Layer four: Very large online platforms and search engines
The DSA targets very large online platforms and very large search engines with an additional set of stringent requirements applicable to providers of such platforms.
An online platform will qualify as a very large online platform or very large online search engine if the number of average monthly users is 10% or more of the total EU consumers (for the time being 45 million people). The EC will designate which entities are very large online platforms or very large search engines. The precise methodology for calculating the number of average monthly active users is not entirely clear, but the EC may provide further guidance.
The EC is the main body responsible for supervising whether very large online platforms and very large online search engines comply with their specific obligations.
Under the DSA, very large online platforms and very large search engines must:
- Analyse any systemic risk stemming from the use of their platforms and put in place effective mitigation measures, tailored to the identified systemic risks. The definition of systemic risk is very broad and includes almost any systemic risk imaginable (eg illegal content, hate speech, privacy violations, election manipulation, etc);
- When required by "in crisis situations", (ie in the case of extraordinary circumstances that lead to a serious threat to public security or public health, the EU Commission may require providers to analyse whether their services contribute to that threat), take mitigation measures to eliminate or limit the contribution. This is clearly inspired by the presence of vaccine misinformation during the COVID crisis;
- Undergo an annual independent audit into their compliance with the DSA. within one month, the provider must either adopt the recommendations in the audit report or justify the reasons for not doing so and take alternative measures to address any instances of non-compliance identified in the audit report;
- Establish a formal compliance function to monitor compliance with the DSA that must be independent from the operational functions and report directly to the management;
- Provide access to the data necessary to monitor their compliance with the DSA to the competent authorities and researches vetted by the authorities. Providers may be required explain the design, logic the functioning and the testing of their algorithmic systems;
- Establish a public repository on the online advertisements they displayed in the past year, which must include (i) the content of the advertisement, (ii) the person on whose behalf the advertisement was displayed, (iii) the period during which the advertisement was displayed, (iv) whether the advertisement was intended to be displayed specifically to particular groups of users, and the main parameters used for that purpose; and (v) the total number of users reached.
- Provide at least one recommender system that is not based on profiling;
- Provide a machine-readable summary of the terms and conditions, including available remedies and redress mechanisms;
- Publish terms and conditions in each of the official languages of the countries they offer their services.
A layered approach to imposing obligations
Layer one: Providers of intermediary services
This covers a broad range of digital service providers in the EU including internet service providers, content distribution networks, web-based messaging services and wireless local area networks.Read more
Layer two: Providers of hosting services
Services that consist of the storage of information provided by, and at the request of, a recipient of the service (such as webhosting or cloud services).Read more
Layer three: Online platforms and market places
Providers of intermediary services that consist of the storage and public dissemination of users’ information.Read more