Table of Contents

1. Introduction
   1. Political Concepts and the Limits of Legal Qualification
   2. The Structural Role of Platforms
2. The Transformation of EU Digital Governance
   1. From Market Integration to Systemic Risk Governance
   2. From Soft Law to Hybrid Governance
3. Scope of Application of the DSA
   1. Functional Approach to Intermediary Services
   2. Hierarchy of Intermediary Services
   3. Territorial Scope of Application
   4. Limits of the Scope of Application
4. Core Regulatory Mechanisms of the DSA
   1. Proceduralisation of Content Moderation
   2. Compliance as Platform Governance
   3. Systemic Risk Governance
   4. Transparency as a Governance Mechanism
   5. User Rights and Procedural Safeguards
   6. Trusted Flaggers
   7. Protection of Minors
5. Enforcement of the DSA
   1. Decentralised Supervision: Digital Services Coordinators
   2. Centralised Supervision: The Role of the European Commission
   3. European Coordination: The European Board for Digital Services
6. Controversies
   1. Freedom of Expression and the Risk of Overblocking
   2. Regulation of Lawful but Harmful Content
   3. Legitimacy of Trusted Flaggers
   4. Transparency Overload
   5. Market Effects and Regulatory Asymmetries
7. Conclusion and Outlook
   1. Systemic Risk Governance under the DSA
   2. The Limits of Systemic Risk Governance
   3. Fragmentation in Platform Governance
   4. From Platform Governance to Access Control
   5. Generative AI and the Amplification of Systemic Risks
   6. The Competitiveness Turn in EU Digital Regulation
   7. Beyond the DSA: Platform Governance in the Age of
      Synthetic Communication

A. Introduction

The digital transformation of public communication has fundamentally altered the conditions under which information is created, disseminated, and con­sumed. Social media platforms and other online intermediaries have evolved into central infrastructures of the digital public sphere, increasingly replacing traditional media as primary sources of information, particularly for younger users.

At the same time, this transformation has given rise to new forms of societal and democratic risk. Two phenomena are of particular relevance in this con­text: hate speech and disinformation. Both may have significant societal impact while also posing considerable challenges for legal regulation. A central difficulty lies in the fact that harmful online content is often disseminated across borders, amplified through platform architectures, and difficult to at­tribute to identifiable actors within traditional frameworks of legal re­spon­si­bil­ity.

The Digital Services Act (DSA)^[1]Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act), OJ 2022 L … Continue reading responds to these developments not by cre­ating new categories of unlawful content or new criminal offences, but by addressing the structural conditions under which harmful content is dis­seminated and amplified. To this end, it imposes due diligence and systemic risk-management obligations on online intermediaries, in particular online platforms. The DSA thus reflects a broader regulatory shift from content-based regulation towards systemic platform governance, focusing less on indi­vidual perpetrators than on the infrastructural and amplificatory role of plat­forms within the digital public sphere.

I. Political Concepts and the Limits of Legal Qualification

Neither “hate speech” nor “fake news” constitutes a clearly defined legal con­cept under EU law. Both terms originate primarily from public and political discourse and are often used in a broader and less precise sense than in legal doctrine.^[2]See European Commission, Tackling online disinformation: a European Ap­proach, COM(2018) 236 final, 26 April 2018, p. 4 (“verifiably false or misleading information […] pre­sented and … Continue reading Importantly, the DSA does not introduce new categories of crimi­nal liability or establish new criminal offences relating to hate speech or disin­formation. The qualification of content as unlawful therefore continues to be governed by existing legal frameworks, most notably the criminal law of the Member States.

