Chapter 2|Liability of Providers of Intermediary Services|📖 20 min read
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, the service provider shall not be liable for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients of the service upon their request, on condition that the provider:
(a) does not modify the information;
(b) complies with conditions on access to the information;
(c) complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;
(d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and
(e) acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or administrative authority has ordered such removal or disablement.
2. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
Understanding This Article
Foundational Purpose and Technical Function: Article 5 establishes liability protection for 'caching' services, the second of three intermediary service categories in the DSA's liability framework. Caching sits between 'mere conduit' (Article 4) involving only transmission, and 'hosting' (Article 6) involving permanent storage at user request. Caching services automatically and temporarily store copies of transmitted content to improve network performance, reduce latency, conserve bandwidth, and enhance user experience. Without this protection, entities operating CDNs, proxy caches, and similar infrastructure would face crushing liability for every piece of content flowing through their networks - making efficient internet operations economically impossible. The provision recognizes that caching is essential technical infrastructure serving purely operational purposes rather than editorial functions, justifying exemption from automatic liability for cached content. Article 5 directly continues Article 13 of the e-Commerce Directive 2000/31/EC, maintaining established principles while incorporating over two decades of technological evolution and CJEU jurisprudence clarifying intermediary obligations.
The Five Mandatory Conditions - Paragraph 1 Requirements: Article 5(1) establishes that caching exemption applies only when five cumulative conditions are satisfied. Failure to meet any single condition destroys the entire exemption, exposing providers to potential liability. First, providers must not modify cached information (paragraph 1(a)). This requirement preserves content integrity - caches must store and deliver bit-perfect copies of original content. However, 'modification' is interpreted narrowly: technical adaptations necessary for transmission (format conversion between compatible standards, compression for bandwidth efficiency, protocol translation) don't constitute prohibited modification if substantive content remains unchanged. CJEU case law emphasizes substance over form - converting video from one codec to another technically compatible codec for streaming efficiency doesn't violate non-modification if visual/audio content is unchanged. Conversely, inserting advertisements into cached web pages, stripping security headers, removing attributions, or altering substantive content clearly violates the condition. Second, providers must comply with conditions on access to information (paragraph 1(b)). If original content has access restrictions - subscription requirements, geographic blocking, age verification, authentication mechanisms - the cache must enforce identical restrictions. A CDN caching premium content cannot serve cached copies to non-subscribers just because it possesses the files. This prevents caches from undermining content owners' business models or security measures. Third, providers must comply with industry-recognized rules regarding content updates (paragraph 1(c)). Modern web protocols include sophisticated cache control mechanisms: HTTP cache-control headers specify how long content may be cached (max-age), when it must be revalidated (must-revalidate), or whether caching is prohibited (no-cache, no-store). CDNs and proxy servers must respect these directives. If a news website specifies cache max-age of 5 minutes, caches must refresh content at least that frequently. Ignoring update rules and serving stale content violates this condition. Fourth, providers cannot interfere with lawful use of technology to obtain data on content usage (paragraph 1(d)). Content originators have legitimate interests in understanding how their content is accessed and used - for analytics, advertising measurement, audience insights, and business intelligence. Caching services cannot strip analytics scripts, block measurement pixels, or otherwise prevent legitimate usage tracking. However, this requirement coexists with privacy regulations (GDPR, ePrivacy Directive) - providers need not facilitate unlawful tracking, only lawful data collection. Fifth, providers must act expeditiously to remove or disable access to cached information upon obtaining actual knowledge that source content was removed from the network, access was disabled, or a court/administrative authority ordered such removal or disablement (paragraph 1(e)). This creates a 'notice and takedown' obligation specific to caching: once caches know that source content is gone or legally required to be removed, they must purge their cached copies without undue delay. 'Actual knowledge' has the same meaning as Article 6 hosting context - clear, specific awareness, typically from explicit notices, court orders, or origin server signals (404 errors, removal confirmations). 'Expeditiously' means as quickly as reasonably achievable given technical constraints - minutes to hours for automated purges, not days or weeks.
