What Online Heavy Hitters Need to Know About New EU Rules

This year, the European Union’s Digital Services Act (DSA) requirements came into effect, adding new regulations for all very large online platforms (VLOPs) and very large online search engines (VLOSEs) — the “very large” designation meaning those with more than 45 million average monthly users. Platforms and search engines subject to the new rules, which also apply to some U.S.-based companies, could face massive penalties if they don’t comply.

What is the Digital Services Act, who is subject to it and how can companies get their risk management practices in line with DSA requirements?

What is the DSA, and why was it passed?

Passed in April 2022, the DSA was designed to create safe online ecosystems in which the fundamental rights of all EU users are protected while rebalancing the responsibilities of users, platforms and public authorities. The aim is to do so without unfairly harming businesses or growth, so the DSA’s new rules are “proportionate, foster innovation, growth and competitiveness, and facilitate the scaling up of smaller platforms, SMEs and startups,” the European Commission says.

Even if your company is based in the U.S., these rules could apply to you. Any company that provides services to any users in the EU is subject to these new rules.

The EU has promoted the DSA by touting a number of benefits for different groups. For EU citizens, the DSA is primarily focused on ensuring effective safeguards, providing choice and content moderation, including less exposure to illegal content and cybersecurity risks, at affordable prices. Similarly, for business users, increased access to various choices across EU-wide markets should keep costs down while also providing a level playing field against providers of illegal content.

For the providers themselves, the EU has pointed to the benefits of harmonization of the rules across digital ecosystems — being able to have legal certainty into what is needed for compliance will make it easier to both begin a business and scale one up. And the broad benefits of this act for society at large, says the EU, will be greater oversight, which allows for better mitigation of systemic risks like manipulation and disinformation.

These are ambitious and admirable goals, to be sure. In more practical terms, the DSA, along with the Digital Markets Act (DMA) that was also passed in 2022 by the European Parliament in Brussels, add new rules to the EU’s e-Commerce Directive of 2000 to help it address the new ways the internet has shaped our world and how we have come to live and work with it 20-plus years later — and all the modern challenges that come with the internet in 2023.

Note that the EU’s main regulation for data protection, the GDPR, isn’t going anywhere. DSA isn’t replacing it; they will both exist, and companies must comply with each if they meet the eligibility criteria.

What are the DSA’s requirements for VLOPs and VLOSEs?

While intermediary services and hosting services, and to an extent smaller online platforms, have a more limited number of new obligations under the DSA, very large platforms have a lot of work to do to meet these new requirements.

The DSA regulations on VLOPs and VLOSEs have the goal of reducing four key areas of systemic risk. This is due to the size of those organizations and their outsized impact; unlike the risks found in smaller organizations or most other industries, these risks at VLOPs/VLOSEs could apply well beyond the borders of a company or platform and have a negative impact across the globe. Those four risks are:

1. Impacting or curtailing of fundamental rights like dignity, freedom of expression, privacy, nondiscrimination, consumer protections and more
2. Damaging healthy democratic and electoral processes, whether in the EU or abroad
3. Adversely affecting measures that are in place to protect public health, minors, physical and mental well-being, or to prevent gender-based violence and discrimination
4. Disseminating illegal content or facilitating illegal activities, such as trade in prohibited goods

Among other obligations for VLOPs and VLOSEs, these large platforms must “prevent abuse of their systems by taking risk-based action.” These risk management obligations largely boil down to the following requirements:

• Conducting risk assessments for the four systemic risks numbered above; these should be incorporated into any existing compliance programs
• Designing proactive plans and crisis responses to actively mitigate risks and react if they are realized
• Providing independent audits into risk management systems
• All actions taken to mitigate risk must not restrict the fundamental rights of EU citizens

Meeting DSA compliance requirements

It’s clear that the DSA will have wide-ranging implications for the online ecosystem. Users will expect more accountability and transparency from large platforms that previously answered to no one, and a company clearly acting in good faith to comply should enjoy a positive bump in how customers view their brand. Given these obligations for risk management laid out by the DSA, what do companies need to have in place to meet them?

• Comprehensive risk assessments: Using the four systemic risks laid out by the DSA as a framework, the ability to undertake comprehensive risk assessments is crucial for companies. Each of these risks are complex and require assessment from multiple angles, whether they be financial, security-related, operational, or any other risk dimension, in order to be properly accounted for.
• Automated workflows: Risk management teams should consider building automated workflows into risk control processes. Automation allows companies to quickly adapt to changing regulations or world developments that could increase risk without IT bottlenecks. It also allows for risk-based due diligence — enhancing the actions taken based on the level of risk identified — with little delay. Systems, automated or not, should also be capable of generating monthly DSA compliance reports.
• Maintain a central repository for resources: Any risk management systems that companies can rely on for DSA compliance will also allow trusted flaggers to generate intelligence on any notices that arise. Terms and conditions and explanations for how it all fits into DSA compliance should be maintained in a central repository of the risk management system for easy publishing and access as needed — DSA compliance itself is important, but so is transparency on how that compliance is being achieved.

The clock is ticking

The penalties from the EU for noncompliance can be significant, enough to potentially pull a company off its projected path for growth and hamper operations. Failure to comply with any of the DSA’s obligations could incur a fine of up to 6% of a company’s annual revenue. If submitted reports include inaccurate, incomplete or misleading information, that could cost the company 1% of revenue as well. And if penalties recur, fines could be levied every day of up to 5% of daily revenue. VLOPs and VLOSEs can’t afford to wait to meet DSA regulations. The quicker these risk management capabilities are put in place, the less exposure they’ll have, and the potential fines could be lessened.