“Hate speech” generally refers to expressions that denigrate, attack or de­hu­man­ise individuals or groups on the basis of characteristics such as ethnic­ity, religion, nationality, gender or other protected attributes. From a legal perspective, however, the relevant boundaries are often difficult to determine with precision. Certain forms of online hostility may amount to criminal of­fences, including incitement to violence, threats, defamation or racial discrim­ination. Other forms of aggressive, discriminatory or in­flam­ma­tory speech may remain below the threshold of criminal liability while nevertheless con­tributing to hostile communicative environments or broader societal ten­sions.^[3]See European Commission against Racism and Intolerance (ECRI), General Policy Rec­om­men­da­tion No. 15 on Combating Hate Speech, 2015; UN Human Rights Council, Rabat Plan of Action … Continue reading

Similar conceptual difficulties emerge with regard to “fake news”. The term does not constitute a legal category but rather serves as a broad umbrella con­cept encompassing different forms of false, misleading or manipulative infor­mation. A more precise distinction is commonly drawn between “dis­in­for­ma­tion”, which generally implies an element of intent or strategic manipulation, and “misinformation”, which refers to inaccurate information shared without such intent. From a legal perspective, false or misleading statements may be­come relevant where they interfere with protected legal interests, for exam­ple in cases involving fraud, market manipulation, electoral interference, or demonstrably false information capable of causing concrete harm to public health or public safety. At the same time, however, many forms of mislead­ing or manipulative communication remain difficult to classify in strictly legal terms, particularly where factual assertions, opinion, ex­ag­ger­a­tion and politi­cal rhetoric overlap.^[4]On limitations of the term “fake news”, see European Commission, High Level Group on Fake News and Online Disinformation, A Multi-Dimensional Approach to Disinformation, 2018, pp. 10 et seq. … Continue reading

This distinction between clearly unlawful content and broader forms of harm­ful or misleading online communication is of central importance to the reg­ulatory approach of the DSA. Significant parts of online hate speech and dis­information may operate in legally uncertain or borderline areas that are not always adequately addressed through traditional mechanisms of criminal law enforcement alone. At the same time, such content may still have considerable societal effects, including on democratic processes, public dis­course, public trust and the safety of online environments. The DSA responds to this tension not by broadly redefining the substantive boundaries of unlawful speech, but by addressing the structural conditions under which such content is dissem­inated, amplified and monetised, in particular through systemic risk assess­ment and mitigation obligations applicable to very large online platforms and search engines.^[5]Articles 34 and 35 DSA; see also Recital 84.

II. The Structural Role of Platforms

The increasing regulatory attention devoted to online platforms can only be understood in light of their specific functional role within the contemporary information environment. Platforms do not typically act as originators of con­tent. Rather, they operate as intermediaries that store, organise, curate, and disseminate user-generated information. However, their technical ar­chi­tec­ture, economic incentives, and governance structures decisively shape the vis­ibility, reach, and impact of such content. From a functional perspective, plat­forms have evolved into central infrastructures of public communication. As the European Commission has observed, they increasingly perform functions traditionally associated with media organisations, acting as ag­gre­ga­tors and distributors of information without assuming comparable editorial responsi­bilities. Empirical evidence confirms this structural shift. Survey data, includ­ing Eurobarometer findings and the EU Social Media Survey 2025, indicate that social media services have become a primary source of news and information for a substantial share of users within the European Union, particularly among younger demographics.^[6]European Commission, EU Social Media Survey 2025, Section on social media use, <https://​europa.​eu/eurobarometer/surveys/detail/3592>.

Moreover, users frequently encounter content that they have not actively sought out, but which is recommended or surfaced through algorithmic sys­tems. This “incidental exposure” reflects a shift away from user-driven infor­mation retrieval towards platform-driven information environments in which visibility is increasingly shaped by automated selection processes. Recom­mender systems tend to prioritise content that generates high levels of en­gagement, thereby creating incentives that may favour sensational, po­lar­is­ing, or misleading content. As the Commission has noted, advertising-driven and attention-based business models privilege virality over reliability, reinforcing the visibility of content that maximises user engagement.^[7]European Commission, Tackling online disinformation: a European Approach, Section 2.2., COM(2018) 236 final, 26 April 2018. In this sense, plat­forms do not merely organise information, but actively structure attention and shape the contours of public discourse. Personalised content feeds may fur­ther reinforce selective exposure and contribute to the frag­men­ta­tion of pub­lic discourse.

