EU Digital Services Act (DSA) & DMA: What Businesses Must Know

The EU's new digital regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA), are set to fundamentally change the online business environment. For any company operating in the Netherlands or across the EU, getting to grips with these rules is no longer just good practice—it's a necessity.

The DSA is all about creating a safer, more transparent online world by regulating content moderation. Meanwhile, the DMA takes aim at the anti-competitive behaviour of major tech platforms, often called “gatekeepers”, to ensure a fairer market for everyone.

Understanding Europe's New Digital Rulebook

The European Union has rolled out a powerful legislative duo that will reshape how companies operate online. These aren't just minor tweaks; they represent a significant shift in digital governance. To find real business leverage in the digital age, you have to understand the playing field, and these laws have just redrawn the boundaries.

Think of the Digital Services Act (DSA) as the new, comprehensive highway code for the internet. Its rules apply to almost every online service, from a small Dutch webshop to a global social media network. The focus is squarely on how these platforms handle illegal content, protect their users, and operate with greater transparency.

In contrast, the Digital Markets Act (DMA) acts as a specialised competition watchdog, but one with its sights set only on the biggest players. Its job is to stop giant tech platforms from using their market dominance to shut out smaller competitors and create an unfair playing field.

Solving Key Digital Challenges

So, why now? These two acts were created to tackle specific, persistent problems that define the modern internet—issues that affect consumers and businesses every single day.

The DSA was designed to address growing concerns around safety and transparency, such as:

  • The unchecked spread of illegal goods, services, and harmful content online.
  • A lack of clear accountability when platforms make content moderation decisions.
  • The "black box" nature of algorithms that decide what we see, with no explanation.

The DMA, on the other hand, is all about levelling the economic playing field. It zeroes in on correcting the power imbalances caused by issues like:

  • Gatekeeper platforms giving preferential treatment to their own products and services.
  • Businesses being denied access to the data they help generate on a large platform.
  • Companies being forced to use a gatekeeper's own services, like app stores or payment systems, just to reach their customers.

A quick way to compare the two is with a side-by-side view.

DSA vs DMA at a Glance

| Aspect | Digital Services Act (DSA) | Digital Markets Act (DMA) |
| --- | --- | --- |
| Core Mission | To create a safer online environment by regulating illegal content and increasing platform transparency. | To ensure fair and contestable digital markets by preventing anti-competitive practices by "gatekeepers". |
| Who It Targets | All online intermediaries (e.g., ISPs, hosting services, online marketplaces, social media). | A specific list of large online platforms designated as "gatekeepers" by the European Commission. |
| Key Impact | Requires clear processes for content removal, user appeals, and transparency in advertising and algorithms. | Imposes a list of "do's and don'ts" on gatekeepers, such as allowing third-party software and fair data access. |

Ultimately, this new regulatory framework forces a major shift in how digital business is done in Europe.

The DSA builds a foundation for a safe and accountable online space for everyone, while the DMA ensures that within that space, all businesses have a fair shot at innovation and growth.

For businesses here in the Netherlands and those serving EU customers, ignoring these laws simply isn't an option. They demand proactive changes to your terms of service, internal processes, and even your technology. The first step is to understand what each act is designed to do, so you can build a compliant and resilient strategy for the future.

Meeting Your Obligations Under the Digital Services Act

The Digital Services Act isn't a one-size-fits-all sledgehammer. Instead, it works on a tiered system, carefully scaling its demands based on the size and type of your online service. Think of it like road safety rules: every driver has to obey the speed limit, but heavy goods vehicles have extra regulations about driving hours and securing their cargo.

This layered approach ensures the compliance burden is proportionate. A small Dutch e-commerce shop simply won't be held to the same intense standards as a massive global social media platform. The very first step towards meeting your duties under the EU Digital Services Act (DSA) is figuring out exactly where your business fits into this structure.

The framework sorts online services into several categories, with each level adding more responsibilities.

The Foundational Rules for All Intermediaries

At the very bottom of the pyramid are the intermediary services. This is a broad group that includes everything from internet access providers to domain name registrars and other core network infrastructure services. They all must follow a basic set of rules, which form the bedrock of the DSA.

Key requirements for this group include:

  • Establishing Points of Contact: You must set up a single, clear point of contact for government authorities, the European Commission, and your users. These details need to be easy for anyone to find.
  • Updating Terms and Conditions: Your terms of service have to be transparent about how you handle content moderation. This means clearly explaining your procedures and any restrictions you might place on user-generated information.
  • Annual Transparency Reports: All intermediaries are required to publish an annual report that details their content moderation activities. For smaller companies, this can be a fairly straightforward document.