Paragraph 2 - Transmission-Related Transient Storage: Article 5(2) clarifies that acts of transmission and access provision include automatic, intermediate, and transient storage of transmitted information 'in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.' This provision addresses the reality that modern internet transmission inherently involves fleeting storage - routers buffer packets in memory, network equipment stages data for retransmission, transmission protocols require temporary storage for error correction and flow control. Without explicit clarification, even these microsecond technical operations might be deemed 'caching' with corresponding obligations. Paragraph 2 ensures that purely transmission-supporting transient storage remains covered by Article 4 mere conduit protection rather than triggering Article 5 caching requirements, provided two conditions hold: the storage must be solely for transmission purposes (not serving independent caching functions), and duration must not exceed what's reasonably necessary for transmission. A router holding packets in buffer memory for milliseconds while forwarding them remains mere conduit. An ISP keeping content cached for hours or days to serve repeated requests is caching under Article 5. The distinction is functional and durational - what is the storage's purpose and how long does it persist?
Paragraph 3 - Preservation of Injunctive Relief: Article 5(3) explicitly preserves courts' and administrative authorities' power to require service providers to 'terminate or prevent an infringement' in accordance with Member State legal systems. This critical provision ensures that liability exemption doesn't prevent judicial intervention against specific harms. While CDNs and proxy services aren't automatically liable for cached content, courts can issue targeted orders requiring specific action. For example, if a CDN caches infringing content, copyright holders can obtain court orders requiring the CDN to purge cached copies and block re-caching. If a proxy server caches defamatory content, affected parties can seek injunctions requiring cache purging and preventing future caching of the same content. However, Article 8's prohibition on general monitoring obligations constrains what courts can order: injunctions must be specific and targeted, not requiring comprehensive surveillance of all cached content. CJEU case law (Scarlet Extended, SABAM, subsequent rulings) establishes that injunctions can't mandate automated filtering systems identifying all potentially infringing content, as such general monitoring violates fundamental rights and imposes disproportionate burdens. Permissible injunctions identify specific content or specific infringements, enabling targeted blocking without wholesale content surveillance. The balance is delicate: courts need enforcement mechanisms, but providers resist expensive monitoring obligations, and users' fundamental rights constrain permissible orders.
Scope and Covered Services: Article 5 caching category encompasses diverse technical services sharing the function of temporary content storage for transmission efficiency. Commercial CDNs like Cloudflare, Akamai, Fastly, Amazon CloudFront, and similar services distributing cached content through geographically distributed server networks clearly qualify - their core function is temporarily caching origin content closer to users for faster delivery. ISP-operated proxy caches used to reduce bandwidth costs and improve subscriber experience fall under Article 5 when caching customer-requested web content, images, videos, and other material for repeated delivery. Reverse proxy caches deployed by content owners in front of origin servers (like Varnish or Nginx caches) technically qualify, though since content owner controls both origin and cache, liability distinction may be less significant. Forward proxy caches used by enterprises, schools, or governments to cache external content for their users are covered. Transparent caching systems operated by network operators to optimize bandwidth qualify. Browser caches present interesting edge case: while browsers cache content locally, they're typically end-user devices rather than intermediary services, falling outside DSA scope. However, if a service provider operates browser-like caching on behalf of users, it might qualify. The key factors are: (1) does the service perform intermediate temporary storage of content in transmission? (2) is storage automatic and for efficiency purposes? (3) does the service operate as an intermediary between content origin and end users? If yes to all three, Article 5 likely applies.
