Wiki · Law · Last reviewed June 19, 2026

Digital Services Act

The Digital Services Act is Regulation (EU) 2022/2065, the European Union's platform-governance law for online intermediaries, hosting services, online platforms, marketplaces, very large online platforms, and very large online search engines. It creates due-diligence, transparency, redress, researcher-access, advertising, recommender-system, and systemic-risk duties for the services that organize much of public digital life.

Snapshot

Definition

The Digital Services Act, or DSA, is a directly applicable EU regulation for digital intermediary services offered in the Union, including services whose providers are established outside the EU but have a substantial connection to the EU market. It updates the older e-Commerce Directive model by preserving conditional intermediary-liability protections while adding due-diligence duties for modern platform systems.

The DSA is not only a content-removal statute. It is a procedural and risk-governance framework: it requires certain providers to build notice-and-action channels, explain moderation decisions, apply terms with due regard to fundamental rights, offer complaint and out-of-court redress, publish transparency reports, disclose advertising and recommender-system information, protect minors, assess systemic risks, undergo independent audits, and give researchers and regulators access to evidence.

The regulation also preserves an important boundary. It does not make platforms generally liable for every user post, nor does it require general monitoring of all content. Instead, it creates procedural duties and stronger obligations for larger or more systemically important services.

Scope and Structure

The DSA is tiered. Baseline duties apply to intermediary services such as mere conduit, caching, and hosting services. Additional duties apply to online platforms that disseminate user content to the public. More duties apply to online marketplaces. The heaviest obligations apply to very large online platforms and very large online search engines, known as VLOPs and VLOSEs.

The VLOP and VLOSE threshold is at least 45 million average monthly active recipients in the EU, roughly 10 percent of the EU population. The European Commission designates these services and directly supervises their DSA duties. National Digital Services Coordinators supervise and coordinate enforcement for many other services, while the European Board for Digital Services helps coordinate consistent implementation across Member States.

This structure matters for AI and platform governance because the same technology can sit in different legal positions. A small hosting service, a social network, an app store, an online marketplace, a video-sharing service, a search engine, and a chatbot-like discovery surface may raise overlapping risks but different DSA obligations.

Current Context

As of this review on June 19, 2026, the DSA is no longer only in rollout. Its general date of applicability was February 17, 2024, while the first designated VLOPs and VLOSEs were subject to the law four months after their April 25, 2023 designations. The Commission's DSA supervision page, updated May 28, 2026, lists designated services and enforcement actions across major social, search, marketplace, app-store, travel, adult-content, and knowledge platforms.

Enforcement is now an operational regime. The Commission's enforcement page says DSA tools include requests for information, orders for access to data and algorithms, interviews, inspections, interim measures, preliminary findings, binding commitments, non-compliance decisions, and fines. The same page cautions that investigatory steps do not by themselves mean a provider has infringed the DSA.

Transparency infrastructure is also live. The Commission describes the DSA Transparency Database as a public repository of anonymized and aggregated statements of reasons for content moderation decisions. In its public impact page, the Commission reported that platforms submitted more than 9 billion content moderation decisions in the first half of 2025, with most taken proactively under platforms' own terms rather than from illegal-content reports.

Researcher access is moving from principle to mechanism. On July 2, 2025, the Commission adopted a delegated act on data access for qualified researchers and launched a DSA data access portal. The mechanism is meant to support research into systemic risks and mitigation measures on VLOPs and VLOSEs.

Children's protection is a major enforcement frontier. In July 2025, the Commission published guidelines on the protection of minors under DSA Article 28 and presented an age-verification blueprint. The Commission's age-verification page says the solution became feature-ready on April 15, 2026, and can be customized by Member States and market actors while preserving its privacy-oriented design. On May 29, 2026, the Commission sought feedback on draft trusted-flagger guidelines, with the consultation deadline extended to July 10, 2026, and noted that more than 70 trusted flaggers had already been designated.

The first DSA risk landscape report, published in November 2025 by European regulators, the Commission, and the European Board for Digital Services, treated generative AI, protection of minors, mental health, illegal content, intellectual property, and marketplace harms as part of the systemic-risk environment. That is the current governance pattern: platforms are being asked to document not only takedowns, but also the design choices and algorithmic systems that make harms scalable.

Core Obligations

Terms and conditions. Providers must explain content restrictions, moderation policies, algorithmic decision-making, human review, and complaint procedures in clear language. They must apply restrictions diligently, objectively, proportionately, and with regard to users' fundamental rights.

Notice and action. Hosting services must provide ways to notify them of allegedly illegal content. Platforms must process notices and explain certain decisions to affected users.

Statements of reasons and appeals. Platforms must give users clearer reasons for content moderation decisions and provide complaint-handling mechanisms. Users can also turn to certified out-of-court dispute settlement bodies.

Trusted flaggers. Notices from designated trusted flaggers receive priority, while platforms remain responsible for deciding whether content is illegal. The trusted-flagger system is meant to improve detection without turning every notice into automatic removal.

Interface design. Online platforms may not design, organize, or operate interfaces in ways that deceive, manipulate, or materially impair users' ability to make free and informed decisions. This makes deceptive design a platform-governance issue, not only a consumer-design issue.

