Skip to main content

Checklist · Updated 2026

DSA Compliance Checklist

Last updated 2026 · 7 min read

Quick answer

To comply with the Digital Services Act, first classify your service tier, then meet the duties for it: appoint contact points (and an EU representative if you are outside the EU), make your terms transparent, build a notice-and-action mechanism, give statements of reasons for moderation, run complaint handling, follow ad and recommender-system transparency rules, and publish transparency reports. VLOPs add systemic-risk assessments and independent audits.

The 10-step DSA compliance checklist

  1. 1

    Work out which tier you are

    Classify your service under the DSA: intermediary, hosting service, online platform, or Very Large Online Platform/Search Engine (45M+ EU monthly users). Duties scale up by tier, so this determines your whole checklist.

  2. 2

    Appoint contact points

    Designate a single point of contact for authorities and for users (Articles 11–12), and — if you are established outside the EU — appoint an EU legal representative (Article 13).

  3. 3

    Make your terms transparent

    Publish clear terms of service that explain any content-moderation policies, tools, and recommender-system rules in plain language (Article 14), and apply them diligently and proportionately.

  4. 4

    Build a notice-and-action mechanism

    Provide an easy, electronic way for anyone to report illegal content (Article 16), act on valid notices, and confirm receipt and the decision taken.

  5. 5

    Give statements of reasons

    When you remove, restrict, or demote content or accounts, give the affected user a clear statement of reasons (Article 17) explaining the decision and how to appeal.

  6. 6

    Offer internal complaint handling

    For online platforms, run an internal complaint-handling system and tell users about out-of-court dispute settlement options (Articles 20–21).

  7. 7

    Comply with advertising rules

    Label ads clearly, disclose who paid and the main targeting parameters (Article 26), and do not target ads using profiling based on special-category personal data; never use such profiling to target minors (Article 28).

  8. 8

    Disclose recommender systems

    Explain the main parameters of your recommender systems and how users can change them (Article 27); VLOPs must also offer at least one non-profiling option.

  9. 9

    Publish transparency reports

    Publish periodic transparency reports on moderation activity (Article 15 / Article 24 for platforms), and keep an advertising repository if you are an online platform.

  10. 10

    Run systemic-risk duties (VLOPs only)

    If designated a VLOP/VLOSE, carry out annual systemic-risk assessments, implement mitigation, commission independent audits, and report — overseen directly by the European Commission.

DSA compliance — frequently asked questions

How do I comply with the Digital Services Act?
Start by classifying your service tier (intermediary, hosting, online platform, or VLOP), then work through the duties for that tier: appoint contact points and an EU representative if needed, make your terms transparent, build a notice-and-action mechanism, give statements of reasons for moderation decisions, run complaint handling, follow advertising and recommender-system transparency rules, and publish transparency reports. Very Large Online Platforms add annual systemic-risk assessments and independent audits.
Who does the Digital Services Act apply to?
The DSA (Regulation (EU) 2022/2065) applies to providers of intermediary services offered to users in the EU — mere-conduit and caching services, hosting services, online platforms, and online search engines — regardless of where the provider is established. Duties scale with the type and size of the service; the heaviest duties fall on Very Large Online Platforms and Search Engines with 45 million or more average monthly EU users.
Are small businesses and startups exempt from the DSA?
Micro and small enterprises are exempt from the platform-specific obligations (such as complaint handling and transparency reporting) but still have the baseline intermediary duties — for example, contact points, transparent terms, and acting on illegal-content notices. The systemic-risk and audit obligations only apply to designated Very Large Online Platforms.
When did the DSA come into force?
The DSA entered into force on 16 November 2022. It applied to designated Very Large Online Platforms and Search Engines from 25 August 2023, and to all other in-scope intermediary services from 17 February 2024.
What are the penalties for breaching the DSA?
Fines can reach up to 6% of a provider’s global annual turnover, with periodic penalty payments of up to 5% of average daily worldwide turnover for continued non-compliance. For Very Large Online Platforms, enforcement is led directly by the European Commission; for other services it is led by national Digital Services Coordinators.

DSA, AI Act and GDPR in one place

If your platform uses AI for moderation, recommendation, or ads, you likely face the DSA and the EU AI Act together. GeraCompliance maps both so shared evidence is reused.

Run the free classifierPricing

DSA & platform-rules alerts

The DSA, AI Act and platform rules keep evolving. Get a short, no-spam update when a duty, deadline or designation that affects you changes.

Related reading