Digital Services Act
The Digital Services Act is Regulation (EU) 2022/2065, the European Union's platform-governance law for online intermediaries, hosting services, online platforms, marketplaces, very large online platforms, and very large online search engines. It creates due-diligence, transparency, redress, researcher-access, advertising, recommender-system, and systemic-risk duties for the services that organize much of public digital life.
Snapshot
- Legal form: Regulation (EU) 2022/2065, directly applicable across the EU.
- Coverage: intermediary services offered in the EU, with obligations increasing from conduit, caching, and hosting services to online platforms, marketplaces, VLOPs, and VLOSEs.
- Threshold: VLOPs and VLOSEs are services with at least 45 million average monthly active recipients in the EU and are designated by the European Commission.
- Core controls: notice and action, statements of reasons, appeals, transparency reporting, ad and recommender-system transparency, trader traceability, systemic-risk assessment, audits, and data access.
- AI relevance: platform-level governance for algorithmic ranking, moderation, advertising, search, recommender systems, and AI-generated activity, distinct from the EU AI Act's AI-system and general-purpose AI model duties.
Definition
The Digital Services Act, or DSA, is a directly applicable EU regulation for digital intermediary services offered in the Union, including services whose providers are established outside the EU but have a substantial connection to the EU market. It updates the older e-Commerce Directive model by preserving conditional intermediary-liability protections while adding due-diligence duties for modern platform systems.
The DSA is not only a content-removal statute. It is a procedural and risk-governance framework: it requires certain providers to build notice-and-action channels, explain moderation decisions, apply terms with due regard to fundamental rights, offer complaint and out-of-court redress, publish transparency reports, disclose advertising and recommender-system information, protect minors, assess systemic risks, undergo independent audits, and give researchers and regulators access to evidence.
The regulation also preserves an important boundary. It does not make platforms generally liable for every user post, nor does it require general monitoring of all content. Instead, it creates procedural duties and stronger obligations for larger or more systemically important services.
Scope and Structure
The DSA is tiered. Baseline duties apply to intermediary services such as mere conduit, caching, and hosting services. Additional duties apply to online platforms that disseminate user content to the public. More duties apply to online marketplaces. The heaviest obligations apply to very large online platforms and very large online search engines, known as VLOPs and VLOSEs.
The VLOP and VLOSE threshold is at least 45 million average monthly active recipients in the EU, roughly 10 percent of the EU population. The European Commission designates these services and directly supervises their DSA duties. National Digital Services Coordinators supervise and coordinate enforcement for many other services, while the European Board for Digital Services helps coordinate consistent implementation across Member States.
This structure matters for AI and platform governance because the same technology can sit in different legal positions. A small hosting service, a social network, an app store, an online marketplace, a video-sharing service, a search engine, and a chatbot-like discovery surface may raise overlapping risks but different DSA obligations.
Current Context
As of this review on June 19, 2026, the DSA is no longer only in rollout. Its general date of applicability was February 17, 2024, while the first designated VLOPs and VLOSEs were subject to the law four months after their April 25, 2023 designations. The Commission's DSA supervision page, updated May 28, 2026, lists designated services and enforcement actions across major social, search, marketplace, app-store, travel, adult-content, and knowledge platforms.
Enforcement is now an operational regime. The Commission's enforcement page says DSA tools include requests for information, orders for access to data and algorithms, interviews, inspections, interim measures, preliminary findings, binding commitments, non-compliance decisions, and fines. The same page cautions that investigatory steps do not by themselves mean a provider has infringed the DSA.
Transparency infrastructure is also live. The Commission describes the DSA Transparency Database as a public repository of anonymized and aggregated statements of reasons for content moderation decisions. In its public impact page, the Commission reported that platforms submitted more than 9 billion content moderation decisions in the first half of 2025, with most taken proactively under platforms' own terms rather than from illegal-content reports.
Researcher access is moving from principle to mechanism. On July 2, 2025, the Commission adopted a delegated act on data access for qualified researchers and launched a DSA data access portal. The mechanism is meant to support research into systemic risks and mitigation measures on VLOPs and VLOSEs.
Children's protection is a major enforcement frontier. In July 2025, the Commission published guidelines on the protection of minors under DSA Article 28 and presented an age-verification blueprint. The Commission's age-verification page says the solution became feature-ready on April 15, 2026, and can be customized by Member States and market actors while preserving its privacy-oriented design. On May 29, 2026, the Commission sought feedback on draft trusted-flagger guidelines, with the consultation deadline extended to July 10, 2026, and noted that more than 70 trusted flaggers had already been designated.
