Complete 2026 DSA Regulation 2022/2065 guide: VLOPs 45M+ users, trader transparency KYC, illegal content removal, notice-and-action, dark patterns banned, fines 6% global.

🇪🇺 EU Digital Services Act — 2026 Compliance Guide

Digital Services Act (DSA) Impact on EU E-Commerce 2026: Compliance Guide for Online Sellers & Marketplaces

The Digital Services Act — Regulation (EU) 2022/2065 — has been fully applicable across the European Union since 17 February 2024, and 2026 is the year regulators move from warning letters to real fines of up to 6% of global turnover. Every online marketplace, hosting provider and intermediary that targets EU users — whether established in Berlin, Istanbul, Shenzhen or Seattle — now sits inside the same horizontal rulebook: trader transparency (KYBC), notice and action, dark-pattern bans, ad-targeting limits and, for the 19+ designated Very Large Online Platforms (VLOPs) with 45M+ monthly EU users, annual systemic-risk assessments audited by independent third parties. This guide walks through the ten obligations that matter most for online sellers and marketplace operators in 2026.

✓ 10 DSA obligation deep-dives ✓ Regulation 2022/2065 references ✓ VLOP + SME tracks separated ✓ Updated June 2026

  • 17 Feb 2024: DSA fully applicable EU-wide
  • 45M+: Monthly EU users = VLOP
  • 19+: Designated VLOPs / VLOSEs
  • 6%: Max fine of global turnover

DSA in 2026 — Quick Read for E-Commerce Operators

The Digital Services Act (Regulation 2022/2065) is the EU's horizontal rulebook for every online intermediary that targets European users — from a niche WooCommerce hosting partner to Amazon Marketplace. It entered into force 16 November 2022, applied to designated VLOPs from 25 August 2023, and became fully applicable to all intermediaries on 17 February 2024. For online marketplaces the operational headline is Article 30 'Know Your Business Customer' trader verification, Article 16 notice-and-action, Article 25 dark-pattern prohibition and Article 26 ad transparency. For VLOPs add Article 34 systemic-risk assessment, Article 37 independent audit, Article 39 ad repository and Article 40 researcher data access. Fines reach 6% of global annual turnover; enforcement is shared between national Digital Services Coordinators and the European Commission, with the European Board for Digital Services coordinating cross-border cases.

The DSA at a Glance — Ten Obligations Online Sellers Must Map

The DSA is a single regulation, but its obligations stack in layers depending on the role you play. The cards below summarise the ten areas covered in this guide — keep this map nearby as you read each deep-dive.

Regulation 2022/2065 — DSA Overview

EU horizontal regime for intermediaries · effective 17 Feb 2024 for all · OJEU L 277/1, 27.10.2022

All EU-targeted services · 27 Member States

VLOPs & VLOSEs — Article 33

Platforms above 45M EU MAU · designated by the Commission · 4-month onboarding window

19+ designated · From 25 Aug 2023

KYBC Trader Transparency — Article 30

Marketplaces verify legal name, VAT, register number, address · publish before listing

All marketplaces · SME exemption: Art. 19

Illegal Content & Notice-and-Action — Articles 16–17

Easy electronic notice mechanism · statement of reasons · timely diligent action

All hosting services · Trusted Flaggers priority

Dark Patterns & Ad Transparency — Articles 25–28

Manipulative interfaces banned · ad labelling · no profiling-based targeting of minors

All online platforms · UCPD overlap

Risk, Audit, Fines — Articles 34, 37, 74

Annual systemic-risk assessment · independent audit · fines up to 6% global turnover

VLOPs primary · DSC enforcement EU-wide

1. DSA Regulation 2022/2065 — Effective 17 February 2024 for All Sellers

What the DSA Is — And Why It Replaced the e-Commerce Directive

The Digital Services Act — formally Regulation (EU) 2022/2065 of 19 October 2022, published in OJEU L 277/1 on 27 October 2022 — entered into force on 16 November 2022, applied to designated VLOPs/VLOSEs from 25 August 2023, and became fully applicable to all intermediary services on 17 February 2024. As a regulation (not a directive), it applies directly in every Member State without transposition. The liability-shield logic of e-Commerce Directive 2000/31/EC survives in Articles 4–6, but the DSA adds a layered set of due-diligence obligations calibrated by service type and size.

