In our previous post regarding the €200 million fine imposed on Temu under the Digital Services Act (DSA), we highlighted a key regulatory trend: online businesses are increasingly expected not only to react to risks, but also to actively identify and manage them.
Following that post, several clients asked us a legitimate question:
“We are not Temu, Amazon or TikTok. Does the DSA have anything to do with our business?”
In many cases, the answer may be yes.
The first misconception: the DSA only applies to Big Tech
When discussing the DSA, attention usually focuses on Very Large Online Platforms (VLOPs). However, the vast majority of obligations under the DSA are not reserved for large technology companies.
Depending on the business model, the DSA may also apply to:
- online marketplaces;
- booking platforms;
- classified advertisement websites;
- SaaS providers offering user-generated content functionalities;
- hosting providers;
- online communities and forums;
- platforms connecting users with products, services or content.
For many Romanian companies, the relevant question is not whether they are a VLOP, but whether they act as an intermediary between users and content, products or services.
“We already comply with the E-Commerce Directive”
This is often true. However, compliance with the E-Commerce Directive does not automatically mean compliance with the DSA.
For more than twenty years, the E-Commerce Directive focused primarily on intermediary liability. In essence, it answered the question:
When is a platform liable for content or products uploaded by third parties?
The DSA starts from a different question:
What internal measures should a platform have in place to prevent, manage and address those risks?
The traditional safe-harbour protections continue to exist. However, the DSA introduces additional obligations regarding governance, transparency and operational processes.
What does this mean in practice?
For many businesses, DSA compliance is less about drafting new contractual clauses and more about reviewing internal processes.
Questions worth asking include:
- Do we have a mechanism through which users can report illegal content or products?
- Do we know how such reports are handled internally?
- If we operate a marketplace, do we properly identify and verify traders?
- Are our terms and conditions aligned with DSA transparency requirements?
- Can we demonstrate how decisions affecting users are taken and communicated?
- Have we assessed whether our platform design may facilitate illegal activity?
These are no longer questions relevant only to multinational technology companies.
The lesson from the Temu case
The most important aspect of the Temu decision is not the amount of the fine.
The Commission’s criticism focused largely on Temu’s inability to adequately assess and manage the risks associated with its own platform.
For businesses operating online services, the regulatory expectation is increasingly clear: if you operate a digital platform, you should understand the risks generated by that platform and be able to demonstrate what measures you have implemented to address them.
A good time for a DSA health check?
Many companies have already invested significant efforts in GDPR compliance. We are now seeing a similar development in the digital services space.
For businesses operating online platforms, marketplaces, SaaS solutions or intermediary services, a DSA assessment may help identify whether existing processes developed under the E-Commerce Directive remain sufficient, or whether additional measures are now required under the DSA framework.
The fact that your business is not Temu does not necessarily mean that the DSA does not apply. The better question is whether your business performs functions that the DSA regulates.
