Six Questions About the EU’s Digital Services Act

hero-image

The European Union’s Digital Services Act (“DSA”) has two primary objectives: to safeguard users online while better protecting their individual rights, and to encourage more innovation and growth among all online businesses — especially small businesses — by levelling the competitive playing field.1

These two objectives are part of a rising trend in the European Union (“EU”) aimed at improving the online experience and promoting accountability by harmonising diverse market regulations.2 While the intentions of the DSA are straightforward, complying with its obligations may be a complex task. That’s because the new law covers significant ground, encompassing a wide range of digital subjects and services.

To achieve compliance, organisations will need a thorough understanding of how the DSA defines certain elements that may apply to them. These include the types of services offered by the organisation, the nature and complexity of its business, and the business size and scale. While no small undertaking, this process is essential for designing appropriate data governance and a cybersecurity risk assessment process that ensures verifiable compliance.

Digital Services Act at a Glance The DSA focuses on the citizen through better protection of fundamental rights, greater choice and competitive pricing. It does so by levelling the playing field for online businesses and reducing exposure to content considered harmful or illegal.3 To meet these goals, businesses face clear rules and a lower bar to entry, allowing for more startup and growth in the digital ecosystem.

An understanding of the rationale and relevant details behind the law is an important first step in determining how the DSA may apply to specific organisations.

What led to the creation of the DSA?

The DSA emerged to address significant issues in the digital markets and offer greater transparency across providers. While there are obvious benefits to an open, collaborative digital ecosystem, it also spawned a range of unlawful activities and cyber crimes, such as illegal trading and the spread of misinformation. It is not a valid approach to leave enforcement and rulemaking to major digital players with financial resources comparable to those of some medium-sized countries to ensure fair market participation and innovation.

What types of providers does the DSA cover?

All digital players in the EU single market fall under the DSA’s regulations with some specific rule variations depending on a business’ size and scale. These players include:

  • Very large online platforms (“VLOPs”): Including very large search engines (“VLSEs”), these are entities that reach more than 10% of the 450 million-plus monthly active users in Europe.4
  • Intermediaries: These entities offer network infrastructure. Examples include internet service providers, registrars, hosting services, online marketplaces, application stores, social media platforms and some VLOPs.5
  • Micro and smaller growth organisations: The DSA’s obligations are proportionate to ability and size. Fast-growing organisations have grace periods of up to 12 months to reach compliance, allowing for transition and planning for implementation.6

It is important to note that any organisation that provides digital services within the EU — not just those headquartered in a member state — must comply with the DSA.

What are some examples of the requirements?

All providers must designate a single point of contact to communicate directly with authorities in EU member states, the European Commission (“EC”) and the European Board for Digital Services. Providers are also required to establish procedures to address illegal activity. Note that national-level legislation, not the DSA, defines what is considered illegal. Upon receiving notification of illegal activity, a provider must promptly inform the issuing authority of the actions it will take to resolve the issue.7

What are the penalties for non-compliance?

The DSA is establishing a network of digital services coordinators which will determine the penalties in their national laws.8 Digital services coordinators are independent authorities responsible for supervising the intermediary services established in their member states. The EC itself has direct supervision and enforcement powers over VLOPs and VLSEs and can impose fines of up to 6 percent of the provider’s global turnover.9 Digital services coordinators and the EC will also have the power to require immediate actions addressing very serious harms.10

The Coordinator and the EC can also ask a court for a temporary suspension of a provider’s service if they do not comply.

What can organisations do to prepare?

Organisations should take steps towards compliance now in advance of the DSA’s arrival. Key considerations include:

  • Determine relevance: Assess whether the DSA applies and, if so, analyse the potential impact on operations and customers/clients.
  • Perform a regulatory gap assessment: Review policies and procedures to identify gaps and make necessary changes to achieve compliance.
  • Evaluate information security: Analyse existing information protection plans for organisational data and stored third-party data. This review should also ensure that existing protections are aligned with the DSA and be updated if not.
  • Establish relationships with regulators: Learn who the key authorities are and open lines of communication. This process can help with reporting and notification obligations and demonstrate a willingness to cooperate that may allow for concessions.
  • Conduct staff training: Empower employees with full knowledge of the DSA, why it matters and best practices for compliance.

What happens on 17 February 2024?

First, it is important to note that some aspects of the law are already live. These relate to systemic issues which include VLOPs and VLSEs, who must inform the EC of the size of their user base at least every six months. Once the EC validates the information, those providers have four months to comply with regulations and to conduct a DSA risk assessment against all relevant parts of the act.11

The DSA is a seismic piece of regulation that is expected to make the lives of digital users and digital society itself more secure. For online businesses big and small, it’s important to know that the EC, member states and coordinators are taking their roles very seriously — making preparation for compliance critical in the months ahead.

Footnotes:

1: “The Digital Services Act: ensuring a safe and accountable online environment.” European Commission. (Accessed: July 6, 2023) https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment_en

2: Ibid.

3: Ibid.

4: Ibid.

5: Ibid.

6: Ibid.

7: Ibid.

8: Ibid.

9: “Digital Services Act: agreement for a transparent and safe online environment.” European Parliament news. (pub. April 23, 2022). https://www.europarl.europa.eu/news/en/press-room/20220412IPR27111/digital-services-act-agreement-for-a-transparent-and-safe-online-environment

10: Ibid.

11: “The Digital Services Act: ensuring a safe and accountable online environment.”

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.

About The Journal

The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.

Related Insights

Published

July 19, 2023

temp Key Contacts

David Dunn

Senior Managing Director, Head of EMEA Cybersecurity

Simon Onyons

Managing Director

Nina Bryant

Senior Managing Director

Sign up to get access to FTI Consulting Insights

Subscribe