Relationship to Other Liability Exemptions and Content Moderation: Article 5 caching protection exists within the three-tier liability exemption framework (Articles 4-6). Many service providers perform multiple functions simultaneously - an ISP might provide mere conduit (network access), caching (proxy servers), and hosting (email, web hosting). Each function receives corresponding protection. Cloudflare, for example, provides mere conduit (DNS routing, DDoS protection transmitting packets), caching (CDN services storing temporary copies), and potentially hosting (certain products storing content at customer request). Proper classification requires analyzing each specific activity. Critically, Article 7 ensures that caching providers don't lose exemption protection by conducting voluntary own-initiative investigations or implementing proactive measures to detect, identify, and remove illegal cached content. A CDN that implements automated systems scanning cached content for malware, child sexual abuse material, or other illegal content, and removes identified material proactively, maintains Article 5 protection. Without this 'Good Samaritan' provision, caches might hesitate to implement safety measures, fearing that taking proactive action would destroy their liability exemption. Article 7 explicitly states that providers 'shall not be deemed ineligible for the exemptions from liability referred to in Articles 4, 5 and 6 solely because they carry out voluntary own-initiative investigations' or take measures aimed at detecting and removing illegal content. This encourages responsible caching services to implement content safety measures without jeopardizing legal protections.
Knowledge, Notice, and Expeditious Action: The Article 5(1)(e) expeditious removal requirement creates practical obligations when caching providers become aware that cached content must be removed. 'Actual knowledge' arises from: (1) explicit notices from content owners or authorities informing the cache that source content was removed or ordered removed; (2) technical signals from origin servers (404 Not Found responses, gone-status indicators) showing source content is no longer available; (3) court or administrative orders specifically requiring cache purging; or (4) provider's own discovery through monitoring or investigation. Once actual knowledge exists, providers must act 'expeditiously' - as quickly as reasonably achievable. For automated cache management systems, this typically means immediate purging upon receiving removal signals. For manual interventions, 24-48 hours might be reasonable depending on provider size and resources. Deliberate delay or inaction after gaining actual knowledge violates the condition and exposes providers to liability. However, actual knowledge must be specific and clear - general awareness that 'some cached content might be illegal' isn't sufficient. A valid notice must identify specific cached content, explain why source was removed or ordered removed, and provide sufficient information enabling the cache to locate and purge the content. Cache operators should implement procedures for receiving and processing removal notices, automated systems for detecting origin server removal signals, technical mechanisms for rapid cache purging, documentation of when knowledge was obtained and action taken, and processes for verifying purge effectiveness.
Content Modification and Permitted Adaptations: The Article 5(1)(a) non-modification requirement prohibits substantive content alteration but permits technical adaptations necessary for transmission efficiency. Drawing the line between permitted technical modification and prohibited substantive alteration requires careful analysis. Clearly permitted: format conversion between compatible standards (transcoding H.264 video to H.265 if compatible), compression without quality degradation (gzip compression of text, lossless image compression), protocol adaptation (HTTP/1.1 to HTTP/2, IPv4 to IPv6 address translation), encryption/decryption for transmission security (TLS termination and re-encryption), resolution adaptation for device compatibility if quality-appropriate. Clearly prohibited: inserting advertisements into cached content, stripping attribution or copyright notices, modifying text content, removing or altering security headers, injecting tracking scripts beyond those in original content, censoring or redacting portions of content, combining cached content with other material. Gray areas requiring case-by-case analysis: aggressive lossy compression noticeably degrading quality, format conversion between incompatible standards potentially altering user experience, adding performance optimization scripts not in original content, security-motivated header modifications changing content behavior. The guiding principle is whether modifications serve purely technical transmission purposes while preserving substantive content as experienced by users, or whether they serve provider's business interests (advertising insertion, tracking) or alter what users receive compared to origin intent. Best practice: caches should minimize modifications, document and justify any technical adaptations as transmission-necessary, avoid business-motivated alterations, and remain as close to bit-perfect caching as technically feasible while achieving efficiency goals.
