1. This Regulation shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.
2. This Regulation shall not apply to services provided by providers that are micro or small enterprises as defined in Commission Recommendation 2003/361/EC where those enterprises provide those services exclusively in one Member State.
Territorial Scope and Extraterritorial Application: Article 2(1) establishes one of the DSA's most significant features: comprehensive extraterritorial application based on user location rather than provider establishment. Traditional jurisdictional principles focus on where businesses are established, but digital services transcend borders - a platform established in California serves users globally without physical presence in most countries. The DSA addresses this by applying to 'intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.' This 'country of destination' approach means the DSA applies whenever services reach EU users, regardless of whether the provider has any physical establishment, employees, offices, or assets in Europe. US giants like Meta, Google, Amazon, and Microsoft must comply. Chinese platforms like TikTok and Shein must comply. Any provider anywhere in the world offering services to EU users falls within scope. This extraterritorial reach raises questions about jurisdictional authority, enforcement capacity, and international law principles, but the EU asserts regulatory authority based on protecting EU residents and ensuring a level playing field in the EU market.
Substantial Connection to the Union: Recital 8 clarifies that mere technical accessibility isn't sufficient - providers must have 'substantial connection to the Union' through either establishment in the EU or specific factual criteria demonstrating targeting of EU markets. Relevant targeting factors include: offering services in languages generally used in one or more Member States (a platform available in French, German, Italian, or Polish suggests EU targeting); using currencies generally used in Member States (accepting euros indicates EU market focus); enabling ordering products or services to Member States (EU shipping options demonstrate intentional service provision); using top-level domains associated with Member States (.de, .fr, .es, etc., though .com is neutral); making applications available in relevant national application stores (presence in EU app stores); providing local advertising or advertising in languages used in Member States (EU-targeted marketing campaigns); handling customer relations in languages generally used in Member States (offering customer support in EU languages); or having significant numbers of users in Member States relative to population. These factors are assessed holistically - no single factor is determinative, but collectively they establish whether a provider is directing services toward EU users. A Brazilian e-commerce site accepting only reais, shipping only domestically, and operating entirely in Portuguese without EU marketing likely lacks substantial EU connection even if technically accessible from Europe. Conversely, a US platform with millions of EU users, EU language interfaces, euro payment options, and EU-targeted advertising clearly has substantial connection regardless of US establishment.
Location and Establishment of Recipients: The phrase 'recipients of the service that have their place of establishment or are located in the Union' encompasses both natural and legal persons. Natural persons (individuals) are 'located in the Union' based on their habitual residence - where they normally live, not temporary location. EU citizens traveling abroad remain protected; non-EU visitors temporarily in Europe gain protection while present. Legal persons (companies) are 'established' in the Union based on their registered office, central administration, or principal place of business within EU territory. This dual formulation ensures comprehensive coverage: individuals using services while living in or visiting the EU, and businesses established in the EU using intermediary services. The regulation thus protects a Spanish individual using Twitter, a German company using cloud storage, a French tourist using ride-sharing apps while visiting Paris, and an Italian business selling through online marketplaces. Importantly, applicability depends on recipient location, not recipient citizenship or nationality - a US citizen residing in Berlin enjoys full DSA protection; an EU citizen living in New York does not (though they regain protection if they return to EU residence).
Micro and Small Enterprise Exemption: Article 2(2) provides important relief for very small businesses: micro and small enterprises defined under Commission Recommendation 2003/361/EC operating exclusively within one Member State are exempt from DSA application. Under that Recommendation, 'micro enterprises' employ fewer than 10 persons and have annual turnover or balance sheet not exceeding €2 million, while 'small enterprises' employ fewer than 50 persons and have annual turnover or balance sheet not exceeding €10 million. However, exemption requires exclusive operation within a single Member State - a small German hosting company serving only German users is exempt, but if it serves users in Germany and France, the exemption disappears. 'Exclusively in one Member State' means the service is intentionally limited to that market - not merely that most users happen to come from one country. This exemption recognizes that compliance costs could crush small local businesses, potentially disadvantaging them against larger competitors. By exempting purely domestic small players, the DSA encourages local digital entrepreneurship while focusing regulatory resources on services with cross-border reach. Importantly, while exempt from DSA obligations, these enterprises remain subject to national law, consumer protection regulations, and sector-specific rules - the exemption is narrow to DSA requirements only.