The dissemination of problematic content is further intensified by behavioural and technological factors, including coordinated inauthentic behaviour, au­tomated amplification, and the rapid circulation of unverified information by users themselves. Importantly, the societal impact of disinformation is not pri­marily a question of volume. Even limited quantities of misleading or harmful content may achieve disproportionate reach through platform dynamics and recommendation systems. Empirical studies suggest that dis­in­for­ma­tion can spread more rapidly and widely than other forms of content, potentially erod­ing public trust, distorting democratic discourse, and impairing informed de­cision-making.^[8]European Commission, Tackling online disinformation: a European Approach, Section 1., COM(2018) 236 final, 26 April 2018.

These developments have shifted regulatory attention from individual content items towards the structural characteristics of platform services. A significant proportion of problematic content does not qualify as illegal and therefore cannot effectively be addressed through traditional enforcement mechanisms alone. The resulting asymmetry is central to the DSA’s regulatory logic: while the production of harmful content is decentralised, its dissemination is shaped by centralised platform infrastructures and curation mechanisms largely out­side users’ control. It is precisely this asymmetry that gives rise to systemic risks affecting democratic processes, public health, and fundamental rights. Rather than focusing solely on individual instances of unlawful content, the DSA therefore targets the structural conditions under which content is dis­sem­i­nated and amplified. By addressing the design, functioning, and gov­er­nance of platforms, the Regulation reflects a shift from a content-centred to a structure-oriented regulatory paradigm. It is the intermediary and amplifica­tory role of platforms, rather than their function as mere hosts of information, that provides the conceptual foundation for this approach.

B. The Transformation of EU Digital Governance

I. From Market Integration to Systemic Risk Governance

The DSA forms part of a broader transformation of EU digital regulation. Ear­lier policy phases, particularly under the Juncker Commission in 2015, were primarily oriented towards market integration and the completion of the Dig­ital Single Market.^[9]Communication from the Commission, A Digital Single Market, COM(2015) 192 final, 6 May 2015; Commission Staff Working Paper, A Digital Single Mar­ket Strategy – Analysis and Ev­idence, … Continue reading The central objective was to remove regulatory barriers to cross-border digital services and to unlock economic growth potential within the internal market. The Commission explicitly framed the Digital Single Market as a project to “tear down regulatory walls” between national markets and to enable businesses and consumers to fully benefit from cross-border digital opportunities.

Within this evolving landscape, the policy agenda of the Digital Single Market was translated into a set of regulatory initiatives focused on facilitating e-commerce, reducing transaction costs, harmonising consumer and contract rules, and improving market access for digital services. The underlying ra­tionale was predominantly economic: digital integration was expected to en­hance competitiveness, stimulate innovation, and generate significant growth effects.

Since the beginning of the von der Leyen Commission in 2020, however, EU digital policy has undergone a significant reorientation. While the internal market logic remains formally central, it is increasingly complemented and in part overshadowed by concerns relating to technological sovereignty, secu­rity, and systemic risks.^[10]European Commission, DG for Informatics, Strategic Plan 2020-2024, Ref.Ares(2020) 4602715, 4 September 2020. The Digital Decade policy framework illustrates this shift particularly clearly. It conceptualises digital transformation not merely as a driver of growth, but as a key instrument for strengthening Europe’s “tech­no­log­i­cal sovereignty”, “resilience”, and “strategic autonomy” in an increasingly volatile geopolitical environment.^[11]Communication from the Commission, State of the Digital Decade 2025: Keep buliding the EU’s sovereignty and digital future, COM(2025) 290 final, 16 June 2025.

Increasingly, the policy discourse places growing emphasis on structural vul­nerabilities and dependencies. The Union is portrayed as being exposed to ex­ternal risks stemming from reliance on foreign digital infrastructures, cloud services, and foundational technologies. Addressing these dependencies has become a central objective of EU digital policy, alongside the strengthening of domestic technological capacities and coordinated investment strategies.^[12]European Commission, Shaping Europe’s Digital Future, COM(2020) 67 final, 19 February 2020, p. 3, 5.