Key Points
Exempts caching services from liability for automatically stored temporary copies of transmitted content when acting as technical intermediaries
Covers Content Delivery Networks (CDNs), proxy servers, ISP caches, and other services storing content temporarily to improve transmission efficiency
Five mandatory conditions: no content modification, compliance with access conditions, following update rules, not interfering with lawful analytics, and expeditious removal upon notice
Protection lost if provider modifies cached information beyond what's technically necessary for transmission - content integrity must be preserved
Must respect original content's access controls - if source requires authentication or payment, cache must enforce same restrictions
Must comply with industry-standard cache control mechanisms (HTTP headers, cache-control directives, TTL specifications) governing when cached copies must be refreshed
Cannot block or interfere with legitimate usage tracking and analytics technologies used by content originators to understand distribution
Upon gaining actual knowledge that source content was removed or access disabled, or receiving court/administrative orders, must act expeditiously to remove cached copies
Exemption conditional - continues e-Commerce Directive Article 13 framework while clarifying CJEU case law on passive intermediary requirements
Courts retain authority to order termination or prevention of infringements through specific injunctions despite liability exemption
Practical Application
CDN Operations and Cache Management: A major CDN like Cloudflare operates thousands of servers globally caching content close to users. When example.com's images are requested, Cloudflare caches copies at edge locations worldwide. To maintain Article 5 protection, Cloudflare must: (1) Store exact copies without modification - images delivered from cache must be identical to origin images, preserving format, metadata, quality. (2) Respect origin server cache control headers - if example.com sets Cache-Control: max-age=300 (5 minutes), Cloudflare must refresh cached copies at least every 5 minutes. If origin sets no-cache, Cloudflare must revalidate with origin on every request. (3) Enforce access restrictions - if example.com requires authentication for certain images (subscriber-only content), Cloudflare's cache must enforce identical authentication, not serving cached copies to unauthorized users. (4) Preserve analytics - if example.com includes analytics pixels or scripts tracking image views, Cloudflare must not strip these elements, allowing origin to collect usage data. (5) Implement automated purge systems - when origin signals content removal (returns 404), Cloudflare must automatically purge cached copies. When receiving explicit purge requests from content owners (via API or dashboard), Cloudflare must rapidly remove specified cached content. (6) Respond to legal orders - upon receiving court orders to stop caching specific infringing content, Cloudflare must purge existing cached copies and implement systems preventing re-caching. Cloudflare should maintain: real-time cache purge APIs enabling instant removal, automated systems monitoring origin server responses (404s, gone signals) triggering automatic cache invalidation, documentation of purge requests and completion times proving expeditious action, technical capacity to identify and remove specific cached items based on URLs, domains, or content signatures, and processes for handling bulk purge requests during takedown campaigns. Most major CDNs provide instant purge capabilities - content owners can request purges via dashboard or API, with cached copies removed globally within seconds to minutes.
ISP Proxy Cache Implementation: An Internet Service Provider operating transparent proxy caches to reduce bandwidth costs and improve subscriber experience must implement compliant caching. When subscribers request popular websites, videos, or downloads, the ISP's proxy caches frequently-accessed content, serving subsequent requests from cache rather than fetching from origin repeatedly. To maintain Article 5 protection: (1) Cache must respect HTTP cache control headers from origin servers. If YouTube specifies max-age=3600 for videos, cache must refresh at least hourly. If news sites specify no-cache for breaking news, cache must revalidate before serving. (2) Cannot inject advertisements or tracking into cached web pages - serving exact copies only. Early 2010s practices of ISPs injecting ads into cached HTTP traffic would violate non-modification requirements. (3) Must handle HTTPS correctly - cannot downgrade HTTPS to HTTP for caching, cannot break TLS to inspect and cache encrypted traffic (this would violate both modification and access control requirements), must serve HTTPS content with encryption preserved. (4) When receiving DMCA or court orders to stop caching specific infringing content (pirated software, illegal streams), must purge cached copies and prevent re-caching. (5) Should implement automated cache expiration based on origin signals, manual purge interfaces for responding to takedown notices, monitoring for origin removal signals, and documentation proving expeditious action when required. Practical challenge: how long is 'reasonably necessary' for caching under paragraph 2? Milliseconds of router buffering clearly qualifies as transmission-related. Hours or days of proxy caching clearly falls under Article 5's caching obligations. The boundary is functional: if storage persists to serve multiple future requests beyond the immediate transmission session, it's caching requiring Article 5 compliance.
