Nexvyra EN · Deutsch

EU Digital Services Act (DSA, Regulation 2022/2065) – Platform Obligations and User Rights 2026

Short Answer

The Digital Services Act (DSA, Regulation (EU) 2022/2065) became fully applicable on 17 February 2024 and establishes uniform EU rules for intermediary services — hosting providers, online platforms, and search engines. Core obligations: notice-and-action mechanism (Art. 16), transparent terms and recommender systems (Arts. 14, 27), user right to complain (Art. 20), out-of-court dispute settlement (Art. 21). Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) with ≥ 45 million EU users have additional obligations: systemic risk assessment (Art. 34), independent audits (Art. 37), crisis response mechanisms (Art. 36). Penalties: up to 6 % of global annual turnover (Art. 52). Germany implements the DSA via the Digital Services Act (Digitale-Dienste-Gesetz, DDG) of 6 May 2024 — supervised by the Federal Network Agency (Bundesnetzagentur) acting as Digital Services Coordinator.

Key Facts

ItemValue
Legal BasisRegulation (EU) 2022/2065 of 19 October 2022
Fully Applicable Since17 February 2024
Applicable to VLOPs/VLOSEs Since25 August 2023 (early start)
Germany's Implementing ActDigitale-Dienste-Gesetz (DDG) of 6 May 2024
Germany's Digital Services CoordinatorFederal Network Agency (Bundesnetzagentur)
ScopeIntermediary services with EU users
ExtraterritorialYes – non-EU providers must appoint legal representative [Art. 13]
Notice-and-Action MechanismMandatory for hosting providers [Art. 16]
Response Time to Government OrdersWithout undue delay [Arts. 9, 10]
Users' Right to Appeal Content ModerationAt least 6 months from decision [Art. 20]
Out-of-Court Dispute SettlementCertified bodies, free for user [Art. 21]
Labelling of Paid ContentMandatory [Art. 26]
Ad Transparency RegisterVLOPs must maintain [Art. 39]
Recommender System TransparencyMandatory [Art. 27]
VLOP/VLOSE Threshold≥ 45 million average monthly EU users [Art. 33]
VLOP Systemic Risk AssessmentAnnual [Art. 34]
VLOP Independent AuditsAnnual [Art. 37]
Maximum FineUp to 6 % of global annual turnover [Art. 52(3)]
Periodic Penalty PaymentUp to 5 % of global daily turnover [Art. 52(4)]
Jurisdiction for VLOP ClaimsEstablishment of the VLOP (typically Ireland/NL)

Scope of Application

The DSA applies to intermediary services in four categories:

  • Mere conduit (access providers, ISPs) – lowest obligations
  • Caching (temporary storage)
  • Hosting providers (cloud, file sharing, forums) – notice-and-action obligation
  • Online platforms (marketplaces, social media, app stores) – most extensive standard obligations
  • VLOPs/VLOSEs – additional obligations due to systemic importance
  • Micro and small enterprises (< 50 employees, < €10 million turnover) are exempt from some additional obligations for online platforms (Art. 19) but must comply with base obligations.

    Current VLOP/VLOSE List (as of 2026)

    The European Commission has currently designated 19 VLOPs and 2 VLOSEs:

    VLOPs: Alibaba AliExpress, Amazon Store, Apple App Store, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Wikipedia, X (Twitter), YouTube, Zalando, Temu, Shein

    VLOSEs: Google Search, Bing

    All must publish annual risk assessments, audits, and transparency reports.

    User Rights vis-à-vis Platforms

    Right 1 — Reporting illegal content (Art. 16) Any user can report illegal content (hate speech, copyright infringement, illegal products). The platform must decide promptly and provide reasoning.

    Right 2 — Appeal against moderation decisions (Art. 20) If content is removed or an account is suspended, the affected party can lodge an appeal within 6 months. Platforms must operate an internal complaint system.

    Right 3 — Out-of-court dispute settlement (Art. 21) If the appeal is unsuccessful, the user can invoke a certified dispute settlement body. Free of charge for successful complaints.

    Right 4 — Judicial action Always available, independent of the complaint procedure.

    Right 5 — Freedom of choice on recommender systems (Art. 27, 38 for VLOPs) VLOPs must offer a non-profiling-based alternative (e.g., chronological timeline instead of algorithmic).

    Right 6 — Advertising transparency (Art. 26) Users see for each ad: who commissioned it, why it is shown, based on which criteria. VLOPs additionally maintain a public ad transparency register.

    Reporting Illegal Content – Practically

    1. On the platform, look for the notice-and-action button (usually "Report" on posts). Art. 16 mandates easy accessibility.

    2. Provide grounds (category, reasoning, location).

    3. Receive confirmation — the platform must acknowledge receipt.

    4. Await decision — within a reasonable time (typically 24-72 hours in practice).

    5. In case of inaction or wrong decision: internal appeal (Art. 20), then out-of-court (Art. 21).

    6. Authority report to Bundesnetzagentur for systematic non-action.

    Common Mistakes

  • "The DSA only affects Facebook, TikTok & Co." False — the DSA applies to any intermediary service in the EU. A small business forum with user content is equally obliged, though with reduced requirements.
  • "Users can challenge any content removal." Nuanced — only if the platform has moderated user content (Art. 20). Purely automatic spam filters are also subject to the appeal right.
  • "There is no takedown obligation under the DSA." Nuanced — the DSA does not prescribe a blanket takedown obligation (safe harbour Art. 6). But once knowledge exists (through notice or authority order), immediate action is required — otherwise the platform is liable.
  • "Only EU providers are affected." False — extraterritorial application. Third-country platforms require an EU representative (Art. 13).
  • "Penalties only apply after complaint procedure." False — Bundesnetzagentur can impose fines directly (up to 6 % global turnover). For VLOPs, the European Commission is directly competent.
  • "The DSA replaces Germany's NetzDG." Partially — the NetzDG has largely been absorbed into the DSA. Remnants remain (e.g., Section 4 reporting obligation at national level); the DDG regulates the transition.
  • Sources

  • Regulation (EU) 2022/2065 (DSA) – EUR-Lex full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065
  • Germany's Digital Services Act (DDG): https://www.gesetze-im-internet.de/ddg/
  • EU Commission – DSA Portal: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act
  • List of VLOPs/VLOSEs: https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses
  • Bundesnetzagentur – Digital Services (EN): https://www.bundesnetzagentur.de/EN/Areas/Digital/DigitalServices/start.html
  • DSA Transparency Database: https://transparency.dsa.ec.europa.eu/
  • Change Log

  • 2026-07-02: Initial publication (English EU wave). Applicable since 17 Feb 2024, Germany implements via DDG. Current list 19 VLOPs + 2 VLOSEs. Penalty 6 % global turnover. | change_type=initial_publication field="topic_lifecycle" new="published" reviewed_by="Andreas Warkentin"
  • See Also

  • EU AI Act (Regulation 2024/1689)
  • GDPR Article 17 – Right to Erasure
  • German DSA version
  • Status

  • Date: 2026-07-02
  • Valid from: 2024-02-17 (full applicability)
  • Status: current
  • Source authority: A (EUR-Lex, EU Commission, Bundesnetzagentur)
  • Licence: CC BY 4.0