Article 11

Points of contact for Member State authorities, the Commission and the Board

1. Providers of intermediary services shall designate a single point of contact to enable them to communicate directly, by electronic means, with Member State authorities, the Commission and the Board, in respect of this Regulation.

2. Providers of intermediary services shall make public the information necessary to easily identify and communicate with their single point of contact.

3. The single point of contact shall be in one of the official languages of the Member States in which they offer their services and in a language that can be easily understood by the greatest number of the largest language groups in those Member States.

Understanding This Article

Article 11 of the Digital Services Act establishes a foundational due diligence obligation requiring all intermediary service providers, regardless of size or establishment location, to designate and publish a single point of contact enabling direct electronic communication with Member State authorities, the European Commission, and the European Board for Digital Services. This provision serves as the gateway for regulatory communication, enforcement actions, cooperation procedures, and information exchanges that underpin the DSA's entire governance framework.

The universal applicability of Article 11 is significant. While many DSA obligations are graduated based on provider size and type (general platforms face additional obligations under Section 3; marketplaces under Section 4; VLOPs/VLOSEs under Section 5), the point of contact requirement applies to every provider offering intermediary services in the EU - from sole proprietor bloggers running small hosting services to global technology giants. This universality ensures authorities can reach any provider when DSA matters arise, preventing regulatory dead ends where providers claim unreachability or channel inquiries through non-responsive generic contact addresses.

The requirement for a 'single' point of contact serves multiple purposes. First, it creates clarity and prevents providers from fragmenting authority communications across multiple departments or addresses, avoiding bureaucratic run-arounds. Second, it establishes accountability by designating a specific contact responsible for DSA matters. Third, it enables efficient communication during urgent situations (such as CSAM or terrorist content requiring immediate action). Fourth, it facilitates the cross-border cooperation framework, as Digital Services Coordinators in multiple Member States need reliable channels to reach providers operating across jurisdictions.

The 'direct electronic communication' requirement has specific implications. Providers must enable email, secure messaging systems, or similar electronic channels that allow authorities to transmit legally significant documents, orders, inquiries, and enforcement notices. Web contact forms requiring users to navigate multi-step interfaces and lacking confirmation or tracking capabilities are insufficient if they're the only available channel. Phone numbers and postal addresses, while useful supplementary contacts, don't satisfy the electronic communication requirement. The emphasis on 'direct' means communications should reach responsible personnel without excessive gatekeeping or routing through general customer service channels.

Language requirements in Article 11(3) balance accessibility with practical feasibility. Points of contact must function in 'one of the official languages of the Member States in which they offer their services' and 'in a language that can be easily understood by the greatest number of the largest language groups in those Member States.' For providers operating EU-wide, this typically means offering contact capabilities in major languages like English, German, French, Spanish, or Italian that collectively enable communication with authorities across most Member States. A provider serving only Portugal could designate Portuguese-language contact; a provider serving all Member States might designate contacts in English (widely used in regulatory/legal contexts) plus several major EU languages.

The public availability requirement ensures transparency and accessibility. Providers must 'make public the information necessary to easily identify and communicate with their single point of contact.' This typically involves publishing contact information on websites (in footer sections, dedicated DSA compliance pages, or transparency reports), in terms of service, or through registries maintained by Digital Services Coordinators. The information should be 'easily accessible' - meaning findable without extensive searching, available without registration requirements, and presented in clear, understandable formats.

Article 11 points of contact serve distinct functions from other DSA contact obligations. Article 12 requires points of contact for service recipients (users), enabling individuals to communicate with providers about their service experiences, complaints, and inquiries. Article 11 contacts serve regulatory functions, facilitating authority-provider communication about compliance, enforcement, orders (Articles 9-10), investigations, transparency reporting, systemic risk assessments, and supervisory matters. Large platforms might designate different personnel or departments for Article 11 (regulatory affairs team) versus Article 12 (user support team) purposes, though nothing prevents using the same contact if adequately staffed.