Who Is Inside the Scope?

Any intermediary service offered to recipients in the Union falls inside scope, regardless of where the provider is established (Article 2(1)). The DSA defines four overlapping categories: intermediary services (mere conduit, caching, hosting), hosting services (storage at user request), online platforms (hosting + public dissemination — every marketplace, social network, app store), and VLOPs/VLOSEs designated by the Commission above the 45M monthly EU user threshold (Article 33).

The Layered Obligation Model

Each layer adds duties on top of the previous one. A small WordPress plugin marketplace serving 10,000 EU users qualifies for the Article 19 SME exemption; Amazon Marketplace, a designated VLOP, sits at the top with the full obligation stack. Non-EU intermediaries must additionally designate a legal representative in one Member State under Article 13 DSA — jointly liable with the provider for DSA decisions, fines and information requests.

Official text: Regulation (EU) 2022/2065 — read the consolidated text on EUR-Lex (ELI link). The Commission's DSA Q&A and enforcement decisions are published on digital-strategy.ec.europa.eu.

2. Very Large Online Platforms (VLOPs) — The 45M+ Users Threshold

What Makes a Platform "Very Large"?

Article 33 DSA defines a VLOP as an online platform with at least 45 million average monthly active recipients in the Union, calculated as a six-month average. The same threshold applies to VLOSEs. The "active recipient" concept covers any individual who engaged with the service at least once — including unregistered visitors. Article 24(2) requires every online platform to publish active-recipient figures every six months, giving the Commission the data needed for designation.

The First Designation Waves

The Commission published the first VLOP/VLOSE list on 25 April 2023, designating 17 VLOPs and 2 VLOSEs. E-commerce-relevant designations include Amazon Store, AliExpress, Booking.com, Zalando, Google Shopping, Apple App Store and Google Play; the 2024 wave added Shein and Temu, both under formal DSA investigation in 2025–2026. The total list passed 25+ services by mid-2026. Each new designation gives the platform a four-month onboarding window to comply with the full VLOP obligation set.

Heightened Obligations for VLOPs

VLOPs face a heightened obligation stack on top of the general online-platform duties:

  • Article 34 — annual systemic-risk assessment (illegal content, fundamental rights, civic discourse, public health and minors)
  • Article 35 — proportionate, effective and reasonable mitigation measures
  • Article 36 — crisis-response mechanism (Russian invasion of Ukraine triggered the first crisis protocol)
  • Article 37 — independent annual audit by an external organisation
  • Article 38 — option for users to switch off recommender-system profiling
  • Article 39 — public, machine-readable ad repository for at least 12 months
  • Article 40 — data access for vetted researchers and Digital Services Coordinators
  • Article 41 — independent compliance function reporting to the management body
  • Article 42 — extended transparency reporting every six months
  • Article 43 — supervisory fee paid to the Commission (capped at 0.05% of net annual income)

Cliff-edge for fast-growing marketplaces: if you cross 45M EU monthly active users, the Commission can designate you within months. Building the VLOP control set before designation — transparency report, ad repository, recommender opt-out — is far cheaper than retrofitting under a four-month deadline.

3. Trader Transparency — KYBC for Online Marketplaces

Article 30 — The Heart of Marketplace DSA Compliance

Article 30 DSA introduces what practitioners call KYBC — Know Your Business Customer. Every online platform that allows consumers to conclude distance contracts with traders must obtain, verify and publish core trader information before allowing the trader to offer products. The marketplace, not the trader, carries the obligation. The closed dataset includes the trader's name, address, telephone, email; a copy of the identification document or eIDAS Regulation 910/2014 electronic ID; payment-account details; trade-register entry (HRB in DE, CCI in FR, KRS in PL); and a self-certification of product-safety / consumer-protection compliance.

"Best Efforts" Verification

Article 30(2) requires "best efforts" verification against any freely accessible official online database. The two the Commission expects every European marketplace to hit are VIES — VAT Information Exchange System (real-time EU VAT validation) and national trade registers (Handelsregister DE, Registre du Commerce FR, KRS PL, Registro Mercantil ES, Registro Imprese IT) reachable directly or via the EU's Business Registers Interconnection System (BRIS). If data cannot be verified, the marketplace must request correction; if the trader fails, the marketplace must suspend services (Article 30(3)). Verified data must be published in a "trader profile" page reachable from every product listing (Article 30(7)).

