DSA — Regulation (EU) 2022/2065¶
Regulation on a Single Market For Digital Services (Digital Services Act, DSA). It establishes harmonised rules on the provision of intermediary services in the internal market, with the objective of ensuring a safe, predictable and trustworthy online environment in which the fundamental rights enshrined in the Charter are effectively protected. It defines: (a) a conditional liability exemption framework for providers of intermediary services (mere conduit, caching, hosting); (b) tiered due diligence obligations by category of provider (all intermediaries, hosting providers, online platforms, marketplaces, very large online platforms — VLOPs — and very large online search engines — VLOSEs); (c) a supervision and enforcement system centred on national Digital Services Coordinators, on the European Board for Digital Services and on the Commission's enforcement powers over VLOPs and VLOSEs. It replaces and complements the previous framework of Directive 2000/31/EC on electronic commerce (Articles 12-15 of which it deletes) and applies alongside the GDPR, AI Act, Data Act, DGA and PLD.
Identifiers¶
| Field | Value |
|---|---|
| Official title | Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) |
| CELEX | 32022R2065 |
| ELI | http://data.europa.eu/eli/reg/2022/2065/oj |
| Publication | OJ L 277, 27.10.2022, p. 1 |
| Adoption | 19 October 2022 |
| Entry into force | 16 November 2022 |
| Application | 17 February 2024 (general rule); 16 November 2022 for Articles 24(2-3, 6), 33(3-6), 37(7), 40(13), 43 and Chapter IV Sections 4-6; for VLOPs/VLOSEs designated under Article 33: 4 months after notification of designation |
| Amended acts | Directive 2000/31/EC (Articles 12-15 deleted, DSA Article 89); Directive (EU) 2020/1828 (Annex I, DSA Article 90) |
| Legal basis | Article 114 TFEU |
| Type of act | Regulation — directly applicable in all Member States |
Structure¶
5 chapters · 93 articles · 156 recitals · no annex.
| Chapter | Subject | Articles |
|---|---|---|
| I | General provisions | 1 – 3 |
| II | Liability of providers of intermediary services | 4 – 10 |
| III | Due diligence obligations for a transparent and safe online environment (6 sections) | 11 – 48 |
| IV | Implementation, cooperation, penalties and enforcement (6 sections) | 49 – 88 |
| V | Final provisions | 89 – 93 |
Chapter III is organised in 6 sections that translate the principle of graduated obligations: section 1 (all intermediary providers), section 2 (hosting providers), section 3 (online platforms), section 4 (online marketplaces), section 5 (VLOPs and VLOSEs), section 6 (codes of conduct, crisis protocols, accessibility). Chapter IV is organised in 6 sections covering supervision, cross-border cooperation, the European Board for Digital Services, the Commission's specific supervision of VLOPs/VLOSEs, common provisions and delegated/implementing acts.
Scope of application¶
Material (Article 1(1); Article 2(1)): the Regulation applies to intermediary services offered to recipients whose place of establishment is in the Union or who are located in the Union, irrespective of where the providers are established (criterion of substantial connection to the Union, Article 3(d)-(e)). It establishes harmonised rules for a safe, predictable and trustworthy online environment in which the fundamental rights enshrined in the Charter are effectively protected.
Personal (Article 3(g), (i), (j)): the Regulation applies to providers of intermediary services defined as information society services consisting in (i) mere conduit, (ii) caching, (iii) hosting. Further categories: online platforms (a sub-set of hosting that disseminates information to the public), online search engines, online marketplaces (platforms allowing consumers to conclude distance contracts with traders), VLOPs/VLOSEs (≥ 45 million average monthly active recipients in the Union, Article 33).
Exclusions (Article 2(2)-(4)): the Regulation does not apply to non-intermediary services, is without prejudice to Directive 2000/31/EC (except for Articles 12-15 deleted by DSA Article 89) and is without prejudice to: AVMSD (Directive 2010/13/EU), copyright law, Regulation (EU) 2021/784 (terrorist content), Regulation (EU) 2019/1148 (explosives precursors), P2B Regulation (EU) 2019/1150, EU consumer protection and product safety law, GDPR and the e-Privacy Directive, judicial cooperation in civil and criminal matters.
