The Digital Services Act (DSA) is the single piece of EU policy regulation that has reshaped how online marketplaces operate in Europe more than any tariff or tax change of the past decade. It is fully in force across all 27 member states, it applies to any platform serving EU consumers regardless of where the company is headquartered, and it carries fines of up to 6% of global annual turnover. If your marketplace lists third-party sellers and ships to a single buyer in Dublin, Lisbon, or Warsaw, you are inside its scope. This guide lays out the duties that actually bite, the documentation you need on file, and the deadlines that trigger enforcement, with the concrete numbers compliance teams can build a plan against today.
In short
- The DSA applies extraterritorially: any marketplace with EU users must comply, even with no European office or entity.
- Trader traceability (“know your business customer”) is mandatory: you must collect and verify seller identity, address, payment account, and registration before listing their goods.
- A working notice-and-action system plus a statement of reasons for every content or account restriction is non-negotiable, with an internal complaint-handling channel on top.
- Annual transparency reports on moderation actions, notices received, and response times are required of nearly every platform above the micro-enterprise threshold.
- Platforms designated as a Very Large Online Platform (VLOP), meaning 45 million-plus monthly EU users, face systemic-risk audits, recommender-system transparency, and a separate supervisory fee.
- Maximum fines reach 6% of worldwide annual turnover, and repeated non-compliance can lead to a temporary EU access ban.
Who does the DSA actually apply to?
The DSA applies to every intermediary service offered to users in the EU, and it sorts them into four stacked tiers, with each higher tier inheriting the duties of the ones below it. An online marketplace sits in the “online platform” tier, which means it carries the baseline conduit and hosting duties plus a layer of marketplace-specific obligations on top.
The four tiers are: intermediary services (the broadest set), hosting services, online platforms (which store and publicly disseminate user content, including listings), and Very Large Online Platforms or Search Engines. A marketplace that connects third-party sellers with consumers is squarely an online platform, and if it crosses the 45 million EU-user line it also becomes a VLOP. Understanding which tier you sit in is the first compliance decision, because it determines roughly two-thirds of what you owe.
Scope is deliberately broad and territorial rather than nationality-based. If consumers in the EU can use your service, you are covered, full stop. This is the same extraterritorial logic European regulators have leaned into across the board, and it tracks the broader pattern of how regulation now travels across markets, a theme our team unpacks in the explainer on how retail news shapes the global e-commerce industry today. A US-headquartered marketplace with no European subsidiary still has to appoint an EU legal representative and comply in full.
The exemption most teams misread
There is one genuine relief valve: micro and small enterprises (fewer than 50 staff and under 10 million euro annual turnover) are exempt from several of the heavier online-platform duties, including transparency reporting and the internal complaint-handling system. They are not exempt from the core hosting duties or, critically, from trader traceability if they run a marketplace. Teams frequently assume “small business” means “out of scope” and skip the seller-verification build, which is the most common early mistake we see.
| DSA tier | Who it covers | Core added duty | Applies to a marketplace? |
|---|---|---|---|
| Intermediary services | All conduits and hosts | Terms transparency, EU point of contact | Yes (baseline) |
| Hosting services | Services storing user data | Notice-and-action, statement of reasons | Yes |
| Online platforms | Public dissemination of content | Complaint handling, trader traceability, reporting | Yes (main tier) |
| VLOPs and VLOSEs | 45M+ monthly EU users | Risk assessments, audits, recommender transparency | Only if designated |
What is trader traceability and how do you implement it?
Trader traceability, the DSA’s version of “know your business customer,” requires a marketplace to obtain, verify, and keep specific information about every third-party trader before allowing them to offer products or services to EU consumers. The goal is to make sellers of unsafe or illegal goods reachable and accountable, ending the era of anonymous listings.
Under Article 30, before onboarding a trader you must collect their name, address, telephone number, and email; a copy of an identification document or equivalent electronic identification; the trader’s payment account details; where applicable, the trade register entry and a self-certification that they will only offer compliant products. You then have to make best efforts to verify that data through freely available official databases or by requesting supporting documents, and you must suspend a trader who fails to correct unreliable information after a request.
This is operationally heavier than it reads, because verification is ongoing rather than a one-time gate. The same diligence retailers apply when vetting overseas suppliers carries over here, and the verification mindset our coverage describes maps closely to the systems marketplaces now need internally. Concretely, the implementation breaks into a sequence most platforms run as a single onboarding pipeline.