In parallel, the regulatory focus has shifted more explicitly towards the man­agement of societal and systemic risks arising from digital technologies. Re­cent policy documents highlight threats such as disinformation, cy­ber­at­tacks, algorithmic manipulation, and risks to democratic processes, which are seen as potentially undermining public trust, electoral integrity, and even the rule of law. The growing prominence of such concerns reflects a move beyond a purely economic understanding of digital markets towards a broader concep­tion of digital infrastructures as critical components of democratic and soci­etal order.^[13]European Commission, Shaping Europe’s Digital Future, COM(2020) 67 final, 19 February 2020, p. 6.

The DSA is situated within this evolving framework. Together with in­stru­ments such as the Digital Markets Act, the GDPR, and the Artificial Intelligence Act, it forms part of an increasingly dense regulatory architecture that com­bines internal market integration with elements of risk governance, security policy, and public interest regulation.^[14]See generally Chayanis Aueamnuay/Carmen Berjón/Stella Galehr/Luca Graf/Andreas Heinemann, Digital Regulation in the European Union, EuZ 03/2024, discussing the EU’s in­creasingly integrated … Continue reading More recent debates surrounding com­petitiveness, innovation capacity, and regulatory sim­pli­fi­ca­tion suggest that this expansive phase of EU digital regulation may itself become subject to fu­ture recalibration.^[15]Proposal for a Regulation of the European Parliament and of the Council amending Regula­tions (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) … Continue reading In this respect, current discussions increasingly point to emerging tensions between ambitious regulatory intervention and concerns regarding Europe’s economic competitiveness and regulatory sustainability.

II. From Soft Law to Hybrid Governance

The regulatory approach of the DSA builds upon a sequence of earlier EU ini­tiatives which, since 2018, have progressively developed from pre­dom­i­nantly policy-driven and voluntary instruments towards a more structured co-reg­ulatory framework. The starting point at EU level was the Commission Com­munication on tackling online disinformation, which identified dis­in­for­ma­tion as a systemic challenge to democratic processes, public discourse, and elec­toral integrity.^[16]Communication from the Commission, Tackling online disinformation: A European Ap­proach, COM(2018) 236, 26 April 2018. Rather than proposing binding legal obligations, the Com­munication outlined a set of strategic priorities, including enhanced trans­parency of the online ecosystem, user empowerment, and improved capacities for monitoring and research. This initial policy framework was complemented by the Action Plan against Disinformation, which emphasised coordinated re­sponses to disinformation campaigns, particularly in the context of elections and hybrid threats.^[17]Joint Communication, Action Plan against Disinformation, Join(2018) 36 final, 5 December 2018. It introduced operational mech­a­nisms such as the Rapid Alert System and strengthened cooperation between EU institutions, Member States, and private actors.

A central element of this early phase was the Code of Practise on Dis­in­for­ma­tion, adopted in 2018 as a voluntary self-regulatory instrument.^[18]Code of Practise on Disinformation, 16 June 2022, <https://digital-strat­egy.ec.europa.eu/en/library/2018-code-practice-disinformation>. It brought to­gether major online platforms, advertisers, and civil society actors and relied on commitments relating, inter alia, to transparency, the integrity of services, and cooperation with fact-checkers. However, this framework remained lim­ited in several respects: participation was uneven, commitments were not legally binding, and enforcement mechanisms were largely absent. The revised Code of Practice on Disinformation of 2022 marks a significant evolution of this approach.^[19]Strengthened Code of Practice on DIsinformation, 16 June 2022, <https://digital-strat­egy.ec.europa.eu/en/library/2022-strengthened-code-practice-disinformation>. It introduces a substantially more detailed and operationalised set of commitments, structured across multiple areas, including de­mon­eti­sa­tion of disinformation, transparency in political ad­ver­tis­ing, integrity of plat­form services, user empowerment, and access to data for researchers. Impor­tantly, the strengthened Code also establishes more robust governance and monitoring mechanisms. It provides for structured reporting through quali­tative and quantitative indicators, the creation of a Transparency Centre, and the establishment of a permanent task-force involving the Commission, Mem­ber States, and relevant stakeholders. These features significantly enhance ac­countability compared to the original 2018 framework.

