The Digital Services Act:
Practical Implications for Online
Services and Platforms
March 2023
Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with
aliated limited liability partnerships conducting the practice in France, Hong Kong, Italy, Singapore, and the United Kingdom and as an
aliated partnership conducting the practice in Japan. Latham & Watkins operates in Israel through a limited liability company. Latham
& Watkins operates in South Korea as a Foreign Legal Consultant Oce. Latham & Watkins works in cooperation with the Law Firm of
Salman M. Al-Sudairi, a limited liability company, in the Kingdom of Saudi Arabia. © Copyright 2023 Latham & Watkins. All Rights Reserved.
Contents
Introduction ............................................................................... 1
Applicability .............................................................................. 2
Timeline ..................................................................................... 4
Obligations and Liability .......................................................... 5
Sanctions ................................................................................. 13
Practical Considerations ....................................................... 14
Contacts .................................................................................. 15
1
Introduction
The Digital Services Act (DSA) is a key part of the European Union’s (EU) digital regulation
strategy, which seeks to modernise legal frameworks and create a safer and more open
digital environment.
The DSA entered into force in the EU on 16 November 2022. Whilst a number of provisions
took eect on this date (including the provisions empowering the European Commission
(Commission) to designate certain entities as “very large online platforms” (VLOPs) and “very
large online search engines” (VLOSEs), as well as the obligation on online platforms to publish
transparency reports), the majority of the operative provisions will not come into force until 17
February 2024.
Designated online platforms and online search engines were required to publish their rst
transparency reports by 17 February 2023, and will be obliged to continue to do so once every six
months thereafter.
The DSA has a broad scope and regulates many aspects of digital services, including liability
for online content and services, targeted advertising, know your business customer (KYBC)
requirements, transparency for users, and managing systemic platform risks. The various
requirements and restrictions of the DSA apply dierently depending on the nature of the digital
service being provided, with VLOPs and VLOSEs subject to the most comprehensive controls.
2
Applicability
The DSA imposes obligations on all information society services that oer an intermediary
service to recipients who are located or established in the EU, regardless of whether that
intermediary service provider is incorporated or located within the EU.
Additionally, the DSA imposes cumulative obligations on intermediary services that fall within the
denition of: (i) hosting services; (ii) online platforms and marketplaces; and (iii) VLOPs and VLOSEs.
The chart below aims to help entities navigate the DSA by identifying the cumulative obligations
applicable to each type of in-scope intermediary service.
Am I an information society service?
Do I oer an intermediary service?
I provide a service, normally for remuneration, at a distance
(i.e., I provide the service without the parties being simultaneously present)
I provide a mere conduit
service
(i.e., I provide access to
a communication network
/ I transmit information
provided by the recipient in
a communication network)
Examples
Direct messaging services
and voice over IP (VoIP)
Internet service providers
Virtual private networks
(VPNs)
Domain name registries
I provide a caching
service
(i.e., my service involves
the automatic, intermediate,
and temporary storage of
information for the sole
purpose of ecient onward
transfer of information
provided by the recipient)
Examples
Web and database caching
Reverse / content adaption
proxies
Content delivery networks
I provide a hosting
service
(i.e., I store information
provided by, and at the
request of, a recipient)
Examples
Cloud hosting
Shared hosting
Virtual private hosting
Obligations for all intermediary services are applicable
Continued
+
Obligations for hosting
services are applicable
3
Am I an online platform or online search engine?
I provide an online
platform
My hosting service
stores and disseminates
information to the public (at
the request of the recipient)
I provide an online search
engine
My hosting service allows
users to input queries in
order to perform searches of
all websites or all websites
in a particular language on
the basis of a query in the
form of a keyword, voice
request, phrase or other input
and returns results in any
format to which the requested
content can be found
+
Obligations for online
platforms are applicable
+
Obligations for online
search engines are
applicable
Obligations on online
search engines not
designated as a VLOSE
are limited to transparency
reporting obligations under
Article 24 (as set out below)
Am I an online marketplace?