- Collect the full Article 30 data set at registration, blocking listing publication until every required field is present.
- Verify against official sources such as VAT-number validation (VIES), national trade registers, and identity-document checks.
- Store the records securely for the duration of the contract plus a reasonable period, with access controls and an audit trail.
- Re-check periodically and on any signal of unreliability, suspending traders who do not correct flagged data.
- Design listings to show trader identity so consumers can see who they are buying from, as Article 31 requires.
- Log takedown and suspension actions in a format you can pull into the annual transparency report.
The traceability data also feeds a related Article 31 duty: compliance by design. Your interface must let traders provide the product-safety and labeling information EU law requires, and you must make a genuine effort to check whether listed products appear on official lists of illegal or recalled goods. A marketplace that designs its listing flow to suppress or omit this information is non-compliant by construction, not just by omission.
What does notice-and-action require, and how fast must you act?
Every hosting service, including marketplaces, must run a notice-and-action mechanism that lets any individual or entity flag content they consider illegal, and you must process those notices in a timely, diligent, non-arbitrary, and objective manner. The DSA does not impose a fixed deadline in hours, but it does require that notices granting “actual knowledge” be acted on expeditiously, which is the phrase that determines your liability.
The liability mechanics matter. A hosting provider is shielded from liability for illegal user content only as long as it lacks actual knowledge and acts expeditiously once it gains that knowledge. A properly detailed notice is precisely what triggers actual knowledge, so a slow or sloppy notice queue is not just a compliance gap, it is a direct liability exposure. This is why mature platforms staff moderation as a real-time function, the same operational urgency newsrooms apply when a story breaks, an approach detailed in our walkthrough of the 2026 retail breaking news playbook for PR teams.
The statement of reasons obligation
Whenever you restrict content or an account, whether by removal, demotion, disabling access, or suspension, you must give the affected user a clear and specific statement of reasons. It has to explain the legal or contractual ground, whether automated means were used, and the redress options available. These statements also have to be submitted to the EU’s public Transparency Database, which means your moderation decisions become inspectable at scale.
On top of that, online platforms must operate an internal complaint-handling system free of charge, letting users contest moderation decisions for at least six months, and must inform users about access to certified out-of-court dispute settlement bodies. The full chain runs: notice received, action taken, statement of reasons issued, complaint channel offered, and external dispute settlement available. Skipping any link breaks compliance.
| Obligation | What it requires | Timing expectation | Who must do it |
|---|---|---|---|
| Notice-and-action | Easy mechanism to flag illegal content | Act “expeditiously” on valid notices | All hosting services |
| Statement of reasons | Specific explanation of any restriction | At the time of the action | All hosting services |
| Internal complaints | Free channel to contest decisions | Available for 6+ months | Online platforms (non-micro) |
| Trusted-flagger priority | Process designated flaggers first | Without undue delay | Online platforms |
| Transparency reporting | Annual public moderation report | At least once a year | Online platforms (non-micro) |
What goes in a DSA transparency report?
A DSA transparency report is a public, machine-readable annual disclosure of how your platform moderated content over the reporting period, and for most online platforms it is the single most visible proof of compliance regulators and journalists will check. It is not a marketing document; it is an accountability filing with a defined data schema.
At minimum the report covers: the number of orders received from member-state authorities, the notices submitted through your notice-and-action system (broken down by type of illegal content), the content moderation you did on your own initiative, the use of automated tools and their accuracy, complaints received through the internal system and how you resolved them, and any out-of-court disputes. VLOPs report twice a year and add far more detail, including the human resources dedicated to moderation per EU language.
The strategic point retailers miss is that these reports are competitive intelligence. Because they are public, a marketplace’s moderation volume, automation reliance, and dispute rates are now legible to rivals, regulators, and the press. Industry analysts already fold this into platform assessments, and the kind of cross-platform comparison surfaced at sector gatherings, like those covered in our roundup of which retail industry conferences worth attending dig into compliance benchmarking, increasingly leans on DSA disclosures as raw material.
When does a marketplace become a VLOP, and what changes?
A marketplace becomes a Very Large Online Platform when it reaches an average of 45 million monthly active recipients in the EU, a threshold the Commission recalculates and which represents roughly 10% of the EU population. Designation is by formal Commission decision, and once designated you have four months to comply with the heaviest layer of the DSA.