These baseline duties establish a new standard of accountability for every link in the digital supply chain. They make sure even the most fundamental online services are part of a more transparent and responsive system. This is a big shift, particularly as these roles can sometimes overlap with data protection duties, which are distinct from the responsibilities outlined in our guide on controller and processor roles under GDPR.

Stepping Up Responsibilities for Hosting Services

The next tier up covers hosting services, like cloud platforms and web hosting providers. These are businesses that store information on behalf of their users. On top of the foundational rules, they have one very important extra job.

They must put a "notice-and-action" mechanism in place. This has to be a simple, user-friendly system that lets anyone report content they believe is illegal. Once a report comes in, the hosting service has to act fast to investigate and, where necessary, take the content down or block access to it. This mechanism is crucial to the DSA's aim of fostering a safer online environment.

Enhanced Duties for Online Platforms

Things get more serious for online platforms. This is a wide-ranging category that captures online marketplaces, app stores, and social media networks. These platforms don't just store content; they actively spread it to the public.

For these businesses, compliance brings several more layers of obligation:

  • Internal Complaint-Handling System: They need to offer users an internal process to appeal content moderation decisions. This system must be available for at least six months after the decision was made.
  • Out-of-Court Dispute Settlement: Platforms must also give users access to certified bodies for settling disputes out of court.
  • Priority for "Trusted Flaggers": Any reports submitted by organisations that have been awarded "trusted flagger" status by national authorities must be dealt with as a priority.
  • Measures Against Misuse: They are required to suspend users who repeatedly post illegal content or who constantly file baseless complaints or notices.

This step-up in responsibility reflects the huge influence these platforms have on public debate and commerce. As these rules have come into force, consumer expectations have risen sharply. Although the Digital Services Act officially became enforceable in the Netherlands on 17 February 2024, a survey by the Netherlands Authority for Consumers & Markets (ACM) in June 2023 found that a staggering 66% of Dutch consumers had already run into issues that the DSA aims to solve. Their frustrations ranged from only being able to contact platforms via automated systems to a total lack of clarity in how ranking algorithms work.

This data reveals a clear disconnect between the law's goals and the reality of user experience. It underscores the urgent need for platforms to improve their compliance efforts, especially around user communication and algorithmic transparency.

Finally, the most demanding rules are reserved for the giants of the internet: Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). These are defined as services with more than 45 million active monthly users in the EU. They face a mountain of obligations, including mandatory risk assessments, independent external audits, and giving the public access to data on their recommender system algorithms.

Navigating the Digital Markets Act and Its Gatekeepers

While the Digital Services Act casts a wide net, the Digital Markets Act (DMA) is a much more focused piece of legislation. It’s not aimed at every business with a website; instead, it has its sights set squarely on the biggest players in the digital world—the so-called "gatekeepers." These are the tech giants whose platforms are so deeply woven into our daily lives that they essentially control the flow of traffic to millions of other businesses and users.

Think of it like this: a massive shopping centre owner doesn't just rent out shops. They also force every store inside to use their own, often pricey, delivery service to reach any customer. The DMA is designed to stop exactly that kind of anti-competitive behaviour. The goal is to make sure the market stays fair and open, allowing smaller businesses to succeed based on merit, not just muscle.

This is a critical distinction to grasp. The DMA isn’t about what your business has to do; it’s about what the gatekeepers must now do for you.

Defining a Digital Gatekeeper

The European Commission doesn't just point fingers. To be officially labelled a gatekeeper, a company has to meet a strict, quantitative checklist. This makes sure the rules only apply to platforms that hold a truly significant and unshakeable position in the market.

In general, a company qualifies if it:

  • Operates a "core platform service"—think online search engines, app stores, social networks, or operating systems.
  • Has a major impact on the EU’s internal market. This usually means an annual turnover of at least €7.5 billion within the EU or a market capitalisation of €75 billion.
  • Acts as a vital gateway, connecting a huge base of users to a large number of businesses. The threshold is typically more than 45 million monthly active end-users in the EU and over 10,000 yearly active business users.

Once a company gets this designation, the clock starts ticking. It has six months to comply with a clear list of obligations—a set of ‘dos and don’ts’ aimed at creating a more contestable and fair digital space. This part of the EU Digital Services Act (DSA) and Digital Markets Act (DMA) framework is all about rebalancing the scales.

A New Set of Rules for Tech Giants

The DMA's obligations aren't friendly suggestions. They are legally binding requirements that will fundamentally change how gatekeepers are allowed to operate. These rules are crafted to tear down unfair advantages and create new opportunities for the businesses that rely on these platforms.

The core idea behind the DMA is to shift the market from one dictated by a gatekeeper’s private rules to one governed by fair competition. It ensures the platform owner can no longer be both the referee and the star player in the same game.