I provide an online platform that
allows consumers to conclude
distance contracts with traders
+
Obligations for online
marketplaces are applicable
Am I a VLOP or VLOSE?
I have at least 45 million active users in the EU per month on
average and the Commission has designated my service as a
VLOP or VLOSE
+
Obligations for VLOPS and VLOSEs are applicable
Continued
4
Timeline
16 November 2022
17 February 2023
The following provisions came into force on
16 November 2022:
Designation of VLOPs and VLOSEs: The
Commission may designate providers meeting the
relevant thresholds as VLOPs or VLOSEs, following
the completion of the initial transparency reporting
under Article 24 by 17 February 2023 (though failure
to meet the transparency reporting deadline will not
prevent such a provider from being designated as
such). VLOPs and VLOSEs will then have 10 working
days to submit views on their designation, which
the Commission will take into account in its decision
(Article 33(3) to (6)). Once designated as a VLOP or
VLOSE, the provider must comply with applicable
obligations within four (4) months of designation, or by
17 February 2023 (whichever is earlier).
Supervisory fee: The Commission may set and
adopt an annual supervisory fee to be charged
to VLOPs and VLOSEs for the costs associated
with the Commission’s performance of certain
obligations and powers under the DSA.
Enforcement (VLOPs and VLOSEs): The
Commission may (i) take steps related to the
initial and continued supervision, investigation,
enforcement and monitoring of VLOPs and VLOSEs;
and (ii) impose penalty nes of up to 6% of annual
worldwide turnover against VLOPs and VLOSEs for
failure to comply with the DSA (Articles 73-74)).
Delegated acts: The Commission may adopt
delegated acts relating to (i) the procedural steps,
auditing methodologies and reporting templates
for audits performed under the DSA (Article 37(7));
and (ii) technical conditions under which VLOPs
or VLOSEs are to share data and the purposes for
which the data may be used (Article 40(13).
Transparency reporting: The obligations for
transparency reporting are set out in Article 24(2), (3)
and (6). Online platforms and online search engines
must have published their rst transparency report by
17 February 2023. Once every six months thereafter,
providers must publish information on average monthly
active users.
VLOPs and VLOSEs: The applicable, substantive
provisions of the DSA will apply from the earlier of
four months after a providers designation as a
VLOP or VLOSE, or 17 February 2024.
All other intermediary service providers: The
applicable, substantive provisions of the DSA will
apply to these entities from 17 February 2024.
17 February 2024
5
Obligations and Liability
1. Obligations and liability rules applying to all intermediary services
Mere Conduits,
Caching Services
Hosting
Services
Online
Platforms
Online
Marketplaces
VLOPs /
VLOSEs
An intermediary service refers to any of the following services:
a mere conduit service that consists of the transmission in a communication network
of information provided by a recipient of the service, or the provision of access to a
communication network;
a caching service that consists of the transmission in a communication network of
information provided by a recipient of the service, involving the automatic, intermediate,
and temporary storage of that information, for the sole purpose of making more ecient the
information’s onward transmission to other recipients upon their request; or
a hosting service that consists of the storage of information provided by, and at the request
of, a recipient of the service
In relation to the liability of intermediary service providers for content transmitted or hosted on
their services, the DSA maintains the existing exemptions from liability or “safe harbours” under
the e-Commerce Directive. Under the DSA, providers are not liable for content hosted on their
service so long as they either do not know the content is illegal or infringing, or they promptly
remove or block access to that content once aware that it is illegal or infringing. The DSA claries
that intermediary service providers will not lose the benet of the liability exemptions by virtue of
any own-initiative monitoring they carry out on their platforms. However, if a provider does identify
illegal or infringing content via its own-initiative monitoring, it must promptly remove such content
in order to remain within the liability safe harbour. The DSA maintains the e-Commerce Directive
position that providers are not under any general obligation to conduct own-initiative monitoring
for illegal or infringing content or activity.
