A service-tier guide to DSA controls for intermediary services, hosting providers, online platforms, online marketplaces, and designated VLOPs or VLOSEs.
Use it to assign notice-and-action, complaint handling, statement-of-reasons, transparency reporting, advertising, recommender, trader traceability, risk, audit, and evidence responsibilities.
Structured answer sets in this page tree.
Cited legal and guidance references.
DSA compliance starts with service classification. The same product can contain several covered services, so teams should classify each service surface before assigning controls: intermediary service, hosting service, online platform, online marketplace that lets consumers conclude distance contracts with traders, online search engine, or a Commission-designated very large online platform or very large online search engine. For most services, the main supervisor is the relevant national Digital Services Coordinator, but for designated VLOPs and VLOSEs the European Commission has exclusive supervision and enforcement for systemic-risk obligations. If obligations are missed, the Commission and national authorities can investigate, require changes, and impose sanctions; Commission fines for VLOPs and VLOSEs can reach 6% of the provider's total worldwide annual turnover.
Build a service inventory around what the product does for recipients in the EU. Intermediary services need baseline governance such as points of contact, terms-and-conditions transparency, and content moderation transparency where moderation occurs. Hosting services add notice-and-action and statements of reasons. Online platforms add user complaint and dispute routes, misuse controls, transparency reporting, advertising and recommender disclosures, and protections for minors where relevant.
Marketplace-style online platforms that let consumers conclude distance contracts with traders need a separate trader file and product-listing control set. VLOPs and VLOSEs are a different tier: the 45 million average-monthly-active-recipient threshold and Commission designation trigger systemic-risk, audit, data-access, compliance-function, ad-repository, and enhanced transparency obligations.
Hosting services need a notice-and-action mechanism that lets people notify specific items they consider illegal. The compliance record should show where the mechanism appears in the product, what information the notice form requests, how notices are routed, how trusted-flagger notices are prioritised when applicable, and how the team decides whether to remove, disable access to, restrict visibility of, or leave content available.
When a hosting provider restricts content or an account because content is illegal or violates terms, the DSA statement-of-reasons process should produce a user notice and, for online platforms, a submission record for the Commission's DSA Transparency Database without personal data. The evidence should connect the moderation decision, legal or terms basis, restriction type, redress route, decision owner, automation status, and database submission status.
Online platforms need an internal complaint-handling system for users and notice submitters to challenge moderation decisions covered by Article 20. Access must last at least six months after the decision notice, complaints must be electronic and free of charge, and final complaint decisions must not be made solely by automated means.
The complaint workflow should also surface out-of-court dispute settlement information. Certified bodies can handle disputes about content moderation decisions, including rejected illegal-content notices. Transparency evidence should capture complaint outcomes, reversals, median handling time, out-of-court disputes, and suspensions for manifestly illegal content or manifestly unfounded notices and complaints.
Online platforms that show ads need real-time ad labels and disclosures for the person on whose behalf the ad is presented, the payer if different, and meaningful targeting parameters. Platforms with recommender systems need plain-language terms describing main parameters and any user options to modify or influence them. Platforms accessible to minors need proportionate privacy, safety, and security measures and must not use profiling-based advertising to minors when they know with reasonable certainty that the recipient is a minor.
Marketplaces that let EU consumers conclude distance contracts with traders should treat trader traceability as an onboarding gate. Before a trader can offer products or services, the platform should collect and assess trader identity, contact, payment account, register details where applicable, and a self-certification to offer only products or services compliant with EU law. Listing interfaces should let traders provide required pre-contractual, product-safety, compliance, labelling, and marking information.
A platform or search engine at or above 45 million average monthly active recipients in the EU can be designated by the Commission as a VLOP or VLOSE. Once designated, the service must treat DSA compliance as a systemic-risk governance programme, not only a content moderation process. Risk assessments must cover illegal content, fundamental-rights effects, civic discourse and elections, public security, public health, minors, gender-based violence, and physical or mental wellbeing where relevant.
VLOP/VLOSE evidence should be ready for regulator requests, independent audits, public reporting, and vetted researcher access. The record should include risk assessments, mitigation measures, management-body review, independent compliance function materials, annual audit reports, audit implementation reports, ad repository controls, non-profiling recommender options, data-access procedures, and Article 42 transparency report inputs.
A useful DSA evidence pack should be organised by service tier, not by department. Legal can own interpretation, but product, trust and safety, marketplace operations, ads, data science, engineering, support, and compliance teams need retrievable records for the controls they run.
Do not keep only policy text. Keep operational proof: live interface captures, form schemas, moderation samples, complaint outcomes, database submission logs, report workpapers, trader files, recommender and ad configuration records, risk registers, audit materials, and management approvals.
Classify each service surface by DSA tier before assigning controls. A hosting service, online platform, marketplace, search engine, and designated VLOP or VLOSE have different obligations, and a single product can contain more than one covered service.
Keep the notice, content identifier, allegation, submitter type, trusted-flagger status if applicable, triage timestamp, reviewer, decision, measure taken or not taken, user notice, statement of reasons, redress information, and Transparency Database submission status for online platforms.
They become a separate workstream when an online platform or search engine reaches the 45 million average monthly active recipient threshold in the EU and is designated by the Commission, after which systemic-risk, audit, data-access, compliance-function, ad-repository, and enhanced reporting duties apply.
Sorena can help classify EU-facing service surfaces, map the DSA controls that apply, and turn moderation, marketplace, advertising, recommender, reporting, and VLOP/VLOSE evidence into reusable records.
Ask source-linked questions about DSA service tiers, notice-and-action workflows, transparency reports, trader traceability, and VLOP/VLOSE obligations using the cited sources on this page.
Check whether your DSA controls produce the records needed for independent review, public transparency, regulator questions, audit, and product change.
"independent audits"
"Users can contest moderation decisions"
"all providers of hosting services"
"be audited by an independent auditor"
"Transparency reports"
"safer online experience"
"marketplaces, social media networks, app stores"
"transparency reporting templates"
"Transparency reporting obligations"