Over time, the conceptual scope of the policy has broadened. Disinformation is no longer treated merely as misleading content, but as part of a wider spectrum of phenomena, including misinformation, coordinated influence op­erations, and foreign interference in the information space. This reflects a growing alignment between disinformation policy and broader concerns of security, geopolitical competition, and democratic resilience. Despite these advancements, the Code remains formally a voluntary instrument. Its legal significance therefore depends on its integration into binding regulatory structures. This integration is realised through the DSA, adopted in October 2022 and applicable since 17 February 2024.

The DSA does not regulate disinformation through substantive prohibitions but instead incorporates earlier policy approaches into a binding framework of due diligence obligations. In particular, the strengthened Code of Practice on Disinformation has been integrated into the DSA framework as a Code of Con­duct and thereby acquires particular relevance in the context of systemic risk mitigation by very large online platforms and search engines.^[20]See European Commission, The Code of Conduct on Disinformation, Press Release, 13 Feb­ruary 2025, confirming the integration of the strengthened Code into the DSA framework as a Code of Conduct … Continue reading Adherence to the Code may serve as a relevant benchmark for assessing compliance with the DSA’s obligations relating to risk assessment and mitigation, particularly under Articles 34 and 35 DSA. The DSA thus transforms what was previously a largely voluntary and fragmented governance model into a hybrid regime combining binding regulatory obligations with structured industry com­mit­ments.

C. Scope of Application of the DSA

I. Functional Approach to Intermediary Services

The scope of application of the DSA is defined by a functional rather than a sector-specific approach. The Regulation applies to a broad range of interme­diary services within the meaning of Article 3(g) DSA, i.e. services that trans­mit, cache, or host information provided by recipients of the service. The de­cisive criterion is therefore not the business model of a provider, but its role in facilitating the storage and, where applicable, the dissemination of user-gen­erated content. In particular, the DSA covers services that enable communi­cation, exchange, intermediation, or the provision of goods and services, pro­vided that they involve user-generated content. Where such content is made available to the public, the service may qualify as an online platform within the meaning of Article 3(i) DSA. This includes not only social networks and con­tent-sharing platforms, but also online marketplaces, service intermediation platforms, and various forms of peer-to-peer or community-based services.

This broad and technology-neutral approach is designed to capture the di­verse and evolving ecosystem of digital services. It ensures that the applicabil­ity of the Regulation does not depend on formal classifications, but on the ac­tual functions performed by the service, in particular its role in mediating the dissemination of information and thereby potentially contributing to systemic risks.

II. Hierarchy of Intermediary Services

The DSA distinguishes between different categories of intermediary services, each subject to a specific set of obligations. These categories form a hierarchi­cal structure, which can be described as a “due diligence pyramid”. At the base are mere conduit services, such as internet access providers and domain name registrars, which primarily transmit information without modifying it. These services benefit from the liability exemption set out in Article 4 DSA and are subject to relatively limited obligations. These obligations include, in particu­lar, compliance with orders to act against illegal content (Article 9 DSA) or to provide information about recipients of the service (Article 10 DSA), as well as general transparency and contact point re­quire­ments (Articles 11 and 15 DSA).

The next category comprises hosting services, which store information pro­vided by users. Examples include cloud storage services or web hosting providers. These services are subject to the liability regime under Article 6 DSA and more extensive due diligence obligations. In particular, they must imple­ment notice-and-action mechanisms enabling the submission of notices con­cerning illegal content (Article 16 DSA) and provide statements of reasons for content moderation decisions (Article 17 DSA).

A central category is that of online platforms, defined as hosting services that store and disseminate user-generated content to the public (Article 3(i) DSA). This category includes social media platforms, online marketplaces, and vari­ous forms of community-based services. In addition to the obligations applic­able to hosting services, online platforms are subject to further requirements, including the establishment of internal complaint-handling systems (Article 20 DSA), participation in out-of-court dispute settlement (Article 21 DSA), and en­hanced transparency obligations, including reporting on content moderation activities (Article 15 DSA) and the publication of information on active users (Article 24 DSA).

