DSA: General Provisions
General Provisions [Articles 4-12]
Rule: The DSA establishes fundamental principles for the internal market in intermediary services, including the freedom to provide services, exclusions from scope, procedures for orders from authorities, contact requirements, and relationships with other EU laws.
Internal Market Clause [Article 4]
Article 4(1): Freedom to Provide Intermediary Services
Principle: Intermediary service providers shall be free to provide their services throughout the Union.
This means:
- Services lawful in one Member State are lawful across EU
- No need for separate authorization in each Member State
- Single market for digital services
Member States cannot:
- Require authorization/license for intermediary services
- Impose additional requirements beyond DSA
- Restrict services lawful under DSA
Article 4(2): Country of Origin Principle
Rule: Intermediary service providers subject to jurisdiction of Member State of establishment.
Establishment determined by:
- Where provider has stable and effective exercise of activity
- Legal form alone not determinative
- Main establishment for multi-country operators
Practical effect:
- Supervised primarily by Digital Services Coordinator of establishment
- Other Member States cooperate through DSA mechanisms
- No “jurisdiction shopping” (substantive requirements apply)
Article 4(3): Restrictions Only in Specific Circumstances
Member States may restrict services ONLY when:
| Condition | Requirement |
|---|---|
| Necessary | Restriction necessary for specified reasons (public policy, security, health) |
| Proportionate | No less restrictive alternative available |
| Procedural compliance | Follow procedures in Arts 9-10 (orders to act) |
| Notification | Inform Commission and other Member States |
Specified reasons for restriction:
- Public policy or public security
- Protection of public health
- Protection of consumers (including investors)
Exclusions [Articles 5-8]
Article 5: Exclusion for Specific Service Types
DSA does not apply to:
| Excluded Service | Reason | Applicable Law |
|---|---|---|
| Electronic communications services | Covered by sector-specific law | Telecom regulations |
| Services of general interest | Public service obligations | National law |
| Audiovisual media services | Specific regulatory framework | AVMSD |
“Electronic communications services” (Art 2 EECC):
- Public telephone networks
- Internet access services
- Interpersonal communications services (voice, messaging)
Rationale: These services have specialized regulatory regimes
Article 6: Exclusion for Certain Activities of Public Authorities
DSA does not apply when public authorities provide services for:
| Purpose | Examples |
|---|---|
| Public security | Emergency services, disaster response |
| Defense | Military communications |
| National security | Intelligence services |
| Public order | Law enforcement coordination |
| Criminal justice | Judicial communications |
Conditions:
- Must be genuinely governmental function
- Not commercial service provision
- Necessary for specified purpose
Example:
- Police database: Excluded (public security)
- Government tourism website: Not excluded (commercial information)
Article 7: No General Monitoring Obligation
Prohibition: Providers shall not be subject to general obligation to:
- Monitor information they transmit or store
- Actively seek facts or circumstances indicating illegal activity
“General obligation” means:
- Systematic monitoring of all content
- Proactive filtering of all user uploads
- Blanket surveillance measures
Permitted:
- Specific monitoring (e.g., following court order for specific content)
- Voluntary content moderation policies
- Automated tools for specific types of illegal content (e.g., child sexual abuse material)
- Trusted flagger cooperation
Relationship to other articles:
- Does not prevent voluntary measures (Art 8)
- Does not prevent specific orders (Arts 9-10)
- Does not prevent due diligence obligations (Chapter III)
Practical impact:
- Platforms not required to pre-screen all user content
- Can use automated tools voluntarily
- Must respond to specific notices and orders
Article 8: Voluntary Own-Initiative Investigations
Providers may conduct voluntary investigations of illegal content or conduct:
Conditions:
- Done in good faith
- With due diligence
- In accordance with applicable law (GDPR, ePrivacy, etc.)
Does not affect:
- Liability exemptions (Arts 14-15)
- Provided investigations are done in good faith
Examples of voluntary measures:
- Content moderation teams reviewing reports
- Automated detection of known illegal content (CSAM hashing)
- User flagging systems
- Trusted flagger cooperation
- Terms of service enforcement
Important: Voluntary investigations do not create liability if done properly
Orders from Authorities [Articles 9-10]
Article 9: Orders to Act Against Illegal Content
Competent authority may issue order requiring provider to:
- Act against one or more specific items of illegal content
- Provide information about specific individual recipients
Order must:
| Requirement | Details |
|---|---|
| Be clear and precise | Identify specific content, specify action required |
| Include statement of reasons | Legal basis, why content illegal, why order necessary/proportionate |
| Indicate redress | How provider can challenge order |
| Specify territorial scope | Where order applies |
| Contain contact information | Authority issuing order |
| Be in official EU language | Language provider understands or English |
Provider must:
- Inform authority of effect given to order
- Specify time when effect given and duration
Provider may challenge order through judicial review
“Illegal content” means:
- Information not in compliance with Union law or Member State law
- Criminal content, civil wrongs, violations of consumer protection law
- Determined under applicable law, not by platform
Examples:
- Court order to remove defamatory content
- Police order to remove terrorist content
- Consumer authority order to remove fraudulent advertisement
Article 10: Orders to Provide Information
Competent authority or Commission may order provider to provide:
- Specific information about specific individual recipients
- Necessary to identify or contact recipients
Order must contain:
- Statement of reasons (why information needed, legal basis)
- Indication that information cannot be obtained otherwise
- Clear specification of information required
- Time limit for providing information
- Indication of redress possibilities
Limits on information requests:
- Must be necessary and proportionate
- Respect fundamental rights
- Comply with GDPR
Provider obligations:
- Provide requested information without undue delay
- Inform authority of difficulties or questions
Example:
- Authority investigating illegal content may request IP addresses, account information
- Limited to what’s necessary for investigation
Article 11: Points of Contact
All providers must designate point of contact:
Requirements:
| Aspect | Details |
|---|---|
| Electronic format | Email address or web form |
| Direct communication | Allow rapid communication with authorities, Commission, Board |
| Single point | Can be same contact for multiple purposes |
| Public | Published and easily accessible |
| Language | At least one official EU language widespread in Member States where most recipients |
Purpose:
- Enable authorities to reach provider quickly
- Facilitate cooperation and information exchange
- Ensure accountability
Must be able to handle:
- Orders under Arts 9-10
- Recommendations from Commission
- Notices from trusted flaggers (Art 22)
- Requests for information
Practical compliance:
- Email address clearly designated
- Or online form on provider’s website
- Monitored regularly
- Responses without undue delay
Article 12: Legal Representatives for Non-EU Providers
Providers not established in EU offering services in EU must designate legal representative in EU.
