Modern website design on multiple devices

Digital Services Act (DSA) & Digital Markets Act (DMA) Guide

Blog /

The Digital Services Act (DSA) and Digital Markets Act (DMA) are EU regulations that set new, mandatory rules for online service providers and powerful “gatekeeper” platforms to keep users safe and markets fair. Although drafted in Brussels, their reach is global: any company that targets EU users must obey or risk fines of up to 6 %—and, for repeat gatekeepers, 20 %—of worldwide turnover. With full enforcement already ticking for the DSA and the first DMA compliance reports due within months, boards and product teams have little time to figure out what changes are required.

This guide cuts through the legal jargon. You’ll get clear definitions, side-by-side comparisons, key dates, and a step-by-step checklist that translates statutory articles into practical actions for tech, legal, and compliance staff. Scroll on to see how the new rulebook affects your business—and what to do next.

EU’s New Digital Rulebook at a Glance

Brussels did not write the Digital Services Act (DSA) and Digital Markets Act (DMA) in isolation. Together they anchor a wider reform package meant to reboot the EU’s online economy after two decades of runaway platform power and patch-work enforcement.

Why the EU Introduced the DSA & DMA

  • Big Tech’s dominance revealed blind spots in competition law: one-off antitrust cases took years, while gatekeepers kept scaling.
  • Illegal content (terrorist propaganda, counterfeit goods) flows seamlessly across borders, and the 2000 e-Commerce Directive offered little more than notice-and-take-down.
  • Policymakers wanted to reinforce fundamental rights—think freedom of expression and consumer protection—without forcing general monitoring.
  • Politically, the twin regulations are billed as the backbone of a trustworthy Digital Single Market that can rival the US and China.

Position Within the Broader EU Digital Strategy

The DSA and DMA sit next to, not on top of, other flagship acts:

  • GDPR → personal data
  • NIS2 → cybersecurity
  • Data Act → industrial data sharing
  • AI Act → high-risk algorithms
  • Platform Work Directive → gig-worker rights

Each law tackles a different risk area; enforcement is shared between national regulators and the European Commission to avoid overlap while enabling joint investigations.

High-Level Objectives and Principles

Objective Practical Benefit for Users & SMEs
Transparency of systems & ads Less disinformation, informed purchasing
Accountability for illegal content Faster removal of scams and hate speech
Contestable digital markets Lower entry barriers for startups
User safety and fundamental rights Safer browsing, stronger consumer voice

Taken together, the DSA boosts content governance, while the DMA keeps markets contestable—a one-two punch that rebalances the digital playing field.

Digital Services Act (DSA): Scope, Goals & Core Obligations

The DSA rewrites the playbook for anything that carries, hosts, or curates content online. Its guiding aim is blunt: keep users safe while preserving an open marketplace for ideas and goods. To do that, the regulation layers obligations by service type—light-touch for network pipes, heavy for giants whose algorithms shape public debate. Because it applies whenever EU users are “targeted,” the rule hits global SaaS vendors and drop-shipping side hustles as surely as the household names.

Who Must Comply

  • Mere conduit services (ISP, CDN), caching providers, hosting services, and “online platforms” that put user and third-party content in front of others all fall within scope.
  • A special tier—Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs)—kicks in at 45 million monthly EU users.
  • Location is irrelevant: any provider that offers services to the EU or monitors EU user behavior must appoint an EU legal representative.

Baseline Duties for All Intermediaries

  • Set up easy-to-use “notice-and-action” channels so anyone can flag illegal content.
  • Publish annual transparency reports detailing moderation decisions, orders from authorities, and use of automated tools.
  • Maintain a single point of contact for users and regulators.
  • Cooperate swiftly with national courts and Digital Service Coordinators.

Additional Rules for Online Platforms

  • Verify traders—“Know Your Business Customer”—before allowing them to sell to consumers.
  • Offer internal complaint mechanisms and access to certified out-of-court dispute settlement.
  • Label every ad in real time, disclose key targeting parameters, and prohibit ads based on sensitive data or aimed at minors without strict safeguards.