At the top of the hierarchy are very large online platforms (VLOPs) and very large online search engines (VLOSEs). These are defined by a threshold of more than 45 million average monthly active recipients of the service in the European Union (Article 33 DSA) and are formally designated by the European Commission. As of early 2026, the Commission has designated more than twenty VLOPs and two VLOSEs, including platforms and services such as Face­book, Instagram, TikTok, YouTube, X, LinkedIn, Amazon Store, Zalando and Google Search.^[21]The list of designated VLOPs and VLOSEs can be found on the Website of the European Commission: <https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses>. These services are subject to particularly stringent obliga­tions, especially with regard to systemic risk management, including the oblig­ation to conduct regular risk assessments (Article 34 DSA), to adopt risk mit­igation measures (Article 35 DSA), to undergo independent audits (Article 37 DSA), and to provide data access to researchers and authorities (Article 40 DSA).

III. Territorial Scope of Application

The DSA has a broad territorial scope. It applies not only to providers estab­lished within the European Union, but also to providers established outside the Union, provided that they offer services to recipients located in the EU internal market. This follows from the general scope provision of the Regula­tion (Article 2(1) DSA), read in conjunction with the definitions of intermedi­ary services and recipients of the service (Article 3 DSA). In order to ensure the effective application of the Regulation to such providers, the DSA requires those not established in the Union to designate a legal representative within the EU (Article 13 DSA). This requirement facilitates enforcement and ensures that obligations under the DSA can be effectively imposed on providers oper­ating across borders.

Given the global nature of digital services, this extraterritorial reach is essen­tial. It ensures that major international platforms are subject to the regulatory framework of the DSA when targeting users in the EU, thereby reducing the risk of regulatory circumvention and contributing to a level playing field within the internal market.^[22]See also Anu Bradford, The Brussels Effect: How the European Union Rules the World, Ox­ford University Press 2020, pp. 131 et seqq., describing the global spillover effects and de facto … Continue reading

IV. Limits of the Scope of Application

Despite its broad scope, the DSA does not apply to all digital services. Its ap­plication is limited to intermediary services within the meaning of Article 3(g) DSA, i.e. services that transmit, cache, or host information provided by users. Services that do not involve the intermediation of user-generated content, such as purely editorial services, fall outside this definition. Similarly, services limited to private interpersonal communication will generally not qualify as online platforms, since they do not disseminate information to the public. By contrast, services that make user content available to an indeterminate num­ber of recipients may fall within the definition of an online platform (Article 3(i) DSA). Sector-specific exclusions, including in the field of financial services, are reflected in Article 2(3) DSA.

D. Core Regulatory Mechanisms of the DSA

The Digital Services Act introduces a comprehensive framework of due dili­gence obligations for intermediary services. Rather than primarily relying on direct content-based regulation, it establishes procedural, organisational, and risk-based obligations designed to structure how platforms address poten­tially harmful content.

I. Proceduralisation of Content Moderation

A central innovation of the DSA lies in the regulation of content moderation procedures. While the regulation does not impose a general obligation to monitor content, it requires platforms to establish structured mechanisms for dealing with illegal content. In particular, hosting services and online plat­forms must provide notice-and-action mechanisms that allow users to notify the provider of allegedly illegal content (Article 16 DSA). These mechanisms must be easily accessible and enable the submission of sufficiently precise and adequately substantiated notices. Furthermore, platforms are required to pro­vide statements of reasons for decisions to remove or disable access to con­tent (Article 17 DSA). This obligation enhances transparency and enables af­fected users to understand and challenge moderation decisions. In addition, online platforms must establish internal complaint-handling systems (Article 20 DSA), allowing users to contest moderation decisions such as the removal of content, the suspension of accounts, or restrictions on visibility. These pro­cedures must be accessible, free of charge, and processed in a timely and non-arbitrary manner.

