Industry

What is the Digital Services Act, and who does it impact?

See how the Digital Services Act (DSA) impacts platforms, intermediaries, marketplaces, and consumers — and what you need to know to stay compliant.

An icon of three people thinking about the digital services act.
Last updated:
3/13/2024
Read time:
Share this post
Copied
Table of contents
⚡ Key takeaways
  • The Digital Services Act (DSA) requires online platforms that operate in the EU and connect consumers with goods, services, and content to create safer digital spaces that protect the fundamental rights of all users.
  • Large online platforms and search engines are held to higher accountability standards and obligations than small platforms and SMEs, but many of the DSA’s fundamental principles apply to all platforms, regardless of size.
  • If your platform hosts sellers or traders of goods or services, you are required to collect certain information from them to verify their authenticity and legality before allowing them to list on your platform.

It’s an understatement to say much has changed online in the 23 years since the EU introduced the e-Commerce Directive. The rise of online marketplaces connecting consumers with an array of products, services, and content from individual sellers and businesses around the globe has forever changed how we research and make purchases — as well as how we communicate. These marketplaces have also made it easier to conduct cross-border trades and reach new markets.

But for all their benefits, marketplaces also have become a hotbed for bad actors and scammers to sell or trade illegal goods, services, and content online. Because of the lack of regulations, marketplaces have had few guardrails as to how they should monitor and flag illegal content and to whom, which has made it challenging for them to maintain trust and safety on their platforms. 

The DSA focuses on modernizing the e-Commerce Directive by regulating online platforms, intermediaries, and marketplaces and creating obligations that better protect consumers’ rights and reduce exposure to illegal content. At the same time, the DSA gives platforms a uniform set of rules across the EU, improving the ability of smaller businesses and start-ups to compete across Europe.

What is the Digital Services Act?

The Digital Services Act (DSA) requires online platforms, hosting providers, and other intermediaries that operate in the EU to create safer digital spaces that protect the fundamental rights of all users. In effect since August 25, 2023, the DSA delivers a single transparency and accountability framework across the EU to protect consumers from illegal content, including goods and services. The DSA also requires online platforms to provide a mechanism to allow users to flag illegal content.

Together with the Digital Markets Act (DMA), which aims to level the playing field for innovation and competition in online markets and imposes additional regulations for large conglomerates such as Amazon, Apple, Google, Meta, and Microsoft, the two regulations form a common set of rules that apply across the EU and represent a major step toward protecting consumers from harm while providing greater choice.

What are the requirements of the DSA?

The DSA touches virtually every type of service provider in the online ecosystem that operates in the EU, including:

  • Intermediary services providers, defined as companies offering network infrastructure, including internet access providers and domain name registrars;
  • Hosting services providers, such cloud and web hosting service; and
  • Online platforms that bring together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms, and social media platforms.  

The requirements for each category become progressively more stringent as they move closer to touching the actual consumer. 

Intermediary service providers must have:

  • A single point of contact for regulators and the public;
  • A designated legal representative in the EU, even if the company is not established in the EU;
  • Fair and transparent terms and conditions that address content moderation; and
  • A mechanism to publish reports on content moderation and the removal of illegal or non-compliant content.

In addition to the above, hosting services must also have:

  • “Notice and action” mechanisms that allow users to flag illegal content along with a sufficient explanation as to the reason it is illegal; and
  • A way to communicate with the reporting user what action was taken against the reported content (e.g., restriction, removal, or termination) and why (or why not).

If hosting service providers become aware of content that could involve a threat to the life or safety of an individual or individuals, they must immediately inform law enforcement.

Finally, online platforms must adhere to all of the above and, in their “notice and action” mechanism, they must create a “trusted flagger” role for certain individuals who meet specific criteria, whose notifications must be acted on without delay.

It’s worth noting that the DSA lays out EU-wide rules that dictate that online service providers must put into place transparent mechanisms to detect, flag, and remove “illegal content” from their platform, but leaves the definition of illegal content to other laws at the EU or national level. 

Tiered requirements based on size

Recognizing that the universe of online platforms and service providers is as large as it is diverse, the DSA takes the size of the organization and the risk it poses to consumers into account and tiers requirements accordingly. Following that principle, very large online platforms and very large online search engines — designated as those reaching at least 45 million active users in the EU — are held to higher accountability standards and obligations than other online platforms. In order to prevent abuse of their systems, these platforms are required to take risk-based action and conduct independent audits of their risk management systems.

On the other hand, small and micro enterprises — platforms with fewer than 50 employees or whose annual revenue does not exceed 10 million euros — are excluded from the most costly and burdensome obligations (e.g., audits) but are free to apply the best practices for a competitive advantage.

