EU's Digital Services Act

The Clock’s Ticking for Tech Firms to Prepare for EU’s Digital Services Act

This blog post was authored by Kaitlin Kirkham-Cooper, Managing Director, and Karter Klumpyan, Director, Risk and Compliance, on The Protiviti View.

Time is running short for technology companies, particularly those providing hosting services, large online platforms and search engines, to comply with the European Union’s Digital Services Act (DSA). The law aims to protect the digital space against the spread of illegal content and create a safe place for users, particularly on social networks, content-sharing platforms and e-commerce sites.

The big picture: The DSA has broad implications for technology firms of all types, both small and large, and some nontech enterprises. The rules are reverberating beyond Europe (New Zealand and India have introduced similar proposals) and are expected to influence the course of legislation in the United States, where legislators are eager to rein in Big Tech.

Summary obligations from the regulation:

  • It requires companies to put processes in place to be notified of illegal content and to act on notifications.
  • It imposes significant financial penalties for noncompliance, including fines of up to 6% of a company’s global annual sales.
  • It could institute an outright ban on operating in the EU single market for repeat offenders.

Which companies need to comply — and when?

Below is a high-level overview of the timeline for compliance and which types of companies are subject to the legislation:

  • August 25, 2023: This is the compliance date for very large online platforms (VLOPs) and very large online search engines (VLOSEs). The DSA classifies platforms and search engines as VLOPs and VLOSEs when they have more than 45 million users per month in the EU.
  • February 17, 2024: This is the compliance date for platforms that do not meet the 45-million-user threshold. These businesses include online platforms, such as marketplaces, app stores and social media platforms; hosting services providers, such as companies that offer cloud computing; and digital intermediary services providers, such as internet access providers.

What to watch: It is crucial for companies to understand the connection between their monthly user numbers and their DSA obligations.

  • As those numbers change over time, an organisation could be promoted to or demoted from VLOP status, which would also change its compliance requirements.
  • Businesses will need to track their numbers closely and report them to the European Commission every four months.

Go deeper: For more information, read Protiviti’s white paper, The Global Consequences of Europe’s New Digital Regulatory Regime.

The value of a centralised approach and stakeholder involvement

There is no one-size-fits-all solution for preparing to meet the DSA’s broad mandates. However, based on our experience collaborating with companies subject to the legislation, there are clear trends in initial ownership of this work:

  • Legal functions are taking the lead in helping various business units, product groups and internal operations teams interpret the obligations under the DSA.
  • The legal teams are ensuring that other parts of the business are solutioning and developing controls to ensure DSA compliance.

We have also observed that some companies making the most progress have established a centralised project approach for managing DSA obligations and mapping controls and solutions against those obligations. This approach helps drive ownership, timelines and consistency.

As an example, VLOPs that use “recommender systems” must provide at least one system that is not based on profiling and that allows users to set their preferred options for content ranking:

  • Recommender systems (fully or partially automated) decide which content a user sees, and in which order, using parameters set by the platform.
  • Recommender systems often impact engineering, product, marketing, operations and sales. It can be challenging for businesses to identify the correct person or people to own compliance risk and controls for this type of requirement, and to align on the best methods to comply with it.

A key point: The centralised team should be prepared to address the DSA in the short term, as well as other critical digital regulations, including the Digital Markets Act (DMA), the Artificial Intelligence Act (AI Act) and the Digital Operational Resilience Act (DORA). These measures are part of an expanding EU digital regulations package that is also expected to have cross-border implications for a wide range of technology companies.

What impacted companies should do now

In addition to meeting the August 25, 2023, compliance deadline, VLOPs and VLOSEs must prepare for an independent audit process that the European Commission will use to assess their compliance with all key obligations under the DSA.

The commission has published guidance for auditors that can be helpful for companies to review while they wait for the final rules to be published later this year. VLOPs and VLOSEs may also want to work with their internal audit group and/or external resources in the months ahead to conduct a pre-readiness assessment for the DSA audit.

Tech firms that do not need to comply with the DSA until February will want to stay focused on programme building and accelerate efforts where they can. With myriad requirements that impact multiple functions, managing DSA compliance is a challenging undertaking for smaller firms with limited resources. That said, these companies should be well on their way toward considering the overall impact of the DSA on their business, and toward:

  • Establishing a cross-functional DSA working group that meets regularly and manages implementation efforts.
  • Assessing which requirements will apply to the company immediately upon the DSA effective date and in the future, based on growth projections.
  • Conducting a gap assessment to understand how the applicable requirements measure up to the existing controls they have in place, and building new controls where gaps exist.
  • Formalising the control environment through documentation and evidence.

Final takeaway: Technology companies should consider these foundational steps as part of a holistic and strategic approach to building a comprehensive DSA compliance programme — one responsive to the approaching deadlines and the other stringent digital regulations coming down the pike.

Associate Director Roxanne Miller contributed to this blog.
