The Digital Services Act Explained
Table of Contents
- Introduction
- Chapter 1 What is the Digital Services Act and Who Does it Apply To?
- Chapter 2 Understanding Your Obligations: A Tiered Approach
- Chapter 3 The Basics: Obligations for All Intermediary Services
- Chapter 4 Hosting Services: Additional Responsibilities
- Chapter 5 Online Platforms: A Higher Bar for Due Diligence
- Chapter 6 Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs): The Strictest Rules
- Chapter 7 What Constitutes 'Illegal Content'?
- Chapter 8 Notice and Action Mechanisms: Handling Reports of Illegal Content
- Chapter 9 Transparency in Content Moderation: What You Need to Report
- Chapter 10 Terms and Conditions: Clarity and Fairness for Users
- Chapter 11 Internal Complaint-Handling Systems: A User's Right to Appeal
- Chapter 12 Out-of-Court Dispute Settlement: An Alternative to Litigation
- Chapter 13 Trusted Flaggers: Prioritizing Notices from Reliable Sources
- Chapter 14 Combating Misuse of Your Services
- Chapter 15 Traceability of Business Users on Online Marketplaces
- Chapter 16 Designing for Compliance: User Interfaces and Dark Patterns
- Chapter 17 Advertising Transparency: What Users Need to Know
- Chapter 18 Recommender Systems: Explaining the Logic to Users
- Chapter 19 Protecting Minors Online
- Chapter 20 Systemic Risk Assessment for VLOPs and VLOSEs
- Chapter 21 Mitigating Systemic Risks: Measures You Must Take
- Chapter 22 Independent Audits and Compliance for VLOPs and VLOSEs
- Chapter 23 Data Access for Researchers and Authorities
- Chapter 24 Enforcement: The Role of Digital Services Coordinators and the European Commission
- Chapter 25 Penalties for Non-Compliance
- Afterword
Introduction
It’s hard to imagine a day without them. From the moment you wake up and check the news on your phone, to the social media scroll during your lunch break, to ordering a new pair of headphones from an online marketplace in the evening, digital services are the invisible architecture of modern life. They are our town squares, our shopping malls, our post offices, and our libraries, all rolled into one and accessible from the palm of our hand. Companies that provide these services—search engines, social networks, e-commerce sites, and cloud storage providers—have become some of the most powerful and influential entities in the world, shaping how we communicate, shop, learn, and perceive the world around us.
For two decades, the legal landscape for these services in the European Union was largely governed by the E-Commerce Directive, a piece of legislation from the year 2000. To put that in perspective, in 2000, the dot-com bubble was just beginning to burst, Google was a plucky upstart, and the concepts of a "smartphone" or a "social network" as we know them today belonged to the realm of science fiction. The E-Commerce Directive was revolutionary for its time, establishing a foundational principle: intermediary services generally weren’t liable for the content their users uploaded. This "safe harbor" provision was crucial. It allowed the nascent digital economy to flourish, giving rise to the innovative platforms and services we now use daily without them being crushed by the fear of constant litigation.
However, the digital world of the 2020s is a vastly different place from the one that existed at the turn of the millennium. The sheer scale and influence of these platforms have grown exponentially. While they have brought immense benefits, they have also created new and complex challenges. The same platforms that connect us with loved ones can also be used to spread illegal hate speech. The marketplaces that offer unparalleled choice and convenience can also be exploited to sell dangerous or counterfeit goods. The services that give a voice to the voiceless can be manipulated by coordinated disinformation campaigns that threaten public health and democratic processes.
As these issues became more pronounced, individual EU member states began to act. Germany introduced the NetzDG law to combat hate speech, France passed legislation against the manipulation of information, and other countries began exploring their own rules. While well-intentioned, this created a growing problem: the fragmentation of Europe's digital single market. A service provider operating across the EU might have to navigate a complex patchwork of 27 different sets of rules on issues like content moderation and due diligence. This legal uncertainty was a headache for established players and a significant barrier to entry for smaller startups and innovators. It was clear that a new, harmonized approach was needed.
