The Digital Services Act (DSA), Regulation 2022/2065/EU, became fully applicable to all in-scope businesses in February 2024. It is a framework law that regulates online intermediaries — from basic hosting services to the largest social media platforms — with obligations that scale based on the type and size of the service. Most small online businesses will find that the DSA's direct impact on them is modest, but understanding where you fit is essential before making that assessment.
The four tiers of the DSA
The DSA creates four categories of service provider with progressively more demanding obligations:
Tier 1 — Intermediary services (all): Any online intermediary service — including cloud hosting, content delivery networks, domain name services, and basic hosting — must: have a single point of contact for EU member state authorities and the European Commission; designate a legal representative in the EU if you are based outside the EU; publish annual transparency reports on content moderation.
Tier 2 — Hosting services: Beyond Tier 1, hosting services (including shared hosting providers, cloud platforms with user-uploaded content) must have a notice-and-action mechanism — a way for users or third parties to report illegal content — and must take expeditious action on notices. They must also notify authorities of suspected serious criminal offences.
Tier 3 — Online platforms: Online platforms that allow users to store and share content publicly (forums, marketplaces, social platforms, review sites) have the full set of Tier 2 requirements plus: consumer protection provisions including merchant verification for online marketplaces; tracing of traders; random checks of listed products; a complaint-handling system; and out-of-court dispute settlement mechanisms. Micro and small enterprises (fewer than 50 employees and annual turnover under EUR 10 million) are exempt from several of these provisions.
Tier 4 — Very Large Online Platforms and Very Large Search Engines (VLOPs/VLOSEs): Platforms with more than 45 million monthly active users in the EU. Heavy compliance obligations including algorithmic risk assessments, independent audits, and direct supervision by the European Commission. Irrelevant to almost all small businesses.
What most small online businesses need to do
For a typical small online business — a membership site, an e-commerce store, a course platform, a SaaS product — the DSA assessment looks like this:
If you only sell your own products or services online, you are primarily acting as a seller, not an intermediary. Your primary compliance obligations are GDPR and consumer law, not the DSA. You may have limited hosting service obligations (Tier 1/2) related to your underlying infrastructure, but your hosting provider handles these.
If your platform allows users to post content that others can see — reviews, comments, forum posts — you are an online platform under the DSA. If you are a micro or small enterprise, many Tier 3 obligations do not apply, but you should still have: a mechanism for users to flag illegal content; a basic content moderation policy; and clear terms of service describing your moderation approach.
If you operate an online marketplace — connecting buyers and sellers who are separate from yourself — Tier 3 marketplace obligations apply, including trader verification requirements regardless of your size.