Random Sampling for Counterfeit Detection — Article 31

Article 31 DSA adds that marketplaces must, at random intervals, check whether listings have been flagged in official machine-readable databases — most importantly the Commission's Safety Gate rapid-alert system for dangerous non-food products and national IPR enforcement databases. Matches must be removed and the trader notified.

VIES and Safety Gate are the two free databases every Article 30/31 workflow must hit: Zunapro auto-queries VIES at trader onboarding and on a 30-day refresh cycle, and runs a daily Safety Gate sweep against catalog SKUs to support Article 31 random-sampling evidence.

4. Illegal Content Removal Procedures

The Liability Shield Survives — With Conditions

Articles 4–6 DSA reproduce the e-Commerce Directive liability shield: hosting providers are not liable for stored content provided they have no actual knowledge of illegal activity and, upon notice, act expeditiously to remove or disable access. The DSA layers a procedural rulebook on top of that shield.

"Manifestly Illegal" vs Complex Cases

Recital 53 distinguishes manifestly illegal content (terrorist content under Regulation 2021/784, CSAM, obvious counterfeits, court-adjudicated illegality) from complex or contested cases (alleged copyright, defamation, contextual hate speech), which require diligent human review. For manifestly illegal content the expectation is removal within hours; the TCO Regulation mandates 1 hour from an authority order.

Orders from Authorities — Articles 9 and 10

National authorities can issue two order types: Article 9 orders to act against illegal content (must specify legal basis, exact URL, reasoned territorial scope, redress info) and Article 10 orders to provide information about specific recipients. The intermediary must respond without undue delay and inform the issuing authority of the action taken. Cross-border orders are served via the DSC network.

Trusted Flaggers — Article 22

National DSCs award Trusted Flagger status to organisations with proven expertise (INHOPE for CSAM, REACT for IP infringement, national consumer-protection bodies for unsafe products). Their notices must be processed with priority and without undue delay (Article 22(1)). Marketplaces that consistently fail Trusted-Flagger notices face escalated DSC scrutiny.

5. Notice and Action Mechanisms

Article 16 — The Operational Workhorse

Article 16 DSA requires every hosting provider to operate easy-to-access, user-friendly electronic mechanisms letting anyone flag specific items of allegedly illegal content. A compliant notice must contain a substantiated explanation of why the content is illegal, the exact URL(s), the notifier's name and email (limited CSAM exceptions), and a good-faith accuracy declaration. The provider must confirm receipt without undue delay, take a timely, diligent, non-arbitrary and objective decision, and disclose where the decision was automated (Article 16(6)).

Statement of Reasons — Article 17

When a provider restricts visibility, demonetises, suspends or terminates a user item or account, Article 17 requires a clear, specific statement of reasons covering: the nature of the restriction; the facts and circumstances relied on; the legal ground or ToS clause invoked; and the redress possibilities (Article 20 internal complaint, Article 21 out-of-court settlement, judicial review). Every statement must also be submitted to the DSA Transparency Database operated by the Commission — a publicly searchable repository that has logged over 30 billion statements of reasons by mid-2026.

Internal Complaint and Out-of-Court Settlement

Article 20 requires online platforms to maintain a free, easy-to-access internal complaint-handling system for at least six months after the decision, decided under human supervision. Article 21 then opens the door to certified out-of-court dispute settlement bodies; the platform must engage in good faith.

6. Dark Patterns Banned — Article 25

What Article 25 Prohibits

Article 25 DSA: "Providers of online platforms shall not design, organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions." It is the EU's first horizontal codified ban on dark patterns. Concrete examples from Recital 67: large "Accept all" buttons paired with tiny "Reject" links, repeated nag-prompts on unsubscribe, asymmetric cancel-vs-signup flows, pre-ticked defaults, fake countdown timers and confirmshaming.

