--- title: "EU DSA Compliance Guide" canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/compliance" source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/compliance" author: "Sorena AI" description: "A practical EU Digital Services Act (DSA) compliance guide for Regulation (EU) 2022/2065: scope memo and tiering." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "EU DSA compliance guide" - "Digital Services Act compliance" - "DSA implementation guide" - "DSA compliance program" - "notice and action implementation" - "statement of reasons implementation" - "DSA transparency reporting" - "VLOP compliance program" - "DSA marketplace compliance" - "DSA compliance" - "implementation playbook" - "notice and action" - "statement of reasons" - "transparency reporting" - "marketplace compliance" - "VLOP audit" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU DSA Compliance Guide A practical EU Digital Services Act (DSA) compliance guide for Regulation (EU) 2022/2065: scope memo and tiering. *Implementation Guide* *EU* ## EU Digital Services Act (DSA) Compliance Playbook A practical implementation playbook: controls, workflows, evidence and cadence. Designed for product, legal, security, data and trust & safety teams building DSA compliance together. The fastest way to implement DSA compliance is to build around high-leverage workflows that support multiple obligations at once: (1) notice & action + statement of reasons, and (2) transparency reporting pipelines. This playbook turns the DSA into an operating model with owners, artifacts, and an ongoing cadence. ## Step 1 - Lock scope and tier (write the scope memo) Start by classifying each service you operate. The DSA is layered; the obligations you must ship depend on your service type (hosting/platform/marketplace/search) and whether you may be designated as a VLOP/VLOSE. Treat scope as a living artifact and assign an owner for scope changes. - Inventory each service and map features (UGC, ranking, ads, trading, search). - Classify per service: intermediary -> hosting -> online platform -> marketplace/search engine. - Decide if you are near VLOP/VLOSE thresholds and define AMAR methodology (Article 24) and monitoring cadence. - Create a requirements matrix: Article -> obligation -> control -> owner -> evidence. ## Step 2 - Ship baseline controls (terms, contact points, legal rep) Baseline controls are prerequisites for later workflows: they define how users contact you, what your moderation rules are, and how regulators reach you if you're not established in the EU. Don't treat these as "legal-only" updates - they must be machine-readable and operationally correct. - Implement a recipient point of contact that's user-friendly and not solely automated (Article 12). - If relevant, appoint and publish a legal representative in the EU (Article 13). - Update terms and conditions to describe moderation policies/tools and internal complaint procedures in clear language and machine-readable format (Article 14). - Define change management: how you notify recipients of significant terms updates and how minors-facing explanations are delivered where applicable. ## Step 3 - Build the core compliance workflow: notice & action (Article 16) For hosting services, notice & action is the primary compliance workflow. Build it like a regulated intake system: precise, measurable, and auditable. The workflow should support both legal illegality analysis and terms-and-conditions enforcement - and record which was applied. - Design notice intake forms to capture Article 16(2) elements (reasons, exact location/URLs, identity details, good-faith statement). - Build triage: duplicate detection, queueing, escalation, and SLA tracking; measure timeliness and consistency. - Confirm receipt and communicate decisions with redress options (Article 16(4)-(5)). - If automation is used, record and disclose it in notifications (Article 16(6)). *Recommended next step* *Placement: after the compliance steps* ## Turn EU Digital Services Act (DSA) Compliance Playbook into an operational assessment Assessment Autopilot can take EU Digital Services Act (DSA) Compliance Playbook from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU Digital Services Act (DSA) Compliance Playbook](/solutions/assessment.md): Start from EU Digital Services Act (DSA) Compliance Playbook and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU Digital Services Act (DSA)](/contact.md): Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) Compliance