The relationship with Digital Services Coordinators is particularly important. DSCs serve as principal national authorities for DSA enforcement, coordination, and supervision. When a DSC needs to communicate with a provider about potential violations, transparency report requirements, risk assessment obligations, or supervisory measures, the Article 11 point of contact is the primary channel. For providers not established in the EU, Article 13's legal representative requirement complements Article 11 - the legal representative can serve as the point of contact or work closely with it to ensure effective communication with authorities.

Compliance verification and enforcement present practical challenges. While designating a point of contact is straightforward, ensuring it functions effectively requires responsive personnel monitoring communications, appropriate language capabilities, and integration with legal/compliance teams able to respond to complex regulatory inquiries. DSCs monitor whether providers designate and maintain functional points of contact. Failures to designate contacts, designating non-functional contacts (email addresses that bounce, aren't monitored, or receive no responses), or providing contacts without adequate language capabilities constitute DSA violations subject to enforcement actions and penalties.

Key Points

  • All intermediary service providers must designate a single point of contact for authorities regardless of size
  • Enables direct electronic communication with Member State authorities, Commission, and Board
  • Must be publicly available, easily accessible, and kept current with updated information
  • Must function in official languages of Member States where services offered and languages understood by major language groups
  • Serves as gateway for regulatory communications, enforcement actions, orders, inquiries, and cooperation
  • Distinct from Article 12's user-facing contact - Article 11 addresses authority-provider communication
  • Non-EU providers must designate EU-accessible contacts; legal representatives (Article 13) can fulfill this role
  • Contact must be functional, monitored, and responsive - designation alone insufficient
  • Applies across all intermediary service categories: mere conduit, caching, hosting, and platforms
  • DSCs monitor compliance and can enforce penalties for non-designation or non-functional contacts
  • Facilitates cross-border cooperation by providing reliable channels for multi-jurisdictional coordination
  • Critical for urgent matters like CSAM, terrorist content, or imminent threats requiring immediate provider action

Practical Application

For Small Hosting Provider: A Polish startup operates a web hosting service serving primarily Polish businesses and individuals. Under Article 11, it must designate a point of contact. The company designates '[email protected]' as its single point of contact, assigns a compliance officer to monitor this email daily, and ensures staff can communicate in Polish and English (useful for Commission communications or coordination with other Member States' DSCs). The company publishes this contact prominently on its website footer and in its terms of service: 'DSA Point of Contact: [email protected] | Languages: Polish, English.' When the Polish DSC sends inquiries about transparency reporting or receives complaints requiring provider communication, it uses this contact, receiving responses within reasonable timeframes.

For Global Social Media Platform: Meta operates Facebook, Instagram, and WhatsApp across the EU. It designates '[email protected]' as its single point of contact for all Meta services, staffs a dedicated DSA regulatory team monitoring this contact 24/7 (enabling rapid response to urgent matters), and ensures multilingual capabilities (English, German, French, Spanish, Italian, Polish, Dutch, and Swedish, covering major EU languages and markets). Meta publishes this contact in multiple locations: website transparency centers, DSA compliance pages, and submissions to Digital Services Coordinators' registries. When the Irish DSC (Meta's primary supervisor as its EU establishment) needs to communicate about VLOP obligations, when German authorities issue Article 9 orders, or when the Commission requests information for investigations, all utilize this point of contact.

For Multi-Service Provider: Cloudflare operates multiple intermediary services: CDN (caching - Article 5), DNS resolution (potentially mere conduit - Article 4), and website hosting (Article 6). Should Cloudflare designate separate points of contact for each service? No - Article 11 requires a 'single' point of contact for the provider, not per-service contacts. Cloudflare designates '[email protected]' covering all its intermediary services. When authorities need to communicate about specific service categories, they use this contact and specify which service the communication concerns. This simplifies administration while ensuring authorities have reliable access.