VLOP/VLOSE Obligations

  • Perform—and publish—annual systemic risk assessments covering disinformation, election integrity, and children’s safety.
  • Implement mitigation plans overseen by an independent compliance officer and subject to external audits.
  • Maintain public ad repositories with searchable APIs so researchers can scrutinize political and issue-based advertising.
  • Deploy crisis protocols when events such as pandemics or wars spike online risks.

Liability and Safe-Harbor Nuances

The DSA preserves the classic safe harbor: no liability if the provider lacks “actual knowledge” of illegality (Article 4). But the bar rises once a credible notice arrives—stall and you lose immunity. Importantly, the Act rejects blanket monitoring, instead imposing a “duty of care” calibrated to platform size. Example: a marketplace that promptly removes a flagged counterfeit bag keeps its shield; one that ignores repeat notices may face both takedown orders and fines up to 6 % of global turnover.

Digital Markets Act (DMA): Scope, Goals & Core Obligations

Where the DSA polices content, the DMA tackles market power. It is an ex-ante competition rulebook that pre-defines how a handful of “gatekeeper” platforms must behave so that smaller firms can still reach customers, innovate, and monetise their offerings. Fines are eye-watering—up to 10 % of global turnover (20 % for repeat offenders)—so knowing whether you are, or depend on, a gatekeeper is mission-critical.

Defining “Gatekeepers”

A provider is presumed to be a gatekeeper when it offers a core platform service and meets all three quantitative thresholds:

  • €7.5 billion EEA turnover (last three years) or €75 billion market cap
  • At least 45 million monthly active end-users in the EU
  • At least 10 000 yearly active business users

Core platform services include search engines, social networks, operating systems, online marketplaces, app stores, advertising services, web browsers, voice assistants and cloud services.
The Commission can still tag a company as a gatekeeper via a qualitative test—“entrenched and durable” market power—while firms may rebut designation if they prove lack of such power.

Obligations Gatekeepers Must Perform

Gatekeepers must, within six months of designation:

  • Allow end-users to uninstall pre-loaded apps and change defaults easily.
  • Enable real-time data portability and grant business users access to performance metrics.
  • Ensure interoperability of basic messaging functions (text, voice, video).
  • Provide advertisers and publishers with transparent pricing for every ad impression and offer reconciliation tools.
  • Use FRAND-based terms for access to app stores, payment services, and search ranking data.

Practices Strictly Prohibited

  • Self-preferencing their own products or services in rankings or results.
  • Locking in business users through anti-steering clauses or bundling “must-take” services.
  • Re-using personal data collected from one service to another without explicit GDPR consent.
  • Restricting third-party developers from using external payment or identity solutions.

Compliance Process and Reporting

The formal flow is: designation notice → six-month implementation clock → comprehensive compliance report. Gatekeepers must appoint an independent compliance officer, undergo annual audits, run a whistle-blower channel for business users, and keep detailed logs of measures taken. Non-compliance may trigger periodic penalty payments of 5 % daily turnover and, in last resort, structural remedies such as divestiture.

Interaction With Competition Law

The DMA sits alongside Articles 101/102 TFEU. It does not replace case-by-case antitrust actions; instead, it supplies bright-line ex-ante rules enforced centrally by the Commission’s DMA Taskforce, while national competition authorities assist with evidence gathering and monitoring. Together they aim to guarantee contestable and fair digital markets across the EU.

DSA vs. DMA: Side-by-Side Comparison

Both laws spring from the same Brussels playbook, but they tackle different problems. The Digital Services Act (DSA) regulates how content flows and is moderated; the Digital Markets Act (DMA) disciplines the economic power of a handful of “gatekeeper” platforms. The matrix below highlights the key splits you need to know when mapping compliance duties.

