1. The Member State in which the main establishment of the provider of intermediary services is located shall have exclusive powers to supervise and enforce this Regulation, except for the powers provided for in paragraphs 2, 3 and 4.
2. The Commission shall have exclusive powers to supervise and enforce Section 5 of Chapter III.
3. The Commission shall have powers to supervise and enforce this Regulation, other than those laid down in Section 5 of Chapter III thereof, against providers of very large online platforms and of very large online search engines.
4. Where the Commission has not initiated proceedings for the same infringement, the Member State in which the main establishment of the provider of very large online platform or of very large online search engine is located shall have powers to supervise and enforce the obligations under this Regulation, other than those laid down in Section 5 of Chapter III, with respect to those providers.
5. Member States and the Commission shall supervise and enforce the provisions of this Regulation in close cooperation.
6. Where a provider of intermediary services does not have an establishment in the Union, the Member State where its legal representative resides or is established or the Commission shall have powers, as applicable, in accordance with paragraphs 1 and 4 of this Article, to supervise and enforce the relevant obligations under this Regulation.
7. Where a provider of intermediary services fails to appoint a legal representative in accordance with Article 13, all Member States and, in case of a provider of a very large online platform or very large online search engine, the Commission shall have powers to supervise and enforce in accordance with this Article. Where a Digital Services Coordinator intends to exercise its powers under this paragraph, it shall notify all other Digital Services Coordinators and the Commission, and ensure that the applicable safeguards afforded by the Charter are respected, in particular to avoid that the same conduct is sanctioned more than once for the infringement of the obligations laid down in this Regulation.
Understanding This Article
Article 56 establishes the jurisdictional architecture for DSA enforcement, allocating supervisory and enforcement competences between Member States and the European Commission. This provision embodies fundamental EU internal market principlesâcountry of origin supervision ensuring providers face unified regulatory oversight rather than fragmented 27-jurisdiction compliance burdens, while creating exceptions for Commission centralized enforcement over VLOPs/VLOSEs reflecting their systemic importance and cross-border impact. The competence allocation balances multiple objectives: preventing regulatory fragmentation that would burden cross-border digital services (undermining Digital Single Market), ensuring effective enforcement through clearly designated responsible authorities (avoiding gaps where no authority acts or duplications where multiple authorities conflict), leveraging national regulatory capacity and proximity for routine supervision (most providers supervised by Member State DSCs), concentrating Commission resources on systemic risks posed by largest platforms (VLOPs/VLOSEs), enabling coordinated EU-wide enforcement through cooperation obligations. Article 56 thus creates tiered enforcement ecosystem: Member State DSCs as front-line supervisors for most providers, Commission as specialized supervisor for systemically important platforms, coordination mechanisms ensuring coherent application despite distributed authority.
Country of Origin Principle - Paragraph 1: 'The Member State in which the main establishment of the provider of intermediary services is located shall have exclusive powers to supervise and enforce this Regulation'âestablishes foundational country of origin rule. Only the DSC of the Member State where provider's main establishment is located (Article 3(j) defines main establishment as head office or registered office where principal financial functions and operational control exercised) has supervisory authority over that provider's EU-wide DSA compliance. Exclusivity means other Member States cannot independently investigate or enforce against providers established elsewhereâif Facebook Ireland has main establishment in Ireland, only Irish DSC (CoimisiĂșn na MeĂĄn) can supervise Facebook's DSA compliance across entire EU. Rationale mirrors EU internal market logic from e-Commerce Directive and GDPR: providers enjoy freedom to provide services across EU without facing parallel regulatory proceedings in every Member State; unified supervision creates legal certainty and reduces compliance costs; supervision concentrated in main establishment jurisdiction leverages regulatory proximity and familiarity; prevents regulatory arbitrage where multiple Member States compete to impose harshest or most lenient enforcement. However, exclusivity creates tensions: user protection concerns in Member State A where provider established in Member State B causes significant harm but only Member State B can act, enforcement quality variations across Member States with different DSC capacities and priorities potentially creating uneven user protection, political economy concerns about platform concentration (major platforms cluster in Ireland, Luxembourg, Netherlands possibly seeking favorable regulatory environments).
Paragraph 1 exclusivity subject to exceptions in paragraphs 2-4 (Commission powers over VLOPs/VLOSEs) and paragraph 7 (all Member States can act if provider fails to appoint legal representative). Beyond these explicit exceptions, Article 56(1) country of origin principle is mandatoryâMember State B cannot claim jurisdiction over provider established in Member State A based on: territorial targeting (provider directs services toward Member State B users), effects principle (harm manifests in Member State B), protective principle (Member State B's nationals or interests affected). Such extraterritorial jurisdiction would violate Article 56(1) exclusivity and fragment internal market. However, coordination mechanisms (Articles 57-60) enable Member State B to request Member State A DSC take action against provider causing harm in Member State Bâmutual assistance, joint investigations, information exchange work within country of origin framework avoiding fragmentation.
