verified_user
Standardful
Homechevron_rightStandardschevron_rightEU DSA
ActiveInternational Standardupdate Standard Updated: February 2024fact_check Fact checked: Jun 28, 2026

EU DSA

Digital Services Act — Regulation (EU) 2022/2065

apartmentPublishing Organization:European Union

Standard Introduction

EU DSA is an active standard published by European Union. It is commonly used across Technology, Services, Retail and applies in European Union, European Economic Area.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with EU DSA.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define online intermediary and platform governance scope

Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by EU Digital Services Act. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for intermediary classifications, notice-and-action, terms transparency, statement of reasons, complaint handling, trusted flaggers, trader traceability, advertising transparency, recommender transparency, systemic-risk assessment, and audit duties.

2
Phase 2schedule Duration: 4-10 weeks

Assess gaps and prioritize risks

Compare current practices with the expected online intermediary and platform governance approach. Review service classification, illegal-content workflows, user notices, appeals, transparency reporting, advertiser and trader records, recommender disclosures, minor protection, data access, and VLOP/VLOSE risk controls, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and records

Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain classification memos, moderation logs, notices, appeal records, transparency reports, ad repository data, trader verification records, risk assessments, audit reports, and regulator communications as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, audit, and improve

Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Controls and evidence

checklist Monitoring and improvement

Frequently Asked Questions

Who needs EU Digital Services Act?

expand_more

EU Digital Services Act is most relevant to online intermediaries, hosting services, online platforms, marketplaces, and very large online platforms/search engines serving the EU. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.

Is EU Digital Services Act certifiable?

expand_more

The DSA is a legal compliance regime, not a certification standard; evidence supports regulator, audit, and due-diligence readiness.

What should the implementation focus on first?

expand_more

Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.

What evidence is useful for EU Digital Services Act?

expand_more

Useful evidence includes classification memos, moderation logs, notices, appeal records, transparency reports, ad repository data, trader verification records, risk assessments, audit reports, and regulator communications. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories