European Parliament adopts the Digital Markets Act and the Digital Services Act

Published on 10 October 2022

The question

What are the next steps in the legislative timelines for the Digital Markets Act (DMA) and the Digital Services Act (DSA) and what should companies be doing now to prepare?

The key takeaway

The DMA and DSA have huge ramifications for all in-scope businesses (being core platform services and online intermediaries respectively). There is a lot hidden within them, including from an advertising and data compliance perspective, so being aware of the enforcement dates, and changes that need to be made before they land, is becoming increasingly urgent.

The background

On 15 December 2020, the EU Commission published draft proposals for the Digital Services Act package, which includes the DSA and DMA. The European Parliament and Council then reached provisional political agreement on the text of the DSA and the DMA on 25 March 2022. Both pieces of legislation intended to introduce new rules to make digital spaces safer and more open to innovation and competitiveness. 

The development

Following the provisional political agreement of the DMA and DSA by the Council and European Parliament in March 2022 (which we discussed in our Summer 2022 Snapshots edition here), the European Parliament and Council formally adopted the DSA and the DMA on 5 July 2022. 

The next step is for the official texts of the DMA and DSA to be published in the Official Journal of the European Union. As the DMA was adopted by the Council slightly earlier than the DSA, its publication in the Official Journal is expected this autumn and the DMA will enter into force 20 days after publication and become applicable six months later (most likely in March or April 2023).

Once published in the Official Journal, the DSA will enter into force 20 days later and most of its provisions will apply from the later of 1 January 2024 or 15 months after entry into force. The DSA may apply earlier to very large online platforms and search engines, namely four months after they have been designated as such by the European Commission.

Digital Markets Act

The DMA focuses on creating a level playing field within EU digital markets by introducing a new set of rules to regulate “gatekeeper” companies, which are companies providing core platform services such as the following: online intermediation services (eg Amazon); online search engines (eg Google); online social networking services (eg Facebook); video-sharing platform services (eg YouTube); number-independent interpersonal communications services (messaging services) (eg WhatsApp); operating systems (eg Windows, iOS); web browsers (eg Chrome); virtual assistants (eg Siri, Alexa); cloud computing services (eg iCloud); and online advertising services. To be a gatekeeper, an undertaking must also meet certain qualitative criteria. It must: have a significant impact on the European market; serve as an important gateway between businesses and end users; and enjoy an entrenched and durable position in its operations.

Gatekeeper companies will need to tackle some of the following:

  • self-preferencing: gatekeepers cannot treat their products and services more favourably in rankings, indexing and crawling ie their services can’t be ranked higher than other third parties on their platforms. Additionally, they won’t be able to stop users from easily removing pre-loaded software applications or using third party applications
  • data access: the DMA requires gatekeepers to give competitors and end users access to different types of data
  • interoperability: gatekeepers will need to provide third-party services interoperability with the same software and hardware features as their own services so gatekeeper messaging services must interoperate with competing messaging services for basic functions such as text messaging, voice and video calls and sharing files.

Digital Services Act

The DSA addresses how digital services content is policed and will create new standards for digital services acting as intermediaries to connect consumers with goods/services, requiring them to regulate illegal online content and to protect users. It has a wider scope than the DMA and applies to app stores, internet providers, online marketplaces, hosting and cloud computing services, search engines, social media platforms and domain registrars.

The DSA introduces four tiers of cumulative obligations which apply to four respective categories of intermediaries, with the tier one obligations applying to all tiers of intermediaries. All intermediaries will be subject to an annual transparency and reporting regime regarding content moderation activities. Intermediary service providers without an EU establishment, offering services in the EU, must designate a local representative in one of the EU Member States in which it operates. That representative can be held liable for DSA non-compliance. 

The strictest rules apply to Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) who will need to identify systemic risks arising from the use of their services, such as risks of the sharing of illegal content or where content generates an actual or foreseeable negative effect on users’ fundamental rights eg negative effects on democratic processes, electoral processes or public security. Risk of that nature must be proactively mitigated.

Why is this important?

The legal text of each act has now been agreed at a technical level and non-compliance of the DMA could lead to fines of up to 10% of global turnover (moving up to 20% for repeated non-compliance), whilst non-compliance of the DSA could lead to fines of up to 6% of global turnover. It goes without saying that these could hit pretty astronomical levels for the larger online platforms, easily eclipsing some of the GDPR level fines to date.

Any practical tips?

The obligations and prohibitions placed on gatekeepers by the DMA cover many aspects of company operations. The European Commission estimates DMA compliance costs of €1.41 million per year, per platform and it is likely that gatekeepers will need to prepare to comply with the DMA by early 2024. Companies should anticipate and prepare for compliance costs (both direct and indirect). 

The DSA builds upon existing regulations such as the GDPR and the recently introduced UK Online Safety Bill. Intermediaries will need to consider how governance processes will work under the DSA and how any required changes to systems and processes will interact with upcoming legislation in this area. Companies in scope of the DSA should consider how existing compliance arrangements could be extended or developed to be cross-functional from a compliance perspective across the business. 

Autumn 2022

Stay connected and subscribe to our latest insights and views 

Subscribe Here