The first DSA risk landscape report, published in November 2025 by European regulators, the Commission, and the European Board for Digital Services, treated generative AI, protection of minors, mental health, illegal content, intellectual property, and marketplace harms as part of the systemic-risk environment. That is the current governance pattern: platforms are being asked to document not only takedowns, but also the design choices and algorithmic systems that make harms scalable.
Core Obligations
Terms and conditions. Providers must explain content restrictions, moderation policies, algorithmic decision-making, human review, and complaint procedures in clear language. They must apply restrictions diligently, objectively, proportionately, and with regard to users' fundamental rights.
Notice and action. Hosting services must provide ways to notify them of allegedly illegal content. Platforms must process notices and explain certain decisions to affected users.
Statements of reasons and appeals. Platforms must give users clearer reasons for content moderation decisions and provide complaint-handling mechanisms. Users can also turn to certified out-of-court dispute settlement bodies.
Trusted flaggers. Notices from designated trusted flaggers receive priority, while platforms remain responsible for deciding whether content is illegal. The trusted-flagger system is meant to improve detection without turning every notice into automatic removal.
Interface design. Online platforms may not design, organize, or operate interfaces in ways that deceive, manipulate, or materially impair users' ability to make free and informed decisions. This makes deceptive design a platform-governance issue, not only a consumer-design issue.
Advertising transparency. Platforms must identify ads, the advertiser, who paid for the ad when different, and meaningful information about why a recipient is seeing the ad. The DSA restricts targeted advertising based on sensitive categories and prohibits targeted advertising to minors based on profiling when the provider knows with reasonable certainty that the user is a minor. VLOPs and VLOSEs that present ads must also maintain searchable ad repositories with campaign-level information and APIs.
Recommender systems. Platforms using recommender systems must explain their main parameters. VLOPs and VLOSEs face additional duties, including at least one recommender option not based on profiling where applicable.
Marketplace traceability and compliance by design. Online marketplaces must collect and assess certain information about traders before allowing them to offer products or services, strengthen product and seller identification, and design interfaces that let traders provide required safety and compliance information.
Systemic-risk management. VLOPs and VLOSEs must assess and mitigate systemic risks involving illegal content, fundamental rights, civic discourse, electoral processes, public security, gender-based violence, public health, minors, and mental and physical well-being. They must also undergo independent audits and provide transparency reports.
Data access and oversight. The DSA creates routes for regulators and vetted researchers to access data needed to study systemic risks and mitigation measures. This is one of the law's most important attempts to pierce the platform evidence barrier.
AI Relevance
AI matters to the DSA because platforms use automated systems for ranking, moderation, advertising delivery, fraud detection, recommender systems, search ranking, age assurance, account integrity, and risk detection. These systems decide what people see, what disappears, which sellers are surfaced, which ads are shown, and which complaints are prioritized.
Generative AI also changes the threat environment. It can produce synthetic media, spam, scams, impersonation, child-safety risks, non-consensual intimate imagery, coordinated manipulation, fake reviews, and adaptive harassment at a scale that platform governance has to absorb.
The DSA does not regulate foundation-model training in the way the EU AI Act regulates AI systems and general-purpose AI models. Its AI relevance is platform-level: it governs the online services that use, distribute, rank, monetize, or mitigate AI-generated and AI-mediated activity.
That distinction is important for AI agents and search-like systems. If an AI product becomes a platform, search engine, marketplace, ad surface, or recommender-mediated distribution layer, the DSA analysis may turn on service role, user scale, and function, not merely on whether the interface looks like a chatbot.
Governance and Safety
The DSA's strongest governance contribution is evidence. It turns platform power into records: statements of reasons, transparency reports, risk assessments, audits, ad repositories, researcher access, complaint statistics, and enforcement files. Those records are not complete public visibility, but they give regulators, researchers, and civil society more handles than ordinary platform trust-and-safety promises.
The law also creates a due-process layer for users. Moderation at platform scale can be arbitrary, automated, language-biased, or politically consequential. Notice, appeal, out-of-court dispute settlement, and transparency databases make it harder for platforms to remove, demote, or restrict accounts with no explanation.
The DSA should not be read as a general online speech code. It does not define every category of illegal content itself, and it does not impose a general monitoring obligation. It mostly builds procedural obligations around illegal content as defined by EU or Member State law, platform terms, recommender and advertising transparency, marketplace traceability, and VLOP/VLOSE systemic-risk governance.
There are real risks. Trusted-flagger systems can be misused if independence and accountability fail. Age assurance can protect children while expanding identity checks. Automated moderation can over-remove lawful speech. Researcher access can expose sensitive data if governance is weak. Strong enforcement can become a tool for state pressure if it is not bounded by rights, proportionality, and judicial review.
For AI safety, the DSA is best understood as platform safety infrastructure. It does not solve model alignment, synthetic media provenance, fraud, recommender addiction, or political manipulation by itself. It requires large services to identify risks, mitigate them, preserve evidence, and answer questions from public authorities and researchers.