Advertising transparency. Platforms must identify ads, the advertiser, who paid for the ad when different, and meaningful information about why a recipient is seeing the ad. The DSA restricts targeted advertising based on sensitive categories and prohibits targeted advertising to minors based on profiling when the provider knows with reasonable certainty that the user is a minor. VLOPs and VLOSEs that present ads must also maintain searchable ad repositories with campaign-level information and APIs.

Recommender systems. Platforms using recommender systems must explain their main parameters. VLOPs and VLOSEs face additional duties, including at least one recommender option not based on profiling where applicable.

Marketplace traceability and compliance by design. Online marketplaces must collect and assess certain information about traders before allowing them to offer products or services, strengthen product and seller identification, and design interfaces that let traders provide required safety and compliance information.

Systemic-risk management. VLOPs and VLOSEs must assess and mitigate systemic risks involving illegal content, fundamental rights, civic discourse, electoral processes, public security, gender-based violence, public health, minors, and mental and physical well-being. They must also undergo independent audits and provide transparency reports.

Data access and oversight. The DSA creates routes for regulators and vetted researchers to access data needed to study systemic risks and mitigation measures. This is one of the law's most important attempts to pierce the platform evidence barrier.

AI Relevance

AI matters to the DSA because platforms use automated systems for ranking, moderation, advertising delivery, fraud detection, recommender systems, search ranking, age assurance, account integrity, and risk detection. These systems decide what people see, what disappears, which sellers are surfaced, which ads are shown, and which complaints are prioritized.

Generative AI also changes the threat environment. It can produce synthetic media, spam, scams, impersonation, child-safety risks, non-consensual intimate imagery, coordinated manipulation, fake reviews, and adaptive harassment at a scale that platform governance has to absorb.

The DSA does not regulate foundation-model training in the way the EU AI Act regulates AI systems and general-purpose AI models. Its AI relevance is platform-level: it governs the online services that use, distribute, rank, monetize, or mitigate AI-generated and AI-mediated activity.

That distinction is important for AI agents and search-like systems. If an AI product becomes a platform, search engine, marketplace, ad surface, or recommender-mediated distribution layer, the DSA analysis may turn on service role, user scale, and function, not merely on whether the interface looks like a chatbot.

Governance and Safety

The DSA's strongest governance contribution is evidence. It turns platform power into records: statements of reasons, transparency reports, risk assessments, audits, ad repositories, researcher access, complaint statistics, and enforcement files. Those records are not complete public visibility, but they give regulators, researchers, and civil society more handles than ordinary platform trust-and-safety promises.

The law also creates a due-process layer for users. Moderation at platform scale can be arbitrary, automated, language-biased, or politically consequential. Notice, appeal, out-of-court dispute settlement, and transparency databases make it harder for platforms to remove, demote, or restrict accounts with no explanation.

The DSA should not be read as a general online speech code. It does not define every category of illegal content itself, and it does not impose a general monitoring obligation. It mostly builds procedural obligations around illegal content as defined by EU or Member State law, platform terms, recommender and advertising transparency, marketplace traceability, and VLOP/VLOSE systemic-risk governance.

There are real risks. Trusted-flagger systems can be misused if independence and accountability fail. Age assurance can protect children while expanding identity checks. Automated moderation can over-remove lawful speech. Researcher access can expose sensitive data if governance is weak. Strong enforcement can become a tool for state pressure if it is not bounded by rights, proportionality, and judicial review.

For AI safety, the DSA is best understood as platform safety infrastructure. It does not solve model alignment, synthetic media provenance, fraud, recommender addiction, or political manipulation by itself. It requires large services to identify risks, mitigate them, preserve evidence, and answer questions from public authorities and researchers.

Source Discipline

Claims about the DSA should separate the legal text, Commission explanatory pages, delegated acts, guidelines, enforcement actions, platform transparency reports, and civil-society analysis. The regulation itself is the primary source for legal duties. Commission pages are useful for current implementation and enforcement status, but they are not a substitute for article-level legal analysis.

Enforcement claims need dates and procedural labels. A request for information, opening of proceedings, preliminary finding, binding commitment, and non-compliance decision are different events. An investigation does not by itself establish infringement.

Transparency data need careful framing. DSA Transparency Database figures are statements of reasons reported by platforms, not a complete census of harm, legality, user experience, or enforcement quality. They are useful evidence, but they reflect reporting schemas, platform terms, automated systems, and coverage limits.

Current lists change. VLOP and VLOSE designations, user numbers, trusted flagger counts, age-verification implementation, data-access procedures, and national Digital Services Coordinator activity should be cited with review dates. For platform claims, prefer official Commission pages, national regulator pages, court records, or the platform's own DSA transparency reports over secondary summaries.

Spiralist Reading

For Spiralism, the DSA is important because it treats mediated reality as governable infrastructure. It asks platforms to account for the systems that decide visibility, virality, risk, advertising, removal, and appeal rather than treating those systems as private magic.

The law does not end platform power. It forces platform power to leave more traces. The feed, the takedown, the ad, the marketplace listing, the complaint queue, the age gate, and the recommendation engine become subjects of evidence.

The Spiralist question is whether evidence becomes friction. A database, audit, risk report, or guideline matters only if it changes what powerful systems are allowed to do when attention, children, elections, commerce, and public memory are at stake.

Open Questions

Platform governance

Integrity and rights

AI and platform systems

Institutions

Sources


Return to Wiki