Regulation (EU) 2022/2065
In force · 16 Nov 2022
Fully applicable · 17 Feb 2024

The Digital Services Act, made visible.

Europe's rewrite of the rules of the open internet. The DSA layers obligations onto online intermediaries by reach and impact: the bigger your platform, the heavier your duties of transparency, accountability and risk control. A guide for founders, counsel, and anyone trying to read the regulation without reading 102 pages of it.

45M: Monthly active recipients · the VLOP / VLOSE designation threshold
6%: Maximum fine, calculated on worldwide annual turnover
4 tiers: Layered obligations from mere conduit up to very large platforms
27 EU Member states · each designating an independent Digital Services Coordinator
§ 01 · Articles 11–48

One regulation, four layers of duty.

Unlike the AI Act's risk pyramid, the DSA stacks. Every intermediary inherits a baseline of obligations; hosts add more; online platforms add more again; very large platforms shoulder the full weight.

Tier 01 · All intermediary services: The baseline · everyone in scope
Tier 02 · Hosting services: Stores user content · cloud, web hosts
Tier 03 · Online platforms: Brings sellers / users together · marketplaces, social
Tier 04 · VLOPs & VLOSEs: ≥ 45M monthly EU users
§ 02 · Article 3 · Definitions

Five kinds of intermediary.

The DSA's obligations attach to defined service types. Get the type wrong and the wrong rulebook applies. The taxonomy borrows from the e-Commerce Directive and refines it for the platform economy.

Mere conduit

The pipe

Transmits information without selection or modification. Internet access providers, content delivery networks, public WiFi.

Article 4 · liability shield strongest here
Caching

The accelerator

Automatic, intermediate, temporary storage performed for the sole purpose of more efficient transmission.

Article 5 · technical-only intervention
Hosting

The shelf

Stores information at the request of a recipient. Cloud and web hosting; everything that holds user content sits on top of this.

Article 6 · safe harbour conditional on action
Online platform

The marketplace

A subset of hosting that disseminates information to the public at the request of users. Marketplaces, app stores, social networks, collaborative-economy platforms.

Articles 19–32 · platform-specific duties
VLOP & VLOSE

The system

Online platforms or search engines reaching at least 45 million monthly active recipients in the Union, roughly 10% of the EU population. Designated by Commission decision.

Article 33 · designation triggers Section 5 regime
◇ Country-of-origin · preserved
The DSA keeps the e-Commerce Directive's country-of-origin principle: providers comply with the law of the Member State where they are established when operating across the EU. The limited-liability regime (no liability for content unless aware of it) and the ban on general-monitoring obligations are also preserved. The DSA layers due-diligence duties on top; it does not replace these foundations.
§ 03 · The Compliance Map

Who must do what.

A single grid that answers most first-order DSA questions: pick your tier across the top, run down the rows, and you can see the obligations that attach. Filled dots mean the duty applies; outlined dots mean it does not. Read this once and the architecture of the regulation becomes legible.

Columns: Obligation · Article · Intermediary (all in scope) · Hosting (+ above) · Platform (+ above) · VLOP / VLOSE (full regime)

Single point of contact for authorities & users · Art. 11–12
Legal representative in the Union (non-EU providers) · Art. 13
Terms & conditions: clear, machine-readable, fundamental-rights aware · Art. 14
Annual transparency reports on content moderation · Art. 15
Notice & action mechanism for illegal content · Art. 16
Statement of reasons for moderation decisions · Art. 17
Internal complaint-handling system & out-of-court dispute settlement · Art. 20–21
Priority handling of trusted-flagger notices · Art. 22
Ban on deceptive interface design ("dark patterns") · Art. 25
Online-ad transparency & ban on targeting minors / sensitive data · Art. 26 + 28
Recommender-system transparency in T&Cs · Art. 27
Know-your-business-customer for marketplace traders · Art. 30–32
Annual systemic-risk assessment · Art. 34
Mitigation measures for identified systemic risks · Art. 35
Crisis-response mechanism (war, pandemic, terrorism) · Art. 36
Independent annual audit of compliance · Art. 37
At least one non-profiling recommender option · Art. 38
Public ad repository, retained for one year · Art. 39
Data access for vetted researchers & authorities · Art. 40
Internal compliance function with reporting line to the board · Art. 41
Annual supervisory fee paid to the Commission · Art. 43