The DSA makes one substantive change to the historic e-Commerce Directive position on liability
safe harbours, which is to disapply the liability exemptions in relation to an online marketplace
platform providers liability under consumer protection law if that provider presents the relevant
services, products, or information in a way that would lead consumers to believe that the platform
provider itself is providing those services or products.
The DSA imposes certain key obligations applicable to all intermediary services. The key areas
for consideration are:
6
A. Transparency reporting: Publication of annual reports on content moderation
Under Article 15, all providers are required to make publicly available annual reports on
content moderation that they are engaged in. These reports must include information about the
moderation initiative, including information relating to illegal content, use of automated tools,
training measures, and complaints received under complaints-handling systems.
For VLOPs and VLOSEs only, such reports must be published every six months under Article 42
and the report must specify the human resources dedicated to content moderation, the qualications
and linguistic experience of such persons and the indicators of accuracy and related information.
Guidance
To prepare for the DSA coming into force, providers should assess whether their content moderation
dashboards allow them eectively and eciently to extract and report the relevant information.
B. Appointment of points of contact and legal representatives
All providers are required to establish two points of contact: (i) under Article 11 for communication with
the EU Member State Authorities, the Commission, and the European Board for Digital Services (the
Board); and (ii) under Article 12 for rapid and direct communication with the recipients of their services.
Under Article 13, providers not established in the EU but which provide services into the EU must
designate a legal representative in an EU Member State in which it oers its services for the
receipt of, compliance with, and enforcement of decisions issued under the DSA. Notably, such
legal representatives can be held liable for non-compliance with the DSA, without prejudice to the
liability that could be initiated against the provider.
C. Updates to terms and conditions (T&Cs)
Article 14 requires all providers to ensure their terms of service use clear, plain, intelligible,
user-friendly, and unambiguous language. Further, these T&Cs must be available in an easily
accessible and machine-readable format. Providers are also obligated to inform the recipients of
their services of any signicant changes to such T&Cs and to explain the conditions for, and any
restrictions on, the use of their services that are intended for use by minors in such a way that is
understandable to minors.
Guidance
To facilitate compliance with the DSA as a whole, providers should consider whether their T&Cs need to be
updated to reect or to facilitate other applicable obligations arising under the DSA (e.g., their transparency or
content moderation obligations).
D. Content moderation policies and takedown orders
The majority of obligations relating to content moderation apply only to hosting services, online
platforms, and VLOPS/VLOSEs. However, under Article 14(4), all intermediary services providers
are required to ensure that any restrictions imposed on content moderation should have due
regard to the rights and legitimate interests of all parties. In addition, under Articles 9 and 10, all
intermediary services are required to comply with information orders and takedown orders from
regulators and judicial authorities.
7
2. Additional cumulative obligations for providers of hosting services
Mere Conduits,
Caching Services
Hosting
Services
Online
Platforms
Online
Marketplaces
VLOPs /
VLOSEs
A hosting service refers to a service that consists of the storage of information provided by, and
at the request of, a recipient of the service.
For the purposes of the DSA, hosting services include online platforms, online marketplaces,
and VLOPS.
In addition to the obligations above, the DSA imposes further cumulative obligations on providers
of hosting services. The key areas for consideration are:
A. Notice and takedown procedures
Under Article 16, providers of hosting services are required to – in relation to the Article 15
transparency reporting obligations discussed above -- implement mechanisms to allow recipients
of their services to notify them of the presence of allegedly illegal content. These mechanisms
must allow for suciently precise and detailed notices to be submitted. Under Article 17, providers
of hosting services then have an obligation to provide a statement of reasons to the aected user,
which must include the decision taken, the facts and circumstances relied on in taking such a
decision, information on the use of automated means, reference to the legal or contractual ground
relied on (where the decision concerns allegedly illegal content or a violation of T&Cs), and
information on the redress available.