Conditional liability exemption (Chapter II, Articles 4-6): preserves the regime already provided by Directive 2000/31/EC for mere conduit, caching and hosting, complemented by the principle of no general monitoring obligations (Article 8) and by the "Good Samaritan" clause (Article 7) for voluntary own-initiative investigations.
Sextuple cross-references with the AI Act, GDPR, Data Act, DGA and PLD¶
The DSA interacts with five EU acts published on this site: the AI Act (for the algorithmic systems of online platforms — content moderation, recommender systems, profiling), the GDPR (for the processing of personal data in intermediary services, with specific DSA prohibitions on targeted advertising based on special categories of data and on minors), the Data Act (for the complementarity of the EU data package), the DGA (for the relationship between intermediary services under the DSA and data intermediation services under the DGA, distinct yet terminologically close) and the PLD (for the liability of software employed by intermediary providers, e.g. defective automated moderation systems).
DSA ↔ AI Act axis (algorithmic systems of online platforms)¶
| DSA | AI Act | Nature of the intersection |
|---|---|---|
| Article 3(s), (t) ("recommender system", "content moderation" — autonomous definitions) | AI Act, Article 3(1), (3) (definitions of "AI system" and "provider") | Recommender systems and automated moderation systems are algorithmic systems that may qualify as AI systems under the AI Act; DSA transparency obligations and AI Act requirements (limited risk / high risk) accumulate |
| Article 14 (T&Cs); Article 27 (recommender system transparency); Article 38 (non-profiling option for VLOPs/VLOSEs) | AI Act, Article 50 (transparency obligations); Annex III, point 8 (high-risk AI systems) | Convergence on algorithmic transparency obligations: the DSA imposes disclosure of recommender system parameters and a non-profiling option for VLOPs/VLOSEs (Article 38); the AI Act requires user information for AI system interaction, deepfakes and AI-generated or manipulated content |
| Article 26 (advertising); Article 28 (protection of minors) | AI Act, Article 5 (prohibited AI practices) | DSA prohibitions on advertising based on special categories of data (GDPR Article 9) and on profiling of minors intersect with the AI Act prohibitions on AI practices that exploit vulnerabilities of specific groups (Article 5(1)(b)) |
| Chapter III, section 5 — Articles 33-43 (VLOPs/VLOSEs); Article 34 (systemic risk assessment, including "algorithmic systems") | AI Act, Article 9 (risk management system); Article 27 (FRIA — fundamental rights impact assessment); Article 55 (GPAI obligations with systemic risk) | VLOPs' systemic risk assessments (DSA Article 34) explicitly cover algorithmic systems (paragraph 2(a), (b)) and integrate with the FRIA and with the high-risk AI systems' risk assessment when a platform deploys them |
| Article 40 (vetted researcher data access) | AI Act, Article 60 (sandboxes); Recitals 105 ff. | VLOPs' operational data accessible to vetted researchers (DSA Article 40(4)-(12)) is a relevant source for independent research on systemic risks of platforms incorporating AI |
DSA ↔ GDPR axis (carve-out, specific prohibitions, orders on personal data)¶
| DSA | GDPR | Nature of the intersection |
|---|---|---|
| Article 2(4)(g); Recitals 9, 10 | Whole GDPR | Safeguard clause: the DSA is without prejudice to the GDPR and the e-Privacy Directive; the two regimes operate cumulatively |
| Articles 9 and 10 (orders to act against illegal content / to provide information) | GDPR, Articles 6(1)(c)-(e); 23 | National authorities' orders to intermediary providers require a legal basis under the GDPR for processing personal data; the DSA provides the procedural framework but does not replace the lawfulness conditions |
| Article 26(3) (prohibition of advertising based on profiling using special categories of data) | GDPR, Article 4(4) (profiling); Article 9 (special categories) | Direct definitional cross-reference + autonomous DSA prohibition: profiling-based advertising using GDPR Article 9 special categories is prohibited on all online platforms |
| Article 28(2) (protection of minors — prohibition of advertising based on profiling of minors) | GDPR, Article 4(4); Recital 38 | Autonomous DSA prohibition that strengthens GDPR protections for minors in targeted advertising |
| Article 24 (online platforms transparency reporting); Article 42 (VLOPs reporting) | GDPR, Article 30 (records of processing) | DSA transparency reports include moderation data and automated activities; they do not replace the GDPR records of processing but complement them |
| Article 38 (non-profiling option for VLOPs/VLOSEs) | GDPR, Article 4(4); Article 22 (automated decision-making) | DSA obligation that operationalises the logic of the right not to be subject to automated decisions based on profiling, complementary to GDPR Article 22 |
| Chapter IV — Digital Services Coordinators | GDPR, Chapter VI — supervisory authorities | Digital Services Coordinators (DSCs) and data protection authorities are distinct authorities but cooperate on cross-sectoral dossiers (DSA Recitals 91-92); DSCs consult DPAs before adopting decisions affecting personal data processing |
DSA ↔ Data Act axis (complementarity in the EU data package)¶
The DSA ↔ Data Act intersection is structurally limited: the Data Act regulates access to and portability of IoT/cloud data (B2C, B2B, B2G), the DSA regulates obligations on content and on systemic risks of intermediary services. The two disciplines operate on different planes but share the principle of non-overlap and mutual respect.
