DSA Compliance: Key Obligations for Hosting Providers, Platforms, and Marketplaces Operating in the EU (Part 2)

DSA Compliance: Key Obligations for Hosting Providers, Platforms, and Marketplaces Operating in the EU (Part 2)

Key Takeaways

(Part 2) The Digital Services Act (DSA) has been fully applicable since February 2024. Hosting providers, platforms, and marketplaces must comply with strengthened obligations regarding liability, transparency, and content management.


The Digital Services Act (DSA), which has been fully enforceable since February 17, 2024, establishes a comprehensive set of obligations related to liability, transparency, and risk management for providers of intermediary services, including hosting providers, online platforms, and marketplaces operating within the EU. (1)

A first article provided a summary of the objectives of the DSA. In this article, we focus on its territorial scope and the penalties applicable in case of non-compliance with the DSA.


1. The Territorial Scope of the DSA

The territorial scope of the DSA is based on the market targeted by the services, namely the European Union. Similar to the GDPR, the Digital Services Act adopts an extraterritorial approach, focusing not on the location of the digital service provider, but on the destination of the services.

    1.1 Application Based on the Target Market

The regulation applies to any provider of intermediary services, regardless of their place of establishment, as long as the recipients of the services are located within the European Union (Art. 2 DSA).

This criterion subjects companies established outside the EU to the DSA if they target the European market by providing content, goods, or digital services to users residing in the European Union. Major digital players such as Meta, Google, Amazon, Apple, and TikTok, although based outside the EU, are therefore fully subject to the DSA’s obligations.

    1.2 Covered Services
    
The DSA covers all types of intermediary services accessible within the European Union, including internet access and infrastructure providers, caching services (CDNs), hosting services, online platforms (social networks, marketplaces, content-sharing platforms), and search engines. (For more details, see our previous article on the DSA)

    1.3 Specific Obligations for Providers Established Outside the EU

Providers of intermediary services that are not established in the EU but are subject to the DSA because they target the European market must appoint a legal representative within the Union (Art. 13) and comply with all applicable regulatory obligations based on their service category (hosting providers, platforms, Very Large Online Platforms (VLOPs), and Very Large Online Search Engines (VLOSEs)).

The legal representative acts as the primary point of contact for national authorities for the receipt of orders, information requests, and oversight measures.

    1.4 Cross-Border Cooperation Mechanisms

To ensure consistent and harmonized enforcement across Member States, the DSA provides for (Arts. 50 to 59):

     - The designation of a Digital Services Coordinator in each Member State;
     - An enhanced role for the European Commission regarding VLOPs and VLOSEs, including the authority to conduct investigations, audits, and impose oversight measures; and
     - The creation of a European Board for Digital Services to assist the Commission and coordinate cooperation among national authorities.


2. Sanctions for Violations of the DSA

The Digital Services Act introduces a deterrent and harmonized sanctions framework at the European level to ensure compliance by providers of intermediary services.

    2.1 Competent Authorities for Compliance Oversight

The DSA allocates enforcement powers among several authorities, depending on the nature of the provider concerned.

In each Member State, the Digital Services Coordinator is responsible for overseeing all providers of intermediary services operating within its territory. The Coordinator may conduct investigations into alleged infringements, order the cessation of violations, impose corrective measures, and issue injunctions or monetary penalties (Art. 51). In addition, Digital Services Coordinators from different Member States cooperate with each other.

The European Commission holds exclusive powers to supervise and sanction Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) (Art. 65 et seq.).

The Commission is supported by the European Board for Digital Services, which brings together experts from the digital sector to provide advice and assistance.

    2.2 Types of Sanctions Provided

Several types of sanctions may be imposed for non-compliance with the DSA by providers of intermediary services (Arts. 51 and 74).

These sanctions must be effective, proportionate, and dissuasive.

    a. Administrative Fines: in cases of non-compliance with a regulatory obligation, the Coordinator or the Commission may impose an administrative fine of up to 6% of the provider’s total worldwide annual turnover for the preceding financial year.

    b. Sanctions for Lack of Cooperation or Obstruction: specific sanctions, capped at 1% of the provider’s total worldwide annual turnover for the preceding year, may be imposed for providing incorrect, incomplete, or misleading information, failing to comply with information requests or injunctions, or refusing to submit to an inspection.

    c. Periodic Penalty Payments: periodic penalty payments may be ordered to compel a provider to comply with an injunction. These are limited to 5% of the average daily worldwide revenue or turnover for the preceding year, per day of non-compliance.

    d. Emergency Measures and Temporary Restrictions: the Digital Services Coordinator may order additional measures, such as temporarily restricting access to a service within the relevant territory or blocking certain functionalities, if a provider fails to address a criminal infringement posing a serious threat to life or safety and does not cooperate adequately.