Responding to Cache Purge Requests and Court Orders: When content owners discover that a CDN is caching infringing content (pirated movies, unauthorized copyrighted images, trademark-infringing materials), they can demand cache purging. A practical scenario: A copyright holder notices that Fastly CDN is caching pirated copies of their film at pirate-streaming-site.com. The copyright holder sends Fastly a notice stating: 'Your CDN is caching infringing content from pirate-streaming-site.com including our copyrighted film [title]. This is copyright infringement. Under DSA Article 5(1)(e), we notify you that this content is illegal and must be removed from your cache. Cached URLs: [list]. We have court orders confirming infringement.' Upon receiving this notice, Fastly gains actual knowledge that cached content should be removed. Expeditious action requires: (1) Immediate technical purge of identified cached content from all Fastly edge servers globally - achievable within minutes through automated purge systems. (2) Documentation of receipt, review, and purge action with timestamps. (3) Notification to copyright holder confirming purge completion. (4) If content owner provides court orders mandating blocking, Fastly should implement proactive measures preventing re-caching (blacklisting URLs, monitoring and auto-purging if content reappears). Failure to act expeditiously after gaining actual knowledge exposes Fastly to liability for cached content, potentially losing Article 5 protection and facing legal action for copyright infringement facilitation. If a court issues formal injunction ordering Fastly to cease caching all content from pirate-streaming-site.com, Fastly must: purge existing cached content, implement technical blocks preventing future caching from that origin, document compliance, and maintain blocks for duration specified by court order. However, under Article 8, courts cannot order Fastly to implement general monitoring of all cached content to proactively identify everything potentially infringing - orders must be specific to identified content or sources.
Access Control and Subscription Content: Many origin servers implement access controls - subscription paywalls, authentication requirements, geographic restrictions, age verification. Caches must preserve these restrictions per Article 5(1)(b). Practical scenario: The New York Times (NYT) operates a metered paywall allowing 10 free articles per month before requiring subscription. NYT uses a CDN to cache article content globally for performance. The CDN must enforce NYT's access controls: (1) When caching subscriber-only premium content, the CDN cannot serve cached copies to non-subscribers. The cache must verify user authentication status (typically via cookies or tokens) before serving cached content, matching origin's restrictions. (2) If NYT uses geographic restrictions (content available only in certain regions), the CDN's cache must enforce identical geo-blocking. Cached content restricted to US users cannot be served to European users just because cache possesses the files. (3) The CDN must preserve any authentication headers, cookies, or other access control mechanisms NYT implements. Stripping authentication requirements would violate access condition compliance. Practical implementation: modern CDNs support sophisticated access control logic at the edge. Cloudflare Workers, Fastly VCL, AWS CloudFront Lambda@Edge enable custom logic examining request headers, cookies, geolocation, and other factors before serving cached content. CDNs can replicate origin's access control logic at cache layer, serving cached copies only to authorized users while blocking unauthorized access, maintaining Article 5 compliance while achieving caching efficiency. For adult content sites implementing age verification, caches must preserve age gates - cannot serve cached adult content to unverified users just because cache has the files.