Key obligations for designated gatekeepers include:

  • Ending Self-Preferencing: They are no longer allowed to rank their own products or services more favourably than those of their competitors. A search engine, for instance, can’t just put its own shopping service at the top of every relevant search.
  • Allowing Data Access: Business users (like a small shop on a major marketplace) must be given access to the data they generate through their own activities on the gatekeeper's platform.
  • Enabling App Sideloading: Gatekeepers that control operating systems have to allow users to install apps from third-party sources and alternative app stores. This breaks the monopoly of a single, central marketplace.
  • Permitting Unlinking of Services: They can't force a user to sign into or register with another one of their services just to use a core platform.
  • Banning Unfair Contract Terms: Gatekeepers are forbidden from stopping business users from offering the same products or services at different prices on other platforms or their own websites.

For smaller businesses, these changes are a big deal. Fairer app store policies can lower costs, better access to advertising data can lead to more effective marketing, and an end to self-preferencing means your superior product actually has a fighting chance of being discovered. Ultimately, the DMA is about giving you the power to compete on a more level playing field.

How the DSA and DMA Are Enforced in the Netherlands

While the Digital Services Act and Digital Markets Act are EU-wide regulations, their real teeth are in local enforcement. In the Netherlands, the primary body tasked with putting these rules into practice is the Netherlands Authority for Consumers & Markets (ACM). The ACM has been officially named the national Digital Services Coordinator, giving it serious authority to oversee compliance.

This isn't just a title. The ACM has the power to launch investigations into businesses it suspects are breaching DSA rules. If a company is found to be non-compliant, the consequences can be severe. This includes the power to levy substantial fines that can reach up to 6% of a company's global annual turnover.

This enforcement role places the ACM right at the heart of the Dutch digital economy. It's their job to ensure online platforms, hosting services, and marketplaces all stick to the new standards for safety and transparency. Their actions will directly shape how businesses must operate in the country.

The ACM's Enforcement Priorities

The ACM hasn't been secretive about its focus. It has clearly outlined where it will be directing its attention, which gives businesses a valuable roadmap for their own compliance efforts. For 2025, the authority has several key priorities.

First, it's homing in on the basics of platform accountability. The ACM will be closely checking whether online platforms have set up user-friendly reporting systems and clear, easy-to-find points of contact for both users and authorities. This gets back to a core goal of the DSA: making platforms more responsive and less of a black box.

The ACM is also putting web hosting services under the microscope. This makes sense, given that the Netherlands is a major European hub for this industry. Hosting providers will need to prove their "notice-and-action" systems for illegal content are both robust and efficient.

A significant priority for the ACM is the protection of minors online. The authority has announced a focused study into this area, signalling that platforms targeting or widely used by younger audiences will face heightened scrutiny over their safety measures.

Addressing the Business Awareness Gap

Despite the DSA's huge impact, there’s a surprising disconnect within the Dutch business community. Recent research from the ACM uncovered a significant information gap, showing just how much education is still needed.

A May 2024 report revealed that half of all Dutch business users had never even heard of the DSA. Only a quarter recognised the law by name. Thankfully, the compliance picture is brighter, as three-quarters of these business users said they hadn't run into issues with their providers failing to meet DSA duties.

To close this awareness gap, the ACM is taking a proactive approach. It's currently developing a DSA compliance check tool designed specifically to help businesses navigate their new obligations. This tool will allow companies to figure out which rules apply to them, offering a practical path to compliance tailored to the Dutch digital ecosystem.

Broader Regulatory Context in the Netherlands

It’s crucial to understand that the ACM's enforcement of the DSA doesn't happen in a vacuum. It fits within a much wider framework of Dutch digital regulation. The Netherlands has a robust legal system that already addresses various aspects of online activity, creating a multi-layered compliance environment.

This means that following the DSA is just one piece of the puzzle. Companies must also think about how these new EU rules interact with existing national laws. Understanding the broader legal requirements is essential for a complete compliance strategy, as highlighted by the ongoing legislative efforts described in our article about the Dutch Cybercrime III Bill.

This mix of proactive education, targeted enforcement, and a strong national regulator shows the Netherlands is serious about implementing the EU's new digital rulebook. For businesses operating here, the message is clear: getting to grips with the ACM's role and priorities is the first step toward successful, long-term compliance.

Connecting the Dots with Other EU Digital Laws

It's a huge mistake to see the EU Digital Services Act (DSA) and Digital Markets Act (DMA) as just another checklist for your business to tick off. These laws don't operate in a legislative bubble. For any business in the Netherlands, true compliance means understanding how they fit into a much bigger picture of European digital regulation—a web of rules all aimed at creating a safer, fairer, and more accessible online world.

This interconnectedness demands a holistic strategy. Platform safety under the DSA and market fairness under the DMA are really just two pillars of a much larger structure. A third, equally vital pillar is digital inclusion, a principle now being driven home by other key laws that work in tandem with these new acts.

