EU Digital Services Act requirements

Start with the service actually offered in the EU. The DSA covers intermediary services and then adds obligations for hosting services, online platforms, online marketplaces, and designated very large online platforms or very large online search engines. A product can have more than one service surface, so classify each surface separately instead of assigning one global label.

The minimum requirements record should identify the service, EU targeting or establishment facts, service tier, whether the micro or small enterprise exclusions are relevant, average monthly active recipient reporting status for platforms or search engines, and whether the Commission has designated the service as a VLOP or VLOSE.

Hosting services need a notice-and-action mechanism that collects enough information to identify the alleged illegal content without a detailed legal investigation: explanation, exact electronic location, notifier contact details where required, and a good-faith statement. The provider must acknowledge receipt when it has contact details, decide in a timely, diligent, non-arbitrary and objective way, and tell the notifier the decision and redress options.

When a hosting provider restricts content, monetisation, service access or an account because user-provided information is allegedly illegal or incompatible with terms, it must give affected recipients a clear statement of reasons where contact details are known. Online platforms must also send statements of reasons to the Commission's DSA Transparency Database without personal data.

Online platforms need user-facing governance controls beyond hosting. The requirements file should connect terms, moderation, complaints, ads, recommender systems, protection of minors and misuse policies to product surfaces that users actually see.

Marketplace-style platforms have a separate Article 30-32 control set. They should not treat trader onboarding as a purely commercial KYC workflow: the DSA requires specified trader data, best-efforts reliability checks, secure retention for six months after the contractual relationship ends, selected trader information displayed to consumers, and consumer notifications when an illegal product or service is discovered.

DSA transparency reporting is not one report for every provider. All intermediary services in scope publish annual content-moderation reports unless an exclusion applies; hosting services report notice data; online platforms add dispute and misuse-suspension data; and VLOPs/VLOSEs publish enhanced reports at least every six months with additional staffing, linguistic expertise, accuracy, active-recipient and risk/audit information.

The implementing transparency templates make reporting operational. A useful DSA requirements register should therefore maintain the raw counters, report period, service name, Member State order data, notice-and-action data, complaint and dispute data, automated-moderation descriptions, AMAR numbers, staffing and language fields, methodology notes, and links to each published report.

A designated VLOP or VLOSE needs a separate enhanced-obligations workstream. The Commission designation is based on average monthly active recipients in the EU meeting the DSA threshold, and the enhanced duties apply to the designated service rather than every product operated by the same company.

The practical requirement is a traceable risk and assurance system: annual and change-triggered risk assessments, mitigation design, board and compliance-function oversight, independent audit, audit implementation, public reporting, data access for regulators and vetted researchers, recommender options not based on profiling, and a public ad repository where advertising is presented.

DSA enforcement is split between national Digital Services Coordinators and the Commission. Member States designate competent authorities and a Digital Services Coordinator for national supervision and enforcement, while the Commission has exclusive competence for the enhanced VLOP/VLOSE obligations and shares competence for other obligations imposed on those services.

A requirements overview should therefore include an enforcement evidence index. The index should make it possible to answer authority requests quickly without over-collecting personal data: source article, service tier, owner, production system, evidence store, publication URL, last report, complaint route, authority contact point, and escalation owner for Commission or Digital Services Coordinator requests.