Purpose and Core Focus

  • DSA: User safety, transparency, and accountability in content governance.
  • DMA: Contestable and fair digital markets by curbing gatekeeper self-dealing.

Entities Covered

  • DSA: Every online intermediary—from a hobby forum to a CDN—with extra layers for VLOPs/VLOSEs.
  • DMA: Only companies designated as gatekeepers that provide core platform services.

Supervisory Bodies and Powers

  • DSA: National Digital Service Coordinators plus an EU Board; power to order take-downs and audits.
  • DMA: European Commission’s DMA Taskforce; can run dawn raids and impose structural remedies.

Timelines and Deadlines

  • DSA: Fully applicable since 17 Feb 2024; ongoing annual duties for VLOPs.
  • DMA: Gatekeeper designation triggers a six-month clock to comply and file the first report.

Penalties and Enforcement Tools

  • DSA: Fines up to 6 % of global turnover, 1 % per day for delays, service suspension for systemic risk.
  • DMA: Fines up to 10 % (20 % repeat) and, ultimately, forced divestiture.

Expected Impact on SMEs & Consumers

  • SMEs: More access to platform data and fairer ranking, yet new paperwork for seller verification under the DSA.
  • Consumers: Fewer scams and opaque rankings, greater control over data and default apps—a win-win when both acts work in tandem.

Who Needs to Comply and How to Get Ready

Even if your logo has never graced Brussels, the digital services act (DSA) and digital markets act (DMA) can still land on your desk. Both rules hinge on what you do online, not where you are incorporated. A clear-eyed exposure check, followed by a short, iterative project plan, keeps the workload manageable and auditors happy.

Mapping Exposure by Business Model

Business Model DSA Layer DMA Relevance Typical “Trigger”
ISP / CDN Mere conduit None Network traffic into EU
SaaS / Cloud hosting Hosting None Stores or processes user files
Marketplace / App store Online platform → VLOP at 45 m users Possible gatekeeper Uses third-party sellers
Social media, Search Online platform / VLOP Core platform service Curates user-generated content
Fintech / Bank API Hosting + data processor Low Provides account aggregation

Non-EU firms targeting EU users must also appoint an EU legal representative—no exceptions.

Step-by-Step Compliance Roadmap

  1. Inventory every service, data flow, and user touchpoint.
  2. Assign an executive owner, allocate budget, set a six-month timeline.
  3. Run a gap analysis against DSA baseline duties and, if relevant, DMA gatekeeper annexes.
  4. Draft or update T&Cs, ad labels, internal complaint policies.
  5. Train staff, deploy tech tooling, and schedule the first transparency report.

Governance, Documentation & Reporting

Keep a live dossier containing:

  • Annual transparency reports and systemic-risk assessments
  • Notices received and action timestamps
  • Algorithm change logs and audit certificates
  • Gatekeeper compliance reports (if designated)

Technical & Organizational Controls Checklist

  • User flagging dashboard with 24-hour SLA
  • Age and seller verification modules
  • API for data portability (JSON/CSV export)
  • Separate ad repository with public search endpoint
  • Crisis-response playbook tied to on-call engineers

Budgeting and Resource Planning

SMEs typically set aside €20k–€60k for legal drafting and tooling; designated gatekeepers should expect low-seven-figure spends, mainly on audits and interoperability builds. Evaluate “build vs. buy” early—outsourced moderation or compliance SaaS can halve ongoing costs while keeping teams lean.

Enforcement, Penalties & Redress Mechanisms

Regulations only work when violators feel the sting. That’s why the EU paired the DSA and DMA with a layered watchdog network and fines big enough to make even trillion-dollar firms blink.

Supervisory Architecture

Digital Service Coordinators police most DSA duties at national level, backed by an EU Board for cross-border cases and policy coherence. The Commission leads every DMA investigation and all VLOP/VLOSE oversight, wielding dawn-raid powers, interview mandates, and real-time data-access orders.