This is the world into which the Digital Services Act, or DSA, was born. Paired with its sibling, the Digital Markets Act (DMA), the DSA represents the EU's landmark effort to update its digital rulebook for the modern age. If the DMA is about the economic power of the largest "gatekeeper" platforms, the DSA is about societal responsibility. Its stated aim is to create a safer, more predictable, and trustworthy online environment. It seeks to protect the fundamental rights of users, establish clear lines of accountability for online platforms, and do so with a single, uniform set of rules that applies across the entire European Union.
So, what does this mean for you? If you are an engineer, a product manager, a business executive, or anyone working for a company that offers digital services to users in the EU, the DSA is not just another piece of legal jargon to be handed off to the lawyers. It is a regulation that will directly impact how you design your products, moderate content, interact with your users, and report on your activities. It introduces new obligations, new processes, and new standards of transparency and accountability that will need to be baked into the very fabric of your services.
This book is designed specifically for you: the non-lawyer who needs to understand the DSA to do your job effectively. If you've ever attempted to read a piece of EU legislation from start to finish, you might have found it a more effective sleep aid than a warm glass of milk. The language is dense, the cross-references are numerous, and it’s often difficult to see the forest for the trees. The goal of this book is to cut through that complexity. We will translate the legal requirements of the DSA into a practical, operational guide that you can use. We will explain not just what the rules are, but why they exist and what they mean for your day-to-day work.
The DSA is built on a clever and proportionate principle: with great power comes great responsibility. The Act doesn't treat every website and app the same. Instead, it creates a tiered system of obligations. The more reach and impact a service has, the more stringent its responsibilities become. This book is structured to mirror that approach. We will start with the foundational rules that apply to all "intermediary services," a broad category that includes everything from your local internet service provider to the largest cloud hosting company. These are the basics of the new digital rulebook.
From there, we will move up the ladder. We'll look at the additional obligations that apply to "hosting services"—companies that store user information. This is where we first encounter one of the DSA's core mechanisms: the requirement to have clear, user-friendly "notice and action" systems for reporting illegal content. This is a critical area for anyone involved in trust and safety, content moderation, or user support.
Next, we'll examine the rules for "online platforms," such as social networks and online marketplaces. This is where the DSA introduces a significant number of new requirements. We'll cover everything from the need for internal complaint-handling systems, giving users a right to appeal moderation decisions, to new rules on advertising transparency and the prohibition of certain "dark patterns" in user interface design. If you're a UX designer, an ad-tech engineer, or a product manager for a consumer-facing platform, these chapters will be essential reading.
Finally, we will dedicate a significant portion of the book to the top tier of the DSA's regulatory pyramid: the "Very Large Online Platforms" (VLOPs) and "Very Large Online Search Engines" (VLOSEs). These are the giants of the internet, platforms with more than 45 million active users in the EU. The DSA subjects these players to the most demanding obligations, rooted in the idea that their scale creates systemic risks for society. We will unpack what these systemic risks are—from the spread of disinformation to the impact on mental well-being—and explore the DSA's requirements for risk assessment, mitigation, independent auditing, and providing data access to researchers and regulators.
Throughout this journey, we will break down key concepts into understandable parts. What exactly does the DSA mean by "illegal content"? How does a "trusted flagger" system work? What are the new traceability requirements for sellers on online marketplaces? We will answer these questions and many more, using clear language and practical examples. We will stick to the facts, explaining what the law requires without getting bogged down in legal theory or political commentary. The goal is to empower you with a working knowledge of the Act.
The digital landscape is at an inflection point. The era of self-regulation and a hands-off approach is giving way to a new paradigm of co-regulation and accountability. The Digital Services Act is at the forefront of this global shift. Understanding it is no longer optional for those building and managing digital services; it is essential. Whether you are part of a small startup hoping to scale in the European market or a team within a global tech giant, this book will provide you with the clear, practical guidance you need to navigate this new terrain with confidence. Let’s begin.
CHAPTER ONE: What is the Digital Services Act and Who Does it Apply To?
At its heart, the Digital Services Act is the European Union's ambitious attempt to write a new rulebook for the internet. Its primary goal, as stated in the very first article of the legislation, is to contribute to the "proper functioning of the internal market for intermediary services." That’s a very formal way of saying it wants to make sure that the digital economy across all 27 EU member states works smoothly, fairly, and safely for everyone. The law aims to create a harmonized set of rules for a "safe, predictable and trusted online environment" where innovation can thrive and the fundamental rights of users are protected.