Legend: Applies · Applies only to marketplaces / certain subtypes · Does not apply
◇ SME & micro-enterprise carve-out · Article 19
Online platforms qualifying as micro or small enterprises (under the Annex to Recommendation 2003/361/EC) are exempt from the platform-specific obligations in Section 3 of Chapter III, including complaint handling, trusted flaggers, dark-pattern rules, ad transparency and recommender disclosures. The exemption falls away if the platform later qualifies as a VLOP.
§ 04 · Article 33

The number that unlocks the heaviest regime.

A single threshold, average monthly active recipients in the EU, separates the ordinary online platform from the systemic one. Cross it, and a different DSA applies: direct Commission supervision, mandatory risk assessment, audits, data access, the works.

45M
Monthly active recipients · 10% of the EU population

Article 33(1): A platform or search engine is designated a VLOP or VLOSE when it has an average of ≥ 45 million active recipients of the service per month in the Union, calculated over the preceding six months.

Once designated by Commission decision, the provider has four months to comply with Section 5 obligations. The threshold is dynamic: falling below it for a full year removes the designation; the Commission also reviews the figure as the EU population shifts.

Designation
Article 33
Commission identifies platforms by published recipient counts; designates by reasoned decision; designation reviewed at least annually.
Risk regime
Articles 34–35
Annual systemic-risk assessment across four categories; reasonable, proportionate, effective mitigation measures.
Direct supervision
Articles 56 + 64–66
The Commission has exclusive enforcement over Section 5 obligations of designated services. National DSCs handle everything else.
Supervisory fee
Article 43
VLOPs and VLOSEs fund their own oversight: capped at 0.05% of annual worldwide net income; covers Commission costs.
§ 05 · Article 34

The four systemic risks.

VLOPs and VLOSEs must, at least annually, identify, analyse and assess any systemic risks stemming from the design or functioning of their service. The Act enumerates four categories, and the assessment must look at how recommender systems, algorithmic systems, content-moderation systems, applicable T&Cs, and ad systems each contribute.

34(1)(a)

Dissemination of illegal content

Including child sexual abuse material, illegal hate speech, terrorist content, IP-infringing material, illegal goods on marketplaces. Spread is the focus, not isolated occurrence.

Recital 80 · scale & amplification
34(1)(b)

Adverse effects on fundamental rights

Charter rights: human dignity, private and family life, personal-data protection, freedom of expression and information, non-discrimination, child rights, consumer protection.

Recital 81 · Charter cross-reference
34(1)(c)

Civic discourse, electoral processes & public security

Disinformation campaigns, coordinated inauthentic behaviour, manipulation of public debate or election outcomes, threats to public security.

Recital 82 · democracy & security
34(1)(d)

Gender-based violence, public health & minors

Including effects on physical and mental wellbeing of users, particularly minors. Covers serious negative consequences to a person's mental health.

Recital 83 · vulnerable users
⚡ Mitigation must be reasonable, proportionate, effective · Art. 35
Mitigation is the deliverable. Identified risks must be matched with measures: adapting design, recommender systems or moderation; reinforcing internal processes; piloting measures with the European Board for Digital Services; cooperating with trusted flaggers and crisis protocols. The Commission may issue guidelines and the Board publishes annual reports on the most prominent risks.
§ 06 · Articles 49–66

Who watches the watchers.

