The Digital Services Act (DSA) is an EU regulation which came into force in EU law in November 2022 and will be directly applicable across the EU.
This new regulation aims to contribute to the proper functioning of the EU’s internal market for online intermediary services by setting out harmonised rules for a safe, predictable and trusted online environment that facilitates innovation and in which fundamental rights enshrined in the EU Charter of Fundamental Rights, including the principle of consumer protection, are effectively protected.
The DSA is designed to provide greater online safety. Organisations for which the DSA applies are required to:
- provide greater transparency on their services
- adopt procedures for handling take down notices, informing users in certain circumstances and addressing complaints
- refrain from certain practices, such as profiling, and/or improve control for users of their service
Organisations that the DSA applies to
The DSA applies to organisations that provide online intermediary services in the EU, where intermediary services means one of the following information society services:
- A ‘mere conduit’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network. Examples: internet service providers, direct messaging services, virtual private networks, domain name systems, voice over IP, top level domain name registries.
- A ‘caching’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making onward transmission more efficient to other recipients upon their request. Examples: content delivery networks, content adaptation proxies or reverse proxies.
- A ‘hosting’ service, consisting of the storage of information provided by, and at the request of, a recipient of the service. Examples: cloud service providers, online marketplaces, social media, app stores, travel and accommodation platforms.
The rules of the DSA apply to all Intermediary Service Providers (ISPs) offering their services in the European Single Market, whether they are established in the EU or outside.
Four categories of ISPs can be identified in the DSA
Category 1: ISP
Relates to organisations for which the intermediary service provided are online services which consist of either a ‘mere conduit‘ service, a ‘caching’ service or a ‘hosting’ service.
Category 2: Hosting services
Hosting services are intermediary service providers who store information provided by, and at the request of, a recipient of the service.
Category 3: Online platforms
‘Online platform’ means a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public (unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of the DSA).
Category 4: VLOPs and VLOSEs
Very Large Online Platforms (VLOPs): VLOPs are online platforms having 45 million or more average monthly active recipients of the service in the EU (representing 10% of the population of the EU).
Very Large Online Search Engines (VLOSEs): VLOSEs are search engines having 45 million or more average monthly active recipients of the service in the EU (representing 10% of the population of the EU).
Obligations for online Intermediary Service Providers (ISPs)
The obligations for ISPs differ according to their role, size and impact in the online ecosystem with the DSA.
To understand the scope of their obligations under the DSA, an ISP will first need to determine which of the four ISP categories they belong to, noting that a given organisation may belong to one or multiple ISP categories.
Micro and small enterprises will have obligations proportionate to their ability and size while ensuring they remain accountable. Even if micro and small companies grow significantly, they will benefit from a targeted exemption from a set of obligations during a transitional 12-month period.
Compliance timelines for online Intermediary Service Providers (ISPs)
Compliance date 1: 17 February 2023
Main establishments or legal representatives of online platforms and search engines providing services in the EU (excluding micro and small enterprises that are not designated as VLOPs or VLOSEs) are obliged to publish information on the average monthly active recipients of their service in the EU by 17 February 2023, and six monthly thereafter.
This information should be published on a publicly available section of their online interface and recital 77 of the DSA provides further guidance on establishing information on the average monthly active recipients of a service.
The simple flow diagram above can be used as a first step to help ISPs determine if they have an obligation to publish information by 17 February 2023. Caveats apply to the information presented in the flow diagram and these caveats should be considered by organisations in reaching a conclusion on their obligation to publish information.
The caveats are:
- organisations have 12 months from the time of losing their status as a micro or small sized enterprise to publish the average monthly active recipients of its service in the EU. However, if at any time before such an organisation is due to publish this information the European Commission designates the organisation as a VLOP or VLOSE, then the organisation will be obliged to publish information on the average monthly active recipients of its service in the EU in accordance with the rules of the DSA for VLOPs and VLOSEs
- if the European Commission designates a micro or small sized enterprise as a VLOP or VLOSE then the organisation will be obliged to publish information on the average monthly active recipients of its service in the EU in accordance with the rules of the DSA for VLOPS and VLOSEs
Providers of online platforms and search engines that are obliged to publish information are invited to share this information with the European Commission directly, and as soon as possible after publication, by submitting the information to CNECT-DIGITAL-SERVICES@ec.europa.eu.
Providers may be required by the European Commission or Digital Services Coordinator (DSC) to provide additional information on the calculation of the average monthly active recipients of the service in the EU, including explanations and substantiation in respect of the data used. That information shall not include personal data.