Conditions triggering requirement:
- Provider not established in any Member State
- Offers services in Union
- Regardless of size
Legal representative must:
| Responsibility | Details |
|---|---|
| Be established | In Member State where provider has substantial number of recipients |
| Receive communications | On provider’s behalf from authorities, Commission, Board |
| Be mandated | Written mandate to be addressed on compliance matters |
| Respond | To communications from authorities |
Representative can be:
- Individual
- Company
- Law firm or compliance service
Scope of mandate:
- Receive and comply with orders (Arts 9-10)
- Receive decisions and requests from authorities
- Cooperate with authorities
- Can be contacted for enforcement proceedings
Representative liability:
- Representative not personally liable for provider’s violations
- Acts on behalf of provider
- Facilitates enforcement against provider
Practical effect:
- Ensures EU authorities can reach non-EU providers
- Enables effective enforcement
- No safe harbor from compliance by being outside EU
Example:
- US-based social media platform operating in EU must designate representative in Member State with most EU users (e.g., Germany, France)
Relationship with Other Legal Acts [Article 13]
Article 13(1): Coordination with Sectoral Legislation
DSA provisions apply UNLESS:
- Sectoral Union law provides corresponding rules
- Aims to achieve same objective
Sectoral laws that may take precedence:
| Area | Relevant Law | Relationship |
|---|---|---|
| Audiovisual media | AVMSD | Specific rules for video-sharing platforms |
| Copyright | DSM Copyright Directive | Content recognition obligations |
| Terrorism content | Terrorism Content Regulation | One-hour removal rule |
| Child sexual abuse material | Proposed CSAM Regulation | Detection obligations |
| Payment services | PSD2 | Payment fraud prevention |
Coordination principle:
- Sector-specific rules apply to specific issues
- DSA provides baseline for other issues
- No double regulation of same issue
Article 13(2): GDPR and ePrivacy Relationship
DSA does not affect:
- GDPR (data protection)
- ePrivacy Directive (electronic communications privacy)
Key points:
| Law | Application | DSA Coordination |
|---|---|---|
| GDPR | Personal data processing | DSA obligations must comply with GDPR |
| ePrivacy | Communications confidentiality | DSA must respect ePrivacy rules |
Practical effect:
- Content moderation must comply with GDPR
- Transparency reporting must protect privacy
- Automated detection systems must meet GDPR standards
- Both frameworks apply concurrently
Example:
- Platform collecting user reports must have GDPR legal basis
- Transparency reports must not disclose personal data inappropriately
- Risk assessments must include data protection impact assessments
Article 13(3): Consumer Protection Law
DSA complements but does not replace:
- Consumer Rights Directive
- Unfair Commercial Practices Directive
- Other consumer protection laws
Platforms must comply with BOTH:
- DSA obligations
- Consumer protection requirements
Overlapping areas:
- Dark patterns prohibition (DSA Art 25 + UCPD)
- Transparency about terms (DSA Art 14 + consumer law)
- Misleading content (both frameworks)
Practical Compliance
For All Intermediary Service Providers
Checklist:
- ✅ Designate point of contact (Art 11)
- ✅ Publish contact information
- ✅ Respond to orders from authorities (Arts 9-10)
- ✅ Comply with GDPR and ePrivacy
- ✅ Respect freedom of expression and information
- ✅ No general monitoring (but voluntary measures allowed)
For Non-EU Providers
Additional requirements:
- ✅ Designate legal representative in EU (Art 12)
- ✅ Publish representative’s contact information
- ✅ Ensure representative has proper mandate
- ✅ Maintain effective communication with representative
Responding to Authority Orders
When receiving Art 9 order:
- ✅ Review order for clarity and legal basis
- ✅ Assess whether content is actually illegal
- ✅ If unclear, seek clarification from authority
- ✅ Execute order or challenge judicially
- ✅ Inform authority of action taken
- ✅ Document compliance
When receiving Art 10 order:
- ✅ Verify authority’s competence
- ✅ Assess proportionality and necessity
- ✅ Comply with GDPR requirements
- ✅ Provide information without undue delay
- ✅ Inform authority of difficulties
Common Mistakes
Assuming single authorization covers all EU:
- No authorization required, but must comply with DSA throughout EU
- Cannot be blocked by Member State for DSA compliance
Ignoring point of contact requirement:
- All providers must designate (Art 11)
- Failure can result in penalties
- Must be actively monitored
Non-EU providers thinking DSA doesn’t apply:
- DSA applies to services “offered in the Union”
- Must designate legal representative
- Full compliance required
Believing general monitoring is required:
- Art 7 prohibits general monitoring obligation
- Voluntary measures permitted
- Specific measures may be required (e.g., trusted flaggers)
Not coordinating with GDPR:
- DSA and GDPR both apply
- Content moderation must have GDPR legal basis
- Data protection by design and default