Guidance
To prepare for the DSA coming into force, providers should appraise their notice and action mechanisms to
ensure they meet the standards set under the DSA, and allow for suciently detailed and complex notices to
be submitted, reviewed, judged, and transparently decided upon.
B. Reporting criminal oences
Under Article 18, providers of hosting services are obligated to inform the national law
enforcement or judicial authorities of the relevant EU Member State of any information that gives
rise to suspicions of criminal oences involving a threat to the life or safety of persons.
8
3. Additional cumulative obligations for providers of online platforms
Mere Conduits,
Caching Services
Hosting
Services
Online
Platforms
Online
Marketplaces
VLOPs /
VLOSEs
An online platform is a hosting service that, at the request of a recipient of the service, stores
and disseminates information to the public, unless that activity is a minor and purely ancillary
feature of another service or a minor functionality of the principal service and, for objective and
technical reasons, cannot be used without that other service, and the integration of the feature or
functionality into the other service is not a means to circumvent the applicability of the DSA.
VLOPs and online marketplaces are types of online platform, for the purposes of the DSA.
In addition to the obligations listed above, providers of online platforms are subject to a number of
additional cumulative obligations set out in A to F below. These obligations do not, however, apply
to online platforms that qualify as micro or small enterprises (as dened in Recommendation
2003/361/EC).
A. Redress mechanism for users
Article 20 requires providers of online platforms to maintain an internal complaints-system that
enables the recipients of their services to lodge complaints against a decision to remove, disable,
suspend, or terminate a users access to information, services, or their account. Under Article 21,
providers of online platforms are obligated to inform complainants of their reasoned decision and
the options available to them, including out of court settlement or other redress options.
B. Prioritising trusted aggers
Article 22 requires providers of online platforms to prioritise trusted agger notices. Trusted
aggers are appointed by the new DSA regulator (known as the Digital Services Coordinator) of
the EU Member State where the trusted agger applicant is established and the Commission will
maintain a publicly available database of trusted aggers.
C. Taking measures against abusive notices and counter-notices
Under Article 23, providers of online platforms must suspend, for a reasonable period of time
and after having issued a prior warning, the provision of their services to recipients of the service
who frequently provide manifestly illegal content. In addition, online platforms must suspend the
processing of abusive notices of complainants who submit unfounded notices. This process must
be clearly set out in the providers’ T&Cs, alongside examples of matters taken into account when
assessing what constitutes misuse of notices.
9
D. Safety by design: Non-deceitful online interface and protection of minors
Under the DSA, providers of online platforms are obligated to ensure that their interfaces meet
certain design and accessibility standards. In particular, Article 25 stipulates that providers must
not design online platforms in a deceitful manner that would impair recipients’ ability to make free
and informed decisions. This prohibition seeks to prevent: platform interfaces from promoting
certain user choices over others; repeated requests to the recipient to make a choice which
has already been made; and termination of the service being made more dicult than initial
subscription or sign-up. Under Article 28, if an online platform is accessible to minors, providers
must implement appropriate and proportionate measures to ensure a high level of security,
privacy, and safety of minors.
Guidance
To prepare for the DSA coming into force, providers should audit their online interfaces to ensure that they are
suciently clear, plain, intelligible, user-friendly, and unambiguous when describing compliance with various
DSA standards, distance contracts with traders, and, as discussed below, advertising and user proling.
E. Transparency obligations: Advertising, user proling, and recommender
systems
Under Article 26, providers of online platforms must supply users with information relating to any
online advertisements on its platform so that the recipients of the services can clearly identify that
such information constitutes an advertisement. Providers of online platforms are prohibited from
presenting targeted advertisements based on proling using either the personal data of minors or
special category data (as dened in the GDPR).
