EU DSA vs UK Online Safety Act platform duties compared

Covers intermediary services with a substantial connection to the EU, including mere conduit, caching, hosting, online platforms, online marketplaces, and online search engines. Duties increase by service tier and by VLOP/VLOSE designation.

Covers regulated user-to-user services and search services, with additional structures for services likely to be accessed by children, categorised services, and services involving regulated provider pornographic content.

Classify the EU intermediary role and the UK regulated-service type separately before deciding whether the same product surface is in scope under both regimes.

National Digital Services Coordinators supervise many DSA providers, while the European Commission directly supervises and enforces the VLOP and VLOSE obligations.

Ofcom is the independent UK online-safety regulator and sets codes, guidance, transparency expectations, information requests, enforcement notices, and penalties.

Prepare regulator-response playbooks by authority: DSC and Commission for DSA; Ofcom for UK Online Safety Act.

VLOPs and VLOSEs must assess systemic risks in the EU from service design, functioning, algorithmic systems, and use of the service, including illegal content, fundamental rights, civic discourse, public security, public health, minors, gender-based violence, and wellbeing.

Regulated services must work through illegal-content risk, children's access, children's risk, and Ofcom code or guidance expectations where relevant to the service.

Do not collapse DSA systemic-risk work into the UK illegal-content or child-safety assessment; keep the assessment scope, source, reviewer, and mitigation evidence labelled.

The DSA uses illegal content, terms-and-conditions enforcement, notice-and-action mechanisms, statements of reasons, complaint handling, trusted flaggers, out-of-court disputes, and content-moderation transparency.

The UK Act is organised around illegal content duties, child-safety duties, content harmful to children, provider pornographic content, reporting and complaints, and Ofcom codes of practice.

Moderation tooling can share queues and logs, but each action needs the correct legal basis, user notice, appeal path, and reporting category.

Typical DSA evidence owners include legal, compliance, trust and safety, marketplace operations, moderation, advertising, recommender systems, transparency reporting, research-access, audit, and regulator-response teams.

Typical UK evidence owners include legal, regulatory compliance, trust and safety, child safety, search, moderation, recommender systems, age assurance, complaints, transparency reporting, engineering, and policy teams.

Use a shared owner matrix only if each row has a DSA or UK label, a cited source, an accountable delivery team, and the evidence artifact that proves the control is operating.

Online platforms accessible to minors must use appropriate and proportionate privacy, safety, and security measures, and must not present profiling-based ads to minors when aware with reasonable certainty that the recipient is a minor.

In-scope services likely to be accessed by children must address child-safety duties, including measures to prevent children accessing the most harmful content and protect them from harmful or age-inappropriate content.

Use this row to separate the evidence pack: DSA minor-protection measures on one side, UK child-safety evidence on the other, and only mark controls as shared when both sources support the same artifact.

The Commission can investigate VLOPs and VLOSEs, request information and data or algorithm access, impose interim measures, and impose fines for DSA breaches up to 6% of global annual turnover, with separate procedural penalties available.

Ofcom can investigate non-compliance, issue enforcement action, and impose fines up to GBP 18 million or 10% of qualifying worldwide revenue, whichever is greater, according to GOV.UK's Online Safety Act overview.

Escalation records should name the correct authority, response deadline, source request, and penalty framework instead of using a generic platform-regulator risk label.

DSA evidence includes terms-and-conditions explanations, content-moderation transparency reports, statement-of-reasons submissions, advertising disclosures, recommender-system parameters, VLOP/VLOSE ad repositories, and risk or audit reporting where applicable.

UK evidence includes risk-assessment records, terms enforcement, user reporting and complaints processes, transparency reporting for relevant services, Ofcom information responses, and records showing code or alternative-measure compliance.

Maintain one transparency inventory, but tag every disclosure or report by DSA article, UK duty, Ofcom code, or both.

If the product surface is an EU intermediary service, map the DSA tier and obligations first; if it is a VLOP or VLOSE, add the systemic-risk, audit, data-access, and recommender obligations on top.

If the product surface is a UK regulated user-to-user service or search service, map the Ofcom duty set first; if children are likely to access it, add the child-safety and age-assurance pack.

Do not treat the scope rows as the decision itself. Use them to choose the legal track, then attach the control pack that matches that track and its regulator.