Free guide
Learn about regulations for online marketplaces + platforms

What information do I need to collect to be compliant with DSA?

If you host anyone selling or promoting goods or services, the DSA requires you to collect the following information before allowing them to promote messages or offer products or services on your platform:

  • Name, address, telephone number, and email address
  • Identity documentation
  • Bank account details (for a person)
  • Registration number (for a business)

What’s more, not only must sellers self-certify that they offer only products or services that comply with applicable laws, but you, as the online platform provider, must also make reasonable efforts to confirm the reliability of seller or trader information. If it’s inaccurate or incomplete, you are required to gather the correct information or stop the trader from participating on your platform. You may use official online databases or trustworthy supporting documents to verify traders’ information before reporting to Digital Services Coordinators, who are appointed by the EU and will ensure businesses are compliant. 

Furthermore, if you become aware of an illegal product or service, you are required to inform the consumers who purchased these products or services of their illegality, the identity of the seller, and any means of redress. 

What are the penalties for non-compliance?

The DSA imposes steep penalties for noncompliance: the maximum penalty for a failure to comply with the DSA’s obligations is 6% of a provider’s global annual gross revenues. If you knowingly supply incorrect, incomplete, or misleading information to a regulator, you may be subject to a maximum fine of 1% of global annual gross revenues. In addition, since both the DSA and the DMA have overlapping requirements with the GDPR, you could be hit with multiple violations if you don’t meet the compliance obligations.

Preparing your business for DSA

If your platform operates in the EU, you should evaluate whether your business already has mechanisms and procedures in place to ensure compliance with the DSA — or what changes you need to make to provide a safe, trustworthy, and transparent environment for consumers.

DSA requirements became obligatory for all platforms on February 17, 2024, making it critical to have answers to these questions and factor them into your compliance strategy:

  • Do you already collect and verify the data you need from sellers for other reporting purposes like DAC7? If not, what do you need to do, process- and systems-wise, to collect and verify that data?
  • Do you need to amend any terms and conditions (T&Cs) or posted consent policies to facilitate data collection from sellers and notification requirements?
  • Which new or additional steps do you need to take to protect the data you collect?
  • What is your current process for communicating with buyers and users of products and services available on your platform that are later deemed illegal?
  • Are you subject to other regulations or laws that have similar collection, verification, and reporting requirements with which you can combine efforts?

How Persona can help

To help platform operators comply with the DSA, our no-code platform can be configured to quickly onboard, verify, and reverify any seller, trader, or merchant. You have the freedom to determine the information you’ll collect from sellers and how you’ll verify this data — whether it involves document verification, business verification, bank account verification, or any combination of techniques.

If you do business in the EU but you’re also based in the U.S., you’re also in scope for compliance with the new INFORM Consumers Act that takes aim at online fraud by adding more transparency to online transactions. You can use Persona’s Know Your Seller solution to comply with the INFORM Act, making Persona a valuable partner across your compliance efforts.

Interested in learning more? Start for free or get a custom demo today.

Case study
See how Discogs meets INFORM Act compliance with Persona

Published on:
10/20/2023

Frequently asked questions

No items found.

Continue reading

Continue reading

Identity proofing: what it is and why it matters
Identity proofing: what it is and why it matters
Industry

Identity proofing: what it is and why it matters

Learn what identity proofing entails and how to incorporate it into your business to prevent fraud.

Employment identity verification: what it is and why it matters
Employment identity verification: what it is and why it matters
Industry

Employment identity verification: what it is and why it matters

Find out why you need to verify prospective employees’ identities — and how to actually do it.

How to check if a company is legitimate: a step-by-step guide
How to check if a company is legitimate: a step-by-step guide
Industry

How to check if a company is legitimate: a step-by-step guide

Find out which verification methods to use — and how a KYB tool can streamline the process.

DAC7 compliance: What is it, and who does it impact?
Industry

DAC7 compliance: What is it, and who does it impact?

See how DAC7 impacts businesses, consumers, and governments, and understand what you need to know to stay compliant. Learn how Persona can help.

What is the INFORM Consumers Act?
Industry

What is the INFORM Consumers Act?

The INFORM Consumers Act is a law aimed at restricting online shopping fraud, while the SHOP Safe Act is a bill with the same goal. Learn more.

Top GDPR statistics businesses must know
Industry

Top GDPR statistics businesses must know

GDPR is one of the most extensive regulations governing data collection. Learn who it affects, the types of data it covers, and more.

Ready to get started?

Get in touch or start exploring Persona today.