To understand the DSA, the first and most crucial question to answer is: who does it actually apply to? The answer lies in that key phrase: "intermediary services." This is a broad legal term, but the DSA helpfully breaks it down into three distinct categories. If your company provides any of these services to users within the European Union, then congratulations—or perhaps commiserations—the DSA applies to you. Think of these categories as nesting dolls, each with its own set of rules that we will explore in later chapters. For now, let's just get to know the dolls themselves.
The first and most basic type of intermediary service is a 'mere conduit' service. This is the fundamental plumbing of the internet. These services are all about transmitting information from point A to point B through a communication network or providing access to that network. The key characteristic here is neutrality; the provider doesn't initiate the transmission, select who receives it, or modify the content passing through its pipes. They are simply the digital couriers.
This category includes the companies that form the bedrock of internet connectivity. Your Internet Service Provider (ISP), whether it’s providing your home broadband or your mobile data, is a classic example of a mere conduit service. Other examples include internet exchange points that route traffic between networks, the provider of the Wi-Fi at your local coffee shop, and Virtual Private Network (VPN) services. Even foundational internet services like the Domain Name System (DNS), which translates human-readable web addresses like www.example.com into the IP addresses that computers understand, fall into this category. The rules for these services are the most basic, as they have the least direct involvement with the content itself.
The second category is 'caching' services. This is a slightly more technical but common type of service. Caching involves the automatic, intermediate, and temporary storage of information for the sole purpose of making its onward transmission more efficient. In simpler terms, it’s about making a temporary copy of data and storing it closer to the user to speed things up. When you watch a popular video online, it’s likely that a copy of that video is stored on a server near you, so it doesn’t have to travel all the way from a server on the other side of the world every single time someone in your city wants to watch it.
The most prominent example of a caching service is a Content Delivery Network, or CDN. These are vast, geographically distributed networks of servers that companies use to deliver web content and videos to users quickly and reliably. By storing copies of content in multiple locations, they reduce latency and improve the user experience. The DSA recognizes that, like mere conduit services, these providers are primarily engaged in a technical process to improve efficiency and therefore have a specific, limited set of obligations reflecting their role.
The third and broadest category is 'hosting' services. This is where the majority of online services that we interact with daily fall. A hosting service is defined simply as a service that consists of the storage of information provided by, and at the request of, a user. If your service allows users to upload, post, or store their own content on your servers, you are a hosting service. This is a massive and diverse category.
It includes infrastructure services like cloud computing providers (think Amazon Web Services or Microsoft Azure) and web hosting companies that rent out server space for people to run their websites. It also includes the consumer-facing services that are built on top of that infrastructure. File storage and sharing services like Dropbox or Google Drive are hosting services. Social media networks where you post updates, photos, and videos are hosting services. Online marketplaces where sellers list their products are hosting services. Video-sharing platforms are hosting services. Even a simple online forum or a blog that allows user comments is, in that capacity, a hosting service. Because these services actively store user content for a potentially indefinite period, the DSA places a greater set of responsibilities on them, which we will detail in the chapters to come.
It's important to grasp that these categories are based purely on technical function. A single company can provide multiple types of intermediary services at the same time. For example, a large tech company might offer a cloud hosting service (hosting), operate a content delivery network (caching), and also run its own massive fiber optic network that acts as an ISP (mere conduit). In such cases, the rules of the DSA apply to each service according to its specific function.
So, you've determined your service falls into one of these three categories. The next question is a geographical one: does it matter where your company is based? The answer is a clear and resounding no. The DSA applies to all intermediary services that are offered to recipients in the Union, "irrespective of where the providers of those intermediary services have their place of establishment." This is a crucial principle designed to ensure a level playing field and prevent companies from sidestepping the rules by setting up their headquarters outside the EU.
The determining factor is whether your service has a "substantial connection to the Union." This connection can be established in a couple of ways. The most straightforward is having an establishment in the EU, such as a head office, a subsidiary, or even a branch office. However, even without a physical presence, a company can still be deemed to have a substantial connection.
This can happen if you have a "significant number of recipients of the service in one or more Member States in relation to its or their population." The DSA doesn't provide a hard number for this, as it's a relative measure. A niche service with one million users in Germany might be considered significant, while a global service with the same number of users spread thinly across the entire EU might not. It is a case-by-case assessment.
