
DSA and DMA: What Online Platforms and Digital Markets Need to Know

The Digital Services Act and Digital Markets Act fundamentally reshape obligations for online platforms and gatekeepers. This guide covers who they apply to, what's required, and the enforcement timeline.

Source: EuroComply Editorial (2026-04-14)
Reviewed: EuroComply Team, EU regulatory specialists
Content reviewed against official EUR-Lex texts
EuroComply Editorial Team

The Digital Services Act (Regulation 2022/2065, applied February 2024) and the Digital Markets Act (Regulation 2022/1925, applied May 2023) together form the EU's digital markets regulatory framework. They are related but distinct: the DSA governs how online intermediaries handle content and users; the DMA governs how dominant platforms treat business users and competitors.

Understanding which applies to you — and what it requires — is increasingly important. The Commission has been actively enforcing both, and national Digital Services Coordinators are now operational across Member States.


Digital Services Act (DSA)

Scope and Tiered Obligations

The DSA applies to all online intermediary services with users in the EU, regardless of where the provider is established. Obligations are tiered by service type and size — larger platforms face heavier requirements.

| Tier | Who | Examples |
|------|-----|---------|
| All intermediary services | Any online intermediary | ISPs, DNS providers, transit providers |
| Hosting services | Services storing user-provided content | Web hosting, cloud storage |
| Online platforms | Hosting services that disseminate to the public | Marketplaces, app stores, social media, review platforms |
| Very Large Online Platforms (VLOPs) | Online platforms with ≥45M average monthly EU users | Designated by the Commission |
| Very Large Online Search Engines (VLOSEs) | Search engines with ≥45M average monthly EU users | Designated by the Commission |

Key DSA Obligations by Tier

All intermediary services:

  • Clear terms of service
  • Single point of contact for authorities
  • Transparency reporting

Hosting services (adds):

  • Mechanism to notify illegal content (notice-and-action)
  • Inform users of content removal and provide redress
  • Report criminal offences to law enforcement when detected

Online platforms (adds):

  • No dark patterns — interface design must not deceive users into choices they would not otherwise make
  • Clear labelling of all advertising, with no targeting based on special category data or minors
  • Recommender system transparency — at least one recommendation option not based on profiling
  • Complaint and redress mechanisms, including out-of-court dispute settlement access
  • Transparency on terms and enforcement

VLOPs and VLOSEs (adds):

  • Annual systemic risk assessments covering: dissemination of illegal content, fundamental rights impacts, civic discourse and electoral integrity, gender-based violence, protection of minors
  • Independent audits of risk assessments and mitigation measures
  • Real-time access to data for vetted researchers
  • Crisis response protocols (Commission can activate in exceptional circumstances)
  • Prohibition on targeting based on profiling for minors, and for sensitive categories of data

DSA Enforcement and Fines

National Digital Services Coordinators (DSCs) are the primary enforcement bodies. The European Commission enforces directly against VLOPs and VLOSEs.

| Violation | Maximum Fine |
|-----------|-------------|
| Non-compliance with DSA obligations | 6% of global annual turnover |
| Non-compliance with Commission interim measures | 5% of average daily global turnover |
| Repeated infringement | Temporary restriction of EU market access |

For VLOPs and VLOSEs, the Commission can also impose structural remedies in cases of systematic non-compliance.


Digital Markets Act (DMA)

Scope: Gatekeepers Only

The DMA applies exclusively to designated gatekeepers — companies that provide core platform services and meet the designation thresholds. Designation is carried out by the European Commission.

Currently designated gatekeepers (as of April 2026): Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta, and Microsoft. Designation can be extended as markets evolve.

Gatekeeper designation criteria (at least one must be met quantitatively or qualitatively):

  • Market cap of ≥€75 billion or annual EU turnover ≥€7.5 billion in the last 3 financial years
  • ≥45 million monthly active EU end-users of the core platform service
  • ≥10,000 annual active business users in the EU in the last financial year

Core platform services covered by the DMA:

  • Online intermediation services (marketplaces, app stores)
  • Online search engines
  • Online social networking services
  • Video-sharing platform services
  • Number-independent interpersonal communication services (messaging)
  • Operating systems
  • Web browsers
  • Virtual assistants
  • Cloud computing services
  • Online advertising services (linked to a designated gatekeeper)

DMA Obligations for Gatekeepers

Gatekeepers face a list of do's and don'ts (Articles 5 and 6), including:

  • Interoperability — messaging gatekeepers must allow third-party messaging services to interoperate at basic levels (text, images, files)
  • Data portability — end-users and business users must be able to port data to other platforms
  • Fair ranking — gatekeepers cannot give preferential treatment to their own services in rankings (no self-preferencing in search results, app stores, etc.)
  • No combining personal data across services without the user's explicit consent
  • App store openness — business users must be able to distribute apps via alternative channels; users must be able to set default apps
  • No tying — gatekeepers cannot require users to use one core platform service as a condition of accessing another
  • Access to data — business users must be given access to data generated through their use of the gatekeeper's platform

DMA Enforcement and Fines

The European Commission has exclusive enforcement jurisdiction for the DMA.

| Violation | Maximum Fine |
|-----------|-------------|
| Non-compliance with DMA obligations | 10% of global annual turnover |
| Repeated infringement | 20% of global annual turnover |
| Systematic non-compliance | Structural remedies (e.g. divestiture of business units) |
| Failure to notify concentrations | 1–5% of global annual turnover |

The Commission has already opened formal proceedings against multiple designated gatekeepers and imposed interim measures.


Who This Actually Affects

Most SMEs face only the basic DSA tier — they must have clear terms of service, a notice-and-action mechanism for illegal content if they host user content, and no dark patterns. These are manageable.

Platforms with growing EU user bases should monitor whether they approach the 45 million user threshold triggering VLOP designation — the compliance burden increases substantially at that point.

The DMA currently only affects the six designated gatekeepers. Unless your company is one of them, DMA obligations do not apply directly. However, if you distribute apps through gatekeeper platforms, publish content through social networks, or advertise via gatekeeper advertising services, you benefit from the DMA's obligations on those gatekeepers — fairer access, data portability, and transparent ranking.

Practical Guidance for Mid-Market Platforms

  1. Audit your terms of service and UI for dark patterns — the DSA's prohibition is enforceable at all platform tiers
  2. Build a notice-and-action workflow if you host user-generated content — a mechanism to receive, assess, and act on illegal content reports is required
  3. Publish a transparency report annually covering content moderation actions — required for online platforms
  4. Review advertising practices — if you target advertising, confirm you are not using special category data or profiling minors
  5. Monitor user numbers — if you approach 45 million EU monthly active users, VLOP designation triggers significantly more demanding obligations; begin gap analysis before you cross the threshold

Last updated: April 2026. For informational purposes only — not legal advice.

EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

For informational purposes only. Consult qualified legal counsel.