Overlap With UCPD and GDPR

Article 25(2) is without prejudice to the Unfair Commercial Practices Directive 2005/29/EC (UCPD) and GDPR. The same dark pattern can trigger three parallel actions: DSC under the DSA, national consumer-protection authority under UCPD, and DPA under GDPR Article 7 for consent-related patterns. EDPB Guidelines 03/2022 on deceptive design remain the reference text for the data-protection overlap.

What Marketplaces Should Audit First

  • Cookie banner — symmetrical opt-in/opt-out, no pre-ticks
  • Cancellation flow — same clicks as signup
  • Marketplace upsells — no fake timers, no unverifiable "X people viewing" claims
  • Returns and refund — same prominence as order-confirmation
  • Account closure — reachable in settings without phone or chatbot mazes

7. Online Advertising Transparency — Articles 26 and 39

Article 26 — The Universal Ad-Labelling Duty

Article 26 DSA requires every online platform to ensure that for each ad, the recipient can identify in a clear, concise and unambiguous manner: (a) that the information is an advertisement (prominent label, optionally standardised by Commission act); (b) the natural or legal person on whose behalf the ad is shown; (c) the person who paid for the ad if different; (d) meaningful information about the main parameters used to target the recipient and how those can be changed. Recital 68 makes clear labels must survive every viewport — no hidden "sponsored" tags revealed only after a click.

Article 28 — Protection of Minors

Article 28(2) DSA bars providers from presenting advertisements based on profiling (GDPR Article 4(4)) when they are aware with reasonable certainty that the recipient is a minor. Marketplaces with age-gated accounts (toys, school supplies, gaming) need a clear technical rule that disables profiling for under-18 accounts.

Article 26(3) — No Profiling on Special-Category Data

Article 26(3) bans profiling-based ads using special-category data under GDPR Article 9(1) (race, political opinions, religion, health, sex life, sexual orientation, biometric, trade-union). The ban applies to all online platforms, not just VLOPs.

Article 39 — VLOP Ad Repository

Article 39 DSA requires every VLOP to maintain a public, searchable, machine-readable ad repository covering the entire display period and up to one year after the ad was last shown — ad content, advertiser identity, display period, total reach by Member State and targeting parameters, with API access for researchers. The Commission's X (Twitter) preliminary finding of July 2024 explicitly cited Article 39 ad-repository deficiencies. For marketplaces with native sponsored-listing products, the Article 39 repository is the most visible piece of VLOP plumbing.

8. Risk Assessment Requirements for VLOPs

Article 34 — The Four Risk Categories

Article 34 DSA obliges every VLOP/VLOSE to diligently identify, analyse and assess systemic risks from the design and functioning of their service, at least annually and before deploying features likely to have critical impact. Four categories are mandatory: (a) dissemination of illegal content; (b) fundamental-rights effects (dignity, privacy, data protection, freedom of expression, non-discrimination, child rights, consumer protection); (c) effects on civic discourse, electoral processes and public security; (d) effects on gender-based violence, public health, minors and physical/mental well-being.

Mitigation Measures — Article 35

Article 35 requires reasonable, proportionate and effective mitigation measures tailored to identified risks — adapting recommenders, demonetising content categories, tightening ad-targeting, reinforcing moderation, deepening Trusted-Flagger cooperation. The mitigation plan must be documented, reviewed annually and shared with the Commission and the DSC of establishment.

Independent Audit — Article 37

Article 37 requires every VLOP/VLOSE to undergo, at their own expense at least annually, independent audits of Chapter III compliance and code-of-conduct commitments (Articles 45–47). The auditor must be conflict-free (no advisory work on the same scope in the prior 12 months) and produce an audit opinion — positive, positive with comments, or negative. Anything other than a clean positive triggers an audit implementation report setting out corrective measures.

Crisis Response — Article 36

The Commission may, on the Board's recommendation, require VLOPs to apply specific crisis-response measures during an extraordinary circumstance threatening EU public security or public health. The first crisis protocol was activated after the Russian invasion of Ukraine in 2022; the Israel–Hamas conflict in October 2023 triggered Commission letters to several VLOPs invoking Articles 34–36.

