The Digital Services Act: Scope, Obligations and Practical Implications for Micro and Small Enterprises

The Digital Services Act: Scope, Obligations and Practical Implications for Micro and Small Enterprises


Key takeaways


The Digital Services Act (DSA) introduces a set of obligations relating to liability, transparency, and risk management for providers of intermediary services. Specific adjustments are provided to facilitate compliance by small businesses.


The Digital Services Act (DSA), has been fully applicable since February 2024. The DSA establishes a comprehensive framework of obligations relating to liability, transparency, and risk management for providers of intermediary services, including hosting services, online platforms, and online marketplaces operating in the EU. (1)

The Regulation includes a number of tailored measures designed to take into account the potential impact that the implementation of these obligations may have on small businesses.

The purpose of this article is to provide an overview of the provisions that specifically apply to microenterprises and small and medium-sized enterprises (SMEs) operating digital services that fall within the scope of the DSA.


1. The DSA: Scope and Online Services Covered

The DSA aims to regulate the provision of intermediary services by introducing harmonised rules across the European Union.

The Regulation pursues three key objectives, with a view to ensuring a safer digital environment, i.e. combating illegal content and systemic risks, safeguarding users’ fundamental rights, and strengthening the accountability of digital service providers.

The DSA applies to the provision of intermediary services, within the meaning of Article 3(g) of the Regulation, namely:

    a. Mere conduit services are services consisting of the transmission, in a communication network, of information provided by a recipient of the service (user), or the provision of access to a communication network. The providers concerned include internet access providers (ISPs), including telecommunications and videoconferencing service operators, open Wi-Fi services (accessible in public places), as well as domain name registrars and messaging services;

    b. Caching services, namely services involving the automatic, intermediate and temporary storage of information for the sole purpose of making onward transmission to other recipients more efficient (for example, services offered by AWS, Akamai, or Cloudflare);

    c. Hosting services are services consisting of the storage of information provided by a recipient of the service at that recipient’s request. These services include website hosting providers and cloud computing services, online platforms including online marketplaces, video-sharing services, social networks, accommodation and travel platforms, and search engines.

The DSA applies to providers of intermediary services where the recipients of the services are established or reside in the European Union. The determining criterion is that of the targeted market, rather than the place of establishment of the service provider.

These services are not operated solely by large companies. A wide range of economic actors of varying sizes, often less visible to the general public, provide digital services.


2. Partial Exclusion from the Scope of the DSA for Microenterprises and Small Enterprises

Microenterprises and small enterprises (very small enterprises and SMEs) benefit from an exemption from compliance with certain provisions of the DSA.

This partial exemption from DSA compliance, which applies as long as the enterprise meets the size criteria defined by the European Commission, is intended to avoid imposing disproportionate financial and administrative burdens on the smallest economic actors.

Microenterprises and small enterprises are defined as follows: (2)
     - A microenterprise employs fewer than 10 persons and has an annual turnover (or annual balance sheet total) of no more than EUR 2 million;
     - A small enterprise employs fewer than 50 persons and has an annual turnover (or annual balance sheet total) of no more than EUR 10 million.

Where the relevant thresholds are exceeded for two consecutive financial years, the enterprise loses this status. It must then implement the additional obligations under the DSA within 12 months following the loss of its microenterprise or small enterprise status.


3. Obligations Applicable to the Different Categories of Intermediary Services

For microenterprises and small enterprises, a common core of obligations applies to all providers of intermediary services, supplemented by specific obligations for hosting services and online platforms.

    3.1 Obligations Applicable to All Providers of Intermediary Services

Providers of intermediary services are subject to the following obligations (Articles 9 to 15):

     - the obligation to process, without undue delay, orders issued by the competent authorities to act against illegal content (removal or disabling of access to content) or to provide information relating to a recipient of the service (Articles 9 and 10);
     - the designation of points of contact enabling the authorities and users to communicate directly with the service providers by electronic means (Articles 11 and 12);
     - the designation of a legal representative for providers not established in the European Union but offering services in the EU (Article 13);
     - transparent terms and conditions, meaning that they must be easily accessible and drafted in clear, plain, intelligible and unambiguous language. The terms and conditions must in particular set out content moderation policies, algorithmic decision-making processes, and complaint-handling mechanisms (Article 14). Where the service is primarily directed at minors, the conditions and restrictions on the use of the service must be explained in a manner that is comprehensible to minors.