The European Accessibility Act Joins the Fray

A perfect example of this synergy is the European Accessibility Act (EAA). This act adds another crucial layer of compliance, forcing Dutch businesses to make their digital products and services accessible to people with disabilities. It’s not a separate task but a parallel requirement that directly overlaps with the digital world governed by the DSA and DMA.

This convergence creates a powerful trifecta of obligations:

  • DSA: Governs how you manage content and maintain transparency.
  • DMA: Dictates how you compete with or operate on major 'gatekeeper' platforms.
  • EAA: Mandates that your digital services are actually usable by everyone.

Drop the ball on any one of these, and your business is exposed. Having a transparent, fairly marketed e-commerce site is great, but it’s still non-compliant if it’s impossible for a visually impaired user to navigate.

How the Netherlands Integrates These Laws

The Netherlands has taken a unique approach to implementing these EU directives. Instead of creating a brand-new enforcement body, it has woven the rules into existing national laws, spreading the oversight across various sector-specific regulators. This integrated—yet fragmented—approach shows just how deeply these principles are being embedded into the Dutch legal system.

For example, the Dutch digital sector, one of Europe's most advanced, will face strict accessibility rules under the EAA from 28 June 2025. The ACM (Authority for Consumers and Markets) will be the enforcer, making sure e-commerce platforms and apps are accessible. At the same time, accessibility in electronic communications falls under the Telecommunications Act, while general e-commerce compliance is governed by the Dutch Civil Code. This regulatory patchwork means businesses must track multiple legal touchpoints, not just one new law.

This convergence of platform accountability (DSA), market fairness (DMA), and digital inclusion (EAA) illustrates the complex but vital compliance environment faced by Dutch businesses. Proactive oversight is the new norm.

Building a Future-Proof Compliance Strategy

This intricate legal network also rests on foundational regulations like the GDPR. For any business operating in the EU, getting to grips with the DSA and DMA is often built upon a solid foundation of GDPR mastery for website compliance and data protection.

What’s more, this push for digital responsibility bleeds into cybersecurity. Regulations like the NIS2 Directive require businesses in critical sectors to seriously beef up their digital defences—a theme that fits hand-in-glove with the DSA's goal of creating a safer online space. You can get ahead of this by reading our guide on NIS2 legal advice for businesses in the Netherlands.

Ultimately, a resilient digital operation is one that sees these laws not as separate headaches, but as connected parts of a single, coordinated push towards a more responsible and equitable digital future.

Your Questions About the DSA and DMA Answered

New regulations always kick up a lot of questions. Let’s cut through the noise and get straight to what the EU Digital Services Act (DSA) and Digital Markets Act (DMA) really mean for your day-to-day business.

What Is the Main Difference for a Small Business?

For a small business, telling these two laws apart is vital. The easiest way to remember the difference is to think about who is responsible for what.

  • The DSA sets the rules you have to follow on your own platforms. This is all about how you run your digital shop—your content moderation policies, how people can report illegal content, and keeping your terms and conditions transparent.

  • The DMA sets the rules that massive 'gatekeeper' platforms must follow when they deal with you. It’s there to level the playing field, making sure giants like major app stores or search engines can’t use their market power to squeeze out smaller businesses. This law gives you rights, not obligations.

So, the DSA is about your direct responsibilities online. The DMA is about protecting your rights when you’re interacting with the biggest names in tech.

Think of it like this: The DSA is your company’s highway code for driving online. The DMA is there to stop the biggest lorries from unfairly hogging all the lanes and blocking everyone else.

Do These Laws Apply if My Business Is Not in the EU?

Yes, they absolutely do. This is a crucial detail for any international business. The reach of the DSA and DMA isn’t determined by where your company is based, but by where your users are.

If you offer any products or services to people inside an EU member state, like the Netherlands, you must comply. Your headquarters could be anywhere in the world, but if you have European customers, these rules apply to you.

What Are the First Steps to Become Compliant?

Getting started doesn't need to be a huge headache. A simple, actionable checklist is the best way to make real progress.

Here are your immediate priorities:

  1. Determine Your DSA Category: First, figure out where your business fits. The DSA has different tiers: are you a simple intermediary, a hosting service, or an online platform? Your obligations will scale depending on your classification.
  2. Update Your Terms and Conditions: Go through your terms and spell out your content moderation process clearly. Explain any restrictions you place on user-generated content.
  3. Create a Single Point of Contact: You need to designate and publish a single, official contact point. This is for both authorities and users to get in touch about any DSA-related matters.
  4. Review Gatekeeper Agreements: Take a close look at any agreements you have with platforms designated as 'gatekeepers'. It's important to understand the new rights you have under the DMA when it comes to data sharing and service terms.
Law & More