9. Fines Up to 6% of Global Turnover

The Penalty Framework — Article 74

Article 74 DSA empowers Member States — and the Commission for VLOPs — to impose three types of sanctions: fines up to 6% of annual worldwide turnover for substantive breaches; fines up to 1% for incorrect or misleading information, failure to reply, or refusing inspection; and periodic penalty payments up to 5% of average daily worldwide turnover per day until the infringement ends. For a hyperscaler at $200B+ global turnover, a 5%-daily penalty runs in the tens of millions of euros per day — designed to force fast remediation.

Commission Enforcement Track Record 2024–2026

  • X (formerly Twitter) — proceedings opened Dec 2023; preliminary findings July 2024 on blue-checkmark deception (Art. 25), ad-repository (Art. 39), researcher access (Art. 40)
  • TikTok — proceedings opened Feb 2024 on minors protection (Art. 28), ad-repository, researcher access, risk assessment
  • Meta (Facebook, Instagram) — proceedings opened April 2024 on deceptive advertising, political-ad transparency, complaint-mechanism gaps
  • AliExpress — proceedings opened March 2024 on illegal-product risk (Art. 34), ad transparency, researcher access, product traceability
  • Temu, Shein — proceedings opened 2024–2025 on illegal products, addictive design, consumer-protection risk

National DSC Enforcement

National DSCs handle day-to-day enforcement against non-VLOPs: ARCOM (France) on Article 16 notice failings, BNetzA (Germany) on Article 30 KYBC gaps, AGCOM (Italy) on Article 17 statement quality, Coimisiún na Meán (Ireland) coordinating VLOP-adjacent cases for US-headquartered Dublin-established providers.

10. E-Commerce DSA Practical Checklist 2026

The Universal Baseline (Every Intermediary, Articles 11–17)

  • Art. 11 authority contact + Art. 12 recipient contact — separate published channels
  • Art. 13 EU legal representative — non-EU providers only; named on website
  • Art. 14 ToS transparency — plain language; child-friendly summary if minors can access
  • Art. 15 transparency report — annual machine-readable; orders, notices, own-initiative moderation, complaints
  • Art. 16 notice-and-action — easy electronic form; acknowledgement; automated-decision disclosure
  • Art. 17 statement of reasons — covers visibility, monetisation, account/content restrictions; Transparency DB submission

Online Platform Layer (Add Articles 19–28 unless SME-exempt)

  • Art. 19 SME self-classification; Art. 20 internal complaint-handling (6 months, free, human-supervised)
  • Art. 21 out-of-court dispute settlement; Art. 22 Trusted Flaggers priority queue
  • Art. 23 measures against misuse — published suspension policy for repeat infringers and abusive notifiers
  • Art. 24 six-monthly transparency reports with active-recipient metric
  • Art. 25 dark-pattern audit; Art. 26 ad labelling and parameters; Art. 28 minors protection (no profiling-based ads)

Marketplace-Specific Layer (Articles 30–32)

  • Art. 30 KYBC — collect, verify (VIES + register), publish, suspend non-compliant traders
  • Art. 31 — random Safety Gate + IPR sampling; Art. 32 — direct buyer notification when an unsafe product reached customers in the last 6 months

VLOP Layer (Articles 33–43, only above 45M EU MAU)

  • Art. 34 risk assessment + Art. 35 mitigation + Art. 37 independent annual audit
  • Art. 38 recommender opt-out; Art. 39 ad repository (12-month retention); Art. 40 researcher data access
  • Art. 41 independent compliance function; Art. 42 enhanced 6-monthly reports; Art. 43 supervisory fee (≤ 0.05% net income)

DSA, DMA and the Brussels Effect

The DSA does not stand alone. The Digital Markets Act — Regulation (EU) 2022/1925 — published in OJEU L 265/1 on 12 October 2022 — entered into application on 2 May 2023 and complements the DSA by targeting gatekeepers with ex ante obligations on core platform services. As of 2026 the designated gatekeepers are Alphabet, Amazon, Apple, Booking, ByteDance, Meta and Microsoft; each was designated with specific core platform services in scope (e.g. Amazon Marketplace, Apple App Store, Google Search). The two regulations together form the EU's "digital constitution" for online services.