| DSA | Data Act | Nature of the intersection |
|---|---|---|
| Article 2(4); Recital 9 | Whole Data Act | Reciprocal without-prejudice clause: the DSA is without prejudice to EU data law (including, prospectively, the Data Act); conversely the Data Act does not affect DSA obligations |
| Article 40 (vetted researcher data access) | Chapter V — Articles 14-22 (B2G in exceptional need) | Parallel models of access to private data for public-interest purposes: DSA for systemic risk research, Data Act for exceptional public needs; no operational overlap but shared logic of data altruism for institutional purposes |
| Chapter III, section 5 — Articles 33-43 (VLOPs/VLOSEs) | Chapter VI — Articles 23-31 (cloud service switching) | When a VLOP relies on cloud services for delivery, DSA operational resilience obligations interact with Data Act requirements on portability of cloud services |
DSA ↔ DGA axis (intermediary services vs data intermediation services)¶
The DSA and the DGA share the term "intermediary / intermediation" but apply to distinct categories of services: the DSA governs intermediary services of the information society (mere conduit, caching, hosting of content), the DGA governs data intermediation services (mediators between data holders and data users). The same entity may, in specific cases, be subject to both regimes.
| DSA | DGA | Nature of the intersection |
|---|---|---|
| Article 3(g) ("intermediary service" = mere conduit, caching, hosting) | DGA, Article 2(11) ("data intermediation service") | The two categories are distinct: the DSA "intermediary service" operates on content, the DGA "data intermediation service" operates on data (in particular to establish contractual relationships between holders and users); DGA Recital 28 clarifies that the DGA does not apply to services limited to providing technical intermediation |
| Articles 11, 12, 13 (points of contact and legal representative) | DGA, Articles 11, 14 (notification and legal representative of the data intermediation service provider) | Structurally parallel models: both require designation of a point of contact / legal representative for non-EU providers operating in the Union, but for different purposes (content supervision vs data supervision) |
| Article 26(3); Article 38 (targeted advertising prohibitions) | DGA, Chapter IV — Articles 16-25 (data altruism) | Online platforms integrating recognised data altruism organisations (DGA) for collecting data for general-interest purposes operate in a regime where DSA prohibitions on profiling and DGA requirements on the European data altruism consent form coexist |
DSA ↔ PLD axis (liability of moderation software)¶
The DSA ↔ PLD intersection is targeted but significant: the PLD 2024/2853 expressly classifies software as a "product", including automated systems and AI systems. The automated systems for moderation, recommendation and risk assessment used by DSA providers may therefore fall within the PLD scope if they cause damage within the meaning of the directive.
| DSA | PLD | Nature of the intersection |
|---|---|---|
| Article 14(4); Article 16 (notice-and-action mechanisms) | PLD, Article 4(1) ("product" definition, including software); Article 7 (presumption of defectiveness) | Automated moderation systems are software within the meaning of the PLD: systematic erroneous removal of lawful content causing economic damage to the recipient may trigger a PLD action where the elements of liability for a defective product are established |
| Chapter III, section 5 — Article 34 (VLOPs systemic risk assessment); Article 37 (independent audits) | PLD, Recitals 13, 17, 18; Article 7(2) (presumption of defectiveness in complex cases) | DSA documentation produced by VLOPs (risk assessments, independent audits) may constitute relevant evidence in a PLD claim to demonstrate defectiveness or to trigger the simple presumption under PLD Article 7 |
| Articles 5, 6 (conditional liability exemption of the intermediary provider) | PLD, Article 8 (liable operators) | The DSA conditional exemption regime for mere conduit, caching and hosting concerns the content transmitted or stored; the PLD concerns the defectiveness of the provider's product-software: the two regimes do not overlap but may concur in specific cases |
Definitional sextet¶
Six key notions span the DSA and the other five acts, with explicit definitional cross-references or functional parallels. The DSA also introduces its own autonomous vocabulary (intermediary service, online platform, VLOPs/VLOSEs, recommender system, content moderation).