VLOP status triggers a different category of obligation built around systemic risk. You must run annual risk assessments covering the dissemination of illegal goods and content, effects on fundamental rights, civic discourse, and consumer protection, then put proportionate mitigation measures in place. You submit to independent annual audits, give regulators and vetted researchers data access, maintain an ad repository, and offer at least one recommender-system option not based on profiling. There is also a supervisory fee capped at 0.05% of annual worldwide net income to fund the Commission’s oversight.
| VLOP obligation | What it adds beyond the platform tier | Frequency |
|---|---|---|
| Systemic risk assessment | Formal analysis of platform-level harms | Annual |
| Risk mitigation | Proportionate measures tied to identified risks | Ongoing |
| Independent audit | Third-party compliance audit | Annual |
| Recommender transparency | Non-profiling option, explained parameters | Ongoing |
| Ad repository | Public searchable archive of ads | Continuous |
| Supervisory fee | Up to 0.05% of worldwide net income | Annual |
For most marketplaces this tier is academic, but for the platforms that cross the line the cost step-change is dramatic, easily an order of magnitude more compliance overhead than the base online-platform tier. If your growth trajectory points toward 45 million EU users, the smart move is to build VLOP-grade documentation early rather than scramble inside the four-month designation window.
How is the DSA enforced, and what do violations cost?
Enforcement is split: national Digital Services Coordinators (DSCs) supervise most platforms in their member state, while the European Commission directly supervises VLOPs and VLOSEs. Penalties for non-compliance reach up to 6% of the provider’s total worldwide annual turnover, with periodic penalty payments of up to 5% of average daily worldwide turnover for ongoing breaches, and up to 1% of turnover for supplying incorrect or misleading information.
The Commission has shown it will use these powers. It has opened formal proceedings against several VLOPs over illegal-content handling, advertising transparency, and recommender-system risks, and it can impose interim measures and even seek a temporary restriction of access to a service in the most serious cases. For a marketplace, the practical enforcement risk is concentrated in two areas: failing trader traceability (which produces a traceable trail of unsafe goods) and a deficient notice-and-action system (which converts user complaints directly into liability).
- Designate an EU legal representative and a single point of contact before anything else; absence of one is itself an infringement.
- Map every duty to your tier and assign an owner for each, because the DSCs check the full set, not the headline ones.
- Instrument your moderation pipeline so notices, actions, statements of reasons, and complaints are logged in report-ready form.
- Run a trader-data audit to confirm every active seller has complete, verified Article 30 records.
- File the transparency report on schedule, in the required format, and submit statements of reasons to the EU database.
How does the DSA interact with consumer behavior and trust?
The DSA is not only a compliance cost; it is reshaping what European shoppers expect from a marketplace. Visible trader identity, clear redress channels, and fewer unsafe listings raise the baseline of trust, and trust is a conversion lever. Platforms that treat transparency as a feature rather than a burden are converting the regulation into a differentiator.
This dovetails with how buying habits are shifting more broadly. European consumers increasingly factor platform accountability and product safety into where they shop, a pattern our analysis of the state of consumer behavior in retail and e-commerce tracks across markets. A marketplace that surfaces verified-seller badges and a frictionless complaint path is not just ticking a regulatory box; it is meeting a demand European buyers now express with their wallets.
Common mistakes online marketplaces make under the DSA
Most DSA enforcement exposure traces back to a small set of avoidable errors rather than to the headline VLOP duties.
- Assuming “small business” means out of scope. The micro-enterprise exemption never covers trader traceability for a marketplace, and territorial scope catches non-EU companies regardless of size.
- Treating trader verification as a one-time gate. The duty is ongoing; failing to re-check and suspend unreliable traders is a recurring infringement, not a closed task.
- Running notice-and-action as a back-office ticket queue. A valid notice creates actual knowledge, so slow handling converts directly into content liability.
- Skipping the statement of reasons. Every restriction needs a specific, logged explanation submitted to the EU Transparency Database, not a generic policy reference.
- Filing a marketing-style transparency report. The report has a defined data schema; a glossy narrative without the required metrics fails the obligation.
- Forgetting the EU legal representative. No point of contact or representative is itself a standalone breach that DSCs flag immediately.
FAQ
Does the DSA apply to a marketplace based outside the EU?
