Enforcement GuideEU

EU Digital Services Act (DSA) Enforcement & Investigations

How the DSA is supervised and enforced - and how to be ready when questions arrive.

Covers DSCs, Commission powers for VLOPs/VLOSEs, formal proceedings, audits, and evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Sections
8

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 21, 2026
Overview

The DSA's enforcement model is split: national authorities (Digital Services Coordinators and other competent authorities) supervise and enforce many obligations, while the Commission has supervisory and enforcement powers over designated VLOPs and VLOSEs. The best enforcement risk reduction strategy is not "better legal arguments" - it's a compliance system that produces evidence quickly: scope memo, decision logs, reporting datasets, and audit-ready controls.

Section 1

DSA enforcement model (two-track supervision)

The DSA combines national supervision (DSCs and competent authorities) with direct Commission enforcement for VLOPs/VLOSEs.

Your enforcement exposure depends on your tier and where you are established/offering services.

  • National layer: DSCs coordinate supervision and handle complaints; Member States set penalties and procedural rules within the DSA framework.
  • Commission layer: for designated VLOPs/VLOSEs, the Commission can run investigations and adopt non-compliance decisions and fines.
  • Practical takeaway: build evidence and reporting discipline for both tracks (DSC interactions and Commission investigations).
Recommended next step

Use EU Digital Services Act (DSA) Enforcement & Investigations as a cited research workflow

Research Copilot can take EU Digital Services Act (DSA) Enforcement & Investigations from understanding exposure and enforcement with cited answers to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow
Open Research Copilot for EU Digital Services Act (DSA) Enforcement & Investigations

Start from EU Digital Services Act (DSA) Enforcement & Investigations and answer scope, timing, and interpretation questions with cited outputs.

Explore next step
Talk to Sorena
Talk through EU Digital Services Act (DSA)

Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) Enforcement & Investigations.

Explore next step
Section 2

Digital Services Coordinators (DSCs): what to expect operationally

DSCs are the primary national contact and coordination point. They can receive complaints, coordinate cross-border actions, and request information through national procedures.

Most companies experience DSC enforcement as information requests and follow-up questions on published transparency, moderation practices, and marketplace controls.

  • Have an external point of contact ready (Article 12) and, where applicable, a legal representative (Article 13).
  • Maintain a scope memo and requirements matrix that you can share (sanitized) to explain your approach.
  • Keep artifacts ready: transparency reports, notice & action metrics, statements-of-reasons samples, and marketplace onboarding controls.
Section 3

Commission supervision for VLOPs/VLOSEs (designation changes everything)

Once designated as a VLOP/VLOSE, the Commission has a dedicated enforcement role including formal proceedings, interim measures and fines (in line with the DSA's procedural framework).

Designation is tied to AMAR thresholds and a Commission decision (Article 33).

  • Designation trigger: AMAR in the Union >= 45 million + Commission decision (Article 33).
  • Obligations apply from four months after notification of the designation decision (Article 33(6)).
  • Build a VLOP readiness pack early: systemic risk assessment (Article 34), mitigation (Article 35), audit (Article 37), enhanced transparency (Article 42).
Section 4

Formal proceedings and investigation mechanics (Implementing Regulation (EU) 2023/1201)

The DSA is supported by implementing rules that set out practical procedures for Commission proceedings (including inspections, monitoring and hearings).

Even if you are not a VLOP/VLOSE today, understanding these mechanics helps you design a compliance system that can respond quickly.

  • Build an investigation response playbook: who responds, how data is extracted, who signs off, and how confidentiality is handled.
  • Keep data request readiness: metric dictionaries, dataset snapshots, and reproducible queries for transparency metrics and moderation workflows.
  • Maintain a single source of truth for policy versions and product changes affecting risk and moderation behavior.
  • Formal proceedings are not theoretical. The Commission used the DSA framework to open proceedings against TikTok on 17 December 2024 over suspected failures to assess and mitigate election-integrity risks linked to recommender systems and political advertising.
Section 5

Independent audits and how they show up in enforcement (Article 37 + Delegated Regulation (EU) 2024/436)

For VLOPs/VLOSEs, independent audits are a recurring compliance mechanism, and audit outputs are part of transparency and accountability.

The DSA also has delegated rules on audit performance, methodologies and templates.

  • Audit cycle: annual audit of compliance and (where applicable) code-of-conduct commitments; remediate and produce audit implementation report when findings are not fully positive.
  • Publication/transmission: audit report and audit implementation report are included in the Article 42 publication/transmission pack.
  • Evidence: audit readiness depends on your ability to produce control evidence (logs, policies, workflows) and show effectiveness of mitigation measures.
Section 6

Current enforcement signal: the TikTok election-risk proceedings

The Commission opened formal proceedings against TikTok in December 2024 over suspected DSA failures linked to election integrity in Romania. The case focused on recommender-system risks and political advertising or paid political content.