Commission Exclusive Powers Over VLOP/VLOSE Section 5 Obligations - Paragraph 2: 'The Commission shall have exclusive powers to supervise and enforce Section 5 of Chapter III'âcentralized EU enforcement for most stringent VLOP/VLOSE requirements. Section 5 (Articles 34-43) imposes heightened obligations on very large online platforms and very large online search engines designated under Article 33 (45+ million monthly EU users)âArticle 34 risk assessments identifying systemic risks, Article 35 risk mitigation measures addressing identified risks, Articles 37-40 independent auditing and transparency, Article 41 additional VLOP/VLOSE transparency measures, Article 42 public databases, Article 43 supervisory fees financing Commission supervision. Commission has exclusive competence supervising and enforcing these Section 5 provisionsâMember State DSCs have no authority even if VLOP/VLOSE established in their territory. Rationale for centralization: systemic importance of VLOPs/VLOSEs justifies supranational oversight given cross-border impacts (algorithmic risks, disinformation amplification, fundamental rights implications transcend single Member State), need for specialized technical capacity assessing complex sociotechnical risks beyond typical DSC resources, ensuring consistent application of risk assessment/mitigation standards across VLOPs/VLOSEs avoiding forum shopping, political sensitivity of decisions affecting powerful global platforms requiring EU-level democratic legitimacy and avoiding capture of individual national regulators. Practical implementation: Commission's Directorate-General for Communications Networks, Content and Technology (DG CONNECT) conducts Section 5 supervision, receiving VLOP/VLOSE risk assessments, reviewing audit reports, investigating non-compliance, imposing Articles 66-87 enforcement measures (periodic penalty payments, fines up to 6% global turnover, commitments, interim measures). Member State DSCs provide information and assistance but lack independent enforcement authority over Section 5.
Section 5 exclusivity is narrowâapplies only to Articles 34-43 VLOP/VLOSE-specific requirements. All other DSA provisions applicable to VLOPs/VLOSEs (Chapter III Sections 1-4 due diligence obligations, Chapter II liability exemptions, transparency requirements, etc.) fall under paragraph 3's concurrent Commission-Member State regime, not paragraph 2 exclusivity.
Commission Concurrent Powers Over VLOP/VLOSE Non-Section 5 Obligations - Paragraph 3: 'The Commission shall have powers to supervise and enforce this Regulation, other than those laid down in Section 5 of Chapter III thereof, against providers of very large online platforms and of very large online search engines'âCommission can also enforce non-Section 5 DSA requirements against VLOPs/VLOSEs but jurisdiction is concurrent with Member State DSC, not exclusive. This includes: Chapter III Section 1 (Articles 11-15 general provisionsâcontact points, legal representatives, terms of service, transparency reporting), Chapter III Section 2 (Articles 16-18 notice-and-action mechanisms, statements of reasons, law enforcement notifications), Chapter III Section 3 (Articles 19-28 platform-specific obligationsâinternal complaints, out-of-court settlement, trusted flaggers, advertising transparency, recommender systems, interface design, minor protection), Chapter III Section 4 (Articles 29-32 marketplace obligations if VLOP is marketplace), Chapter II (Articles 4-6 liability exemptions for illegal content), Chapter IV enforcement and cooperation provisions applicable to VLOPs. Commission choice to exercise paragraph 3 powers typically driven by: cross-border significance of alleged violation affecting multiple Member States, systemic importance requiring supranational intervention, Member State DSC resource or political constraints hindering effective enforcement, coordination with Commission's Section 5 supervision (parallel investigations of Section 5 and non-Section 5 violations enabling comprehensive assessment), strategic enforcement priorities (Commission focuses on precedent-setting cases clarifying DSA interpretation).
Paragraph 3 concurrent regime creates potential conflictsâboth Commission and Member State DSC could theoretically investigate same VLOP/VLOSE for same non-Section 5 violation. Paragraph 4 allocates primacy through first-mover advantage: Commission initiation precludes subsequent Member State DSC action (paragraph 4: 'Where the Commission has not initiated proceedings'ânegative condition implies if Commission has initiated, Member State cannot); Member State DSC can act only 'where the Commission has not initiated proceedings for the same infringement.' This creates jurisdictional raceâwhichever authority initiates proceedings first obtains exclusive competence for that specific infringement. Coordination through Article 56(5) and Articles 57-60 mechanisms aims to prevent conflicts: Commission and Member State DSCs exchange information about planned investigations, Board facilitates coordination discussions, informal settlements where Commission cedes or takes over jurisdiction based on comparative advantage. In practice, Commission often leads VLOP/VLOSE enforcement given superior resources, technical capacity, and political insulation, while Member State DSCs focus on smaller providers or provider-specific issues with primarily national impacts.
Member State DSC Residual Powers Over VLOPs/VLOSEs - Paragraph 4: 'Where the Commission has not initiated proceedings for the same infringement, the Member State in which the main establishment of the provider of very large online platform or of very large online search engine is located shall have powers to supervise and enforce the obligations under this Regulation, other than those laid down in Section 5 of Chapter III, with respect to those providers'âDSC of establishment retains enforcement authority over VLOPs/VLOSEs for non-Section 5 obligations if Commission hasn't acted. This preserves country of origin DSC's role even for VLOPs/VLOSEs, subject to Commission preemption. Practical effect: Irish DSC supervises Meta, Google, Apple, Microsoft, TikTok (main establishments in Ireland) for non-Section 5 violations unless Commission intervenes; Dutch DSC supervises platforms established in Netherlands; Luxembourg DSC supervises Amazon, eBay (Luxembourg establishments). DSC-of-establishment enforcement over VLOPs/VLOSEs complements Commission Section 5 oversight: DSC handles routine compliance issues, user complaint follow-ups, notice-and-action supervision, advertising transparency checks, while Commission focuses on systemic risk assessments and risk mitigation. Division of labor reflects resource realitiesâCommission cannot supervise every aspect of all designated VLOPs/VLOSEs (currently 20+ designated entities), DSC leverages established oversight relationships and local knowledge, DSC enforcement maintains accountability even where Commission deprioritizes certain violations.