| Concept | DSA | AI Act | GDPR (source) | Data Act | DGA | PLD |
|---|---|---|---|---|---|---|
| Personal data | (implicit cross-reference to GDPR) | art. 3(50) | art. 4(1) | art. 2(3) | art. 2(3) | art. 4(6) (cross-refers to DGA) |
| Profiling | art. 26(3); art. 28(2) (cross-refers to GDPR) | (referenced in several chapters) | art. 4(4) | n/a | n/a | n/a |
| Consumer | art. 3(c) | n/a | n/a | art. 2(12) | n/a | art. 4(1) (natural person) |
| Information society service | art. 3(a) (refers to Dir. (EU) 2015/1535) | n/a | n/a | n/a | n/a | n/a |
| Intermediary / intermediation service | art. 3(g) (content intermediary) | art. 3(3), (4) (provider, deployer) | art. 4(8) (processor) | art. 2(13), (14) (data holder/recipient) | art. 2(11) (data intermediary) | art. 4(10) (manufacturer) |
| Algorithmic / recommender system | art. 3(s); art. 27 | art. 3(1) (AI system) | n/a | n/a | n/a | n/a |
Amendments and corrigenda¶
The original text of 19 October 2022 has been in force since 16 November 2022 and applies in full from 17 February 2024. Corrigenda published: no significant corrigenda published in the OJEU as of the publication date of this fact sheet. Delegated and implementing acts: the Commission has adopted a growing number of delegated and implementing acts envisaged by the Regulation (in particular for VLOPs independent audits, transparency reporting templates, vetted researcher data access under Article 40, monetary penalties under Article 74). VLOPs/VLOSEs designations: first round 25 April 2023, with successive expansions in 2023-2024.
Status of applicability¶
The DSA entered into force on 16 November 2022 (twentieth day following publication on 27 October 2022, Article 93). It applies in full to all intermediary service providers as of 17 February 2024 (Article 93(2)). Provisions applicable from the earlier date (16 November 2022): Article 24, paragraphs 2, 3 and 6 (information on average monthly active recipients); Article 33, paragraphs 3 to 6 (VLOPs/VLOSEs designation procedure); Article 37(7) (independent audits — delegated acts); Article 40(13) (vetted researcher data access — delegated acts); Article 43 (supervisory fee); Chapter IV, Sections 4, 5 and 6 (Commission supervision of VLOPs/VLOSEs, common enforcement provisions, delegated and implementing acts). For already-designated VLOPs/VLOSEs: full application 4 months after notification of designation. The Regulation is directly applicable in all Member States; Member States designate the Digital Services Coordinator (DSC, Article 49) by 17 February 2024.
Related glossary terms¶
Entries from the AI-centric glossary relevant to this act:
- Very Large Online Platform (VLOP)
- Very Large Online Search Engine (VLOSE)
- Profiling
- Special categories of personal data
- Deep fake
- AI system
- General-purpose AI model
- Systemic risk
Official sources¶
- EUR-Lex — Italian version (CELEX 32022R2065)
- EUR-Lex — English version (CELEX 32022R2065)
- EUR-Lex — European Legislation Identifier (ELI)
- European Commission — Digital Services Act page
- European Commission — DSA: a safer online environment (overview)
- List of designated VLOPs and VLOSEs (European Commission)
- DSA Transparency Database
- European Board for Digital Services
Section index¶
- Recitals — full bilingual text of the 156 recitals
- Text of the regulation — all articles organised by chapter:
- Chapter I — General provisions (Articles 1-3)
- Chapter II — Liability of providers of intermediary services (Articles 4-10)
- Chapter III — Due diligence obligations for a transparent and safe online environment (Articles 11-48) — 6 sections
- Chapter IV — Implementation, cooperation, penalties and enforcement (Articles 49-88) — 6 sections
- Chapter V — Final provisions (Articles 89-93)