---
title: EU Digital Services Act (DSA, Regulation 2022/2065) – Platform Obligations and User Rights 2026
slug: eu-dsa-2022-2065-platform-obligations
topic: data-protection
lang: en
valid_from: 2024-02-17
valid_to: null
last_reviewed: 2026-07-02
status: current
authority_level: A
license: CC-BY-4.0
url: https://nexvyra.de/en/fakten/eu-dsa-2022-2065-platform-obligations.md
wikidata_subjects: [Q112170489]
de_version: https://nexvyra.de/fakten/dsa-verordnung-plattform-nutzerrechte.html
---

# EU Digital Services Act (DSA, Regulation 2022/2065) – Platform Obligations and User Rights 2026

## Short Answer

The **Digital Services Act (DSA, Regulation (EU) 2022/2065)** became fully applicable on **17 February 2024** and establishes uniform EU rules for **intermediary services** — hosting providers, online platforms, and search engines. Core obligations: **notice-and-action mechanism** (Art. 16), **transparent terms and recommender systems** (Arts. 14, 27), **user right to complain** (Art. 20), **out-of-court dispute settlement** (Art. 21). **Very Large Online Platforms (VLOPs)** and **Very Large Online Search Engines (VLOSEs)** with **≥ 45 million EU users** have additional obligations: **systemic risk assessment** (Art. 34), **independent audits** (Art. 37), **crisis response mechanisms** (Art. 36). **Penalties**: up to **6 % of global annual turnover** (Art. 52). Germany implements the DSA via the **Digital Services Act (Digitale-Dienste-Gesetz, DDG)** of 6 May 2024 — supervised by the **Federal Network Agency (Bundesnetzagentur)** acting as Digital Services Coordinator.

## Key Facts

| Item | Value |
|---|---|
| Legal Basis | Regulation (EU) 2022/2065 of 19 October 2022 |
| Fully Applicable Since | 17 February 2024 |
| Applicable to VLOPs/VLOSEs Since | 25 August 2023 (early start) |
| Germany's Implementing Act | Digitale-Dienste-Gesetz (DDG) of 6 May 2024 |
| Germany's Digital Services Coordinator | Federal Network Agency (Bundesnetzagentur) |
| Scope | Intermediary services with EU users |
| Extraterritorial | Yes – non-EU providers must appoint legal representative [Art. 13] |
| Notice-and-Action Mechanism | Mandatory for hosting providers [Art. 16] |
| Response Time to Government Orders | Without undue delay [Arts. 9, 10] |
| Users' Right to Appeal Content Moderation | At least 6 months from decision [Art. 20] |
| Out-of-Court Dispute Settlement | Certified bodies, free for user [Art. 21] |
| Labelling of Paid Content | Mandatory [Art. 26] |
| Ad Transparency Register | VLOPs must maintain [Art. 39] |
| Recommender System Transparency | Mandatory [Art. 27] |
| VLOP/VLOSE Threshold | ≥ 45 million average monthly EU users [Art. 33] |
| VLOP Systemic Risk Assessment | Annual [Art. 34] |
| VLOP Independent Audits | Annual [Art. 37] |
| Maximum Fine | Up to 6 % of global annual turnover [Art. 52(3)] |
| Periodic Penalty Payment | Up to 5 % of global daily turnover [Art. 52(4)] |
| Jurisdiction for VLOP Claims | Establishment of the VLOP (typically Ireland/NL) |

## Scope of Application

The DSA applies to **intermediary services** in four categories:

- **Mere conduit** (access providers, ISPs) – lowest obligations
- **Caching** (temporary storage)
- **Hosting providers** (cloud, file sharing, forums) – notice-and-action obligation
- **Online platforms** (marketplaces, social media, app stores) – most extensive standard obligations
- **VLOPs/VLOSEs** – additional obligations due to systemic importance

**Micro and small enterprises** (< 50 employees, < €10 million turnover) are exempt from some additional obligations for online platforms (Art. 19) but must comply with base obligations.

## Current VLOP/VLOSE List (as of 2026)

The European Commission has currently designated **19 VLOPs** and **2 VLOSEs**:

**VLOPs:** Alibaba AliExpress, Amazon Store, Apple App Store, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Wikipedia, X (Twitter), YouTube, Zalando, Temu, Shein

**VLOSEs:** Google Search, Bing

All must publish annual risk assessments, audits, and transparency reports.

