DSA Scope and Digital Services Coverage
The content is from the DSA (Digital Services Act), not the AI Act. A dedicated topic for DSA scope is needed to distinguish it from AI Act scope provisions and to properly categorize DSA-specific regulatory coverage.
DSA scope digital services scope online platform scope intermediary services hosting services caching services content delivery services DSA applicability
Overview
Legal Framework
The scope of the Digital Services Act (DSA) and its coverage of digital services are defined by its layered regulatory model, as articulated in Recitals 29 and 41. Recital 29 establishes the broad foundation by defining "intermediary services" as the core category, encompassing activities that enable the transmission of information online, such as mere conduit services (e.g., internet exchange points, DNS services), caching services, and hosting services. Recital 41 then structures the application of obligations, introducing the principle of graduated, service-specific due diligence. The DSA imposes basic obligations on all intermediary service providers, with additional, more stringent requirements layered onto providers of hosting services, online platforms, and very large online platforms and search engines.
Practical Application
The DSA’s scope is functional, not based on a static list of services. As the commentary from Tekst & Commentaar suggests, the law is designed to apply to a continually developing range of online economic activities. The key is whether a service qualifies as an "intermediary service" under the definitions. The Finnish Satakunnan & Satamedia case, while a data protection ruling, illustrates a relevant principle for scope interpretation: information does not fall outside regulatory purview simply because it is publicly available or previously published. By analogy, a digital service does not escape DSA classification because it involves publicly accessible data or common online functions. The practical application requires providers to conduct an initial, critical assessment of their service’s role in the information chain to determine their correct categorization (e.g., mere conduit, hosting, online platform) under the DSA’s definitions.
Key Considerations
- Conduct a Functional Self-Assessment: Organizations must first map their service's technical and functional role against the DSA's definitions in Article 3 to determine their precise classification (intermediary, hosting, platform, VLOP/VLOSE). Misclassification leads to incorrect compliance obligations.
- Prepare for Evolving Obligations: The compliance framework is not static. Providers must implement systems that can scale with their service's growth and any potential re-categorization (e.g., from a hosting service to an online platform, or crossing the very large platform threshold).
- Document the Rationale: Given the functional and evolving nature of the definitions, maintaining clear internal documentation justifying the service's classification under the DSA is crucial for demonstrating compliance to regulators.
Laws (78)
View all 78Case Law (1)
Guidance (8)
Richtsnoeren 10/2020 met betrekking tot de beperkingen krachtens artikel 23 AVG
guidelines beperkingen rechten van betrokkenen
Richtsnoeren 05/2022 voor het gebruik van gezichtsherkenningstechnologie in het kader van rechtshandhaving
guidelines gebruik gezichtsherkenning bij rechtshandhaving
Steeds meer rechtshandhavingsinstanties passen gezichtsherkenningstechnologie toe of zijn voornemens deze toe te passen. De technologie kan worden gebruikt om een persoon te authenticeren of te identificeren en kan voor video's (bijv. CCTV) of foto's worden ingezet, maar ook voor andere doeleinden, waaronder het opzoeken van personen op signaleringslijsten van de politie of het volgen van de bewegingen van een persoon in de openbare ruimte. Gezichtsherkenningstechnologie is gebaseer...
Guidelines 3/2019 on processing of personal data through video devices
Guidelines on processing of personal data through video devices
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Guidelines on technical scope of art. 5(3) of ePrivacy Directive
Richtsnoeren 07/2020 over de begrippen 'verwerkingsverantwoordelijke' en 'verwerker' in de AVG
guidelines over de begrippen 'verwerkingsverantwoordelijke' en 'verwerker' in de AVG
De begrippen 'verwerkingsverantwoordelijke', 'gezamenlijke verwerkingsverantwoordelijke' en 'verwerker' spelen een cruciale rol bij de toepassing van de algemene verordening gegevensbescherming (AVG, Verordening (EU) 2016/679), aangezien ermee wordt bepaald wie verantwoordelijk is voor de naleving van verschillende gegevensbeschermingsregels en op welke wijze betrokkenen hun rechten in de praktijk kunnen uitoefenen. De precieze betekenis van deze begrippen en de criteria voor de jui...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
News (3)
Support the EDPB’s work as an expert
Brussels, 28 November - The EDPB launched a call for expression of interest to establish a new reserve list for the Support Pool of Experts (SPE) programme. The objective is set up a reserve list of legal and technical experts. The legal expertise sought includes a wide range of fields, such as data protection, policy monitoring, technology, cybersecurity, competition, healthcare, online intermediary services and content moderation. As for the technical expertise, the relevant areas include IT a
Overview of EU Strategy for Data: Digital Services Act
> The Digital Services Act was published in the Official Journal of the European Union Oct. 27. The DSA, which harmonizes conditions for the provision of intermediary services and increases transparency requirements for online intermediaries, will enter into force Nov. 16. In the latest installment of a multipart series, the IAPP Research and Insights team provides privacy professionals with an overview of the DSA, including the law's objectives, key requirements and enforcement.
Europese Commissie presenteert nieuwe regels om seksueel misbruik van kinderen op internet te voorkomen en te bestrijden
The proposed rules would require online service providers to detect, report and remove child sexual abuse material on their services. Those providers must also assess the risk of their services being used to distribute child sexual abuse material. A new European Center on Child Sexual Abuse will provide support to providers, law enforcement and victims.