'For the same infringement' is critical limitationâMember State DSC cannot proceed if Commission already initiated proceedings targeting same conduct. However, DSC can investigate different infringement by same VLOP/VLOSE even if Commission has separate ongoing proceedings. Example: Commission investigates Meta's Article 35 risk mitigation failures (Section 5, exclusive Commission competence); simultaneously Irish DSC can investigate Meta's Article 16 notice-and-action deficiencies (non-Section 5, concurrent jurisdiction, Commission hasn't initiated Article 16 proceedings so DSC can act). Coordination essential to avoid overlapâCommission and DSC exchange information ensuring investigations target distinct infringements or consolidate where overlap exists. Article 56(5) close cooperation obligation requires Commission and DSC consult before initiating proceedings against VLOPs/VLOSEs, agree on investigation division, share evidence and findings supporting parallel tracks.
Close Cooperation Obligation - Paragraph 5: 'Member States and the Commission shall supervise and enforce the provisions of this Regulation in close cooperation'âprocedural duty tempering competence divisions with collaboration imperative. Close cooperation mandates: information exchange about planned and ongoing enforcement actions (DSCs notify Commission of VLOP/VLOSE investigations, Commission informs DSCs of Section 5 proceedings, cross-border DSCs share intelligence about provider behaviors), consultation before exercising jurisdiction (Commission and establishment DSC discuss who should lead VLOP/VLOSE investigation, DSCs coordinate cross-border cases through mutual assistance), joint investigations where appropriate (Article 60 enables formal joint investigations pooling resources for complex cases), consistent interpretation coordination (Board Article 61-64 coordinates interpretation ensuring uniform DSA application despite distributed enforcement). Cooperation mechanisms operationalized through Articles 57-60: Article 57 mutual assistance (DSCs provide information and investigative support to each other), Article 58 joint investigations (formal framework for multi-DSC proceedings), Article 59 cross-border cooperation settlement (DSCs negotiate coordinated responses to cross-border cases), Article 60 European Board for Digital Services (coordinator facilitating cooperation, resolving disputes, developing guidelines). Paragraph 5 is enforceableâCommission could challenge Member State under Article 258 TFEU for failing to cooperate adequately with Commission or other DSCs in DSA enforcement; Member State could challenge Commission under Article 263 TFEU for Commission enforcement action violating cooperation obligations (acting without adequate DSC consultation).
Non-EU Provider Jurisdiction - Paragraph 6: 'Where a provider of intermediary services does not have an establishment in the Union, the Member State where its legal representative resides or is established or the Commission shall have powers, as applicable, in accordance with paragraphs 1 and 4 of this Article, to supervise and enforce the relevant obligations under this Regulation'âextends jurisdiction to non-EU providers offering services in EU. Article 13 requires non-EU providers designate legal representative in one Member State. Paragraph 6 allocates jurisdiction based on representative location: if provider appoints legal representative in Germany, German DSC has jurisdiction applying paragraph 1 country of origin logic (representative treated as establishment proxy); if provider is VLOP/VLOSE, Commission has powers under paragraphs 2-3 (Section 5 exclusive, other provisions concurrent with DSC-of-representative); representative location determines 'home' DSC for non-EU provider. Rationale: legal representative serves as enforcement contact point within EU enabling DSC jurisdiction; representative presence satisfies due process requirements for regulatory assertion (provider has chosen representative jurisdiction voluntarily accepting that Member State's authority); jurisdictional certaintyânon-EU provider knows which DSC will supervise (representative's Member State), avoiding ambiguity about which of 27 Member States could assert authority. Practical examples: US platform offering services in EU appoints legal representative in IrelandâIrish DSC supervises DSA compliance; Chinese e-commerce marketplace appoints representative in NetherlandsâDutch DSC has jurisdiction; Russian social network appoints representative in CyprusâCypriot DSC supervises (assuming platform not designated VLOP subject to Commission oversight).
Paragraph 6 allocation applies 'as applicable' paragraphs 1 and 4 principlesâif non-EU provider is VLOP/VLOSE, Commission jurisdiction applies per paragraphs 2-3 even though representative located in specific Member State; DSC-of-representative supervises non-Section 5 obligations where Commission hasn't initiated proceedings (paragraph 4 logic). If non-EU provider is ordinary platform/hosting service (not VLOP), DSC-of-representative has exclusive paragraph 1 jurisdiction. Commission has residual authority even absent legal representative per paragraph 7.
