EU Digital Services Act (DSA) Compliance Playbook

A practical implementation playbook: controls, workflows, evidence and cadence.

Designed for product, legal, security, data and trust & safety teams building DSA compliance together.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

The fastest way to implement DSA compliance is to build around high-leverage workflows that support multiple obligations at once: (1) notice & action + statement of reasons, and (2) transparency reporting pipelines. This playbook turns the DSA into an operating model with owners, artifacts, and an ongoing cadence.

Section 1

Step 1 - Lock scope and tier (write the scope memo)

Start by classifying each service you operate. The DSA is layered; the obligations you must ship depend on your service type (hosting/platform/marketplace/search) and whether you may be designated as a VLOP/VLOSE.

Treat scope as a living artifact and assign an owner for scope changes.

  • Inventory each service and map features (UGC, ranking, ads, trading, search).
  • Classify per service: intermediary -> hosting -> online platform -> marketplace/search engine.
  • Decide if you are near VLOP/VLOSE thresholds and define your AMAR (average monthly active recipients) methodology (Article 24) and monitoring cadence.
  • Create a requirements matrix: Article -> obligation -> control -> owner -> evidence.
Section 3

Step 3 - Build the core compliance workflow: notice & action (Article 16)

For hosting services, notice & action is the primary compliance workflow. Build it like a regulated intake system: precise, measurable, and auditable.

The workflow should support both legal analysis of alleged illegality and terms-and-conditions enforcement, and record which basis was applied.

  • Design notice intake forms to capture Article 16(2) elements (reasons, exact location/URLs, identity details, good-faith statement).
  • Build triage: duplicate detection, queueing, escalation, and SLA tracking; measure timeliness and consistency.
  • Confirm receipt and communicate decisions with redress options (Article 16(4)-(5)).
  • If automation is used, record and disclose it in notifications (Article 16(6)).
Section 4

Step 4 - Statement of reasons pipeline (Article 17) + public database submissions (Article 24(5))

The statement of reasons is compliance glue: it drives user trust, supports appeals, and supplies transparency reporting datasets.

Make it a structured object, not a free-form email.

  • Create a statement-of-reasons data model: restriction type, content/account scope, duration, territorial scope, grounds (legal/contract), facts, automation use, redress options.
  • Enforce quality gates: statements must be clear, specific, and complete enough for recipients to exercise redress.
  • If you are an online platform, implement Article 24(5) submissions to the Commission database while excluding personal data.
Section 5

Step 5 - Transparency reporting as a data product (Articles 15 + 24 + 42)

Transparency reports should be produced by a stable data pipeline with QA and sign-off, not assembled manually at the end of the year.

Build reporting by mapping obligations to metrics and authoritative data sources.

  • Define metrics for Article 15: orders, notices, complaint counts/outcomes, own-initiative moderation, automated moderation usage, accuracy/error indicators.
  • If online platform: include Article 24 additions (out-of-court dispute settlement metrics, suspensions) and publish AMAR every 6 months (Article 24(2)).
  • If VLOP/VLOSE: implement Article 42 cadence (at least every 6 months) and publication of risk, mitigation, audit and implementation reports with confidentiality carve-outs.
Section 6

Step 6 - Platform UX duties: ads, recommenders, and interface integrity

These obligations are UX-visible. Compliance requires both UI design and instrumentation.

Treat them as product requirements with acceptance criteria and testing.

  • Ad transparency (Article 26): per-ad "this is an ad", beneficiary, payer (if different), and meaningful targeting parameters plus how to change them.
  • Recommender transparency (Article 27): disclose main parameters in terms and conditions and provide accessible controls to modify ranking options.
  • Anti-dark-pattern duty (Article 25): ensure flows don't manipulate recipients (e.g., cancellation not harder than subscription).
  • Minors protections (Article 28): privacy/safety/security measures and restrictions on profiling-based ads to minors.
Section 7

Step 7 - Marketplace controls (if applicable): trader traceability + compliance-by-design

Marketplace obligations require operational controls and retention/deletion discipline.

Build onboarding verification and suspension workflows that are measurable and enforceable.

  • Implement trader onboarding and verification (Article 30) with best-effort checks via official databases and reliable sources.
  • Display required trader information to consumers on listings (Article 30(7)).
  • Ensure UI lets traders provide product safety/compliance information (Article 31) and implement random checks for illegality (Article 31(3)).
  • Implement consumer notification/redress workflow for illegal products/services (Article 32).
Section 8

Step 8 - VLOP/VLOSE systemic-risk and audit readiness (if applicable)

VLOP/VLOSE readiness is a risk management program: annual risk assessments, mitigation, independent audits, and publication duties.

If you're near the threshold, build the calendar and evidence model early.

  • Systemic risk assessment process exists and is repeated at least annually (Article 34), including before major feature launches.
  • Mitigation measures are defined, measured, and governed (Article 35).
  • Independent audit process and remediation planning are integrated into the annual cycle (Article 37).
  • Recommender non-profiling option (Article 38) and ad repository (Article 39) are implemented where applicable.
Section 9

Step 9 - Governance, RACI, and enforcement evidence

DSA programs fail when ownership is unclear or evidence is not retrievable.

Build governance that survives staff changes and vendor changes.

  • RACI per workstream: moderation ops, appeals, reporting, ads/recommenders, marketplace onboarding, risk/audit.
  • Evidence retention policy for logs, statements of reasons, reporting datasets, and incident records.
  • Quarterly compliance review and annual "DSA report readiness" tabletop exercise.
  • Enforcement readiness playbook: how you respond to regulator questions and produce artifacts quickly.