A grounded guide to who enforces the DSA, how Commission investigations of VLOPs and VLOSEs work, and which fine and periodic penalty payment caps are stated in official sources.
Use it to prepare investigation response ownership, evidence retrieval, RFI handling, inspection support, and escalation files before a regulator asks for them.
Structured answer sets in this page tree.
Cited legal and guidance references.
The Digital Services Act enforcement framework is split between national Digital Services Coordinators and the European Commission. National authorities supervise and enforce the DSA for providers of intermediary services established in their territory, while the Commission has direct enforcement tools for designated very large online platforms and very large online search engines. The practical compliance work is therefore not only about knowing the maximum fines; it is about being able to classify the service, identify the competent authority, answer requests for information, support inspections, and produce evidence that matches the obligation under review.
Each Member State must designate and empower a Digital Services Coordinator, and the Commission describes DSCs as responsible for all matters relating to application and enforcement of the DSA in that country. In principle, DSCs supervise and enforce compliance by intermediary-service providers established in their territory, regardless of user numbers.
For designated very large online platforms and very large online search engines, the split changes. The Commission has exclusive competence to supervise and enforce the enhanced due diligence obligations that address systemic risks. For other DSA obligations imposed on VLOPs and VLOSEs, the Commission and national authorities share competence.
The Commission enforcement overview says the Commission may open an investigation when information from monitoring or reliable sources creates a suspicion of infringement. During the investigation, it may use investigatory tools to build a reliable body of evidence on a VLOP or VLOSE's compliance.
If suspicion remains after investigatory steps, the Commission may open proceedings. Before adopting a non-compliance decision, a fine decision, or a periodic penalty payment decision, the provider must have an opportunity to be heard on the Commission's preliminary findings and intended measures.
The Commission enforcement page lists four practical investigatory tools for VLOP and VLOSE supervision: requests for information, orders to access data and algorithms, interviews, and inspections. Interviews are described as consent-based; inspections are described as premises inspections that occur only after consultation with the DSC of the Member State of establishment.
The legal text adds operational detail for inspections: Commission-authorised officials can examine books and records, take or obtain copies, ask for explanations, and record answers. Inspections ordered by Commission decision must identify the subject matter and purpose, state the start date, indicate penalties, and preserve judicial review rights.
For a non-compliance decision against a VLOP or VLOSE, the Commission enforcement overview states that fines are based on the nature, gravity, recurrence, and duration of the infringement and must be proportionate. It states that the fine must not exceed 6% of a provider's global annual turnover.
The same official overview states that fines up to 1% of worldwide annual turnover can apply for investigation failures such as incorrect, misleading, or incomplete replies, non-compliance with data or algorithm access, or refusal to submit to inspection. It also states that periodic penalty payments up to 5% of average daily worldwide turnover can be imposed for each day of delay in replying to an RFI by decision or allowing inspection, and for delays in complying with remedies, interim measures, or commitments.
The Commission describes temporary suspension of access to a service as a last-resort measure when an infringement persists, causes serious harm to users, and entails criminal offences involving threats to life or safety. The route described is procedural: written observations, a Commission request to the DSC of establishment, and an order from a judge in that Member State.
A useful DSA enforcement file should let a reviewer reconstruct the service classification, competent authority, obligation under review, evidence source, response owner, and regulator-facing answer without rebuilding the facts from memory. The file should be organized for retrieval under pressure, not only for annual compliance review.
For VLOPs and VLOSEs, the evidence should also show whether the matter concerns enhanced due diligence duties, because that affects Commission supervision and the expected evidence set.
The Commission has exclusive competence for the enhanced due diligence obligations imposed on designated VLOPs and VLOSEs to address systemic risks. For other DSA obligations that apply to VLOPs and VLOSEs, the Commission and national authorities share competence.
The grounded caps on this page are: fines up to 6% of global annual turnover for non-compliance decisions, fines up to 1% of worldwide annual turnover for specified investigation failures, and periodic penalty payments up to 5% of average daily worldwide turnover for each day of delay in compelled cooperation or compliance.
Sorena can help structure DSA authority mapping, RFI response ownership, inspection preparation, and evidence retrieval for VLOP, VLOSE, and national DSC enforcement scenarios.
Ask source-linked questions about DSA enforcement powers, penalties, Commission proceedings, and Digital Services Coordinator roles using the cited sources on this page.
Assess whether your DSA evidence, RFI process, and authority map are ready for Commission or Digital Services Coordinator scrutiny.
"request access to data, order inspections and impose fines"
"collect a reliable and consistent body of evidence"
"over 45 million users in the EU"
"subject matter and purpose of the inspection"