These exceptional measures are subject to strict conditions, including judicial oversight.

    2.3 Procedural Safeguards for Decisions and Sanctions

The DSA provides for remedies against decisions issued by authorities.

Users may challenge decisions taken by a service provider to restrict or remove content affecting them, either by appealing through the service's internal complaint-handling mechanism, by engaging a mediation service, or by bringing the matter before the competent court (Art. 17).

The service provider under compliance investigation must be given an opportunity to be heard by the Digital Services Coordinators or the European Commission.

Decisions and safeguard measures taken against providers of intermediary services may be challenged before the competent national courts. Decisions issued by the European Commission can be contested before the Court of Justice of the European Union (CJEU) (Arts. 51 and 80).

    2.4 Implementation in France

In France, the SREN Law of May 21, 2024, organizes the allocation of responsibilities among different authorities (2):

     - The ARCOM (Regulatory Authority for Audiovisual and Digital Communication) serves as the Digital Services Coordinator and is responsible for monitoring the application of the DSA by providers of intermediary services;

 The ARCOM shares its competencies with:
     - The CNIL which oversees compliance with data protection regulations, particularly regarding advertising targeting obligations (Arts. 28 and 38); and
     - The DGCCRF, responsible for enforcing commercial regulations, specifically the control of professional identification requirements, compliance of sign-up interfaces, and consumer information obligations (Arts. 30 to 32).

A cooperation agreement was signed on June 27, 2024, between these authorities to coordinate the effective enforcement of the DSA in France.


    The Digital Services Act reforms European digital law to reflect the evolution of services and online usage, ensuring a higher level of security and transparency for internet users. By overhauling the regulatory framework for intermediary services, the DSA significantly strengthens the transparency, due diligence, and accountability obligations imposed on providers of intermediary services, whether hosting services, platforms, or search engines.

Its effective implementation will now require heightened vigilance from regulatory authorities and sustained efforts from operators to achieve and maintain compliance in a continually evolving legal environment.

* * * * * * * * * * *


(1) Regulation (EU) 2022/2065 of the European Parliament and of the Council of October 19, 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act – DSA).

(2) Law No. 2024-449 of May 21, 2024, aimed at securing and regulating the digital space (SREN Law).

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

April 2024 (updated in July 2024)

Retourner à la page des Actualités et Publications

Mots clés :

accessibilité numérique (7) adwords (1) ai (19) arcep (3) arcom (11) audiovisuel (3) base de données (3) bitcoin (1) blockchain (5) cbpr (3) cgv (1) chine (1) cloud computing (2) cnil (15) commerce (2) communication (8) compliance (23) confidentialité (2) conformité (13) consommateurs (3) contrat (8) contrefaçon (9) cookies (4) copyright (3) csa (1) cybercriminalité (5) data (1) data privacy framework (2) dma (4) données à caractère personnel (16) données personnelles (29) dpf (2) droit d'auteur (9) dsa (6) e-commerce (13) e-consommateurs (1) enfance (4) etats-unis (4) eu (12) europe (10) formation (1) fraude (2) gdpr (26) google (4) hébergeur (5) ia (13) ico (1) informatique (10) informatique et libertés (4) intelligence artificielle (12) internet (31) jeu vidéo (2) liberté d'expression (3) logiciel (7) loi informatique et libertés (5) loi sren (5) marque (3) métavers (2) méthode agile (2) monnaie électronique (1) moteur de recherche (7) nft (3) nom de domaine (1) numérique (8) originalité (4) privacy shield (2) propriété intellectuelle (11) protection des données (7) publicité (6) référencement (4) réglementation (12) réseau (1) réseaux sociaux (10) responsabilité (8) responsable du traitement (10) rgpd (20) robotique (7) rpa (6) salariés (4) santé publique (1) sécurité (7) singapour (3) site web (1) us (2) vie privée (19)