Failure to Appoint Legal Representative - Paragraph 7: 'Where a provider of intermediary services fails to appoint a legal representative in accordance with Article 13, all Member States and, in case of a provider of a very large online platform or very large online search engine, the Commission shall have powers to supervise and enforce in accordance with this Article'âuniversal jurisdiction as sanction for non-compliance with legal representative requirement. If non-EU provider offering services in EU does not appoint Article 13 representative (or appointed representative inadequate), every Member State DSC gains enforcement authorityâany of 27 DSCs can investigate and sanction. For VLOPs/VLOSEs, Commission also has authority. This near-universal jurisdiction creates severe compliance pressure: provider faces potential parallel proceedings in multiple Member States; legal uncertainty about which DSCs will act and inconsistent standards they might apply; practical difficulty defending against 27 potential investigations; reputational and operational disruption from multi-front enforcement. Paragraph 7's second sentence imposes coordination duty mitigating universal jurisdiction chaos: 'Where a Digital Services Coordinator intends to exercise its powers under this paragraph, it shall notify all other Digital Services Coordinators and the Commission, and ensure that the applicable safeguards afforded by the Charter are respected, in particular to avoid that the same conduct is sanctioned more than once for the infringement of the obligations laid down in this Regulation.' DSC planning enforcement against non-representative provider must: notify all other DSCs and Commission (transparency enabling coordination), ensure Charter compliance (fundamental rights protections), avoid double sanctioning (ne bis in idem principleâprovider cannot be sanctioned multiple times for same conduct). In practice, DSCs likely coordinate determining which one or few take lead enforcement avoiding inefficient duplication, though paragraph 7 creates legal authority for all should coordination fail.
Paragraph 7 universal jurisdiction applies to failure to appoint representative (Article 13 violation) and potentially other DSA violations by non-representative providers. Text says 'shall have powers to supervise and enforce in accordance with this Article'âarguably permits any DSC to enforce any DSA provision against non-representative provider, not just Article 13 violation itself. Purpose: non-EU providers cannot evade DSA enforcement by simply declining to appoint representatives; universal jurisdiction ensures enforcement possible even without representative; severe jurisdictional consequences incentivize Article 13 compliance. However, paragraph 7 is exceptionalâonce provider appoints compliant representative, jurisdiction reverts to paragraph 6 single-DSC model.
Practical Application
Country of Origin Supervision - Meta Platforms (Ireland Establishment): Meta's European headquarters located in Dublin, Ireland makes Irish DSC (CoimisiĂșn na MeĂĄn) exclusively competent under Article 56(1) for supervising Meta's DSA compliance across EU. Practical implications: (1) User in Germany encounters hate speech on Facebook, believes content violates Article 16 notice-and-action requirementsâfiles Article 53 complaint but must direct to Irish DSC, not German BNetzA, because Meta's main establishment is Ireland. German DSC lacks jurisdiction despite harm manifesting in Germany to German user. (2) French authorities receive numerous complaints about Instagram dark patterns potentially violating Article 24 interface design requirementsâcannot independently investigate or sanction Meta; must either coordinate with Irish DSC through Article 57 mutual assistance requesting Irish DSC take action, or accept Irish DSC enforcement priorities. (3) Italian consumer protection organization wants regulatory action against WhatsApp's terms of service potentially violating Article 14 transparencyâadvocates must engage Irish DSC, not Italian authority. (4) Spanish journalist faces account suspension on Facebook, believes Article 17 statement of reasons inadequateâchallenges through Irish DSC procedures including judicial review in Irish courts (preliminary rulings to CJEU possible if DSA interpretation questions arise). Country of origin concentration means Irish DSC supervises majority of largest platforms (Meta, Google, Apple, TikTok, Microsoft all have Irish establishments)âcreates resource challenges for Irish regulator supervising entities affecting hundreds of millions EU users, raises accountability concerns about whether single national authority adequately represents EU-wide user interests, generates political economy debates about Ireland's attractiveness to platforms (favorable corporate tax, light-touch regulation concerns, though DSA and GDPR increasingly constrain national regulatory discretion).
However, Article 56(1) country of origin doesn't prevent other Member States from: applying national law outside DSA scope to same platforms (consumer protection, competition, criminal law), requesting mutual assistance from Irish DSC to investigate issues affecting their users (Article 57), participating in joint investigations with Irish DSC (Article 60), bringing cases to CJEU challenging Irish DSC decisions or Commission enforcement affecting their interests. GDPR experience (similar country of origin under Article 56 GDPR) shows tensionsâIrish DPC criticized for slow enforcement and lenient approach, other DPAs push for joint investigations and EDPB coordination to overcome Irish authority reluctance, DSA may see similar dynamics with non-establishment DSCs pressing establishment DSCs for more vigorous enforcement.