Playbook. ## Step 4 - Statement of reasons pipeline (Article 17) + public database submissions (Article 24(5)) Statement of reasons is compliance glue: it drives user trust, supports appeals, and supplies transparency reporting datasets. Make it a structured object, not a free-form email. - Create a statement-of-reasons data model: restriction type, content/account scope, duration, territorial scope, grounds (legal/contract), facts, automation use, redress options. - Enforce quality gates: statements must be clear, specific, and complete enough for recipients to exercise redress. - If you are an online platform, implement Article 24(5) submissions to the Commission database while excluding personal data. ## Step 5 - Transparency reporting as a data product (Articles 15 + 24 + 42) Transparency reports should be produced by a stable data pipeline with QA and sign-off, not assembled manually at the end of the year. Build reporting by mapping obligations to metrics and authoritative data sources. - Define metrics for Article 15: orders, notices, complaint counts/outcomes, own-initiative moderation, automated moderation usage, accuracy/error indicators. - If online platform: include Article 24 additions (out-of-court dispute settlement metrics, suspensions) and publish AMAR every 6 months (Article 24(2)). - If VLOP/VLOSE: implement Article 42 cadence (at least every 6 months) and publication of risk, mitigation, audit and implementation reports with confidentiality carve-outs. ## Step 6 - Platform UX duties: ads, recommenders, and interface integrity These obligations are UX-visible. Compliance requires both UI design and instrumentation. Treat them as product requirements with acceptance criteria and testing. - Ad transparency (Article 26): per-ad "this is an ad", beneficiary, payer (if different), and meaningful targeting parameters plus how to change them. - Recommender transparency (Article 27): disclose main parameters in terms and conditions and provide accessible controls to modify ranking options. - Anti-dark-pattern duty (Article 25): ensure flows don't manipulate recipients (e.g., cancellation not harder than subscription). - Minors protections (Article 28): privacy/safety/security measures and restrictions on profiling-based ads to minors. ## Step 7 - Marketplace controls (if applicable): trader traceability + compliance-by-design Marketplace obligations require operational controls and retention/deletion discipline. Build onboarding verification and suspension workflows that are measurable and enforceable. - Implement trader onboarding and verification (Article 30) with best-effort checks via official databases and reliable sources. - Display required trader information to consumers on listings (Article 30(7)). - Ensure UI lets traders provide product safety/compliance information (Article 31) and implement random checks for illegality (Article 31(3)). - Implement consumer notification/redress workflow for illegal products/services (Article 32). ## Step 8 - VLOP/VLOSE systemic-risk and audit readiness (if applicable) VLOP/VLOSE readiness is a risk management program: annual risk assessments, mitigation, independent audits, and publication duties. If you're near the threshold, build the calendar and evidence model early. - Systemic risk assessment process exists and is repeated at least annually (Article 34), including before major feature launches. - Mitigation measures are defined, measured, and governed (Article 35). - Independent audit process and remediation planning are integrated into the annual cycle (Article 37). - Recommender non-profiling option (Article 38) and ad repository (Article 39) are implemented where applicable. ## Step 9 - Governance, RACI, and enforcement evidence DSA programs fail when ownership is unclear or evidence is not retrievable. Build governance that survives staff changes and vendor changes. - RACI per workstream: moderation ops, appeals, reporting, ads/recommenders, marketplace onboarding, risk/audit. - Evidence retention policy for logs, statements of reasons, reporting datasets, and incident records. - Quarterly compliance review and annual "DSA report readiness" tabletop exercise. - Enforcement readiness playbook: how you respond to regulator questions and produce artifacts quickly. ## Primary sources - [Regulation (EU) 2022/2065 (Digital Services Act) - Official Journal](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Primary