The EU’s Digital Services Act: What Businesses Need to Know After the First Non-Compliance Decision

What is the Digital Services Act and why does it matter?

The Digital Services Act ((EU) 2022/2065) (DSA) entered into force on 16 November 2022, although most operative provisions did not take effect until 17 February 2024.

It is a major piece of EU legislation designed to create a safer and more transparent online environment. It may apply where intermediary services are offered in the European Union, irrespective of where the service provider is incorporated or located. When users are within the EU and the service is offered by a non-EU company, the key is whether the provider has a ‘substantial connection’ to the EU.

Providers of intermediary services include:

• Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs);
• online consumer marketplaces;
• online platforms;
• hosting service providers; and
• ‘mere conduit’ and ‘caching’ providers.

Requirements for VLOPs and VLOSEs began in 2023. For the purposes of the DSA, the Commission designates providers having more than 45 million users per month in the EU (or 10% of the EU’s population) VLOPs or VLOSEs.

For an exploration of the obligations for entities in-scope and the consequences of non-compliance, read our earlier blog on the DSA here.

Does the DSA apply to non-EU businesses?

Yes, in the preamble to the DSA (recitals (7) and (8)), if your platform targets EU users or has a significant user base in one or more EU Member States, you may be considered to have a ‘substantial connection’ under the DSA. The specific factual criteria includes:

• a significant number of recipients of the service in one or more Member States in relation to its or their population; or
• the targeting of activities towards one or more Member States.

X fined €120 million – what businesses need to know

In December 2023 the European Commission opened formal proceedings, the first under the DSA, to assess whether the platform X may have breached the DSA. Preliminary findings were released on 12 July 2024. On 5 December 2025, a fine of €120 million was issued to X.

The European Commission is able to impose fines of up to 6% of worldwide annual turnover for non-compliance generally. Following a specific procedure, and as a last resort measure, the Commission can request temporary suspension of the service.

Why was X penalised under the DSA?

The reasons the Commission outlined for the fine issued to X revolve around:

1. deceptive design,
2. failing on online advertising transparency, and
3. not meeting obligations to provide access for researchers to the platform’s public data.

In particular:

• Deceiving users with the X ‘blue checkmark’: anyone is able to pay for ‘verified’ status of an account ‘…without the company meaningfully verifying who is behind the account, making it difficult for users to judge the authenticity of accounts and content they engage with’. 

There is an obligation in the DSA for online platforms to prohibit deceptive design practices (Article 25(1)):

‘Providers of online platforms shall not design, organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions’. 

• Obscuring information on advertising repositories (relates to Article 39 of the DSA on online advertising transparency requirements). The Commission commented:

‘Accessible and searchable ad repositories are critical for researchers and civil society to detect scams, hybrid threat campaigns, coordinated information operations and fake advertisements’.

• Shutting out researchers from the platform’s public data (Article 40(12) addresses data access and scrutiny by researchers).

Next steps for compliance

Following the decision, X has:

• 60 working days to inform the Commission of measures planned to end Article 25(1) infringement (deceptive use of blue checkmarks); and
• 90 working days to present an action plan in relation to infringements of Articles 39 (advertising repository) and 40(12) (researcher access).

Failure to comply with the non-compliance decision may lead to periodic penalty payments.

By way of comparison…

On the same day as the fine issued to X, the Commission accepted commitments on advertising transparency from another VLOP, TikTok.

A comment from the Commission’s Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy reads:

‘Transparent ad practices can build trust in the online environment. Transparency is essential in uncovering scams, ensuring the integrity of information and keeping young users and children safe from lurking harm. The message is clear: our aim is compliance. When platforms engage constructively with the Commission, we are ready to accept solid commitments’.

Read the Commission press release here.

For an overview of other enforcement activities, read the Commission’s webpage on the supervision of designated VLOPs and VLOSEs here.

What should businesses do now?

If your business offers intermediary services that reach EU users (businesses or consumers), then the baseline obligations across all service providers include:

• Point of contact: Designating a single point of contact for users and authorities (the Commission, the European Board for Digital Services, and Member States’ authorities).
• Representative: Appointing a legal representative in the EU if not established there.
• Terms: Implementing transparent terms and conditions.
• Reporting: Complying with transparency reporting obligations.

Additional obligations if your business provides hosting services include:

• Notice and action: Put in place user-friendly and electronic mechanisms for users to report content they consider to be illegal.
• Statement of reasons: Provide clear statements as to why certain content is restricted, removed, or suspended.
• Criminal offence: Suspicions in relation to threat to life or safety of a person reported to the relevant authority.

There are then further obligations for online platforms (beyond hosting), rules for online marketplaces (B2C), and the strictest rules for VLOPs and VLOSEs. So, compliance is layered, with stricter rules for larger platforms. Failure to comply can result in significant fines, up to 6% of a company’s global annual turnover.

How we can help

We end this blog with the words of the Commission’s Henna Virkkunen, this time in relation to the X fine:

‘Deceiving users with blue checkmarks, obscuring information on ads and shutting out researchers have no place online in the EU. The DSA protects users. The DSA gives researchers the way to uncover potential threats. The DSA restores trust in the online environment. With the DSA’s first non-compliance decision, we are holding X responsible for undermining users’ rights and evading accountability’.

The DSA is complex, and enforcement is increasing. Our experienced team of technology solicitors can support you with a review of your compliance obligations under the Digital Services Act.