Commission Exclusive VLOP Supervision - X (Twitter) Risk Assessment: X Corp. designated as VLOP under Article 33 (over 45M EU monthly users) triggers Commission exclusive jurisdiction over Section 5 obligations. Commission investigation scenario: (1) Commission opens Article 66 investigation into X's Article 34 risk assessment and Article 35 risk mitigation concerning disinformation risks. Commission examines whether X adequately identified disinformation amplification risks in Article 34 risk assessment, whether Article 35 mitigation measures proportionately address identified risks, whether risk assessment methodology meets Article 34(2) standards. (2) X established in Ireland but Irish DSC has no role in Article 34-35 investigationâCommission exclusivity under Article 56(2) means Commission alone investigates, requests information under Article 67, accesses data, interviews X personnel, reviews internal documents. Irish DSC may provide Commission factual information about X's Irish operations but cannot independently assess Article 34-35 compliance or sanction X for Section 5 violations. (3) Commission finds Article 34 risk assessment inadequateârisks understated, methodology flawed, external expert review insufficient. Also finds Article 35 mitigation measures ineffectiveâCommunity Notes feature fails to counter viral false information, algorithmic amplification changes inadequate given risks. (4) Commission imposes Article 74 periodic penalty payment (âŹ500,000 daily) requiring X submit revised risk assessment and implement enhanced mitigation within 60 days. Also initiates Article 52 fine calculation procedure for original violation (potentially hundreds of millions EUR based on 6% global turnover ceiling). (5) X challenges Commission decision before General Court (Article 263 TFEU judicial review)âargues risk assessment adequate, Commission overstepped discretion substituting judgment for X's risk evaluation. General Court reviews Commission decision for legal errors, manifest errors of assessment, procedural defects. Member States cannot participate as defendants (Commission is sole respondent) but may intervene supporting or challenging Commission position. Throughout process, Irish DSC excluded despite X's Irish establishmentâSection 5 is exclusively Commission competence.
Rationale for Commission exclusivity: Article 34-35 risk assessments involve complex sociotechnical judgments (algorithmic amplification dynamics, disinformation ecosystem analysis, fundamental rights balancing) requiring specialized expertise beyond typical DSC capacity, systemic nature of VLOP risks (affecting all Member States) justifies supranational assessment rather than single-DSC evaluation, political sensitivity of risk mitigation decisions (restricting expression, determining what constitutes civic discourse vs. harmful disinformation) requires EU-level democratic legitimacy, ensuring consistent risk assessment standards across all VLOPs avoiding divergent interpretations creating compliance uncertainty and competitive distortions.
Concurrent Jurisdiction - TikTok Content Moderation (Commission vs. Irish DSC): TikTok designated VLOP with main establishment in Ireland creates concurrent Commission-Irish DSC jurisdiction for non-Section 5 violations. Investigation scenarios: (1) Complaints accumulate about TikTok's Article 16 notice-and-action failuresâcontent reported as illegal (hate speech, dangerous challenges) remains accessible weeks after notice, Article 16(4) manifestly illegal content not acted upon expeditiously. Question arises: should Commission or Irish DSC investigate? Article 56(3) gives Commission power; Article 56(4) allows Irish DSC if Commission hasn't initiated proceedings. (2) Coordination discussion: Irish DSC proposes taking leadâArticle 16 enforcement within DSC's established competencies, DSC can handle investigation efficiently, proximity to TikTok's Dublin office enables on-site inspections, Commission should focus scarce resources on Article 34-35 systemic risk issues. Commission defersâhasn't initiated Article 16 proceedings, agrees Irish DSC better positioned for this investigation. Irish DSC proceeds under Article 56(4). (3) Irish DSC investigation finds systematic Article 16 violationsânotice processing delays, inadequate content moderation resources, manifestly illegal content not prioritized. Irish DSC imposes Article 51 fine (âŹ25M), requires TikTok hire additional content moderators, implement enhanced notice triage systems, report quarterly compliance. (4) Different scenario: Commission receives intelligence suggesting TikTok's recommendation algorithm (Article 27) systematically amplifies harmful content to minors despite Article 28 minor protection requirements. Commission decides to investigate given overlap with broader Article 35 risk mitigation oversight Commission conducting. Commission initiates Article 27-28 investigationâIrish DSC now precluded from parallel proceedings for 'same infringement' under Article 56(4). Irish DSC provides Commission mutual assistance (Article 57) sharing information from prior TikTok supervision but cannot sanction Article 27-28 violations independently. (5) Commission finds Article 27 transparency violations (insufficient information about recommendation parameters) and Article 28 minor protection failures (age verification inadequate, default settings not highest privacy). Imposes âŹ180M fine and Article 66 commitments requiring algorithm transparency improvements and minor protection enhancements. Irish DSC supports enforcement monitoring TikTok's implementation compliance.
Concurrent jurisdiction requires continuous Commission-DSC coordination avoiding conflictsâinformal consultations about investigation priorities, information exchange about provider compliance patterns, division of labor based on comparative advantage (DSCs handle routine due diligence, Commission focuses on complex algorithmic issues), potential for Commission to take over DSC investigations if EU-wide importance becomes apparent or conversely cede jurisdiction if initially started investigation later deemed better handled by DSC. Board (Article 61-64) facilitates coordination providing forum for Commission and DSCs to discuss VLOP/VLOSE supervision strategies.