Implications of Extraterritorial Application: The DSA's extraterritorial reach creates significant compliance obligations for non-EU providers. First, they must designate legal representatives within the EU (Article 13) who can receive legal notices, orders, and user communications. Second, they must comply with all applicable DSA obligations based on their service classification - a US-based hosting provider must implement notice-and-action mechanisms, transparency reporting, and terms of service requirements just as EU-established providers must. Third, they must respond to orders from EU authorities including content removal orders (Article 9) and information disclosure orders (Article 10). Fourth, they subject themselves to EU enforcement jurisdiction - the Commission and Digital Services Coordinators can investigate, impose compliance measures, and levy fines up to 6% of global annual turnover. Fifth, they must adapt business practices to EU requirements even if these differ from home-country norms - US Section 230 immunity doesn't apply in Europe; Chinese content regulation approaches don't override DSA requirements. This creates practical challenges: understanding and implementing EU legal requirements, maintaining EU legal representation, coordinating compliance across multiple jurisdictions with potentially conflicting requirements, and accepting EU regulatory authority. Some providers might consider geo-blocking EU users to avoid compliance, but this would sacrifice a market of 450 million relatively wealthy consumers - economically unviable for most global platforms.
Coordination with International Law and Other Jurisdictions: The DSA's extraterritorial application raises international law questions about jurisdiction to prescribe, adjudicate, and enforce rules affecting foreign entities. The EU justifies jurisdiction based on effects doctrine - services affecting EU territory and EU residents fall within EU regulatory competence regardless of provider location. This parallels EU data protection law (GDPR Article 3(2)) applying to non-EU processors offering services to EU data subjects, and EU competition law applying to anti-competitive conduct affecting EU markets. However, extraterritorial regulation creates potential conflicts when home countries have different rules. US law provides broad intermediary immunity under 47 U.S.C. § 230; the DSA imposes extensive obligations. Chinese law requires platforms to suppress certain content; EU law protects it as lawful expression. Russian data localization rules conflict with EU cross-border data flow principles. Providers must navigate these conflicts, potentially implementing geo-differentiated compliance - different moderation standards, recommendation systems, or data practices for different jurisdictions. International cooperation mechanisms, mutual recognition agreements, or harmonization efforts could reduce conflicts, but currently each major jurisdiction (EU, US, China, UK post-Brexit, Australia, India) is developing distinct digital regulation creating compliance complexity. The DSA represents the EU's assertion of digital sovereignty - the right to regulate digital services affecting European users according to European values regardless of where providers are based.
Determining Applicability in Practice: Service providers must conduct careful jurisdictional analysis to determine DSA applicability. Key questions include: Do we offer services to users in the EU? This requires examining user demographics, traffic sources, and marketing activities. If serving EU users, do we have substantial connection to the Union? Assess the targeting factors from Recital 8 - languages, currencies, shipping, domains, advertising, customer service. Are we exempt as a micro/small enterprise operating exclusively in one Member State? Verify employee count, annual turnover/balance sheet, and geographic service scope. If within scope, what category of intermediary service do we provide? Classify as mere conduit, caching, hosting, online platform, or VLOP/VLOSE based on technical function and user numbers. What obligations apply to our service category? Map specific DSA requirements to services provided. Do we need legal representatives in the EU? Non-EU providers within scope must designate representatives under Article 13. What compliance steps must we take? Develop implementation roadmap based on applicable obligations. Companies should document this analysis, consult legal counsel familiar with EU digital regulation, monitor user demographics and service evolution that might change applicability, and review annually or when launching new services or entering new markets. Uncertainty should be resolved conservatively - the costs of non-compliance (fines up to 6% of global turnover, enforcement proceedings, reputational damage) far exceed prudent over-compliance.