Adjacent Regulations Marketplaces Must Cross-Reference

  • GDPR — Regulation (EU) 2016/679 — supervised by national DPAs and coordinated by the EDPB; overlaps with Articles 26–28 DSA on profiling and consent
  • e-Privacy Directive 2002/58/EC — cookies and electronic communications; still applies pending the e-Privacy Regulation
  • UCPD — Directive 2005/29/EC — unfair commercial practices; primary tool for misleading commercial communications, overlaps with Article 25 dark patterns
  • Consumer Rights Directive 2011/83/EU — 14-day withdrawal right, pre-contractual information, withdrawal-form template
  • Omnibus Directive 2019/2161 — modernised consumer protection, transparency of marketplaces, paid-ranking disclosure (relevant to Article 27 DSA recommender transparency)
  • Product Safety Regulation 2023/988 — applies from 13 December 2024; online marketplaces have specific traceability and notification duties
  • TCO Regulation 2021/784 — terrorist content online; 1-hour removal upon authority order
  • eIDAS Regulation 910/2014 (revised by 2024/1183) — electronic identification; the source of the identification document reference in Article 30 DSA

Member State Authorities

Each Member State has designated a Digital Services Coordinator. Examples encountered by online marketplaces in 2026 include:

Country | DSC Authority | Reach in 2026 Enforcement
Germany | Bundesnetzagentur (BNetzA) | KYBC, e-commerce marketplaces
France | ARCOM | Notice-and-action, minors protection
Italy | AGCOM | Statement of reasons, ad transparency
Spain | CNMC | Marketplace KYBC, recommender transparency
Ireland | Coimisiún na Meán | VLOP-adjacent coordination (many US providers)
Netherlands | ACM | Cross-border marketplace cases
Poland | UKE (Office of Electronic Communications) | National DSC; Allegro adjacent

Compliance is not optional in 2026. The Commission has moved from preparatory dialogue (2023) to formal proceedings (2024) to preliminary findings (2024–2025) and now to first fines (2026). Zunapro bundles a DSA compliance pack — KYBC engine, Article 16 notice handler, Article 17 statement-of-reasons templates and Transparency Database exporter — alongside marketplace integrations.

How to Become DSA-Compliant — 2026 Step-by-Step

1. Classify Your Service

  • Intermediary / hosting / online platform / VLOP — work through Article 3 definitions
  • Art. 19 SME exemption — < 50 staff and < €10M turnover, and not VLOP-designated
  • Near 45M EU MAU? — pre-VLOP readiness becomes urgent

2. Appoint Mandatory Contacts

  • Art. 11 authority contact + Art. 12 recipient contact — separate published channels
  • Art. 13 EU legal representative — non-EU providers only; binding contract; named on website

3. Publish the Transparency Layer

  • Art. 14 ToS disclosures (moderation rules, redress, algorithmic-decision use)
  • Art. 15 annual transparency report; Art. 24(2) active-recipients figure refreshed every six months

4. Wire Up Notice-and-Action and Statement-of-Reasons

  • Deploy an Art. 16 web form with the four-field schema; triage (manifestly illegal vs complex; Trusted Flagger priority)
  • Generate Art. 17 statements for every restrictive decision; submit to the Commission Transparency Database via public API

5. Build the KYBC Workflow (Marketplaces)

  • Collect the closed Art. 30(1) dataset at trader onboarding; validate VAT via VIES and register via BRIS
  • 30-day re-verification cycle; publish a trader-profile page from every listing; activate Art. 31 Safety Gate + IPR sampling

6. Connect via Zunapro (10-Minute Integration)

  1. Sign in to Zunapro and open the Europe / DSA module
  2. Pick your role profile — SME, online platform, marketplace, pre-VLOP
  3. Connect identity sources — VIES, BRIS, eIDAS, Safety Gate
  4. Enable notice ingest and ad metadata — single toggles per channel
  5. Go live — first transparency-report run renders within one cycle

Digital Services Act FAQ 2026

When does the Digital Services Act apply to online sellers?

Regulation (EU) 2022/2065 — the Digital Services Act — entered into force on 16 November 2022 and became fully applicable to all intermediary services in the EU on 17 February 2024. Designated Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) have been subject to the heightened obligations since 25 August 2023.