Cross-Border Mutual Assistance - German-French Coordination: Article 56(1) exclusive jurisdiction doesn't prevent cooperation through Article 57 mutual assistance. Scenario: (1) French ARCOM receives complaints about German-established video-sharing platform systematically violating Article 28 minor protection requirementsâage verification absent, inappropriate content accessible to children, parental controls ineffective. French users disproportionately affected but platform's main establishment is Germany, so German BNetzA has Article 56(1) jurisdiction. (2) French ARCOM invokes Article 57 mutual assistance requesting BNetzA investigate platform's Article 28 compliance. ARCOM provides evidence: complaint documentation, screenshots of minor protection failures, expert analysis of platform's age verification gaps, data on French minor usage patterns. (3) BNetzA assesses requestâobligation under Article 57 to provide assistance, ARCOM's evidence suggests credible Article 28 violations, prioritizes investigation given child protection concerns. BNetzA opens formal investigation examining platform's Article 28 compliance EU-wide (not just France). (4) BNetzA investigation confirms Article 28 violationsâage verification systems inadequate, default settings fail to provide highest privacy for minors, platform didn't implement Article 28(1) measures. BNetzA issues compliance order requiring platform implement robust age verification, default minor accounts to private/restricted, remove inappropriate content accessible to minors. Also imposes âŹ8M fine under Article 52. (5) BNetzA notifies ARCOM of outcome satisfying mutual assistanceâFrench users benefit from enforcement even though French authority lacked direct jurisdiction. Platform implements EU-wide Article 28 improvements benefiting all Member States. Mutual assistance enables user protection despite country of origin exclusivityâDSCs leverage each other's jurisdictional authority, share enforcement burdens (BNetzA benefits from ARCOM's investigative work gathering evidence), ensure violations affecting users in non-establishment Member States receive attention even if establishment DSC might not prioritize independently.
Mutual assistance limitations: requesting DSC cannot compel responding DSC to investigate or sanction (Article 57 creates cooperation duties but respects enforcement discretion), responding DSC applies its own enforcement priorities and legal interpretations (may reach different conclusions than requesting DSC would), timing may frustrate requesting DSC's expectations (responding DSC resource constraints delay investigation), remedies reflect responding DSC's judgment (may impose different sanctions than requesting DSC preferred). Despite limits, mutual assistance operationalizes country of origin model enabling distributed concerns to reach competent authority.
Non-EU Provider Jurisdiction - US Platform Legal Representative: US-based social media platform (not VLOP) offers services to EU users, must designate Article 13 legal representative. Platform analysis: (1) Platform assesses Member States considering business presence, regulatory environment, language capabilities, legal expertise availability. Chooses Ireland given existing operational presence, English-language legal system, perceived favorable regulatory environment. (2) Platform designates Irish law firm as Article 13 legal representative notifying all Member State DSCs and Commission. Article 56(6) now appliesâIrish DSC has jurisdiction over platform's DSA compliance as if platform were Irish-established. (3) Estonian user files Article 53 complaint with Irish DSC about platform's Article 16 notice-and-action failure (reported illegal content not removed). Estonian DSC receives complaint, refers to Irish DSC (explaining platform's legal representative in Ireland gives Irish DSC jurisdiction). Irish DSC investigates, finds Article 16 violation, orders platform remove content, imposes warning. (4) Platform expands, reaches 45M EU users, designated VLOP under Article 33. Jurisdiction shiftsâCommission now has Article 56(2) exclusive powers over Section 5 (Articles 34-43), concurrent Article 56(3) powers over other provisions, while Irish DSC retains Article 56(4) residual powers where Commission hasn't initiated proceedings. Legal representative location (Ireland) still determines 'home' DSC for non-Section 5 matters, but Commission's VLOP jurisdiction overlay adds complexity. (5) Platform considers whether legal representative location choice still optimalâCommission supervision focuses on Section 5 regardless of representative location, but Irish DSC remains competent for Article 16, 17, 27, 28, etc. violations absent Commission action. Platform maintains Irish representative but understands primary supervisor now Commission for most significant obligations (risk assessment, mitigation, transparency).
Legal representative choice strategic for non-EU providersâdetermines DSC that will supervise routine compliance, affects regulatory engagement dynamics (DSC responsiveness, expertise, enforcement culture), may influence enforcement likelihood and severity (though DSA harmonization limits differences, Member State regulatory traditions persist). However, VLOP designation substantially reduces choice significanceâCommission becomes primary supervisor regardless of representative location, though DSC-of-representative remains involved for non-Section 5 and coordination matters.
Failure to Appoint Representative - Universal Jurisdiction: Russian social network offers services in EU but refuses to appoint Article 13 legal representative (claims EU lacks extraterritorial authority, refuses compliance). Article 56(7) universal jurisdiction triggered: (1) Any Member State DSC can now enforce against platform. German BNetzA initiates investigationâplatform accessible to German users, Article 13 violation clear (no legal representative despite EU service provision), broader DSA violations likely (Article 16 notice-and-action, Article 15 transparency reporting also non-compliant given platform's EU law rejection). (2) Article 56(7) coordination dutyâBNetzA notifies all other DSCs and Commission of intent to investigate and sanction platform. Several DSCs respond indicating own concerns (Polish DSC reports Polish user complaints, French DSC notes similar Article 13 violation, Dutch DSC interested in coordinated approach). (3) Coordination discussionâDSCs agree BNetzA leads investigation given substantial German user base and BNetzA resources, but several DSCs will support providing evidence and potentially parallel proceedings if BNetzA enforcement insufficient. Commission monitors given potential VLOP status (user numbers suggest possible designation but platform's non-cooperation prevents verification). (4) BNetzA investigation finds multiple DSA violations: Article 13 (no legal representative), Article 15 (no transparency reporting), Article 16 (no notice-and-action mechanism), Article 17 (no statement of reasons for content removals). BNetzA issues decision: âŹ15M fine for Article 13, âŹ10M fine for Article 15, âŹ20M for Article 16-17. Also orders platform appoint legal representative within 30 days or face access restriction under Article 51(1)(h). (5) Platform ignores BNetzA decision (no EU presence or assets enabling easy enforcement). BNetzA pursues Article 51(1)(h) access restriction requesting German ISPs block platform access. Several other Member States follow suit with parallel access restrictions leveraging Article 56(7) concurrent jurisdictionâFrench ARCOM, Polish DSC, Dutch DSC issue own access restriction orders multiplying enforcement pressure. Platform faces EU-wide access blocking absent compliance. (6) Platform eventually capitulatesâappoints legal representative in Cyprus (smallest Member State hoping for minimal oversight), begins limited DSA compliance. Article 56(7) universal jurisdiction reverts to Article 56(6) single-DSC model (Cypriot DSC now exclusively competent). Outstanding fines and enforcement from multiple DSCs during Article 56(7) period remain enforceable, but future violations subject to Cyprus DSC jurisdiction alone.