Non-EU Tech Giants' Compliance Obligations: Major US technology companies serve hundreds of millions of EU users and clearly fall within DSA scope despite US establishment. Meta Platforms (Facebook, Instagram, Threads, WhatsApp) must comply for all services offered to EU users - Facebook and Instagram are designated VLOPs subject to full Chapter IV obligations including annual risk assessments, independent audits, and researcher data access. Alphabet (Google Search, YouTube, Google Play, Google Maps, Google Shopping) faces VLOP designation for YouTube and VLOSE designation for Google Search, requiring comprehensive compliance programs. Amazon's marketplace qualifies as a VLOP, subjecting it to enhanced obligations including systemic risk assessment of counterfeit products, recommender system transparency, and advertising repository requirements. Apple's App Store must comply with platform obligations for EU users. Microsoft's services including LinkedIn (designated VLOP), cloud services, and gaming platforms must implement applicable requirements. X (formerly Twitter), despite ownership changes and policy shifts, remains a designated VLOP subject to Commission supervision - recent Commission proceedings against X for alleged DSA violations demonstrate active enforcement. Netflix and Spotify, while not currently designated VLOPs, must comply with hosting and platform obligations. TikTok (ByteDance), despite Chinese ownership and US operations, is a designated VLOP subject to particularly intense scrutiny given concerns about algorithmic amplification, minor protection, and foreign influence - the Commission's 2024 proceedings against TikTok for alleged child safety violations illustrate enforcement against non-EU platforms.
Targeting Assessment for Service Providers: Companies must systematically assess whether they're offering services to EU recipients with substantial connection. A practical assessment framework includes: User Analysis - What percentage of users are EU-located? If more than minimal, substantial connection likely exists. Where does traffic originate? EU traffic sources (direct visits, search engines, referrals) indicate EU presence. What user behaviors occur? Accounts created with EU addresses, payments from EU cards, and EU IP addresses demonstrate EU user base. Interface Analysis - What languages are supported? Offering French, German, Spanish, Italian, Polish, or other EU languages (beyond English) suggests EU targeting. What currencies are accepted? Euro acceptance strongly indicates EU market focus. What payment methods work? Accepting EU payment cards, SEPA transfers, or local payment methods demonstrates EU service provision. Marketing Analysis - Where are ads placed? EU-targeted advertising campaigns indicate intentional EU market approach. What markets are mentioned in promotional materials? Referring to EU markets in marketing suggests targeting. Are there EU-specific landing pages or campaigns? Localized content demonstrates deliberate EU reach. Commercial Terms Analysis - Where can products ship? Offering EU shipping shows EU service provision. What jurisdictions do terms reference? Terms mentioning EU law or jurisdictions acknowledge EU operations. What customer support is provided? EU phone numbers, support in EU languages, or EU business hours indicate EU customer focus. Companies finding multiple positive indicators should presume DSA applicability and prepare compliance programs rather than risk enforcement exposure.
Micro/Small Enterprise Exemption Application: Small businesses must carefully verify exemption eligibility. A Polish web hosting company with 30 employees and €8 million annual revenue serving only Polish customers clearly qualifies - fewer than 50 employees, under €10 million turnover, exclusively one Member State. However, if that company begins serving Czech customers, even as a small portion of business, the exemption disappears entirely and full DSA compliance becomes mandatory. A French content moderation startup with 45 employees but €15 million revenue exceeds the financial threshold and doesn't qualify. A German app developer with 8 employees and €1.5 million revenue operating only in Germany qualifies as a micro enterprise. Critical considerations include: Employee Counting - Count all employees including part-time (weighted by hours) and temporary workers. Annual average determines compliance. Financial Thresholds - Use either annual turnover OR balance sheet total, not both - whichever is more favorable. Base on most recent financial year. Exclusive Operation - 'Exclusively in one Member State' requires genuine limitation to one market. Passive acceptance of occasional users from other states likely doesn't destroy exemption if service isn't targeted at other markets, but active marketing, localization, or service provision to multiple states ends exemption. Growth Monitoring - Companies approaching thresholds should monitor carefully and prepare compliance programs to implement when exemption ends. Exemption loss doesn't provide grace periods - compliance becomes immediately mandatory upon threshold crossing.
