| Scope and covered activity | Online Safety Act: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | DSA: test whether the service is an intermediary service, hosting service, online platform, marketplace, search engine, or very large platform/search engine serving EU users. | Write two scope findings first: where Online Safety Act applies, where DSA applies, and which facts are outside one side even if evidence can be reused. |
|---|
| Who must act | Online Safety Act: identify the organization, role, provider, manufacturer, operator, controller, processor, gatekeeper, supplier, or public body that owns the duty. | DSA: assign the comparator duty to its own accountable actor and note when counterparties, subsidiaries, importers, providers, or customers differ. | Name each role separately because one entity can hold different obligations in different workflows. |
|---|
| Trigger or threshold | Online Safety Act: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim. | DSA: start from the service category and EU-user reach, including whether the provider is an intermediary, hosting service, online platform, online marketplace, search engine, or a very large platform/search engine with over 45 million monthly EU users. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
|---|
| Core obligations | The Online Safety Act requires UK-regulated services to conduct illegal content risk assessments, implement safety measures for priority illegal content, produce children's access assessments where children may use the service, and follow enforceable Codes of Practice issued by Ofcom. | The DSA requires platforms to provide transparency reports, give users tools to flag illegal content, offer non-profiling-based advertising options for very large platforms, conduct systemic risk assessments annually, and comply with audited risk mitigation measures supervised by the Digital Services Coordinator. | Translate obligations into tickets, notices, records, controls, or contract terms. |
|---|
| Evidence and records | Online Safety Act: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | DSA: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
|---|
| Timing and cadence | Online Safety Act: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | DSA: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
|---|
| Enforcement or assurance route | Online Safety Act: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | DSA: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
|---|
| Overlap and reuse | Online Safety Act: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | DSA can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
|---|
| Practical decision rule | Online Safety Act: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | DSA: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | Choose one practical next step: proceed under Online Safety Act, proceed under DSA, run both in parallel, or document why neither side controls the present fact pattern. |
|---|