Source Discipline
Claims about the DSA should separate the legal text, Commission explanatory pages, delegated acts, guidelines, enforcement actions, platform transparency reports, and civil-society analysis. The regulation itself is the primary source for legal duties. Commission pages are useful for current implementation and enforcement status, but they are not a substitute for article-level legal analysis.
Enforcement claims need dates and procedural labels. A request for information, opening of proceedings, preliminary finding, binding commitment, and non-compliance decision are different events. An investigation does not by itself establish infringement.
Transparency data need careful framing. DSA Transparency Database figures are statements of reasons reported by platforms, not a complete census of harm, legality, user experience, or enforcement quality. They are useful evidence, but they reflect reporting schemas, platform terms, automated systems, and coverage limits.
Current lists change. VLOP and VLOSE designations, user numbers, trusted flagger counts, age-verification implementation, data-access procedures, and national Digital Services Coordinator activity should be cited with review dates. For platform claims, prefer official Commission pages, national regulator pages, court records, or the platform's own DSA transparency reports over secondary summaries.
Spiralist Reading
For Spiralism, the DSA is important because it treats mediated reality as governable infrastructure. It asks platforms to account for the systems that decide visibility, virality, risk, advertising, removal, and appeal rather than treating those systems as private magic.
The law does not end platform power. It forces platform power to leave more traces. The feed, the takedown, the ad, the marketplace listing, the complaint queue, the age gate, and the recommendation engine become subjects of evidence.
The Spiralist question is whether evidence becomes friction. A database, audit, risk report, or guideline matters only if it changes what powerful systems are allowed to do when attention, children, elections, commerce, and public memory are at stake.
Open Questions
- Will DSA transparency tools give researchers enough access to test platform risk claims, or will access remain too slow, narrow, and contested?
- Can trusted-flagger systems improve illegal-content reporting without becoming privatized speech-policing channels?
- How should DSA duties apply to AI search, agentic commerce, chat-based discovery, and AI assistants that mediate access to content or sellers?
- Can age assurance under the DSA remain privacy-preserving, or will child-safety compliance become a general identity checkpoint?
- Will annual risk assessments and audits change recommender-system design, or become formal reports that follow decisions already made?
Related Pages
Platform governance
- Platform Governance
- Content Moderation
- Notice and Appeal
- Recommender Systems
- Algorithmic Transparency
- Trust and Safety
- Vendor and Platform Governance
- Transparency and Public Registers
Integrity and rights
- Information Disorder
- Synthetic Media and Deepfakes
- Content Provenance and Watermarking
- Election Integrity and AI
- Age Assurance
- Digital Identity
- Data Minimization
- AI Data Retention
- Right to Explanation
AI and platform systems
- AI Search and Answer Engines
- AI Browsers and Computer Use
- Agent-Native Internet
- AI Agents
- AI Companions
- AI Data Provenance
Institutions
- AI Governance
- Algorithmic Impact Assessments
- AI Audits and Third-Party Assurance
- AI Liability and Accountability
- Duty of Care for AI Platforms
- Electronic Frontier Foundation
- Center for Democracy and Technology
- EU AI Act
Sources
- European Union, Regulation (EU) 2022/2065, Digital Services Act, Official Journal version.
- European Commission, The Digital Services Act, reviewed June 19, 2026.
- European Commission, The enforcement framework under the Digital Services Act, reviewed June 19, 2026.
- European Commission, Supervision of the designated very large online platforms and search engines under DSA, information updated May 28, 2026; reviewed June 19, 2026.
- European Commission, European Board for Digital Services, reviewed June 19, 2026.
- European Commission, How the Digital Services Act enhances transparency online, reviewed June 19, 2026.
- European Commission, The impact of the Digital Services Act on digital platforms, reviewed June 19, 2026.
- European Commission, DSA Transparency Database, reviewed June 19, 2026.
- European Commission, Delegated act on data access under the Digital Services Act, July 2, 2025; reviewed June 19, 2026.
- European Commission, DSA data access portal, reviewed June 19, 2026.
- European Commission, Guidelines on the protection of minors under the DSA, July 14, 2025; reviewed June 19, 2026.
- European Commission, The EU approach to age verification, reviewed June 19, 2026.
- European Commission, Commission seeks feedback on draft trusted flaggers guidelines under the Digital Services Act, May 29, 2026; updated June 19, 2026.
- European Commission, Targeted consultation: draft guidelines on trusted flaggers under the DSA, May 29, 2026; reviewed June 19, 2026.
- European Commission, Digital Services Act report lays out landscape of systemic risks online, November 20, 2025; reviewed June 19, 2026.