Compliance date 2: DSA compliance dates for VLOPs and VLOSEs
Organisations designated by the European Commission as a VLOP or VLOSE will need to comply with their full set of obligations under the DSA 4 months from their time of designation.
Compliance date 3: 17 February 2024
All other ISPs need to comply with their full set of obligations under the DSA by 17 February 2024.
The DSA is an EU Regulation and so has direct effect.
New legislation, however, will need to be passed in Ireland to provide for the implementation of the DSA, including to designate competent authorities and to provide necessary powers in relation to the enforcement of the DSA.
The DSA is based on the country-of-origin principle, so member states will have powers to supervise and enforce the DSA in relation to ISPs which have their main establishment in that member state, or in the member state in which their legal representative resides except:
- the European Commission shall have powers to supervise and enforce the DSA in relation to online platforms and online search engines which are designated as VLOPs or VLOSEs
- where the European Commission has not initiated proceedings for the same infringement, the member state in which the main establishment of the provider of a VLOPs or VLOSE is located shall have powers to supervise and enforce obligations under the DSA, with respect to those providers
Where an ISP provides services in the EU that fall under the DSA but does not have a main establishment in the EU and has failed to designate a legal representative, all member states and in case of a provider of a VLOP or VLOSE, the European Commission, shall have powers to supervise and enforce the DSA.
Each member state shall designate a competent authority as their Digital Services Coordinator (DSC). The DCS in each member state will be responsible for:
- all matters relating to supervision and enforcement of the DSA in that member state unless the member state concerned has assigned certain specific tasks or sectors to other competent authorities
- co-ordinating and co-operating with: all national authorities in its member state, whether designated as competent authorities for the DSA or not, that have a role in regulating online content (for example, market surveillance bodies that issue take down notices, the courts in their role as issuers of take down orders); DSCs and other national competent authorities in other member states; the European Board for Digital Services (which will be composed of representatives of high-level officials of the Digital Services Coordinators) and the European Commission
Where needed to carry out their tasks under the DSA, the DSC (and any other competence authorities within member states designated to enforce the DSA) shall have powers of investigation and enforcement in respect of conduct by ISPs within the competence of their member state.
Member states shall also lay down the rules on penalties applicable to infringements of the DSA by ISPs and shall take all the necessary measures to ensure that they are implemented in accordance with the DSA.
All member states are required to have designated their DSC by 17 February 2024.
For Ireland, the DSC will be Comisiún na Meán (Media Commission). Coimisúin na Meán is being established by the Minister for Tourism, Culture, Arts, Gaeltacht, Sport and Media, and it is expected that it will be formally established in Quarter 1 2023.
Legislation will be progressed in Ireland in 2023 to designate:
- Comisiún na Meán as the DSC and invest it with the necessary powers to carry out its functions under the DSA
- other bodies in Ireland identified to be competent authorities for implementation of the DSA and invest them with the necessary powers to carry out their functions under the DSA
Users and recipients of the service (business users, consumers, other users)
The DSA will contribute to the creation of a safer and more open digital space for all users, where their fundamental rights are protected and where they have access to quality digital services at lower prices.
The DSA will contribute to the creation of a level playing field that will allow innovative digital businesses to grow within the single market and compete globally.
The DSA (together with the Digital Markets Act (DMA), which aims to ensure that large online platforms behave in a fair way online) sets a high global benchmark for regulating digital services with clear obligations tailored to the importance of the online platforms.
Further information and queries
Further information on the DSA can be found on Questions and Answers: Digital Services Act and Digital Services Act package.
Guidance by the European Commission on the requirement to publish user numbers can be found at Guidance on requirement to publish user numbers.
Queries can be directed to the Department of Enterprise, Trade and Employment at email@example.com.
Active recipient of an online platform: A recipient of the service that has engaged with an online platform by either requesting the online platform to host information or being exposed to information hosted by the online platform and disseminated through its online interface.
Active recipient of an online search engine: A recipient of the service that has submitted a query to an online search engine and been exposed to information indexed and presented on its online interface.
Online interface: Any software, including a website or a part thereof, and applications, including mobile applications.
Micro and small sized enterprises: As defined in the European Commission Recommendation 2003/361/EC.
Main establishment: Where the provider has its head office or registered office within which the principal financial functions and operational control are exercised- in respect of providers that are not established in the EU, but that offer services in the EU and therefore fall within the scope of the DSA, the member state where those providers appointed their legal representative should have competence, considering the function of legal representatives under the DSA.
Information society services: Means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
- ‘at a distance’ means that the service is provided without the parties being simultaneously present
- ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means
- ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request