Practical answers to the most common DSA compliance questions.
Written for implementation teams: product, trust & safety, legal, security and data.
Structured answer sets in this page tree.
Cited legal and guidance references.
This FAQ answers the questions teams ask when they turn DSA obligations into product controls and operating workflows. For deeper implementation guidance, use the linked topic guides (notice & action, transparency reporting, ads/recommenders, systemic risk, marketplace controls).
Yes - the DSA applies to services offered to recipients in the Union, including by providers not established in the EU.
If you offer services in the EU but are not established there, you may need to designate a legal representative in the Union (Article 13).
The DSA is layered: you inherit more obligations as you move from intermediary -> hosting -> online platform.
In practice, hosting is triggered when you store user-provided information at their request; online platform status is often associated with dissemination to the public (or to other recipients).
Hosting services must provide electronic, user-friendly notice mechanisms (Article 16) that capture required elements and allow sufficiently precise, substantiated notices.
Notifiers must receive confirmations and decision notifications (where contact info is available), and processing must be timely and objective.
If you impose restrictions because content is illegal or incompatible with your terms, hosting services must provide affected recipients a clear and specific statement of reasons (Article 17).
It must include key details: what happened, why, whether automation was used, and how to seek redress.
AMAR is the number of average monthly active recipients of the service in the Union, published as an average over the past six months (Article 24(2)).
It matters because VLOP/VLOSE designation thresholds are tied to AMAR and a Commission designation decision (Article 33).
Designation triggers systemic-risk obligations: annual risk assessments (Article 34), risk mitigation (Article 35), independent audits (Article 37), and enhanced transparency reporting (Article 42).
You may also need additional controls for recommender systems and advertising transparency (Articles 38-39).
The major change is Commission Implementing Regulation (EU) 2024/2835, which standardizes the reporting templates, reporting periods, publication timing, and versioning rules for Articles 15, 24, and 42 reports.
That means teams now need a structured reporting pipeline, not just a narrative moderation report.
If you present ads, Article 26 requires per-ad disclosures (ad labeling, beneficiary/payer, and targeting parameters).
If you use recommender systems, Article 27 requires transparency on main parameters and user options; VLOPs/VLOSEs must also offer at least one non-profiling option per recommender system (Article 38) and may need a public ad repository with APIs (Article 39).
Member States must set penalties that are effective, proportionate and dissuasive, with maximum fine ceilings under Article 52.
The Commission can impose fines on VLOPs/VLOSEs under Article 74 as part of its enforcement track.
Start with the controls that unlock multiple obligations: notice & action + statement of reasons + transparency reporting pipeline.
Then add marketplace and VLOP layers as applicable.
Research Copilot can take EU Digital Services Act (DSA) FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
Start from EU Digital Services Act (DSA) FAQ and answer scope, timing, and interpretation questions with cited outputs.
Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) FAQ.