    3.2 Obligations Specific to Hosting Service Providers (Including Online Platforms)

The obligations applicable to hosting service providers and online platforms include the following (Articles 16 to 18):

     - the implementation of a notice and action mechanism enabling any individual or legal entity to notify content considered to be illegal (Article 16);
     - the obligation to provide a statement of reasons for decisions to restrict or remove content (Article 17). Users affected by a content moderation decision must be informed by the hosting service provider. The statement of reasons must include, in particular, the nature of the restriction, the facts and circumstances leading to the decision, and the available means of redress (internal complaint-handling mechanism, out-of-court dispute settlement, judicial redress);
     - a procedure to notify law enforcement or judicial authorities where there is a suspicion of a criminal offence involving a serious threat to the life or safety of one or more persons (Article 18).

     - For online platforms and search engines, this also includes the obligation to communicate, without undue delay and at the request of the Digital Services Coordinator and the European Commission, information relating to the average monthly active recipients of the service in the EU (Article 24(3)).

It should be noted, however, that certain small enterprises operating online platforms or search engines may be designated as Very Large Online Platforms (VLOPs) if the average monthly number of active recipients of the service in the EU is equal to or exceeds 45 million (Article 19(2)). In such cases, the obligations applicable to those services will apply in full (see our article “DSA and Compliance of Digital Services: What Hosting Providers, Platforms and Marketplaces Need to Know”).


    The DSA is not limited to large platforms: microenterprises and SMEs in the digital sector are also concerned, even though the regulation provides for adjustments proportionate to their size. Even in a streamlined form, the obligations applicable to micro and small enterprises require the implementation of procedures, in particular with regard to transparency, content moderation, and cooperation with authorities. Failure to comply exposes companies not only to audits and sanctions, but also to reputational risk.


* * * * * * * * * * *

(1) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act – DSA)

(2) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (2003/361/EC)


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

January 2026

Retourner à la page des Actualités et Publications

Mots clés :

accessibilité numérique (8) adwords (3) ai (27) anssi (3) arcep (5) arcom (21) audiovisuel (4) audit (4) base de données (3) bitcoin (1) blockchain (8) cbpr (7) cgv (1) chine (1) cjue (1) cloud computing (3) cnil (19) commerce (4) communication (8) compliance (38) confidentialité (3) conformité (22) consommateurs (4) contrat (11) contrefaçon (10) cookies (6) copyright (5) cryptologie (1) csa (1) cybercriminalité (5) cybersquatting (3) data (1) data privacy framework (2) dma (4) données à caractère personnel (19) données personnelles (34) dpf (2) droit d'auteur (11) dsa (10) e-commerce (15) e-consommateurs (1) enfance (6) etats-unis (6) eu (20) europe (19) formation (4) fraude (3) gdpr (31) google (4) hébergeur (5) ia (19) ico (1) informatique (14) informatique et libertés (4) intelligence artificielle (18) internet (36) jeu vidéo (3) liberté d'expression (3) logiciel (13) loi informatique et libertés (5) loi sren (6) marque (3) métavers (3) méthode agile (2) monnaie électronique (1) moteur de recherche (7) nda (1) nft (4) nom de domaine (1) numérique (14) originalité (5) privacy shield (2) propriété intellectuelle (15) protection des données (12) publicité (6) référencement (4) réglementation (13) réseau (2) réseaux sociaux (11) responsabilité (10) responsable du traitement (13) rgpd (24) robotique (7) rpa (6) salariés (4) santé publique (1) sécurité (7) singapour (8) site web (5) us (3) vie privée (23)