DSA Fines & Penalties

  • Up to 6 % of global turnover per breach
  • Recurring penalties capped at 1 % of daily revenue
  • Service suspension or access blocking for persistent, systemic risks
  • Mandatory five-year record retention, enabling future audits

DMA Fines & Structural Remedies

Gatekeepers risk 10 %—and 20 % for repeat offenders—of worldwide turnover. If monetary sticks prove useless, the Commission may impose behavioural codes, demand interoperability APIs, or, as hammer-blow, order structural separation of business lines.

Complaints and User Redress

Users, traders, and whistle-blowers may file complaints through platform dashboards, certified ADR bodies, or straight to regulators. Platforms must respond quickly and at no cost to the complainant. Consumer groups can bundle claims under the EU Collective Redress Directive.

Litigation Outlook

Expect more DSA/DMA lawsuits in Dutch courts, including collective actions over faulty takedowns or self-preferencing. Detailed moderation logs and audit trails will make—or break—the defense. Early legal review therefore saves both reputation and balance sheet.

Key Dates, Milestones and Future Updates

The rulebook is already in force, but many operational details are still landing. Mark the following checkpoints so budget, tech sprints, and board briefings hit the right week.

Legislative Timeline Snapshot

Proposal unveiled 15 Dec 2020 → political deal 23 Apr 2022 → texts published in the Official Journal 27 Oct 2022 → both acts entered into force 16 Nov 2022.

Compliance Deadlines

VLOP/VLOSE designations took effect 25 Apr 2023; DSA applies to everyone since 17 Feb 2024. Gatekeepers have six months post-designation; first DMA compliance reports are due 6 Sep 2024.

Upcoming Delegated Acts & Guidance

Expect Commission templates on systemic-risk assessments, ad-repository APIs, and certified ADR standards by Q4 2025, plus regular Q&A batches from the EU Board.

Review Clauses and Possible Expansions

A formal three-year review in 2026 may widen coverage to metaverse hubs, voice assistants, and generative-AI services if systemic risks persist.

Quick Answers to Common Questions

Pressed for time? The bite-size explanations below cover the queries we hear most often from clients trying to decode the digital services act (DSA) and digital markets act (DMA).

What Is the Digital Services Act in Plain English?

A transparency and user-safety rulebook that obliges every website, app, or hosting provider to let people flag illegal content easily, act on those flags quickly, and publish annual moderation stats.

What Is the Digital Markets Act in Plain English?

An ex-ante competition law that tells “gatekeeper” platforms—think app stores, search engines, social networks—what they must do (open APIs, allow uninstalls) and must not do (self-prefer, tie services).

Main Difference Between DSA and DMA?

DSA governs how content is handled for user protection; DMA governs how market power is used for fair competition. One targets conduct, the other targets dominance.

Does the DSA/DMA Apply Outside the EU?

Yes. If you target EU users or monitor their behavior, you must comply and appoint an EU legal representative—even when headquartered in Silicon Valley or Singapore.

What Happens If My Company Ignores the Rules?

Regulators can levy fines up to 6 % (DSA) or 10 %/20 % (DMA) of global turnover, impose daily penalty payments, and in extreme cases block access to the EU market.

Are Banking and Financial Services Covered?

Only when they act as online intermediaries—e.g., operate a marketplace or API layer. Sector-specific rules like PSD2 still apply in parallel.

Next Steps

The DSA and DMA are already enforceable, and ignorance carries headline-grabbing fines. Treat compliance like any other product launch—structured, budgeted, and documented:

  • Map every digital service and identify which act—and tier—applies.
  • Run a rapid risk scan, then deepen analysis where exposure is high.
  • Allocate budget, owners, and a six-month timeline before regulators ask.
  • Log every decision and get external legal review early, not after a complaint.

Need tailored help? Contact Law & More to turn these bullets into an actionable plan.

Related Posts

Law & More