Cache Control Header Compliance: Modern HTTP protocol includes sophisticated cache control mechanisms via response headers. Origin servers specify caching behavior through Cache-Control, Expires, ETag, Last-Modified, and similar headers. Article 5(1)(c) requires caching services to comply with 'rules regarding the updating of the information, specified in a manner widely recognised and used by industry' - i.e., standard HTTP cache control. Practical requirements: (1) Cache-Control: max-age=N - content may be cached for N seconds, then must be refreshed from origin. A news site setting max-age=60 requires caches to refresh content every minute. CDNs must purge cached copies or revalidate with origin after expiration. (2) Cache-Control: no-cache - cache can store content but must revalidate with origin before serving each request, ensuring users always get current version. Used for content that changes frequently. (3) Cache-Control: no-store - content must not be cached at all. Caches must fetch from origin for every request. Used for highly sensitive or personalized content. (4) Cache-Control: must-revalidate - after expiration, cache must revalidate with origin before serving stale content. Cannot serve expired content even temporarily. (5) Cache-Control: s-maxage=N - separate max-age for shared caches (CDNs, proxy servers) vs. private browser caches. Enables different caching strategies for intermediaries vs. end users. (6) ETag and Last-Modified - enable conditional requests where cache can ask origin 'has content changed since last fetch?' If not modified (304 response), cache serves existing copy; if modified (200 response), cache updates. Caches must implement conditional GET requests to efficiently validate cached content. (7) Vary header - specifies that cached content varies based on request headers (Accept-Encoding, Accept-Language, User-Agent). Cache must store separate copies for different variations. Non-compliance risks serving stale content (violating Article 5(1)(c)), undermining content owner intent, providing outdated information to users, and potentially causing legal/business issues if expired content contains errors, outdated pricing, or obsolete information. Best practice: CDNs should default to respecting all origin cache headers, provide clear documentation of caching behavior, offer origin servers tools to test and verify cache behavior, and implement robust cache invalidation mechanisms for emergency updates.
Analytics and Usage Tracking Preservation: Content owners embed analytics scripts, measurement pixels, and tracking technologies to understand content usage - page views, video plays, download counts, user demographics, engagement patterns. This data informs business decisions, advertising valuations, and content strategies. Article 5(1)(d) prohibits caching services from interfering with 'lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information.' Practical application: (1) If a website includes Google Analytics tracking scripts in cached HTML, CDNs must not strip these scripts. Removing analytics would prevent content owners from measuring traffic, violating this condition. (2) If videos include audience measurement pixels (Nielsen, comScore) tracking viewership, caches must preserve these elements. (3) If images include referrer tracking or impression beacons, caches must not block them. However, 'lawful use' is critical - caches need not facilitate unlawful tracking violating GDPR, ePrivacy Directive, or other privacy regulations. If origin server implements tracking violating user privacy rights, caches aren't obligated to preserve illegal tracking. The requirement protects legitimate analytics while coexisting with privacy regulations. Modern approach: CDNs typically adopt 'passthrough' approach - serving cached content exactly as origin provided it, including all embedded analytics. This automatically preserves lawful tracking while not making caches responsible for determining which tracking is lawful vs. unlawful (GDPR compliance remains origin's responsibility). CDNs might also offer value-added analytics - Cloudflare Analytics, Fastly Real-Time Stats - providing separate CDN-level usage data augmenting (not replacing) origin's analytics. This helps content owners understand cache performance while maintaining origin's own analytics capabilities.
Security Considerations and Content Integrity: Caching introduces security considerations: cached copies could be compromised, caches might serve malware unknowingly, cache poisoning attacks could inject malicious content. Article 5 compliance requires: (1) Implementing security measures preventing unauthorized cache content modification - access controls on cache servers, audit logging of cache operations, intrusion detection monitoring for unauthorized access. (2) Preserving security headers from origin content - Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, etc. Stripping security headers would modify content and violate Article 5(1)(a). (3) Handling HTTPS content correctly - not downgrading to HTTP, preserving TLS, serving cached content with appropriate encryption. (4) Responding to security incidents - if cache is compromised and malware is injected into cached content, provider gains actual knowledge of problem and must act expeditiously to purge compromised content, restore legitimate copies, and secure infrastructure. (5) Implementing DNSSEC, TLS for cache-to-origin connections, and other security protocols ensuring content authenticity. Some CDNs offer security value-adds - DDoS protection, Web Application Firewall (WAF), bot mitigation - that technically modify traffic by blocking attacks. These security modifications are generally permissible as they protect content and transmission without substantively altering legitimate content served to legitimate users. The key distinction: security modifications preventing attacks preserve legitimate content; business modifications inserting ads or tracking alter content for provider benefit.