Policy Briefing — EU Digital Services & Markets Acts Proposed

On 15 Dec 2020 the European Commission published twin legislative proposals: the Digital Services Act (DSA) and Digital Markets Act (DMA). The package updates the EU’s e-commerce rules with due diligence duties for very large online platforms, audited risk management, heightened transparency, and ex ante competition obligations on gatekeeper platforms controlling core services. After two years of trilogue negotiations, the DSA became Regulation (EU) 2022/2065 and the DMA became Regulation (EU) 2022/1925, both now enforceable across the single market.

The briefing below consolidates the legislative objectives, scope, core duties, and enforcement timelines that platform operators, marketplaces, cloud providers, app stores, and advertising intermediaries must navigate. It also notes how supervisory authorities, the European Commission, and national Digital Services Coordinators (DSCs) coordinate oversight, creating a layered compliance landscape that reaches well beyond traditional content moderation to encompass systemic risk, recommender systems, and fair competition in core platform services.

DSA obligations and oversight

The DSA preserves the limited liability and notice-and-action framework of the 2000 E-Commerce Directive but introduces graduated duties proportionate to service type and reach. All intermediary services must maintain single points of contact for authorities and users, publish clear terms of service, and comply with orders to act against illegal content or provide information. Hosting providers must offer user-friendly notice mechanisms and report takedown actions. Online platforms (OPs) and very large online platforms (VLOPs) face the most demanding obligations, including the following:

• Due diligence and transparency. Platforms must disclose average monthly active recipients in the EU, publish annual transparency reports on content moderation and recommender system parameters, and ensure terms of service are concise and intelligible. VLOPs and very large online search engines (VLOSEs) must maintain repositories of advertisements and disclose targeting parameters.
• Risk management and mitigation. VLOPs and VLOSEs must perform annual systemic risk assessments covering illegal content dissemination, fundamental rights impacts, manipulation through deceptive design, gender-based violence, and civic discourse risks. Independent audits must evaluate mitigation measures such as recommender adjustments, improved user controls, and crisis response protocols.
• User redress and trader verification. Platforms must offer internal complaint handling, access to out-of-court dispute settlement, and statements of reasons for moderation decisions. Marketplaces must verify trader identity, display traceability information, and notify consumers when illegal products are detected.
• Data access and researcher vetting. VLOPs must provide vetted researchers with access to platform data necessary to monitor systemic risks, subject to confidentiality and security safeguards. Data access decisions are overseen by the Commission and DSCs, with penalties for non-cooperation.
• Advertising and recommender system controls. Users must be informed when content is sponsored, who paid for it, and why they were targeted. Recommender systems require meaningful user choice, including at least one option not based on profiling for VLOPs and VLOSEs.
• Child protection and dark pattern bans. Platforms cannot present manipulative interfaces that distort user decision-making, and VLOPs/VLOSEs must assess specific risks to minors, including impacts of recommender design and targeted advertising practices.

Supervision is shared: national DSCs handle most services, while the Commission directly designates and monitors VLOPs/VLOSEs, can impose interim measures, and may require audits or technical inspections. Penalties can reach up to 6% of global annual turnover, with periodic penalty payments up to 5% of average daily turnover to compel compliance. The DSA also enables cross-border cooperation through a Board of Digital Services Coordinators, ensuring consistent application across Member States.

DMA gatekeepers and conduct rules

The DMA targets structural competition issues in core platform services (CPS) such as online search engines, social networking services, operating systems, cloud services, advertising services, and virtual assistants. Undertakings meeting size, user base, and entrenched intermediation thresholds are designated as gatekeepers. Key obligations and prohibitions include:

• Self-preferencing bans. Gatekeepers may not rank their own services more favourably than rivals or use non-public data generated by business users to compete against them. App store operators cannot prevent business users from promoting offers through other channels.
• Interoperability and access. Messaging gatekeepers must enable interoperability for basic features upon request from other providers. Operating system and virtual assistant gatekeepers must allow third-party software to function and permit users to change defaults easily.
• Data use limitations. Combining personal data across services requires user consent under the GDPR standard. Advertising services must provide advertisers and publishers with free access to performance and pricing data necessary to independently verify ad metrics.
• Anti-tying and uninstall rights. Gatekeepers cannot force use of their payment, identification, or web browser engines, and must allow users to uninstall preloaded apps without degrading core functionality.
• Fair access for business users. App stores must publish transparent ranking and access conditions, while cloud and marketplace gatekeepers must enable business users to access data generated through their activities.

Gatekeepers must notify the Commission of intended acquisitions in digital or data-intensive sectors, even when not subject to EU Merger Regulation thresholds, enabling scrutiny of so-called killer acquisitions. Non-compliance can trigger fines up to 10% of global turnover (20% for repeat infringements) and behavioural or structural remedies, including divestiture, for systematic violations.

