From 17 February 2024 the EU's Digital Services Act (DSA), which to date applied only to the largest intermediary service providers within its scope (ISPs), will apply to all ISPs.

Background of the DSA

The DSA entered into force on 16 November 2022. ISPs are digital service providers that process third-party content, or otherwise connect businesses, consumers and internet users with third-party content. They fall within the scope of the DSA if they (i) allow users in the EU to access its services; and (ii) have a substantial connection to the EU (i.e. either through being established in the EU, or if such ISPs target individuals located in the EU).

Since 25 August 2023, ISPs designated by the European Commission (EC) as "very large online platforms" (VLOPs) and "very large online search engines" (VLOSEs) have been required to comply with their obligations under the DSA. However, from 17 February 2024, the DSA will apply to all ISPs.

The DSA imposes several obligations, including and various transparency requirements and obligations relating to the detection and removal of illegal third-party content, on ISPs. The full extent of the obligations depends on the size and nature of the ISP, with VLOPs and VLOSEs subject to the most obligations, and micro or small enterprises conversely exempt from certain obligations.

Obligations on non-VLOPs and non-VLOSEs

A summary of the DSA's obligations and ISPs' responsibilities, are as follows:

Obligations that apply to all ISPs

  • The DSA requires ISPs to respond to orders from national authorities, publish and maintain a point of contact for regulators and service recipients, and moderate content and handle complaints.
  • Unless the ISP is a micro or small enterprise (namely, an ISP with fewer than ten employees and with an annual turnover and/or annual balance sheet not exceeding €2 million; and an ISP with fewer than 50 employees with an annual turnover and/or annual balance sheet not exceeding €10 million respectively), all ISPs must also publish annual transparency reports detailing their content moderation activities.
  • If the ISP is not established in the EU, it must also appoint an EU legal representative, publish the representative's contact information, and notify the relevant regulators.

Obligations that apply to hosting providers

  • In addition to the obligations above, hosting providers (i.e. ISPs that store information provided by service recipients at their request, such as cloud and web-hosting services, and other content-sharing services) are required to implement electronic take-down mechanisms to flag and remove illegal content online, and must generally provide a statement of reasons to affected service recipients.
  • Such ISPs are also required to report suspicions of life or safety threatening criminal offences to law enforcement agencies.

Obligations that apply to online platforms and online trading platforms

  • Online platforms are ISPs that both store information and make such information available to the public on behalf of service recipients (i.e. social media, price comparison services, and app stores).
  • Online trading platforms are online platforms that that allow consumers to purchase goods or services online from professional traders (i.e. online marketplaces, ride-hailing services, online travel and accommodation platforms).
  • Unless such online platforms and online trading platforms qualify as micro or small enterprises, they must generally:
    • Implement a complaint and dispute resolution mechanism;
    • Prioritize the removal of illegal content flagged by certain trusted flaggers;
    • Prevent repeat offenders from uploading illegal content;
    • Prevent the use of dark patterns and sensitive profiling; and
    • Implement enhanced transparency measures (including with regards to advertisements).
  • If the service is accessible by minors, such ISPs must also implement appropriate security measures to protect them.
  • Online trading platforms must also maintain information about the traders who use their platform, ensure their online interface is designed in a way that enables traders to comply with their obligations under EU law, and provide certain information to EU consumers if they have been offered illegal products and/or services.


The EC's list of VLOPs and VLOSEs makes it clear whether an organisation is a VLOP or a VLOSE. However, it is less straightforward for other ISPs to determine which obligations under the DSA apply to them as there are no other EC-published lists of ISPs that are within scope of the DSA.

Such lists are also unlikely to be forthcoming as the scope of the DSA is broad and captures a wide range of organisations. The obligations under the DSA are cumulative. As organisations may fall into more than one category of ISP, a careful assessment is required to identify all applicable obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.