DSA obligations and workflows referenced (Articles 12-18, 15/24/42 reporting, 25-28, 30-33, 34-39). - [European Commission - The enforcement framework under the Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement?ref=sorena.io) - Commission overview of supervisory and enforcement framework, including VLOP investigations and enforcement actions. ## Related Topic Guides - [DSA Ads & Recommender Systems | Article 26, 27, 38 & 39 Compliance](/artifacts/eu/digital-services-act/ads-and-recommender-systems.md): A deep compliance guide for DSA advertising and recommender system obligations: ad transparency (Article 26), recommender system transparency (Article 27). - [DSA Applicability Test | Is the EU Digital Services Act Applicable to You?](/artifacts/eu/digital-services-act/applicability-test.md): A step-by-step applicability test for the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): EU offering triggers. - [DSA Enforcement & Investigations | DSCs, Commission Powers, Audits & Procedures](/artifacts/eu/digital-services-act/enforcement-penalties-and-investigations.md): A practical guide to DSA enforcement (Regulation (EU) 2022/2065): how Digital Services Coordinators (DSCs) supervise services. - [DSA Notice & Action Workflow | Article 16 Requirements + Templates](/artifacts/eu/digital-services-act/notice-and-action-workflow.md): A deep implementation guide for DSA notice & action (Regulation (EU) 2022/2065, Article 16): intake design, required notice elements. - [DSA Penalties & Fines | Digital Services Act Enforcement Exposure (6% / 1% / 5%)](/artifacts/eu/digital-services-act/penalties-and-fines.md): How DSA penalties work under Regulation (EU) 2022/2065. - [DSA Transparency Report Template | Article 15 + Article 24 + VLOP Article 42](/artifacts/eu/digital-services-act/dsa-transparency-report-template.md): Copy and paste ready DSA transparency report template aligned to Regulation (EU) 2022/2065 and Implementing Regulation (EU) 2024/2835. - [DSA Transparency Reporting | Articles 15, 24 & 42 Reporting Requirements](/artifacts/eu/digital-services-act/transparency-reporting.md): A practical guide to EU Digital Services Act transparency reporting: what to publish for Article 15, what to add for Article 24. - [DSA vs DMA | Digital Services Act vs Digital Markets Act (What's the Difference?)](/artifacts/eu/digital-services-act/dsa-vs-dma.md): A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the EU Digital Markets Act (DMA. - [DSA vs UK Online Safety Act | EU vs UK Online Safety Compliance](/artifacts/eu/digital-services-act/dsa-vs-uk-online-safety-act.md): A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the UK Online Safety Act: scope (EU recipients vs UK users). - [EU Digital Services Act (DSA) Requirements | Obligations by Service Type & Tier](/artifacts/eu/digital-services-act/requirements.md): A practical breakdown of DSA requirements (Regulation (EU) 2022/2065): obligations for intermediary services, hosting services, online platforms. - [EU DSA Checklist | Digital Services Act Compliance Checklist (Audit-Ready)](/artifacts/eu/digital-services-act/checklist.md): An audit-ready EU Digital Services Act (DSA) compliance checklist for Regulation (EU) 2022/2065: scope memo, terms transparency. - [EU DSA Deadlines & Compliance Calendar | Key Dates, Cadence and Milestones](/artifacts/eu/digital-services-act/deadlines-and-compliance-calendar.md): A DSA compliance calendar for Regulation (EU) 2022/2065: entry into force, general applicability, Digital Services Coordinator designation, Article 15, 24. - [EU DSA FAQ | Digital Services Act Questions & Answers (Practical)](/artifacts/eu/digital-services-act/faq.md): Practical answers to the most searched EU Digital Services Act (DSA) questions: who is in scope, what "hosting" and "online platform" mean. - [EU DSA Service Types & Scope | Hosting vs Platform vs Marketplace](/artifacts/eu/digital-services-act/service-types-and-scope.md): How to classify your service under the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): intermediary service types (mere conduit, caching, hosting). - [VLOP/VLOSE Systemic Risk Assessment (DSA) | Articles 34-36 + Mitigation](/artifacts/eu/digital-services-act/risk-assessments-and-mitigation.md): A deep guide to DSA systemic risk management for VLOPs/VLOSEs: how to run the Article 34 systemic risk assessment (risk categories, frequency. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/digital-services-act/compliance