For compliance teams, the lesson is that Article 34 and 35 risk programs are not abstract governance exercises. The Commission expects evidence tied to concrete regional, linguistic, and product-system risks.

  • Date opened: 17 December 2024.
  • Focus areas identified by the Commission: recommender systems, coordinated manipulation risk, and policies on political advertising and paid political content.
  • Operational takeaway: keep risk-assessment files, mitigation decisions, product-change logs, and election-event escalation records organized by reporting period.
Section 7

What regulators ask first (and how to answer with evidence)

Regulators and auditors often start with a small set of high-leverage questions that reveal whether your compliance system is real.

Prepare evidence bundles for each question category.

  • Scope: which services are in scope and why; where do obligations attach per service?
  • Workflow: how do you process notices (Article 16) and issue statements of reasons (Article 17)? What are your SLAs and QA checks?
  • Reporting: how do you produce Article 15/24/42 transparency outputs? Can you reproduce metrics exactly?
  • Tier readiness: how do you monitor AMAR and plan for VLOP/VLOSE designation and systemic-risk obligations?
  • Governance: who owns each workstream and how do you handle change management and incidents?
Section 8

Enforcement risk reduction checklist (practical controls)

Most enforcement risk is operational: inconsistent workflows, missing evidence, or inability to reproduce reporting.

Use this checklist to reduce exposure before you receive formal questions.

  • Implement structured statement-of-reasons objects and store them with audit logs (supports Article 24(5) database submissions).
  • Build transparency reporting as a pipeline with QA and sign-off; archive datasets used for each publication period.
  • Maintain a VLOP readiness calendar even if you are below threshold: it reduces scramble risk.
  • Run annual enforcement tabletop exercises: simulate regulator questions and measure time-to-evidence.
  • Ensure privacy discipline: remove prohibited personal data from public submissions and publications where required.
  • Request-for-information readiness: keep designated owners, preservation steps, and response-review rules for Commission RFIs and inspection support, because incomplete or misleading responses can themselves trigger fines.
Primary sources

References and citations

Related guides

Explore more topics

DSA Ads & Recommender Systems | Article 26, 27, 38 & 39 Compliance
A deep compliance guide for DSA advertising and recommender system obligations: ad transparency (Article 26), recommender system transparency (Article 27).
DSA Applicability Test | Is the EU Digital Services Act Applicable to You?
A step-by-step applicability test for the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): EU offering triggers.
DSA Notice & Action Workflow | Article 16 Requirements + Templates
A deep implementation guide for DSA notice & action (Regulation (EU) 2022/2065, Article 16): intake design, required notice elements.
DSA Penalties & Fines | Digital Services Act Enforcement Exposure (6% / 1% / 5%)
How DSA penalties work under Regulation (EU) 2022/2065.
DSA Transparency Report Template | Article 15 + Article 24 + VLOP Article 42
Copy and paste ready DSA transparency report template aligned to Regulation (EU) 2022/2065 and Implementing Regulation (EU) 2024/2835.
DSA Transparency Reporting | Articles 15, 24 & 42 Reporting Requirements
A practical guide to EU Digital Services Act transparency reporting: what to publish for Article 15, what to add for Article 24.
DSA vs DMA | Digital Services Act vs Digital Markets Act (What's the Difference?)
A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the EU Digital Markets Act (DMA.
DSA vs UK Online Safety Act | EU vs UK Online Safety Compliance
A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the UK Online Safety Act: scope (EU recipients vs UK users).
EU Digital Services Act (DSA) Requirements | Obligations by Service Type & Tier
A practical breakdown of DSA requirements (Regulation (EU) 2022/2065): obligations for intermediary services, hosting services, online platforms.
EU DSA Checklist | Digital Services Act Compliance Checklist (Audit-Ready)
An audit-ready EU Digital Services Act (DSA) compliance checklist for Regulation (EU) 2022/2065: scope memo, terms transparency.
EU DSA Compliance Guide | Digital Services Act Implementation Playbook
A practical EU Digital Services Act (DSA) compliance guide for Regulation (EU) 2022/2065: scope memo and tiering.
EU DSA Deadlines & Compliance Calendar | Key Dates, Cadence and Milestones
A DSA compliance calendar for Regulation (EU) 2022/2065: entry into force, general applicability, Digital Services Coordinator designation, Article 15, 24.
EU DSA FAQ | Digital Services Act Questions & Answers (Practical)
Practical answers to the most searched EU Digital Services Act (DSA) questions: who is in scope, what "hosting" and "online platform" mean.
EU DSA Service Types & Scope | Hosting vs Platform vs Marketplace
How to classify your service under the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): intermediary service types (mere conduit, caching, hosting).
VLOP/VLOSE Systemic Risk Assessment (DSA) | Articles 34-36 + Mitigation
A deep guide to DSA systemic risk management for VLOPs/VLOSEs: how to run the Article 34 systemic risk assessment (risk categories, frequency.