Article 56(7) demonstrates extreme enforcement scenarioâuniversal jurisdiction creates overwhelming pressure few providers can resist, coordination duty prevents pure chaos though allows multiple parallel proceedings if needed, access restriction as ultimate enforcement tool (platforms depend on EU market access regardless of asset presence). However, Article 56(7) rarely neededâmost non-EU providers comply with Article 13 recognizing EU market importance, even providers contesting DSA substance appoint representatives preserving market access while challenging regulations, universal jurisdiction exists as credible threat encouraging voluntary compliance.
VLOP Enforcement Division - Commission Section 5 Plus DSC Other Provisions: Meta designated VLOP with Irish establishment demonstrates layered supervision. (1) Commission supervises: Article 34 systemic risk assessments (hate speech amplification, disinformation, minor safety, mental health, election integrity, gender-based violence, civic discourse risks), Article 35 risk mitigation measures (algorithm changes, content moderation enhancements, researcher data access, transparency tools), Article 37-40 independent audits (reviewing auditor reports, assessing audit quality, requiring remediation), Article 42 publicly accessible databases (ad libraries, content moderation reporting). Commission's DG CONNECT maintains permanent oversight relationship with Metaâregular reporting, ongoing dialogue, audit reviews, algorithm assessments, enforcement actions when non-compliance found. (2) Irish DSC CoimisiĂșn na MeĂĄn supervises concurrently: Article 16 notice-and-action (user complaints about content moderation delays, manifestly illegal content persistence), Article 17 statements of reasons (adequate explanation of content removal decisions), Article 20 internal complaint systems (functionality, responsiveness, redress adequacy), Article 27 recommender system transparency (information to users about recommendation parameters, choice of alternatives), Article 28 minor protection (age verification, default privacy settings for minors), plus general provisions (Article 11 contact points, Article 15 transparency reporting). Irish DSC conducts routine supervisionâprocesses user complaints forwarded to Meta, reviews quarterly transparency reports, investigates specific alleged violations, issues compliance orders and fines for non-Section 5 breaches. (3) Coordination between Commission and Irish DSC: regular bilateral consultations discussing Meta's compliance patterns, information sharing (Commission provides Irish DSC insights from Section 5 supervision; Irish DSC shares Article 16-28 enforcement intelligence to Commission), investigation coordination (if overlap between Article 35 risk mitigation and Article 27 algorithm transparency, Commission and DSC discuss who leads or whether joint investigation appropriate), Board trilateral discussions (Commission, Irish DSC, other DSCs concerned about cross-border Meta issues coordinate through Board framework). (4) User perspective: Meta user uncertain which authority to contactâBoard and DSC websites provide guidance: Section 5 matters (risk assessment complaints, audit concerns, systemic content amplification issues) direct to Commission complaint channels; other matters (notice-and-action failures, individual content moderation complaints, recommender transparency) direct to Irish DSC via Article 53. (5) Enforcement interactions: Commission finds Article 35 risk mitigation inadequate for hate speech amplification risks, requires algorithmic changes within 90 days with âŹ1M daily periodic penalty. Simultaneously, Irish DSC investigates Article 16 notice-and-action delays for hate speech reports, finds violations, imposes âŹ30M fine requiring improved notice processing. Meta implements changes satisfying both Commission's Article 35 and Irish DSC's Article 16 requirementsâalgorithm adjustments reduce amplification (Commission concern) while enhanced moderation resources speed notice responses (Irish DSC concern). Enforcement complementary addressing related issues from different DSA angles.
Layered supervision reflects DSA's hybrid modelâcentralized Commission oversight for systemic risks (requiring supranational perspective and specialized capacity) combined with national DSC supervision for operational compliance (leveraging DSC's established regulatory relationships and routine oversight capabilities). Effectiveness depends on coordination qualityâoverlapping jurisdictions create compliance burden if poorly coordinated, but generate comprehensive enforcement if Commission and DSCs cooperate sharing information, dividing labor strategically, and avoiding contradictory requirements.
