Extraterritoriality of the EU’s Digital Services Act

Ensuring a safer online environment

A single set of rules that apply across the whole EU is how the European Commission describes the Digital Services Act ((EU) 2022/2065) (DSA) and the Digital Markets Act ((EU) 2022/1925) (DMA).

The foci of this legal framework are:

• the safety of users online;
• governance with, at the forefront, the protection of fundamental rights; and
• an online platform environment which is fair and open.

Read more about the DSA package here.

In the context of recent news

The DSA entered into force on 16 November 2022, although most operative provisions did not take effect until 17 February 2024. The DMA entered into force on 1 November 2022 and came into effect on 2 May 2023.

To put these EU regulations in the context of recent news, the European Commission:

• on 3 July, launched a public consultation on the first review of the DMA (closes 24 September 2025): read the press release here.
• on 2 July, adopted a delegated act on data access under the DSA relating to researchers obtaining access to the internal data of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – read the press release here.
• on 1 July, provided a reminder that harmonised transparency reporting rules start to apply – read the press release here.
• on 18 June, accepted and made binding the commitments under the DSA of the VLOP AliExpress – read the press release here.

Extraterritoriality: substantial connection to the EU

In this blog we foreground the extraterritoriality of the DSA – looking at the ‘substantial connection to the Union’ wording within the regulation. We also explore some of the obligations for entities in-scope, the tiering of those obligations, and consequences of non-compliance.

What are online intermediaries and platforms?

The European Commission explains:

• ‘Digital services include a large category of online services, from simple websites to internet infrastructure services and online platforms.
• The rules specified in the DSA primarily concern online intermediaries and platforms. For example, online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms’.

UK-based suppliers of ‘intermediary services’

The DSA applies to intermediary services offered to recipients (businesses or consumers) in the EU. This is Article 2(1) of the DSA on its Scope:

• This Regulation shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.

So, the DSA applies irrespective of where the provider is incorporated or located.

Substantial connection

However, to be in-scope, a provider of the intermediary services would need to be established in the EU or connected to the EU based on specific factual criteria. This is referred to in the DSA as a substantial connection.

Specific factual criteria

In the preamble to the DSA (recitals (7) and (8)) there are guiding words on having a ‘substantial connection to the Union’. In addition, there are these definitions within the DSA:

‘to offer services in the Union’ means enabling natural or legal persons in one or more Member States to use the services of a provider of intermediary services that has a substantial connection to the Union

‘substantial connection to the Union’ means a connection of a provider of intermediary services with the Union resulting either from its establishment in the Union or from specific factual criteria, such as:

• a significant number of recipients of the service in one or more Member States in relation to its or their population; or
• the targeting of activities towards one or more Member States

Enforcement – fines of up to 6% of worldwide annual turnover

The European Commission has powers under the DSA to investigate and to sanction. For non-compliance generally, the European Commission is able to impose fines of up to 6% of worldwide annual turnover. Following a specific procedure, and as a last resort measure, the Commission can request temporary suspension of the service.

Read more about the enforcement framework under the DSA here.

VLOPs and VLOSEs

For the purposes of the DSA, the Commission designates providers having more than 45 million users per month in the EU (or 10% of the EU’s population):

• Very Large Online Platforms (VLOPs), and
• Very Large Online Search Engines (VLOSEs).

The Commission maintains a webpage providing an overview of the VLOPs and VLOSEs that it supervises and its main enforcement activities. Enforcement issues include:

• protection of minors;
• conducting due diligence on traders;
• informing consumers about illegal products;
• giving researchers access to data;
• risks of breaching data protection law;
• providing a searchable and reliable repository for advertisements; and
• avoiding the use of dark patterns.

Read about the supervision of VLOPs and VLOSEs here.

Formal proceedings against a designated VLOP

The European Commission has issued information requests or started formal proceedings against online platforms, the first proceedings being in December 2023. These were against the platform X (formerly Twitter), with preliminary findings (the first under the DSA) released on 12 July 2024.

Read more about findings on breaches of the DSA here.

Tiering of obligations under the DSA – it’s not just VLOPs and VLOSEs!

There are certain obligations imposed by the DSA which are applicable to all providers. Providers of intermediary services include:

• VLOPs and VLOSEs;
• online consumer marketplaces;
• online platforms;
• hosting service providers; and
• ‘mere conduit’ and ‘caching’ providers.

Obligations are tiered, with the fewest applying to mere conduit and caching providers, and the most stringent applying to VLOPs and VLOSEs.

Provisions applicable to all in-scope

Obligations on all providers of intermediary services include:

Designate a single point of contact for:

• the provider to communicate with Member States’ authorities, the Commission and the European Board for Digital Services (Article 11), and
• recipients of the service to communicate with the provider (Article 12).

Appoint a legal representative in the EU if not established there – for the purpose of being addressed in addition to or instead of the provider (Article 13).

• Providers must give their legal representative the powers and resources to cooperate with Member States’ authorities, the Commission and the European Board for Digital Services, and to comply with their decisions.
• The legal representative can be held liable for non-compliance with the DSA, without prejudice to the liability and legal actions that could be initiated against the provider.
• The name, postal address, email address and telephone number of the legal representative must be notified to the Digital Services Coordinator in the relevant Member State. This information must also be publicly available, easily accessible, accurate and kept up to date.
• Include provisions in their terms and conditions clarifying any restrictions on use of their service in respect of information provided by recipients of the service (Article 14).

Comply with transparency reporting obligations (Article 15).

• A Transparency Reporting Regulation (2024/2835) was published in November 2024 and sets out what providers of intermediary services need to do.
• There is a template in Annex I and instructions in Annex 2 – use of the template is obligatory from 1 July 2025.
• Note the first reporting cycle ran to 16 February 2025; the second is shortened and runs to 31 December 2025.

Hosting service providers and upwards have additional obligations.

Codes of conduct

In addition to the DSA, there are various associated voluntary Codes of Conduct. Read more about the DSA Codes of Conduct.

The Commission has also published (5 February 2025) a statement about its approach to the challenges posed by e-commerce imports. Read the EU toolbox for safe and sustainable e-commerce here.

Key takeaways

All providers of intermediary services within scope of the DSA, not just VLOPs and VLOSEs, have obligations under the DSA, albeit that those obligations are tiered.

The European Commission has issued information requests and started formal proceedings against online platforms, with its main enforcement activities against the VLOPs and VLOSEs it supervises viewable on its dedicated webpage. We await the outcome of the proceedings against X and other VLOPs.

Related, the approach to online safety legislated for in the UK has followed another pathway – there are similarities and differences between the DSA and the Online Safety Act 2023 (OSA). Rather than the DSA’s focus on transparency and accountability, the emphasis of the UK’s OSA is protecting users, particularly children, from illegal or harmful content.

We end this blog though where we began, with the DSA and the DMA together forming the package, the set of rules that for the European Commission aims, ‘…to create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses’. Here we have explored the extraterritoriality of the DSA, but note too that the DMA has extraterritorial effect.

The DMA establishes criteria to identify ‘gatekeepers’. These gatekeepers are large digital platforms (e.g., Alphabet, Google’s parent company) which provide a ‘core platform service’ (CPS), such as an online search engine (e.g., Google Search), or an app store or a messenger service.

We will revisit the DMA and its effect on businesses which depend on gatekeeper CPSs in a future blog. In the meantime, you can read more about the DMA’s designated gatekeepers and their associated CPSs here.

We’re here to help

Our experienced team of technology solicitors can support you if you would like to learn more about the EU’s DSA or the UK’s OSA.