For Non-EU Provider Without EU Establishment: A US-based image hosting service serves EU users but has no EU establishment or legal representative (if required under Article 13). The service still must designate an Article 11 point of contact enabling EU authorities to communicate. It designates '[email protected]' monitored by its legal team in California. When Member State authorities issue orders or inquiries, they use this contact. However, if the provider meets Article 13 thresholds requiring legal representative designation, the legal representative's contact information complements or may serve as the Article 11 point of contact, providing in-EU accessibility for authorities.

For Language Compliance: A marketplace platform operates in Germany, France, Spain, Italy, and Poland. How should it handle Article 11(3) language requirements? Option 1: Designate multiple language-specific contacts ([email protected] for German, [email protected] for French, etc.). Option 2: Designate a single multilingual contact with staff handling all relevant languages. Most providers choose Option 2 for simplicity. The platform designates '[email protected]' and ensures staff can communicate in English, German, French, Spanish, Italian, and Polish. When German authorities contact the platform, communications can occur in German; when French authorities contact it, communications can occur in French; and so on. Publishing language capabilities ensures authorities know which languages are available.

For Urgent Communications: Swedish police identify imminent child safety threats involving content on a forum. They need immediate provider contact to issue emergency removal orders under Article 9. They locate the forum's Article 11 point of contact, send an urgent order to '[email protected],' and receive confirmation of receipt and action within hours. The forum's compliance team, monitoring the DSA contact email, immediately escalates urgent matters to trust and safety teams, enabling rapid response. Without Article 11's requirement for functional, monitored contacts, such urgent communications might be delayed or lost in generic customer service channels.

For Cross-Border Coordination: A video platform with EU establishment in Ireland receives an Article 9 order from Italian authorities requiring content removal. Italy sends the order to the platform's Article 11 contact and notifies the Irish DSC (establishment state) and other relevant Member States' DSCs. The platform receives the order, its legal team (monitoring the Article 11 contact) assesses compliance requirements, and the company executes the order while documenting the process for transparency reporting. The Irish DSC, notified by Italy, can monitor the platform's compliance and coordinate if issues arise. Article 11 enables this multi-jurisdictional coordination by providing reliable contact channels all participants can use.

For Contact Information Updates: A hosting provider changes its DSA contact email due to organizational restructuring. It immediately updates public information on its website, notifies all relevant DSCs about the change, and ensures the old contact forwards to the new one temporarily to prevent communication gaps. Keeping contact information current is an ongoing Article 11 obligation - providers can't designate contacts and then abandon them. Outdated, non-functional, or unmonitored contacts constitute compliance failures.

For Enforcement - Non-Functional Contact: A Bulgarian DSC needs to communicate with a hosting provider about potential DSA violations. The DSC sends inquiries to the provider's published Article 11 contact but receives no response. After multiple attempts over weeks, the DSC opens enforcement proceedings for Article 11 non-compliance. The provider claims it designated a contact as required. However, investigation reveals the email address isn't monitored regularly, forwarding was misconfigured, and responsible staff never received DSC communications. The DSC determines that designating a contact is insufficient - the contact must be functional, monitored, and responsive. Penalties are imposed for failing to maintain an effective point of contact, highlighting that Article 11 requires genuine accessibility, not merely formal designation.

Real-World Challenge - Balancing Responsiveness and Resources: A medium-sized platform receives dozens of communications weekly through its Article 11 contact - orders from multiple Member States, DSC inquiries, Commission information requests, Board communications about guidance and standards. Maintaining adequate staffing to monitor, triage, respond, coordinate internal actions, and document communications requires significant resources. However, Article 11 compliance is non-negotiable - providers cannot claim resource constraints excuse non-responsive contacts. Effective platforms invest in dedicated regulatory affairs teams, legal support, translation capabilities, and case management systems handling Article 11 communications. This underscores that while Article 11 appears simple (designate a contact), operationalizing it effectively requires organizational commitment and resources proportionate to the provider's scale and complexity.