For Platforms - Jurisdictional Compliance Strategy: (1) Determine applicable jurisdiction: Identify main establishment (head office/registered office where principal decisions made, financial management located)âdetermines DSC-of-establishment with Article 56(1) jurisdiction. If no EU establishment, designate Article 13 legal representative strategically (consider Member State regulatory capacity, language, legal system, business presence, enforcement cultureâthough DSA harmonization limits divergence). If VLOP/VLOSE designated, understand Commission has exclusive Section 5 jurisdiction and concurrent jurisdiction for other provisions, potentially reducing main establishment location significance for largest obligations but not eliminating it. (2) Engage primary supervisor proactively: Establish compliance dialogue with DSC-of-establishment (or DSC-of-representative), invest in regulatory relationship (transparency, responsiveness, good faith cooperation), anticipate DSC priorities and concerns addressing proactively, participate in DSC consultations and stakeholder processes building trust. For VLOPs/VLOSEs, prioritize Commission relationship for Section 5âDG CONNECT is primary interlocutor for risk assessments, audits, mitigation measures; maintain Commission compliance dialogue recognizing Commission's enforcement authority and resource capacity. (3) Cross-border compliance monitoring: Though DSC-of-establishment has jurisdiction, monitor user issues across all Member Statesâmutual assistance means any DSC can request establishment DSC investigate based on their users' concerns, high complaint volumes from specific Member State may trigger mutual assistance requests and enforcement attention, proactive cross-border compliance prevents issues escalating to formal enforcement. (4) Prepare for concurrent jurisdiction scenarios (VLOPs/VLOSEs): Understand Commission may assert jurisdiction for any non-Section 5 provision if EU-wide significance, maintain compliance readiness for both Commission and DSC investigation possibilities, coordinate responses if both authorities engage on related issues avoiding contradictory representations. (5) Use coordination mechanisms strategically: If multiple DSC investigations threatened (cross-border issue affecting many Member States), work with DSC-of-establishment to coordinate response under Articles 57-60, request Board involvement if DSC conflicts emerge providing platform forum to argue for coherent single-proceeding approach. (6) Plan for enforcement scenarios: Budget for potential Article 52 fines (up to 6% global turnover for serious violations), maintain legal and technical capacity to respond to information requests (Article 67 can require extensive data provision quickly), prepare crisis response for Article 51 measures (particularly access restriction threat requiring urgent legal challenges or compliance), consider insurance or financial reserves for regulatory costs and fines. (7) Monitor jurisdictional evolution: Track VLOP designation risk if approaching 45M users (triggers Commission jurisdiction shift), assess impact of legal representative relocation if changing EU operational structure, stay informed about Commission vs. DSC enforcement patterns understanding where scrutiny likely focuses.
For DSCs - Managing Article 56 Competence Framework: (1) Assert jurisdiction appropriately: Clearly communicate to providers established in Member State that DSC has Article 56(1) supervisory authority, explain jurisdiction to users filing complaints (whether DSC is competent authority or must refer to establishment DSC), resist provider arguments attempting to forum-shop or contest jurisdiction based on established EU precedent (CJEU case law on main establishment, GDPR jurisdiction experience). (2) Coordinate with Commission on VLOPs/VLOSEs: Respect Commission's Article 56(2) exclusive Section 5 competenceâdon't attempt to supervise VLOP risk assessments or mitigation directly, support Commission with information and expertise where requested, exercise Article 56(4) powers for non-Section 5 VLOP violations strategically consulting Commission about investigation priorities and potential overlap, participate in Board discussions coordinating EU-wide VLOP supervision approach. (3) Engage mutual assistance actively: Respond to Article 57 requests from other DSCs promptly and thoroughly (though respecting own enforcement priorities and resource constraints), proactively request mutual assistance when own users affected by providers established elsewhere rather than accepting enforcement gaps, build bilateral relationships with frequently-partnered DSCs (e.g., Irish-French cooperation given Irish platform establishments affecting French users) improving coordination efficiency. (4) Use Board coordination mechanisms: Participate actively in Board Article 61-64 processes, leverage Board to resolve jurisdictional conflicts or interpretation disputes with other DSCs or Commission, contribute to Board guidelines and recommendations improving consistent DSA application, share enforcement experiences and best practices with DSC peers enhancing collective capacity. (5) Transparent jurisdictional communications: Publish clear information for users and providers explaining DSC's jurisdiction scope (which providers supervised, how users file complaints, interaction with Commission for VLOPs), provide referrals when users contact DSC about provider outside jurisdiction directing to competent authority, report jurisdictional activities in Article 55 annual reports (how many mutual assistance requests processed, cross-border cooperation statistics, joint investigations). (6) Manage resource constraints strategically: Recognize if Member State hosts many major platforms (Ireland, Netherlands, Luxembourg) DSC faces extraordinary supervision burden relative to user protection benefits for national citizens, advocate for adequate resources from national government emphasizing EU-wide significance of DSC function, prioritize enforcement actions based on user harm and compliance impact even if political pressure focuses on specific high-profile platforms, leverage Commission capacity for VLOP Section 5 allowing DSC resources to focus on non-VLOP providers or non-Section 5 VLOP obligations. (7) Monitor Article 56 implementation effectiveness: Track whether country of origin model prevents or enables effective user protection, document challenges (provider non-cooperation, cross-border coordination difficulties, resource inadequacy) for Article 94 DSA evaluation informing potential legislative refinement, participate in policy discussions about Article 56 reform if evidence shows competence framework impedes enforcement effectiveness.