The Digital Services Act (Regulation (EU) 2022/2065, DSA) applies to online intermediary services from 17 February 2024 and aims to create a safer digital space where the fundamental rights of users are protected. Its main goal is to prevent illegal and harmful activities online. The DSA applies to different categories of online intermediary services – from transmission service providers to digital platforms and search engines. The DSA imposes tiered obligations where providers of more complex services will have to comply with additional obligations related to content moderation, online sales and advertising, risk management obligations, and crisis response.

The starting point for service providers is to identify the service tier to which they belong by reference to the legal definitions in the DSA[1]:

Mere conduit and caching services: internet access providers, internet exchange points, domain name registers, direct messaging services, content delivery networks, caching proxy servers, reverse proxies, content adaptation proxies;

Hosting services: various cloud hosting providers, IaaS и PaaS service providers;

Online platforms: social networks, video sharing platforms, platforms for listing and renting, online forums, app markets, online games platforms;

Online platforms for B2C trading: online platforms that allow consumers to conclude distance contracts with traders;

Very large online platforms (VLOP) and very large online search engines (VLOSE): 17 VLOPs and 2 VLOSEs designated by the European Commission so far.

Under the DSA, providers are not liable for content hosted on their service if they are not aware of that fact or when they remove access to that content once aware that it is illegal or infringing. When providers identify illegal content or content infringing their terms of service through their own-initiative monitoring, they must remove such content as soon as possible to remain within the liability safe harbour.

As of 17 February 2024, all providers of intermediary services established in Bulgaria or other EU Member States, as well as companies providing services from outside the European Union must ensure compliance with DSA starting with the basic obligations:

• Transparency reporting - providers of intermediary services shall make publicly available, in a machine-readable format and in an easily accessible manner, at least once a year, clear, easily comprehensible reports on any content moderation that they engaged in during the relevant period;

• Providers should review and adapt their terms and conditions for the provision of the service while taking due account of fundamental rights;

• Cooperation with national authorities following orders – all providers should put in place organisational measures in order to comply with orders under Articles 9 and 10 DSA;

• All obliged providers shall designate a single point of contact and where applicable - a legal representative;

Hosting services should align their existing notice and action arrangements with the DSA and take organisational steps to comply with their obligation to notify authorities on suspicion of specific categories of criminal offences.

Online platforms (except micro and small enterprises) as a subcategory of hosting providers will have additional and more detailed obligations to introduce an internal complaint-handling system in line with the DSA and resolve disputes related to content moderation or service termination in an out-of-court dispute settlement procedure.  Providers of online platforms shall ensure that notices submitted by trusted flaggers are processed without undue delay and suspend the provision of services to recipients that frequently provide manifestly illegal content. Online platforms have additional transparency reporting obligations compared to hosting providers, online interface design and organisation, advertising and recommender systems. Online platforms have to take specific measures to ensure a high level of privacy, safety, and security of minors, on their service and are banned from presenting certain advertisements.

Online market places (with the exception of micro and small enterprises) will have new “Know Your Business Customer” (KYBC) obligations. KYBC obligations require the provider to verify certain information before allowing traders to make use of the marketplace and target consumers. Platforms must ensure that consumers can buy safe products or services online, by strengthening controls to prove that the information provided by traders is reliable and prevent illegal content from appearing on their platforms.

VLOPs and VLOSEs are required to comply with risk management and crisis response obligations, external and independent auditing, internal compliance, and public accountability. Providers should allow users to reject recommendations based on profiling and sharing data with authorities and researchers, and adhere to codes of conduct and crisis response cooperation. These providers are not established in Bulgaria and their activities are supervised by the European Commission and the competent authority is determined by their place of establishment. In case of infringement of rights and obligations vis-à-vis recipients of the services in Bulgaria, the national Digital Services Coordinator[2] (“DSC”) of the destination may request the DSC of the establishment to take the necessary investigatory and enforcement measures.

The DSA is a far-reaching piece of legislation that affects not only online services. On 8 February 2024, the European Commission opened a consultation on draft DSA guidelines on risk mitigation measures for election integrity addressed to very large platforms and search engines. The draft document includes inter alia recommendations for measures that seek to prevent the misuse of generative AI systems. The guidelines once adopted may in effect lead to early voluntary application of the widely anticipated AI Act.

What comes next? In Bulgaria, a bill implementing the DSA was subject to public consultations until 15 January 2024. Under the bill, the Communications Regulatory Commission (CRC) shall be designated as a DSC for monitoring non-video-sharing intermediary service providers to ensure compliance with the DSA, while the Council for Electronic Media (CEM) shall monitor the video-sharing platforms. Once that bill enters the legislative procedure, it can be expected to be completed expediently considering the deadline for application of the DSA. It is a high time the obliged providers to take internal organisation measures for compliance with the DSA.

The authors are DGKV's Partner Violetta Kunze and Senior Associate Georgi Sulev.

[1] See Article 2 of Regulation (EU) 2022/2065,

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R2065

[2] Communications Regulation Commission,

www.crc.bg