcement actions
Member State law in certain jurisdictions may also enable private enforcement of the DSA, including civil claims for cease-and-desist orders, orders for content removal, or damages. Already, there are signs that certain consumer groups are actively monitoring VLOPs’/VLOSEs’ compliance with the DSA. For example, the EU consumer protection umbrella group BEUC recently lodged a complaint with the Commission about Chinese online marketplace Temu, which as noted above has recently come under investigation. In Germany, a separate NGO has sued Temu and Etsy before German courts for non-compliance with the DSA, seeking orders restraining the alleged violative conduct. In addition to enforcement by consumer groups, ‘indirect’ enforcement by private individuals is gaining momentum. For example, users of the services may refer to provisions of the DSA (such as Article 17) to argue a breach of contract at the pre-litigation stage or in litigation proceedings.
What’s next?
We expect engagement by the Commission and DSCs to continue, and private enforcement actions to increase in prevalence—especially as the transparency regime mandated by the DSA (including publishing of statements of reasons, transparency reports, systemic risk assessment reports, and audit reports) makes available granular information about content moderation and risk mitigation measures undertaken by services. Key open questions remain around how the Commission and DSCs will exercise their remedial and fining powers and how a consistent, balanced and uniform application of the DSA can be ensured in light of the shared competencies involving various DSCs across the EU.
What you should do
If facing an inquiry from the Commission or DSC
Given the extensive toolkit available to the Commission and DSCs to enforce the DSA, services receiving regulatory inquiries in connection with the DSA should look to experienced counsel with specific expertise in platform regulation. As defence counsel advising multiple platforms designated as VLOPs/VLOSEs by the Commission, Freshfields has market-leading capabilities and insights on DSA enforcement defence. Freshfields also offers unmatched experience in providing advice on the full lifecycle of regulatory engagement—ranging from compliance design to regulatory defence to challenging enforcement decisions before European courts.
Learn more about the DSA
Receive all the latest updates from our ‘DSA decoded’ blog series by subscribing to our weekly Data & Cyber Newsletter.