A guide to the Digital Services Act, the EU’s new law to rein in Big Tech

Everything you need to know about the Digital Services Act (DSA), Europe’s new law to make powerful tech platforms like YouTube, TikTok, Facebook, and Twitter more transparent and accountable for the risks they pose to society.


21 September 2022 (update: 22 August 2023)

Auf Deutsch lesen

#dsa #eu #explainer #guide #publicsphere

What is the DSA, and why do we need it?

The Digital Services Act (DSA) is a new set of regulations that aims to force major internet platforms like Facebook, YouTube, TikTok, Twitter and others to do more to tackle the spread of illegal content and other societal risks on their services in the EU—or else risk billions of Euros in fines. Together with its sister legislation, the Digital Markets Act, it establishes a single set of rules that will apply across the whole EU and sets a potential global standard in platform governance.

The DSA aims to end an era of in which tech companies have essentially regulated themselves – setting their own policies on how to moderate content, and issuing “transparency reports” about their efforts to combat harms like disinformation that have been practically impossible for third parties to scrutinize. The DSA promises to change this status quo by forcing platforms to be more transparent about how their algorithmic systems work, and holding them to account for the societal risks stemming from the use of their services.

The DSA was published in the official journal of the European Union in October 2022 and entered into force shortly thereafter. The law will become applicable across the EU in February of 2024—but the new rules already kick in on 25 August 2023 for the largest platforms and search engines operating in Europe (19 of which were officially designated by the European Commission in April). These so-called Very Large Online Platforms (VLOPs) and Very Large Search Engines (VLOSEs) meet the threshold of having over 45 million active EU users.

How does the DSA change the status quo?

The final version of the DSA is an over 300-page long legal document with complex rules detailing tech companies’ new legal obligations, as well as the responsibilities of the EU and member states with regard to its enforcement. It includes:

DSA’s next steps: Compliance for VLOPs and VLOSEs

The 25 August 2023 was the date when VLOPs and VLOSEs were obligated to submit their first systemic risk assessments to the European Commission's regulators and independent auditors as well as to implement new rules on content moderation. Many of these new features should therefore become visible and/or accessible to users of the relevant platforms in the short-term, such as an option to use a reverse-chronological recommender feed instead of the current standard algorithmically-curated feed.

However, the systemic risk assessments which are lynchpins of the DSA’s accountability structure are being produced without official guidance from the European Commission and will remain largely beyond public view. This raises the concerning possibility that social media platforms adopt risk assessment metrics and methodologies that serve to protect their bottom line rather than the public interest. That’s why AlgorithmWatch has advocated for a meaningful data access for public interest scrutiny and a formal advisory mechanism for civil society to contribute independent expertise and act as a check on audit-washing.

DSA’s next steps: Empowering Digital Services Coordinators (DSCs) and enforcement

On 17 February 2024, the DSA will become fully applicable across the EU for all entities in its scope. By that time, each EU Member state will need to appoint its own Digital Services Coordinator (DSC) — an independent regulator responsible for enforcing the rules on smaller platforms established in their country as well as liaising with the Commission and other DSCs in broader enforcement efforts. With this timeline closing in, EU countries and the Commission must continue to build up the necessary capacities and human resources to adequately enforce the law (the Commission has, for example, launched a European Centre for Algorithmic Transparency to aid in its enforcement efforts).

The enforcement battles ahead are not an abstraction, as the turmoil at Twitter under new owner Elon Musk may present a major early test for EU watchdogs looking to enforce the DSA. The company’s haphazard rollout of a paid verification scheme, for example, flooded the platform with misinformation causing real-world damage—such a move in the future could trigger an investigation and the possibility of fines under the DSA given that the law forbids VLOPs from implementing any major design change without conducting a prior risk assessment.

Meanwhile, because the DSA establishes one set of platform regulations for the entire EU, regulators across the union are now in the process of revising or adopting laws to prepare for national implementation. In Germany, the legal predecessor for platform regulation (which focused on social media platforms), the Netzwerkdurchsetzungsgesetz, will likely be replaced by a new piece of legislation, the so-called Digitale-Dienste-Gesetz. While the law is still in the drafting phase, it seems likely to designate the Bundesnetzagentur as Germany’s future DSC, while also providing for a designated research budget and appointing an advisory body that is meant to consult the DSC on research efforts and enforcement measures.

Beyond the open questions on enforcement and national-level implementation, there are a slew of delegated acts, implementing acts, potential codes of conduct, and voluntary standards referenced in the DSA, some of which have yet to be fully developed. These will eventually clarify certain aspects of the law, such as the technical conditions for data sharing between platforms and external researchers who may serve as a check on platforms' systemic risk assessments and audit reports.

Read more on our policy & advocacy work on the Digital Services Act.

Sign up for our Community Newsletter

For more detailed information, please refer to our privacy policy.