From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation periods for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPs and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

Pending Implementing Acts

  • Draft Implementing Act on Transparency Reporting. This draft implementing act sets out the detailed rules applicable to intermediary service providers on transparency reporting, setting out, among other things, the reference dates for the reporting period. The draft implementing act provides that the information provided in the transparency reports must be broken down, at a minimum, by calendar month. An Annex to the implementing act sets out the proposed template for transparency reports. The consultation period for this draft implementing act ended on January 24, 2024.
  • Draft Implementing Act on Information Sharing Systems. This draft implementing act (i) details the procedure and form of the information sharing system used to enable information sharing and communication between the European Commission, Digital Services Coordinators (“DSCs”), and the European Board for Digital Services (“EBDS”); (ii) establishes the concerned parties’ respective responsibilities; (iii) specifies general privacy rights (e.g., access rights and confidentiality obligations); and (iv) details the roles that concerned parties play on personal data aspects. The consultation period for this draft implementing act ended on January 5, 2024.

What’s Next?

As noted above, we anticipate that the delegated and implementing acts will be adopted in the first two quarters of 2024. The procedure for adoption of delegated acts is included in Article 87 of the DSA, and requires that: (i) the Commission consults experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of April 13, 2016, on Better Law-Making; (ii) the Commission notifies the adoption of said delegated act to the European Parliament and Council; and (iii) the Parliament and Council do not object within a period of three months from the notification of adoption of said delegated act. In the case of implementing acts, the procedure for adoption of said acts is reflected in Article 83 of the DSA, which states that the Commission will be required to invite all interested parties to submit their comments within a dedicated period of time (no less than one month), and follow the advisory procedure referred to in Article 88 of the DSA by consulting the Digital Services Committee.

*Delegated acts are acts supplementing existing legislation on non-essential parts or amending specific and non-essential elements of a determined legislative act. Implementing acts are acts laying down the uniform conditions for implementing legally binding EU acts. Both are non-legislative instruments and provide tools for the European Commission to further clarify certain key aspects of a specific legislation — in this case, the DSA.

***

The Covington team will continue to monitor developments on the implementation and enforcement of the DSA and continue to report on them on our blog. We are happy to assist with any questions on the topic.

This blog post was drafted with the contribution of Diane Valat.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.