The DSA applies to all online intermediaries that offer their digital services in the EU, including those established outside of the EU. Intermediaries established outside of the EU will have to appoint a legal representative, as they do for other EU obligations.

All intermediary providers that store, transmit, or disseminate user-generated content, and have a substantial connection to the EU, are subject to the DSA. Providers’ specific obligations depend on their size and type of service.

All intermediaries must specify any restrictions imposed on the use of their service, including information on the policies, procedures, tools, and algorithms used for content moderation and internal complaint handling. Any content restrictions must be enforced in an objective and proportionate manner, with due regard for fundamental rights.

All intermediaries must produce annual reports that include (1) information on the number of orders issued to provide information and/or take down illegal content; and (2) information on content moderation undertaken, including on the use of account suspension, content removal, automation, downranking, and visibility filtering, categorized by the type of illegal content or terms and conditions violation.

Hosting providers must provide a clear and specific statement of reasons for any visibility filtering, downranking, content removal, demonetization, or account suspension. The statement should include the basis for the decision and, where applicable, information on the use of automation.

In their terms and conditions, online platforms must describe any parameters used to suggest information to users, and they must disclose options to modify those parameters. They must also maintain an appeals system allowing decisions taken against allegedly illegal content or terms and conditions violations to be challenged and reversed. For issues that are not satisfactorily resolved by their internal system, platforms must participate in out-of-court dispute settlement proceedings.

All intermediaries must comply with orders from EU member state authorities to provide information or to act against illegal content.

Hosting providers must enable (1) anyone to submit notices containing a substantiated explanation as to why specific content is allegedly illegal under EU or member state law (along with additional transparency reporting on these mechanisms); and (2) adjudication of notices in a timely, diligent, nonarbitrary, and objective manner, along with notification to the submitting party of the decision made.

Ad transparency. Online platforms must ensure that users are able to obtain specified information for each advertisement displayed, including the person or entity on whose behalf the ad is presented and information about the parameters used to determine the recipients of the ad.

Bans on targeted advertising. Online platforms may not present advertisements based on profiling children or based on special categories of personal data such as ethnicity, political views, or sexual orientation.

Online marketplace transparency. Online platforms offering a marketplace must obtain identifying information from traders and make it available to users. Platforms must also periodically check for availability of illegal products or services and notify users when such products or services are detected.

Protection of minors. Online platforms must put in place appropriate and proportionate measures to protect the privacy, safety, and security of minors. Platforms are prohibited from serving ads based on profiling of minors.

Dark patterns. Online platforms may not design, organize, or operate their service in a way that deceives, manipulates, materially distorts, or impairs users’ ability to make free and informed decisions.

Hosting providers that become aware of any information giving rise to a suspicion that a serious criminal offense involving a threat to life or safety of persons has taken place must promptly inform law enforcement or judicial authorities in the relevant EU member state and provide all information available.

Risk governance. VLOPs must undertake annual assessments of the severity and probability of the following on their platforms: (1) dissemination of illegal content; (2) negative effects on fundamental rights, including human dignity, privacy, freedom of expression and information, freedom and pluralism of the media, nondiscrimination, rights of the child, and consumer protection; (3) negative effects on civil discourse, electoral processes, or public security; and (4) negative effects on gender-based violence, public health, minors, and serious negative consequences to a person’s physical and mental well-being.

VLOPs must also put in place reasonable, proportionate, and effective risk mitigation measures tailored to the specific systemic risks identified.

Crisis response. Where the European Commission determines that a threat to public security or public health exists, VLOPs may be required to assess how their platforms contribute to the threat and implement mitigation measures.

Independent audits. VLOPs must undergo annual independent audits to assess compliance with certain DSA obligations and establish an internal compliance function dedicated to monitoring DSA compliance.

Data access. VLOPs must provide member state authorities and vetted researchers with access to certain types of data, including on the design, functioning, and testing of algorithmic systems.

Additional transparency obligations. VLOPs’ additional obligations include reporting on content moderation every six months and the creation of an anonymized repository for advertising information.

The DSA imposes steep penalties for noncompliance. The maximum penalty for a failure to comply with the DSA’s substantive obligations is 6% of a provider’s global annual gross revenues. A “periodic penalty” for noncompliance may also be imposed, not to exceed 5% of a provider’s global annual daily gross revenues. Where a provider supplies incorrect, incomplete, or misleading information to a regulator, the provider may be subject to a maximum fine of 1% of global annual gross revenues.