Corporate Compliance Insights

What Online Heavy Hitters Need to Know About New EU Rules

Regulations in effect this year apply not only within bounds of EU member nations

by Jag Lamba
June 14, 2023
in Compliance

Starting this year, the European Union is adding new layers of regulation to its digital enforcement landscape, including the Digital Services Act. Certa’s Jag Lamba explores what the DSA means for major online platforms, both in the EU and in the United States.

This year, the European Union’s Digital Services Act (DSA) requirements came into effect, adding new regulations for all very large online platforms (VLOPs) and very large online search engines (VLOSEs) — the “very large” designation meaning those with more than 45 million average monthly users. Platforms and search engines subject to the new rules, which also apply to some U.S.-based companies, could face massive penalties if they don’t comply.

What is the Digital Services Act, who is subject to it and how can companies get their risk management practices in line with DSA requirements?

What is the DSA, and why was it passed?

Passed in April 2022, the DSA was designed to create safe online ecosystems in which the fundamental rights of all EU users are protected while rebalancing the responsibilities of users, platforms and public authorities. The aim is to do so without unfairly harming businesses or growth, so the DSA’s new rules are “proportionate, foster innovation, growth and competitiveness, and facilitate the scaling up of smaller platforms, SMEs and startups,” the European Commission says.

Even if your company is based in the U.S., these rules could apply to you. Any company that provides services to any users in the EU is subject to these new rules.

The EU has promoted the DSA by touting a number of benefits for different groups. For EU citizens, the DSA is primarily focused on ensuring effective safeguards, providing choice and content moderation, including less exposure to illegal content and cybersecurity risks, at affordable prices. Similarly, for business users, increased access to various choices across EU-wide markets should keep costs down while also providing a level playing field against providers of illegal content.

For the providers themselves, the EU has pointed to the benefits of harmonization of the rules across digital ecosystems: having legal certainty about what is needed for compliance will make it easier both to begin a business and to scale one up. And the broad benefits of this act for society at large, says the EU, will be greater oversight, which allows for better mitigation of systemic risks like manipulation and disinformation.

These are ambitious and admirable goals, to be sure. In more practical terms, the DSA, along with the Digital Markets Act (DMA) that was also passed in 2022 by the European Parliament in Brussels, adds new rules to the EU’s e-Commerce Directive of 2000 to help it address the new ways the internet has shaped our world and how we have come to live and work with it 20-plus years later, along with all the modern challenges that come with the internet in 2023.

Note that the EU’s main regulation for data protection, the GDPR, isn’t going anywhere. DSA isn’t replacing it; they will both exist, and companies must comply with each if they meet the eligibility criteria.

What are the DSA’s requirements for VLOPs and VLOSEs?

While intermediary services and hosting services, and to an extent smaller online platforms, have a more limited number of new obligations under the DSA, very large platforms have a lot of work to do to meet these new requirements.

The DSA regulations on VLOPs and VLOSEs have the goal of reducing four key areas of systemic risk. This is due to the size of those organizations and their outsized impact; unlike the risks found in smaller organizations or most other industries, these risks at VLOPs/VLOSEs could apply well beyond the borders of a company or platform and have a negative impact across the globe. Those four risks are:

  1. Impacting or curtailing of fundamental rights like dignity, freedom of expression, privacy, nondiscrimination, consumer protections and more
  2. Damaging healthy democratic and electoral processes, whether in the EU or abroad
  3. Adversely affecting measures that are in place to protect public health, minors, physical and mental well-being, or to prevent gender-based violence and discrimination
  4. Disseminating illegal content or facilitating illegal activities, such as trade in prohibited goods

Among other obligations for VLOPs and VLOSEs, these large platforms must “prevent abuse of their systems by taking risk-based action.” These risk management obligations largely boil down to the following requirements:

  • Conducting risk assessments for the four systemic risks numbered above; these should be incorporated into any existing compliance programs
  • Designing proactive plans and crisis responses to actively mitigate risks and react if they are realized
  • Providing independent audits into risk management systems
  • Ensuring that all actions taken to mitigate risk do not restrict the fundamental rights of EU citizens

Meeting DSA compliance requirements

It’s clear that the DSA will have wide-ranging implications for the online ecosystem. Users will expect more accountability and transparency from large platforms that previously answered to no one, and a company clearly acting in good faith to comply should enjoy a positive bump in how customers view its brand. Given these obligations for risk management laid out by the DSA, what do companies need to have in place to meet them?

  • Comprehensive risk assessments: Using the four systemic risks laid out by the DSA as a framework, the ability to undertake comprehensive risk assessments is crucial for companies. Each of these risks is complex and requires assessment from multiple angles, whether they be financial, security-related, operational, or any other risk dimension, in order to be properly accounted for.
  • Automated workflows: Risk management teams should consider building automated workflows into risk control processes. Automation allows companies to quickly adapt to changing regulations or world developments that could increase risk without IT bottlenecks. It also allows for risk-based due diligence — enhancing the actions taken based on the level of risk identified — with little delay. Systems, automated or not, should also be capable of generating monthly DSA compliance reports.
  • Maintain a central repository for resources: Any risk management systems that companies can rely on for DSA compliance will also allow trusted flaggers to generate intelligence on any notices that arise. Terms and conditions and explanations for how it all fits into DSA compliance should be maintained in a central repository of the risk management system for easy publishing and access as needed — DSA compliance itself is important, but so is transparency on how that compliance is being achieved.

The clock is ticking

The penalties from the EU for noncompliance can be significant, enough to potentially pull a company off its projected path for growth and hamper operations. Failure to comply with any of the DSA’s obligations could incur a fine of up to 6% of a company’s annual revenue. If submitted reports include inaccurate, incomplete or misleading information, that could cost the company 1% of revenue as well. And if penalties recur, daily fines of up to 5% of daily revenue could be levied. VLOPs and VLOSEs can’t afford to wait to meet DSA regulations. The quicker these risk management capabilities are put in place, the less exposure they’ll have, and the potential fines could be lessened.


Tags: GDPR
Jag Lamba

Jag Lamba is the founder and CEO of Certa, a third-party lifecycle management platform for procurement, compliance and ESG. Certa is backed by Techstars and top global VCs. A Wharton and McKinsey alum, Jag lives in Saratoga, Calif., and loves hiking and playing soccer with his son.

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

© 2025 Corporate Compliance Insights