Compliance timelines and milestones

The DSA entered into force on 16 November 2022. Most obligations applied from 17 February 2024, but VLOPs and VLOSEs faced accelerated duties four months after designation. The Commission designated the first wave—covering services such as Facebook, Instagram, TikTok, YouTube, Google Search, Amazon Store, and Booking.com—on 25 April 2023, triggering full compliance by 25 August 2023. Subsequent designations continue as platforms report updated user numbers. Crisis response mechanisms and independent audits for VLOPs/VLOSEs are now underway, with the Commission actively investigating recommender systems, advertising repositories, and data access cooperation.

The DMA entered into force on 1 November 2022 and became applicable on 2 May 2023. Potential gatekeepers had to notify the Commission by 3 July 2023; the Commission designated six gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft) and 22 core platform services on 6 September 2023, setting a compliance deadline of 7 March 2024. The Commission opened non-compliance investigations in March 2024 focusing on self-preferencing, steering restrictions, choice screen design, and messaging interoperability. Additional CPS designations—such as Apple’s iPadOS in April 2024—demonstrate the evolving scope of the regime.

Practical steps for operators

Organisations subject to the DSA or DMA should build integrated compliance programmes that align legal, engineering, and product teams. Priority actions include:

1. Map services against DSA and DMA scope, including monthly active recipient calculations and CPS definitions.
2. Establish governance for systemic risk assessments, audit readiness, and crisis protocols, ensuring data access tooling for vetted researchers and regulators is secure and privacy-preserving.
3. Implement clear user controls for recommender systems, advertising transparency, and choice screens that avoid dark patterns and satisfy interoperability requirements.
4. Document trader verification, traceability, and redress mechanisms for marketplaces, and create repeatable procedures for notices, orders, and cross-border cooperation.
5. Prepare acquisition and CPS notification playbooks under the DMA, including guardrails for data sharing, self-preferencing avoidance, and fair access commitments.

Both regulations reflect a broader shift from reactive content moderation toward proactive systemic governance and contestability. Early engagement with regulators, structured audit evidence, and user-centric design will be decisive for sustained compliance.

Follow-up: The Digital Markets Act and Digital Services Act were adopted in 2022; DMA gatekeeper obligations began in March 2024, and DSA duties extend to all intermediary services from February 2024 onward. Enforcement actions and additional gatekeeper designations are expected through 2024–2025 as the Commission tests the boundaries of systemic risk mitigation and interoperability.

Sources

• Regulation (EU) 2022/2065 on a Single Market for Digital Services (Digital Services Act) — Official Journal of the European Union; sets due diligence duties, risk mitigation, data access for researchers, and oversight mechanisms for online intermediaries and platforms.
• Regulation (EU) 2022/1925 on Contestable and Fair Markets in the Digital Sector (Digital Markets Act) — Official Journal of the European Union; establishes gatekeeper designation criteria, interoperability mandates, data use constraints, and sanctioning powers.

Related briefings

Curated signals from the same pillar or overlapping topics.

Policy · Credibility 40/100 · December 15, 2020

Policy Briefing — European Commission proposes Digital Markets Act

The European Commission unveiled the draft Digital Markets Act on 15 December 2020, introducing ex-ante obligations for large online platforms designated as gatekeepers.

Policy · Credibility 40/100 · December 15, 2020

Policy Briefing — European Commission unveils Digital Services Act proposal

On 15 December 2020 the European Commission proposed the Digital Services Act, introducing due diligence rules for online platforms, risk assessments for very large platforms, and stronger enforcement powers for…

Policy · Credibility 92/100 · December 16, 2020

Policy Briefing — EU NIS2 Directive Proposal

Detailed examination of the European Commission's December 2020 NIS2 proposal, covering scope expansion, governance duties, incident reporting, supervision, and the timeline to full application for critical and important…

Policy · Credibility 92/100 · June 3, 2021

Policy Briefing — EU Proposes European Digital Identity Framework

The European Commission proposed an eIDAS 2.0 regulation to create interoperable digital identity wallets across the EU, expanding trust services obligations for public and private providers.

Policy · Credibility 92/100 · June 4, 2021

Policy Briefing — EU Updates Standard Contractual Clauses

The European Commission adopted new modular Standard Contractual Clauses for GDPR-compliant international data transfers following Schrems II.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Semiconductor Industrial Strategy Policy Guide — Zeph Tech

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

• Digital Markets Compliance Guide — Zeph Tech

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Export Controls and Sanctions Policy Guide — Zeph Tech

  Integrate U.S. Export Control Reform Act, International Emergency Economic Powers Act, and EU Dual-Use Regulation requirements into trade compliance, engineering, and supplier…