Article 27 requires providers of online platforms that use recommendation systems to set out in
their T&Cs the main parameters they use for such systems, including any available options for
recipients to modify or inuence them. Under Article 38, VLOPs and VLOSEs must provide at
least one option (not based on proling) for users to modify the parameters used.
F. Additional transparency reporting: Disputes, suspensions, and monthly
active users
Article 24 imposes additional transparency reporting obligations on providers of online platforms,
in particular submitting reports to the Commission on the number of disputes submitted and
the number of suspensions imposed. Additionally, such providers must publish information on
average monthly active recipients of the service in a section on the online interface.
10
4. Additional cumulative obligations for providers of online marketplaces
Mere Conduits,
Caching Services
Hosting
Services
Online
Platforms
Online
Marketplaces
VLOPs /
VLOSEs
An online marketplace is an online platform that allows consumers to conclude distance
contracts with traders.
In addition to the obligations listed above, providers of online marketplaces are subject to a
number of additional cumulative obligations.
A. KYBC checks and other obligations
Under Article 30, providers of online marketplaces are required to conduct KYBC checks on
new traders oering products or services to consumers in the EU, including vetting information
provided through reliable services. For any existing traders, providers of online marketplaces are
required to make best eorts to do the same.
In addition, providers of online marketplaces must also, under Article 31, ensure that their interfaces
enable compliance with contractual and product safety information applicable under EU law.
11
5. Additional cumulative obligations for VLOPs and VLOSEs
Mere Conduits,
Caching Services
Hosting
Services
Online
Platforms
Online
Marketplaces
VLOPs /
VLOSEs
A VLOP or VLOSE is an online platform or online search engine that has a number of average
monthly active recipients of the service in the EU equal to or higher than 45 million and that is
designated as a VLOP or VLOSE by the Commission under the DSA.
VLOPs and VLOSEs are subject to the most robust obligations in the DSA, in addition to the
cumulative obligations applicable to all online platforms as set out above. The key areas for
consideration are:
A. Conducting risk assessments and establishing a compliance function
Under Article 34, VLOPs and VLOSEs are required to conduct an annual assessment on any
systemic risks stemming from the functioning and use of their services and mitigate risks identied
in such risk assessment by implementing tailored, reasonable, proportionate, and eective
mitigation measures. Such assessments will cover:
dissemination of illegal content;
any negative eects for the exercise of the fundamental rights for private and family life,
freedom of expression and information, the prohibition of discrimination, and the rights of the
child as set out in the EU’s Charter of Fundamental Rights; and
intentional manipulation of their service with actual or foreseeable negative eects on the
protection of public health, minors, civic discourse, or related to electoral processes and
public security.
Under Article 41, VLOPs and VLOSEs must also establish a compliance function that is
independent from operational functions and comprises one or more compliance ocers including
the head of the compliance function.
B. Pay the supervisory fee
Upon designation as a VLOP or VLOSE, such a provider is required to pay an annual supervisory
fee. The amount will be specied in an implementing act to be published by the Commission.
C. Risk management and crisis response
Under Article 36, the Commission may require VLOPs and VLOSEs to take one or more of the
following actions in case of a crisis:
assess whether the functioning and use of their service contribute to a serious threat;
identify specic, eective, and proportionate measures to eliminate such contribution; and
report to the Commission on these assessments.
12
D. External and independent auditing
Under Article 37, VLOPs and VLOSEs must submit annual independent audits to conrm their
compliance with various obligations under the DSA. If the opinion of the auditor is not positive,
the report must also provide operational recommendations on specic measures to achieve
compliance. Within one month of receiving such recommendations, the platform must adopt
an audit implementation report setting out the remedial measures to be implemented. If those
measures were not implemented, it should provide justications for not doing so and any
alternative measures taken to address the non-compliance.