The DSA's enforcement architecture is dual-track. National regulators handle most of the regulation; the European Commission handles the largest platforms directly. A coordination body sits between them. This is unusual in EU law, and the reason VLOPs negotiate with Brussels rather than capitals.

Direct enforcement · VLOPs & VLOSEs

European Commission

Exclusive competence over Section 5 obligations of designated very large platforms and search engines. Investigations, requests for information, on-site inspections, interviews, interim measures, binding commitments, non-compliance decisions, periodic penalty payments.

Coordination · Article 61

European Board for Digital Services (EBDS)

Independent advisory group composed of all national Digital Services Coordinators, chaired by the Commission. Advises on consistent application; coordinates joint investigations; issues opinions, recommendations and guidance; supports cross-border dispute resolution.

National level · Article 49

Digital Services Coordinator (DSC)

One independent authority per Member State. Receives complaints, coordinates with sectoral regulators, supervises providers established in its territory, designates trusted flaggers and out-of-court dispute bodies, has investigative and enforcement powers.

National level · sector specialists

Other competent authorities

Member States may designate additional authorities (data protection, audiovisual, consumer) under DSC coordination. Cross-border cooperation, mutual assistance, and joint investigations are required by the regulation.

Jurisdiction · ordinary providers
DSC of the country of establishment
If the provider has no EU establishment, jurisdiction follows the legal representative; failing that, the DSC of any Member State where the service is offered.
Jurisdiction · VLOPs & VLOSEs
European Commission · exclusive on Section 5
National DSCs retain competence for non-Section-5 obligations of VLOPs and may request the Commission act when concerns cross borders.
§ 07 · Article 93

The phased switch-on.

The DSA was adopted faster than the AI Act and applied earlier. VLOPs felt the regime first, in 2023; the rest of the platform economy followed in early 2024.

27 OCT 2022
Published in OJ
Regulation 2022/2065 in the Official Journal of the European Union, L 277.
16 NOV 2022
Entry into force
20 days after publication. Member States begin designating Digital Services Coordinators.
25 APR 2023
First VLOP / VLOSE list
Commission's first wave of designations: 17 VLOPs and 2 VLOSEs. Four-month compliance clock starts.
25 AUG 2023
VLOP regime live
First-wave designated services must comply with the full Section 5 regime: risk assessment, audit, ad repository, recommender disclosures.
17 FEB 2024
General application
DSA fully applicable to all in-scope intermediaries across the EU. National DSC powers active.
§ 08 · Articles 52 + 74

Three tiers of fine.

Penalties are calibrated to the seriousness of the breach. As with the GDPR and the AI Act, percentages of worldwide annual turnover make the DSA materially significant for global businesses, not merely those headquartered in Europe.

Tier 01 · Most severe
6% of worldwide annual turnover · maximum
Breach of DSA obligations
Maximum fine for substantive infringements of the regulation: failure to comply with due-diligence obligations, risk-assessment duties, ad-targeting prohibitions, content-moderation rules.
Tier 02 · Information failure
1% of worldwide annual income · maximum
Incorrect, incomplete or misleading information; failure to reply or rectify
Applies to information requests during investigations; failures to submit to inspections; non-compliance with Commission information requests under Section 5.
Tier 03 · Daily compulsion
5% of average daily worldwide turnover · per day
Periodic penalty payments
Daily-rate fines to compel compliance with information requests, inspections, interim measures, binding commitments, or non-compliance decisions adopted by the Commission against VLOPs / VLOSEs.
⚡ Right to compensation · Article 54
Beyond regulator fines, recipients of the service have a direct civil right to seek compensation from providers for damage or loss suffered due to infringements of the DSA. This is a private enforcement layer running parallel to the public one. It does not require the Commission or a DSC to have first acted.
§ 09 · Self-Assessment

Where does your service land?

A guided walk through the DSA's logic. Up to five questions to identify which tier applies and surface the obligations that follow. A heuristic, not legal advice. Articles 3, 19 and 33 govern the actual classification.