Every online marketplace, hosting service or intermediary that targets EU users — regardless of where the provider is established — is in scope from 17 February 2024. Non-EU providers must appoint an Article 13 legal representative in one Member State.

What is a Very Large Online Platform (VLOP) under the DSA?

A Very Large Online Platform (VLOP) is an online platform with more than 45 million average monthly active recipients in the EU, formally designated as such by the European Commission under Article 33 DSA. The first wave (April 2023) designated 17 VLOPs and 2 VLOSEs including Amazon Store, AliExpress, Booking.com, Zalando, Google Shopping, Apple App Store and Google Play.

VLOPs face stricter obligations: annual systemic-risk assessments (Article 34), independent audits (Article 37), crisis response (Article 36), data access for researchers (Article 40), public ad repository (Article 39) and a 0.05% supervisory fee paid to the European Commission.

What does trader transparency (KYC) mean for online marketplaces?

Article 30 DSA — known as the 'Know Your Business Customer' (KYBC) obligation — requires every online marketplace that allows consumers to conclude distance contracts with traders to verify and publish core trader information before allowing the trader to use the platform.

Required data includes legal name, trade-register number, VAT identifier, address, telephone, email, payment account details and a self-certification of compliance with EU product-safety law. Marketplaces must make 'best efforts' to verify this data via reliable sources (VIES, national trade registers via BRIS) and suspend traders who fail to comply.

How fast must illegal content be removed under the DSA?

The DSA does not impose a single statutory removal deadline, but Article 16 requires hosting providers to act 'in a timely, diligent, non-arbitrary and objective manner' upon receipt of a sufficiently substantiated notice. The TCO Regulation 2021/784 separately requires action within 1 hour for terrorist content upon an authority order.

In practice, manifestly illegal content (CSAM, terrorist content, clearly counterfeit goods) is expected to be removed within hours; complex cases (alleged copyright, defamation) require human review within days. Trusted Flaggers (Article 22) have priority — their notices must be processed without undue delay and ahead of regular notices.

What is a notice and action mechanism?

Article 16 DSA requires every hosting provider — including online marketplaces — to operate an easy-to-access, user-friendly electronic notice and action mechanism allowing any individual or entity to flag specific items of allegedly illegal content. The notice must contain an explanation of why the content is illegal, the precise URL/location, the notifier's contact details and a good-faith declaration of accuracy.

Providers must confirm receipt without undue delay, take a decision in a timely manner, communicate the decision with reasoning under Article 17 (statement of reasons), and inform the user about redress options including internal complaint handling (Article 20) and out-of-court dispute settlement (Article 21).

What dark patterns are banned by the DSA?

Article 25 DSA prohibits online platforms from designing, organising or operating their interfaces in a way that deceives or manipulates recipients or otherwise materially distorts or impairs their ability to make free and informed decisions.

Examples called out by the Commission and the EDPB Guidelines 03/2022 include: visually prominent buttons for one option versus tiny links for the opposite, repeated nagging prompts to reconsider an unsubscribe, default opt-ins to data sharing, fake countdown timers, and confusing cancellation flows. The DSA complements existing Unfair Commercial Practices Directive (UCPD) rules and applies even when the dark pattern does not breach GDPR.

What advertising transparency does the DSA require?

Article 26 DSA requires every online platform to label each ad clearly, identify the natural or legal person on whose behalf the ad is shown, identify the natural or legal person who paid for the ad (if different), and disclose the meaningful parameters used to target the specific recipient — including whether profiling under GDPR Article 4(4) was used.

Article 28 prohibits ads targeted to minors using profiling. Article 39 imposes an additional obligation on VLOPs: a public, machine-readable ad repository kept for at least one year after the ad was last displayed, with API access for researchers.

What is a systemic risk assessment under the DSA?

Article 34 DSA obliges every VLOP and VLOSE to assess, at least annually and before deploying significant new features, the systemic risks stemming from the design, operation and use of their service.

Four risk categories are mandatory: (1) dissemination of illegal content; (2) effects on fundamental rights (privacy, freedom of expression, non-discrimination, child rights); (3) effects on civic discourse, electoral processes and public security; (4) effects on gender-based violence, public health, minors and physical/mental well-being. Article 35 requires reasonable, proportionate and effective mitigation measures. Independent auditors under Article 37 verify both the assessment and the mitigation.

