Artifact GuideEU

EU Digital Services Act (DSA) Applicability Test

A practical, defensible way to decide whether the DSA applies to you - and which layer applies.

Use this test to create a scope memo and start a compliance program with the right workstreams.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 21, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 21, 2026

Overview

"Does the DSA apply to us?" is rarely a yes/no question. Most teams need a layered answer: which service type(s) are in scope (hosting/platform/marketplace/search), what obligations attach to each service, and whether VLOP/VLOSE systemic-risk obligations could apply. This applicability test walks you through the questions that produce an audit-ready output.

Section 1

Output you should produce (what "done" looks like)

By the end of this applicability test you should have a 1-2 page scope memo per service, plus an obligation map you can hand to owners.

That output becomes the backbone for your DSA checklist, roadmap, and reporting cadence.

Service list: which products/services you operate and which are offered to recipients in the EU.
Service type classification per service: intermediary service -> hosting -> online platform -> marketplace/search engine.
Tier outcome: whether you are likely to be designated as a VLOP/VLOSE and what that implies (risk assessment, audits, enhanced transparency).
Workstreams and owners: content moderation, user redress, transparency reporting, ad/recommender transparency, marketplace checks.
Evidence pack: where the supporting facts live (product specs, UX screenshots, policies, logs, reporting data).

Section 2

Step 1 - Do you offer the service in the EU?

The DSA applies to services offered to recipients in the Union. For many companies, the "EU offering" determination is practical: can EU users access, use, or be targeted by the service?

Document the facts that show EU offering (or lack thereof).

Access: can EU recipients sign up or access content? Are EU languages or currencies supported?
Targeting: do you market to EU recipients, run ads targeting EU, or ship goods/services to the EU?
Operational footprint: do you have an establishment in the EU or use EU-facing domain/localization?
If you're not established in the EU but offer services in the EU, plan for a legal representative (Article 13).

Section 3

Step 2 - Are you a provider of intermediary services (baseline layer)?

If you transmit, cache, or host information provided by recipients, you're in intermediary service territory and inherit baseline obligations (e.g., terms transparency, points of contact).

If you host user-provided information, you should plan for notice & action mechanisms.

Mere conduit: pass-through transmission (common for access providers).
Caching: temporary storage to improve performance (common in CDNs).
Hosting: storage of information provided by recipients at their request (UGC, listings, repositories, comments, file hosting).

Section 4

Step 3 - Do you host user-provided information? (hosting layer)

Hosting services have a dedicated DSA layer that includes notice & action mechanisms (Article 16) and statements of reasons for restrictions (Article 17).

This is often the first "real engineering work" layer.

If you take notices: design intake that is electronic, user-friendly, and captures required elements (Article 16(2)).
If you restrict content/accounts: plan for statement-of-reasons content and logging (Article 17).
If you become aware of certain serious criminal offence risks: plan notification procedures (Article 18).

Section 5

Step 4 - Is your hosting service an online platform?

Online platforms typically involve dissemination of information to the public (or to other recipients) at the request of the user/recipient who provided it.

Online platform status adds user redress and transparency obligations (e.g., Article 24 for platform transparency reporting).

UGC distribution: can a user post content that others can see/search/share?
Ranking and recommendations: do you prioritize content for recipients (recommender transparency duties can apply)?
Ads: if you present ads, ad transparency duties apply (Article 26).
Interface integrity: avoid dark patterns and manipulative design (Article 25).

Section 6

Step 5 - Are you an online marketplace (distance contracts with traders)?

If consumers can conclude distance contracts with traders on your platform, you likely trigger marketplace obligations: trader traceability, compliance-by-design, and consumer notifications for illegal products/services.

This is a high-risk area for enforcement because it directly affects consumer harm.

Trader onboarding: collect required trader identity info and self-certification (Article 30).
Best-effort verification: assess reliability/completeness using official databases and supporting docs (Article 30(2)).
Consumer-facing disclosures: show trader details and compliance statements on listings (Article 30(7)).
Product compliance interface: enable traders to provide safety/compliance information (Article 31).

Section 7

Step 6 - Could you be designated a VLOP/VLOSE?

VLOP/VLOSE status is a designation outcome tied to average monthly active recipients (AMAR) in the EU and a Commission decision (Article 33).

If you are near the threshold, build the systemic-risk layer early: it's the largest program expansion (risk assessment, mitigation, audit, enhanced transparency).

Threshold: AMAR in the Union >= 45 million (Article 33(1)).
Publication duty: publish AMAR at least every 6 months (Article 24(2)).
Systemic risk: annual risk assessment (Article 34) + mitigation measures (Article 35) + independent audits (Article 37) + enhanced transparency (Article 42).
Recommenders: for VLOPs/VLOSEs using recommender systems, offer at least one non-profiling option (Article 38).

Section 8

Step 7 - Micro/small enterprise exclusions (apply carefully)

Some DSA sections exclude micro and small enterprises, but the exclusions are partial and have overrides for VLOPs/VLOSEs.

Make this a documented legal determination and revisit it annually.

Transparency reporting (Article 15): not applicable to micro/small enterprises unless they are VLOPs/VLOSEs.
Marketplace Section 4: excluded for micro/small enterprises, with transition rules and an override for VLOPs (Article 29).
Exclusions do not remove the need for a scope memo, points of contact, and defensible policies for content moderation and user redress.

Recommended next step

Turn EU Digital Services Act (DSA) Applicability Test into an operational assessment

Assessment Autopilot can take EU Digital Services Act (DSA) Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Digital Services Act (DSA) Applicability Test

Start from EU Digital Services Act (DSA) Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Digital Services Act (DSA)

Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) Applicability Test.

Explore next step

Primary sources