Companies may face penalties of up to 6% of their annual overall turnover, as well as daily penalty payments of 5% per day or even temporary suspension of service in cases of serious non-compliance.
The regulation of digital services in Europe has taken a decisive turn with the entry into force of the Digital Services Act (DSA) in February 2024.
This new regulation affects platforms, marketplaces, social networks and hosting services that operate or have users within the European Union market.
From ECIJA Advisory, we explain what this regulation implies, who it affects and how it can impact your digital business if you operate in Spain or in Europe.
A new stage in European digital regulation
The Digital Services Act (DSA) is a European Union regulation that establishes a new regulatory framework for digital platforms and services operating within the EU market. Its full implementation started in February 2024 and involves a wide range of online players.
The essential purpose of this legislation is to strengthen security, clarity and accountability in the European digital ecosystem. From e-commerce to social networks, all digital intermediaries must comply with the provisions set by this regulation.
This law replaces the E-Commerce Directive passed in 2000 and creates a uniform set of obligations for digital service providers, no matter where they are established, whenever they interact with users in the European Union.
Who is affected by the DSA
The DSA affects all companies that act as digital intermediaries, whether they offer internet access services, web hosting or online platforms.
This ranges from technology SMEs to large platforms with millions of users, regardless of whether they are based in Europe or outside Europe, as long as they target their services to the European market.
The obligations are tiered according to the size and impact of the company. The greater their influence, the higher the level of legal requirements.
General obligations for all digital services
Any company providing digital services in the EU must designate an accessible point of contact, especially if operating from outside the EU.
The terms and conditions of service must be clear and specific, including information on content moderation and possible restrictions.
It is also mandatory to publish annual transparency reports, including information on how much content has been removed and for what reasons.
Requirements for hosting services and platforms
Hosting providers and platforms must have a "notice and action" system, which allows illegal content to be reported and removed quickly.
When content is removed, the affected user must be notified with a reasoned explanation, justifying the decision taken.
In cases of possible serious offences, companies are obliged to notify the competent authorities, complying with established protocols.
Online platforms: specific obligations
Platforms must offer a free internal complaints' system for users, which operates with agility and transparency.
They are obliged to prevent misuse of their services, combat fraud and prioritise attention to reliable alerter and official bodies.
They must also guarantee the traceability of sellers and full transparency in advertising, prohibiting advertisements based on sensitive data or aimed at minors.
Large platforms and search engines: maximum requirements
Platforms with more than 45 million active users in the EU must undergo annual systemic risk assessments, related to misinformation, manipulation or harm to minors.
These companies are required to implement measures to mitigate these risks, undergo independent audits and maintain accessible ad repositories.
They must provide full transparency in their recommendation systems, allowing non-customised options and providing access to investigators and regulatory authorities.
Sanctions and supervision in Spain
In case of serious non-compliance, fines can reach up to 6% of annual global turnover. For hindering supervision, penalties can be up to 1%.
Daily coercive fines of up to 5% of daily turnover are also envisaged to induce compliance. In extreme cases, suspension of service is allowed.
In Spain, the Comisión Nacional de los Mercados y la Competencia (CNMC) is the body in charge of supervision, except in cases of large platforms, which fall under the direct competence of the European Commission.
Impact of the DSA on SMEs and marketplaces
SMEs with less than 50 employees and less than EUR 10 million turnover are exempt from some advanced obligations, but must comply with the general ones.
Marketplaces, apps and rental platforms must verify the identity of their sellers, ensure compliance with EU regulations and avoid dangerous products.
Technology SMEs need to adapt their internal procedures, update their terms of service and strengthen user support and transparency mechanisms.
What companies need to know to comply with the DSA
Reviewing and updating the website's legal terms is an essential initial step, especially with regard to content and data use.
Appointing a legal representative in the EU and having a compliance team in place is essential if the company is based outside Europe.
Implementing traceability systems, advertising control and whistleblowing mechanisms helps reduce regulatory risk and protects corporate reputation.
How ECIJA Advisory prepares your company for compliance with the Digital Services Act
At ECIJA Advisory we have a legal team specialised in European digital law, which accompanies companies from all sectors in their adaptation to the new regulations.
We help to design a customised compliance plan, realistic and aligned with the business, integrating legal, technical and operational solutions.
If your company offers digital services in Spain or in the EU, contact us to ensure compliance with the Digital Services Act with guarantees.
LATEST FROM #ECIJA
Frequently asked questions about the Digital Services Act
Very large online platforms (more than 45 million active users) had to comply with the DSA obligations by 23 August 2023, while the remaining providers had a longer deadline of 17 February 2024.
Article 21 of the Digital Services Act allows users to turn to Certified Out-of-Court Dispute Resolution Bodies (ODS). There are currently entities such as ADROIT, ACE, and the ADR Center, among others, as certified bodies as of May 2025.
Yes. Any digital intermediary offering its services within the European Union, even if not based in the EU, must comply with the DSA and, where applicable, appoint a legal representative in the EU for supervisory purposes.
Platforms should implement age verification systems, child-friendly complaint mechanisms, and avoid advertisements based on children's profiles or sensitive data. In addition, they should combat misleading interfaces designed to manipulate user decisions.
The DSA requires transparency on how recommender systems work, even allowing the user to opt for options without personalisation. It also requires data sharing with researchers and regulators.
Yes. The European Commission initially designated 19 very large search engines and platforms, including Amazon, Facebook, Google Search, YouTube, TikTok, among others, that must comply with more stringent measures.