Legal Representative Designation for Non-EU Providers: Article 2's extraterritorial application combined with Article 13's legal representative requirement creates practical implementation needs for non-EU providers. A US SaaS company offering cloud collaboration tools to European businesses must: identify an appropriate legal representative in the EU (options include establishing a subsidiary, designating an existing EU affiliate, or retaining a law firm or compliance service provider); execute written mandate authorizing representative to receive and respond to orders, decisions, notices, and communications; ensure representative can be contacted electronically and by postal address; publish representative contact information publicly; establish communication channels between representative and US headquarters for rapid coordination on orders and notices; and provide representative with resources, authority, and information to respond effectively. A Chinese e-commerce platform like Shein serving EU customers must designate representatives even without EU physical presence - typically through law firms or specialized compliance services. VLOPs and VLOSEs like TikTok must designate representatives in every Member State where they operate, requiring coordination across multiple representatives and ensuring consistent responses. Practical costs include representative fees (law firms typically charge annual retainers plus hourly rates for active matters; subsidiaries require staffing and overhead), coordination infrastructure, and management attention - but these costs pale compared to potential fines (up to 6% of global turnover) and enforcement consequences of non-compliance.
Geo-Differentiated Compliance and Service Delivery: Providers serving both EU and non-EU markets frequently implement geo-differentiated compliance - different features, policies, or procedures for different jurisdictions. For EU users, platforms might: provide DSA-compliant notice-and-action mechanisms, statement of reasons, and internal complaints systems not offered to non-EU users; implement stricter content moderation aligned with EU illegal content definitions; provide recommender system choice and transparency required for EU VLOPs; maintain advertising transparency repositories for EU users; and enable researcher data access for EU operations. This geographic differentiation requires: reliable geolocation to determine user location; user communication explaining geographic variations; systems capable of supporting different rule sets by geography; compliance documentation for each jurisdiction; and legal analysis ensuring geo-differentiation doesn't violate other rules (e.g., non-discrimination obligations). Some providers, particularly smaller ones, may implement EU-compliant approaches globally to avoid complexity - if DSA-compliant notice-and-action works, apply it worldwide rather than maintaining separate systems. Larger providers with resources for geographic differentiation can optimize for each jurisdiction's requirements but face greater complexity. The rise of divergent digital regulation (EU DSA, UK Online Safety Bill, Australian Online Safety Act, US state laws, Chinese Cybersecurity Law) increasingly forces platforms into geo-differentiated approaches or choosing one standard to apply globally - often the strictest standard to ensure compliance everywhere.
Cross-Border Enforcement Scenarios: Article 2's scope creates various enforcement scenarios: Scenario 1 - EU-Established Provider: An Irish-established platform serving all EU countries falls under Irish Digital Services Coordinator supervision as establishment-state authority. If it's a VLOP, Commission has exclusive competence for enhanced obligations but Irish DSC retains competence for baseline obligations. French or German DSCs can request Irish DSC take action affecting French or German users. Scenario 2 - US-Established Provider: A US platform serving EU users must designate EU legal representatives, respond to orders from any Member State authority regarding EU users, and submit to Commission supervision if designated VLOP. No specific Member State DSC has establishment jurisdiction, so Commission or requesting Member State authorities coordinate enforcement through legal representatives. Scenario 3 - Provider in Non-Cooperating Jurisdiction: A Russian or Chinese provider may resist EU jurisdiction. EU can order measures affecting EU users, block access within EU territory if providers don't comply, impose fines (though collection may be difficult without EU assets), and coordinate with international partners. Scenario 4 - Small Provider Expanding: A small Spanish company exempt under Article 2(2) begins serving Portuguese users. Exemption immediately ends, and all DSA obligations apply. The provider must rapidly implement compliance - designate points of contact, establish notice mechanisms, create transparency reports - despite resource constraints. These scenarios illustrate why providers need clear jurisdictional analysis, legal representation strategies, compliance roadmaps, and monitoring systems to track threshold changes affecting applicability.