Yes. The DSA applies on a territorial basis, meaning it covers any intermediary service offered to recipients located in the EU regardless of where the provider is established. A marketplace headquartered in the United States, the United Kingdom, or anywhere else must comply in full if EU consumers can use it. Such providers must also appoint a legal representative established in one of the member states where they offer services. That representative can be held liable for non-compliance, so the appointment is a substantive obligation rather than a formality.
What is trader traceability under the DSA?
Trader traceability, set out in Article 30, requires an online marketplace to collect and verify identifying information about every third-party trader before allowing them to sell to EU consumers. That includes name, address, phone, email, an identification document, payment account details, and where applicable a trade-register entry. The marketplace must make best efforts to verify this data against official databases and must suspend traders who fail to correct unreliable information. The aim is to ensure sellers of illegal or unsafe goods can be identified and held accountable, ending anonymous listings.
How quickly must a marketplace remove illegal content?
The DSA does not set a fixed numerical deadline for most content, but it requires platforms to act “expeditiously” once they have actual knowledge of illegal content, which a valid notice provides. Liability protection depends on this speed: a hosting provider keeps its shield only while it lacks knowledge and acts promptly after gaining it. In practice, this pushes marketplaces toward near-real-time moderation for clearly illegal goods. Certain categories, such as content flagged by trusted flaggers, must be processed with priority and without undue delay.
What is a statement of reasons and when is it required?
A statement of reasons is a clear, specific explanation a platform must give whenever it restricts a user’s content or account, including removals, demotions, disabling access, or account suspensions. It must state the legal or contractual ground for the action, whether automated tools were used, and the redress options available, including the internal complaint channel and out-of-court dispute settlement. These statements must also be submitted to the EU’s public Transparency Database. A generic reference to terms of service does not satisfy the requirement; the explanation has to be tailored to the specific decision.
When does a platform become a VLOP?
A platform is designated a Very Large Online Platform when it reaches an average of 45 million monthly active recipients in the EU, roughly 10% of the EU population. The European Commission makes the designation by formal decision, and the platform then has four months to comply with the additional VLOP duties. Those include annual systemic-risk assessments, independent audits, recommender-system transparency, an ad repository, data access for vetted researchers, and a supervisory fee of up to 0.05% of annual worldwide net income. Marketplaces below the threshold are not subject to these heavier obligations.
What are the penalties for breaching the DSA?
Fines for non-compliance can reach up to 6% of the provider’s total worldwide annual turnover. Periodic penalty payments of up to 5% of average daily worldwide turnover can be imposed for ongoing breaches, and supplying incorrect, incomplete, or misleading information can be fined up to 1% of turnover. National Digital Services Coordinators enforce against most platforms, while the European Commission supervises VLOPs directly. In the most serious cases, regulators can impose interim measures or seek a temporary restriction of access to the service within the EU.
Are small marketplaces exempt from the DSA?
Partly. Micro and small enterprises (fewer than 50 staff and under 10 million euro annual turnover) are exempt from several heavier online-platform duties, such as transparency reporting and the internal complaint-handling system. However, they remain subject to the core hosting duties, including notice-and-action and statements of reasons, and they are not exempt from trader-traceability obligations if they operate a marketplace. Assuming a small marketplace is fully out of scope is one of the most common and costly misreadings of the regulation.
Who enforces the DSA in each country?
Each member state designates a Digital Services Coordinator, an independent authority responsible for supervising intermediary services established in its territory and coordinating with peers across the EU. The DSCs handle complaints, conduct investigations, and impose penalties on platforms under their jurisdiction. For Very Large Online Platforms and Search Engines, the European Commission has direct and exclusive enforcement powers over the VLOP-specific obligations. The two layers work together through the European Board for Digital Services, which coordinates cross-border cases and consistent application of the rules.
What’s next
Start by mapping your platform to the correct DSA tier and running a trader-data audit so every active seller has complete, verified Article 30 records, then instrument your moderation pipeline so notices, actions, and statements of reasons are logged in report-ready form. As enforcement intensifies, keep tracking how this and adjacent rules move the sector through our coverage of how retail news shapes the global e-commerce industry today, and consider attending one of the compliance-focused sessions among the retail industry conferences worth attending. For the primary source itself, the consolidated text of Regulation (EU) 2022/2065 remains the authority your legal team should cite when scoping each duty.