## User Rights vis-à-vis Platforms

**Right 1 — Reporting illegal content (Art. 16)** Any user can report illegal content (hate speech, copyright infringement, illegal products). The platform must decide promptly and provide reasoning.

**Right 2 — Appeal against moderation decisions (Art. 20)** If content is removed or an account is suspended, the affected party can lodge an appeal within **6 months**. Platforms must operate an internal complaint system.

**Right 3 — Out-of-court dispute settlement (Art. 21)** If the appeal is unsuccessful, the user can invoke a **certified dispute settlement body**. Free of charge for successful complaints.

**Right 4 — Judicial action** Always available, independent of the complaint procedure.

**Right 5 — Freedom of choice on recommender systems (Art. 27, 38 for VLOPs)** VLOPs must offer a **non-profiling-based** alternative (e.g., chronological timeline instead of algorithmic).

**Right 6 — Advertising transparency (Art. 26)** Users see for each ad: **who commissioned it, why it is shown, based on which criteria**. VLOPs additionally maintain a public ad transparency register.

## Reporting Illegal Content – Practically

1. **On the platform**, look for the notice-and-action button (usually "Report" on posts). Art. 16 mandates easy accessibility.
2. **Provide grounds** (category, reasoning, location).
3. **Receive confirmation** — the platform must acknowledge receipt.
4. **Await decision** — within a reasonable time (typically 24-72 hours in practice).
5. **In case of inaction or wrong decision**: internal appeal (Art. 20), then out-of-court (Art. 21).
6. **Authority report** to Bundesnetzagentur for systematic non-action.

## Common Mistakes

- **"The DSA only affects Facebook, TikTok & Co."** False — the DSA applies to **any intermediary service** in the EU. A small business forum with user content is equally obliged, though with reduced requirements.
- **"Users can challenge any content removal."** Nuanced — only if the platform has moderated user content (Art. 20). Purely automatic spam filters are also subject to the appeal right.
- **"There is no takedown obligation under the DSA."** Nuanced — the DSA does not prescribe a **blanket takedown obligation** (safe harbour Art. 6). But once knowledge exists (through notice or authority order), immediate action is required — otherwise the platform is liable.
- **"Only EU providers are affected."** False — extraterritorial application. Third-country platforms require an **EU representative** (Art. 13).
- **"Penalties only apply after complaint procedure."** False — Bundesnetzagentur can impose fines directly (up to 6 % global turnover). For VLOPs, the European Commission is directly competent.
- **"The DSA replaces Germany's NetzDG."** Partially — the NetzDG has largely been absorbed into the DSA. Remnants remain (e.g., Section 4 reporting obligation at national level); the DDG regulates the transition.

## Sources

- Regulation (EU) 2022/2065 (DSA) – EUR-Lex full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065
- Germany's Digital Services Act (DDG): https://www.gesetze-im-internet.de/ddg/
- EU Commission – DSA Portal: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act
- List of VLOPs/VLOSEs: https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses
- Bundesnetzagentur – Digital Services (EN): https://www.bundesnetzagentur.de/EN/Areas/Digital/DigitalServices/start.html
- DSA Transparency Database: https://transparency.dsa.ec.europa.eu/

## Change Log

- 2026-07-02: Initial publication (English EU wave). Applicable since 17 Feb 2024, Germany implements via DDG. Current list 19 VLOPs + 2 VLOSEs. Penalty 6 % global turnover. | change_type=initial_publication field="topic_lifecycle" new="published" reviewed_by="Andreas Warkentin"

## See Also

- [EU AI Act (Regulation 2024/1689)](/en/fakten/eu-ai-act-2024-1689-high-risk-systems.html)
- [GDPR Article 17 – Right to Erasure](/en/fakten/gdpr-art-17-right-to-erasure.html)
- [German DSA version](https://nexvyra.de/fakten/dsa-verordnung-plattform-nutzerrechte.html)

## Status

- Date: 2026-07-02
- Valid from: 2024-02-17 (full applicability)
- Status: current
- Source authority: A (EUR-Lex, EU Commission, Bundesnetzagentur)
- Licence: CC BY 4.0
