What is the Digital Services Act, and who does it impact?
The Digital Services Act (DSA) likely applies to your business if you connect buyers and sellers, host user-generated content, or operate another type of online marketplace in the EU.
The law’s complex compliance requirements are designed to protect users and combat illegal content. It does this by requiring platforms to implement transparent content moderation, verify seller information, and create safer digital environments.
The penalties for noncompliance are steep — up to 6% of your global annual revenue, plus additional penalties and temporary suspensions for ongoing noncompliance. So it's worth taking the time to understand what’s required and have a plan for complying with the DSA.
What is the Digital Services Act?
The Digital Services Act (DSA) created a single framework across the EU that aims to:
Stop the spread of disinformation online.
Protect children when they’re online.
Remove illegal content, including illegal products and services, from online marketplaces.
Give users more control over their online experience and offer them a mechanism for flagging illegal content.
Create more transparency over content moderation decisions.
Help smaller platforms and companies compete and grow in the EU.
The EU Parliament and Council passed the DSA in late 2022. Several very large online platforms (VLOPs) and very large online search engines (VLOSEs) had to comply by the summer of 2023, and the law was fully implemented in February 2024.
What are the requirements of the DSA?
The DSA applies to several types of organizations that offer online services in the EU, including:
Intermediary services providers, defined as companies offering network infrastructure, including internet access providers and domain name registrars;
Hosting services providers, such as cloud and web hosting services; and
Online platforms that bring together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms, and social media platforms.
The law can apply if you’re not based in the EU but have a substantial connection to the EU, for example, if you target users or have a significant number of users in a member state.
The requirements for each category become progressively more stringent.
Intermediary service providers must have:
A single point of contact for regulators and the public;
A designated legal representative in the EU, even if the company is not established in the EU;
Fair and transparent terms and conditions that address content moderation; and
A mechanism to publish reports on content moderation and the removal of illegal or non-compliant content.
In addition to the above, hosting services must also have:
“Notice and action” mechanisms that allow users to flag illegal content along with a sufficient explanation as to the reason it is illegal; and
A way to communicate with the reporting user what action was taken against the reported content (e.g., restriction, removal, or termination) and why (or why not).
If hosting service providers become aware of content that could involve a threat to the life or safety of an individual or individuals, they must immediately inform law enforcement.
Additional requirements for online platforms include:
Providing clear and specific statements explaining why they removed content or restricted access to an account. They also have to report these statements to the public DSA Transparency Database.
Allowing users to dispute content or account moderation decisions via a dispute settlement mechanism that doesn’t involve a court.
Prioritizing notices about illegal activity from designated “DSA Trusted flaggers.”
(For online marketplaces) incorporating compliance into their design and vetting third-party suppliers on their platforms with Know Your Customer (KYC) or Know Your Business (KYB) verifications — the law calls these Know Your Business Customer (KYBC) verifications — and random database checks.
Banning advertisements that target children or are based on users’ special characteristics.
It’s worth noting that the DSA lays out EU-wide rules that dictate that online service providers must put into place transparent mechanisms to detect, flag, and remove “illegal content” from their platform, but leaves the definition of illegal content to other laws at the EU or national level.
Tiered requirements based on size
Recognizing that the universe of online platforms and service providers is as large as it is diverse, the DSA takes the size of the organization and the risk it poses to consumers into account and tiers requirements accordingly. Following that principle, very large online platforms and very large online search engines — designated as those reaching at least 45 million active users in the EU — are held to higher accountability standards and obligations than other online platforms. In order to prevent abuse of their systems, these platforms are required to take risk-based action and conduct independent audits of their risk management systems.
On the other hand, small and micro enterprises — platforms with fewer than 50 employees or whose annual revenue does not exceed 10 million euros — are excluded from the most costly and burdensome obligations (e.g., audits) but are free to apply the best practices for a competitive advantage.
What do you need to collect from sellers on your platform?
If you host anyone selling or promoting goods or services, the DSA requires you to collect the following information before allowing them to promote messages or offer products or services on your platform:
Name, address, telephone number, and email address
Identity documentation
Bank account details (for a person)
Registration number (for a business)
What’s more, not only must sellers self-certify that they offer only products or services that comply with applicable laws, but you, as the online platform provider, must also make reasonable efforts to confirm the reliability of seller or trader information. If it’s inaccurate or incomplete, you are required to gather the correct information or stop the trader from participating on your platform. You may use official online databases or trustworthy supporting documents to verify traders’ information before reporting to Digital Services Coordinators, who are appointed by the EU and will ensure businesses are compliant.
Furthermore, if you become aware of an illegal product or service, you are required to inform the consumers who purchased these products or services of their illegality, the identity of the seller, and any means of redress.
Guidelines for protecting minors under the DSA
On July 14, 2025, the European Commission published guidelines with recommendations for online platforms accessible to minors. The guidelines offer various suggestions, such as:
Limiting access to harmful or excessive content by modifying what recommendation systems suggest to minors, allowing minors to block or mute users, and disabling features that can increase user engagement.
Protecting minors by setting their accounts to private by default and prohibiting other accounts from downloading or taking screenshots of the minor’s content.
Using effective age assurance methods to restrict access to adult content and comply with national minimum age requirements for certain services, such as social media platforms.
Having a risk-based approach based on the platform’s nature, size, purpose, and user base.
Although the guidelines aren’t strict requirements, the European Commission will use them to help assess whether an organization is complying with the DSA.
What are the penalties for non-compliance?
The maximum penalty for a failure to comply with the DSA’s obligations is 6% of a provider’s global annual gross revenue.
If you knowingly supply incorrect, incomplete, or misleading information to a regulator — or you refuse to submit information — you may be subject to a maximum fine of 1% of your global annual gross revenue.
Delaying compliance could also lead to periodic penalties of up to 5% of your average daily global revenue. Ongoing failure to comply could also lead to a temporary suspension of your service in the EU if noncompliance could cause serious harm to your users.
Preparing your business for the DSA
If your platform operates in the EU, you should evaluate whether your business already has mechanisms and procedures in place to ensure compliance with the DSA — or what changes you need to make to provide a safe, trustworthy, and transparent environment for consumers.
DSA requirements became obligatory for all platforms on February 17, 2024, making it critical to have answers to these questions and factor them into your compliance strategy:
Do you already collect and verify the data you need from sellers for other reporting purposes like DAC7? If not, what do you need to do, process- and systems-wise, to collect and verify that data?
Do you need to amend any terms and conditions (T&Cs) or posted consent policies to facilitate data collection from sellers and notification requirements?
Which new or additional steps do you need to take to protect the data you collect?
What is your current process for communicating with buyers and users of products and services available on your platform that are later deemed illegal?
Are you subject to other regulations or laws that have similar collection, verification, and reporting requirements with which you can combine efforts?
How Persona can help
Persona’s platform makes it easy to collect and verify the information you need to protect your platform and comply with the DSA:
Quickly verify and reverify any seller, trader, or merchant with the configurable, all-in-one KYC and KYB solution.
Easily incorporate different verifications, including government ID, document, database, mobile driver’s licenses, NFC-chipped IDs, and selfie verifications.
Create risk-based user flows that automatically adjust requirements based on active and passive risk signals.
Choose from various age assurance methods to align with the guidelines and requirements for identifying and protecting minors on your platform.
Use the Know Your Seller verifications to comply with DAC7 in the EU and the INFORM Consumers Act in the US.
With no-code UI builders, link analysis tools, a case management hub, and third-party integrations, Persona’s platform helps you stay compliant without piecing together solutions.