E. Data sharing with authorities
Under Article 40, VLOPs and VLOSEs must provide access to data necessary to monitor their
compliance with the DSA where requested by the relevant Digital Services Coordinator. Within 15
days of receipt of this request, the providers can ask for an amendment to the request if they are
unable to give access to the data requested.
F. Compile a publicly available database on advertisements
Under Article 39, VLOPs and VLOSEs that present advertisements on their online interfaces have
an additional obligation to make publicly available a repository of information relating to these
practices, including information concerning:
the period and content of the advertisement, including the name of the product, service, or
brand and the subject matter;
the person on whose behalf the advertisement is presented and who paid for it (if dierent);
whether the advertisement was intended to be presented to a particular group;
commercial communications published; and
the number of recipients reached.
No personal data should be included in the repository, and for each advertisement, information
about such advertisement should be displayed for the entire period during which the provider
presents the advertisement and for one year after the last time the advertisement was displayed.
G. Content moderation
Article 42 requires VLOPs and VLOSEs to include in their Article 15 transparency reports the
human resources dedicated to content moderation, the qualications and linguistic expertise of
the persons carrying out the activities, and the indicators of accuracy and related information
referred to in such reports.
Guidance
To prepare for the DSA coming into force, VLOPs and VLOSEs should assess whether their content
moderation practices are suciently transparent and well documented so as to ensure they can meet the
reporting standards set under Article 42.
13
Sanctions
Under Article 52, each EU Member State is permitted to determine the penalties applicable to
infringements of the DSA by providers of intermediary services under their competence, with the
maximum penalty for failure to comply with the DSA to not exceed 6% of that intermediary service
provider’s total annual worldwide turnover.
The Commission is empowered to issue binding orders and nes directly against VLOPs and
VLOSEs, with nes to not exceed 6% of the provider’s total annual worldwide turnover, or, in the
case of periodic penalty payments, 5% of the average daily income or annual worldwide turnover
per day.
Furthermore, Article 54 aords recipients of services the right to seek compensation from
providers in respect of damage or loss suered due to an infringement by the providers to comply
with the DSA.
14
Practical Considerations
Providers of intermediary services to recipients who are located or established in the EU
should consider how the DSA could apply to their specic service(s), and should orientate
their future strategy in order to ensure compliance.
The deadline for initial transparency reporting was on 17 February 2023. Online platforms
should ensure that they are in a position to publish accurate information detailing the number
of average monthly active users by 17 August 2023, and every six months thereafter.
As the majority of the DSA operative provisions will come into force on 17 February 2024,
intermediary service providers should consider prioritising their compliance actions in
the intervening period, based on compliance risk for their business and their practical
implementation timescales.
In the short term, intermediary service providers should review existing notices and
processes that may require uplift, or prepare to implement new notices and processes, to
cover the following DSA requirements: notice and take down, user T&Cs, KYBC for online
marketplaces, and transparency reporting.
Contacts
Deborah J. Kirk
Partner, London
+44.20.7710.1194
deborah.kirk@lw.com
Ben Leigh
Associate, London
+44.20.7866.2715
ben.leigh@lw.com
Victoria Wan
Associate, London
+44.20.7710.4686
victoria.wan@lw.com
Amy Smyth
Knowledge Management
Lawyer, London
+44.20.7710.4772
amy.smyth@lw.com
Gail Crawford
Partner, London
+44.20.7710.3001
gail.crawford@lw.com
Jean-Luc Juhan
Partner, Paris
+33.1.40.62.23.72
jean-luc.juhan@lw.com
Susan Kempe-Mueller
Partner, Frankfurt
+49.69.6062.6580
susan.kempe-mueller@lw.com
Lars Kjølbye
Partner, Brussels
+32.2.788.6252
lars.kjolbye@lw.com
Elisabetta Righini
Partner, Brussels
+32.2.788.623
elisabetta.righini@lw.com
Sven B. Völcker
Partner, Brussels
+32.2.788.6242
sven.voelcker@lw.com