The other way to establish a substantial connection is by "the targeting of activities towards one or more Member States." The law provides several clear indicators of what this means in practice. This could include using a language or currency common in an EU country, offering the ability to order products or services to be delivered there, or using a relevant country-code top-level domain, such as .de for Germany or .it for Italy. Other factors could be offering your app in a national app store, running local advertising campaigns, or providing customer service in a language spoken in a Member State. The simple fact that a website is technically accessible from the EU is not, on its own, enough to establish a substantial connection. There must be some demonstrable intent to offer the service to people in the Union.
Having established who the DSA applies to, let's clarify what it applies to. The regulation lays down harmonized rules on due diligence obligations. This means it sets out the responsibilities and standards of care that intermediary services must exercise. It creates a framework for how these companies should deal with illegal content, how transparent they must be about their content moderation practices, and how they should design their systems to protect users.
Crucially, the DSA is a "horizontal" piece of legislation. It doesn't target a single industry but sets a baseline of rules that apply across the board to all intermediary services. Its goal is to stop the fragmentation of the internal market, where a company might have to comply with 27 different national laws on, for example, how to handle hate speech. Under the DSA, there is one set of rules. Member States are generally not allowed to adopt their own, additional national requirements on matters that fall within the scope of the DSA.
It’s also important to understand what the DSA doesn't do. It only applies to the intermediary service itself, not to the underlying goods or services being sold or offered through it. For example, the DSA sets rules for an online platform that allows you to book a ride-sharing service, but it doesn't affect the national laws that regulate the taxi service itself. It regulates the online marketplace, not the safety standards of the toaster being sold on it; those are covered by separate product safety laws.
The DSA also doesn't exist in a legal vacuum. It is designed to work alongside a whole suite of other EU laws. It explicitly states that it is without prejudice to Union law on copyright. So, if you run a video-sharing platform, you still need to comply with the specific rules laid out in the EU Copyright Directive. Most importantly, the DSA is not a replacement for the General Data Protection Regulation (GDPR). Any and all processing of personal data must still comply with the strict requirements of the GDPR. Similarly, the DSA complements, rather than replaces, existing consumer protection laws. It builds a new digital safety layer on top of the legal foundation that already exists.
Finally, to navigate the rest of this book, it's helpful to get acquainted with a few more key definitions right from the start. We’ve already covered "intermediary services," but within that broad family, the DSA singles out two particularly important members: 'online platforms' and 'online search engines'.
An 'online platform' is a specific type of hosting service. What sets it apart is that it doesn't just store information for a user; it also "disseminates that information to the public" at the user's request. This is the key distinction. A cloud storage service where you keep your private files is a hosting service, but it's not an online platform. A social media network where you post a message for your friends and followers to see is an online platform. An online marketplace where a seller lists a product for anyone to buy is an online platform. This act of public dissemination is what gives these services a greater societal impact, and as we'll see, it comes with a greater set of responsibilities under the DSA. The law does carve out an exception for features that are "merely a minor and purely ancillary" part of another service, such as the comments section of an online newspaper.
An 'online search engine' is defined much as you would expect: a service that allows users to search the web based on a query and returns results.
The last crucial definition to introduce here is 'illegal content'. The DSA's definition is exceptionally broad: "any information that, in itself or in relation to an activity... is not in compliance with Union law or the law of any Member State." This doesn't just mean content that is inherently illegal, like terrorist material or child sexual abuse imagery. It also covers information that relates to illegal activities, such as the sale of counterfeit goods, the offering of an unlicensed accommodation service, or the non-authorized use of copyrighted material. It is a catch-all term that is defined by other laws. The DSA doesn't create new categories of what is illegal; it simply provides the framework for how intermediary services must deal with content that is deemed illegal under existing EU or national laws. We will dedicate an entire chapter to unpacking this vital concept, but for now, it's enough to understand its vast scope.
With these foundational concepts in place—the types of intermediary services, the geographic reach of the Act, and the key definitions of 'online platform' and 'illegal content'—we are now equipped to begin our journey into the specific obligations that the Digital Services Act imposes. The central principle to keep in mind is that of proportionality: the rules are tiered, and as a service's potential impact on society grows, so too do its responsibilities.
This is a sample preview. The complete book contains 28 sections.