How much are DSA fines?

Article 74 DSA empowers the Digital Services Coordinator (or the European Commission for VLOPs) to impose fines of up to 6% of the provider's annual worldwide turnover for breaches of substantive obligations. Periodic penalty payments of up to 5% of average daily worldwide turnover can be imposed for ongoing non-compliance. Failure to supply correct information triggers fines up to 1% of worldwide turnover.

The Commission has already opened formal proceedings against several VLOPs including X, TikTok, Meta, AliExpress, Temu and Shein; X received a preliminary finding in July 2024 for blue-checkmark deception, ad-repository deficiencies and researcher data-access blocks.

Does the DSA apply to small marketplaces and micro-businesses?

Yes — the DSA applies to all intermediaries offering services in the EU, but the obligations are calibrated by size. Article 19 exempts micro and small enterprises (under 50 staff and €10M turnover) from the most burdensome 'online platform' obligations such as internal complaint handling (Article 20), out-of-court dispute settlement (Article 21), Trusted Flaggers (Article 22), measures against misuse (Article 23) and the trader-traceability layer of Article 30.

Baseline duties — points of contact (Articles 11–12), legal representatives for non-EU providers (Article 13), terms-of-service transparency (Article 14), notice and action (Article 16) and statements of reasons (Article 17) — still apply to everyone.

How does the DSA interact with the Digital Markets Act (DMA)?

The Digital Services Act (Regulation 2022/2065) and the Digital Markets Act (Regulation 2022/1925) form a complementary regulatory package. The DSA governs how all intermediaries handle content, transparency and user rights regardless of market power. The DMA imposes ex ante competition rules on a narrower set of 'gatekeepers' — currently Alphabet, Amazon, Apple, Booking, ByteDance, Meta and Microsoft — controlling 'core platform services' such as marketplaces, app stores, browsers, search engines and ad services.

An e-commerce marketplace can be both a DSA VLOP and a DMA gatekeeper (Amazon Marketplace is both); compliance teams typically run a single integrated programme covering both regulations and their overlap with GDPR.

Who enforces the DSA in each Member State?

Each EU Member State must designate one or more Digital Services Coordinators (DSCs) — independent regulators responsible for DSA supervision on their territory. Examples include ARCOM (France), Bundesnetzagentur (Germany), AGCOM (Italy), CNMC (Spain), Coimisiún na Meán (Ireland) and UKE (Poland).

The European Commission supervises VLOPs and VLOSEs directly. The European Board for Digital Services — composed of all DSCs and chaired by the Commission — coordinates cross-border enforcement and resolves jurisdictional disputes. For data-protection overlap, the European Data Protection Board (EDPB) and national DPAs cooperate via Article 60 GDPR procedures.

Do I need a legal representative in the EU?

If your service is established outside the EU but offered to EU recipients, yes — Article 13 DSA requires you to designate a legal representative established in one of the Member States where you offer services. The representative receives DSA decisions, fines and information requests on behalf of the provider and is jointly liable for non-compliance.

The DSA representative is conceptually similar to the GDPR Article 27 representative but the two roles are not interchangeable. Most non-EU sellers appoint two separate representatives or a single specialised provider offering both services under one contract.

How long does DSA integration take with Zunapro?

Roughly 10 minutes for a baseline SME / online-platform setup — including Article 11/12 contact pages, Article 14 ToS audit, Article 16 notice form and Article 17 statement-of-reasons templates. The full marketplace stack with Article 30 KYBC, VIES + BRIS verification and Article 31 Safety Gate sampling typically completes within one business day.

For platforms approaching the 45M EU MAU threshold, Zunapro pre-stages the VLOP modules — ad repository, recommender opt-out, researcher API, audit-ready risk-assessment templates — so a Commission designation can be onboarded inside the 4-month statutory window without emergency engineering.

Make your marketplace DSA-compliant in one panel

Regulation 2022/2065 mapped end-to-end — KYBC verification, notice-and-action, statement-of-reasons, ad transparency, risk-assessment templates and Transparency Database submission. EU blue and gold standard. Activate today.