Taken together, these provisions introduce, for the first time, a harmonised set of procedural safeguards for content moderation across the European Union. The DSA thereby transforms content moderation from a largely private and discretionary practice into a legally structured process subject to minimum procedural standards.

II. Compliance as Platform Governance

Beyond individual procedures, the DSA systematically embeds compliance obligations within the organisational structures of platforms. Providers are re­quired to establish internal processes, designate contact points, and, where applicable, appoint legal representatives within the Union (Articles 11–13 DSA). Moreover, platforms must publish transparency reports on their content mod­eration activities (Article 15 DSA), thereby enabling public scrutiny and regula­tory oversight.

This set of obligations reveals a broader transformation: platforms are no longer treated merely as passive intermediaries, but as regulated actors with defined organisational responsibilities. Compliance thus becomes a structural feature of platform governance rather than a reactive response to individual cases.

III. Systemic Risk Governance

The most distinctive element of the DSA is its systemic risk-based approach, particularly with regard to very large online platforms (VLOPs) and very large online search engines (VLOSEs). These services are required to identify, analyse, and assess systemic risks arising from the design, functioning, and use of their services (Article 34 DSA). The notion of systemic risks is deliberately broad and encompasses, inter alia, the dissemination of illegal content, nega­tive effects on fundamental rights, adverse impacts on democratic processes, public security and public health, as well as risks related to the intentional man­ipulation of services.

Importantly, the DSA’s systemic risk framework is not limited to illegal content. Recitals 84 and 87 clarify that systemic risks may also arise from the dis­semination of information capable of negatively affecting fundamental rights, democratic discourse, electoral processes, or public health, including in sit­uations commonly associated with disinformation, even where the content concerned is not necessarily unlawful. Where such risks are identified, providers of VLOPs and VLOSEs are required to implement reasonable, proportionate, and effective mitigation measures (Article 35 DSA). These may include adjustments to content moderation sys­tems, modifications of rec­om­mender systems, changes to terms and condi­tions, adaptations of platform design, or enhanced cooperation with trusted flaggers, researchers, and civil society actors (Recital 87).

The focus of these obligations is not primarily on individual items of content, but on the structural and systemic features of platform environments that contribute to the amplification of societal risks. Particular attention is there­fore directed towards algorithmic recommendation systems, engagement-based amplification mechanisms, platform design choices, and the incentive structures inherent in platform business models.

IV. Transparency as a Governance Mechanism

Transparency constitutes another central pillar of the DSA. Platforms are re­quired to provide information on various aspects of their operations, including content moderation practices, online advertising, and recommender systems. In particular, platforms must disclose the main parameters of their recom­mender systems (Article 27 DSA) and provide transparency regarding online advertising, including information on the advertiser and the targeting criteria (Article 26 DSA). For VLOPs and VLOSEs, transparency obligations are further extended to include access to data for vetted researchers (Article 40 DSA) and the publication of risk assessment and audit reports.

The objective of these measures is to reduce the opacity of platform opera­tions, often described as “black boxes”, and to enable both regulatory author­ities and external actors to better understand and assess the functioning of digital platforms. Transparency thereby serves not merely as an informational obligation, but as a broader governance mechanism aimed at facilitating over­sight, accountability, and external scrutiny of platform practices.

V. User Rights and Procedural Safeguards

The Digital Services Act significantly strengthens the procedural position of users vis-à-vis online platforms by introducing a set of procedural rights and safeguards designed to ensure that content moderation decisions remain transparent, reviewable, and subject to minimum standards of fairness.

A central element of this framework is the obligation for online platforms to establish internal complaint-handling systems (Article 20 DSA). These systems must enable users to challenge moderation decisions, including the removal or disabling of access to content, the suspension of accounts, or other restric­tions imposed on the basis of allegedly illegal or incompatible content. Such procedures must be easily accessible, free of charge, and handled in a timely, diligent, and non-arbitrary manner.

In addition, the DSA provides for out-of-court dispute settlement mechanisms (Article 21 DSA), allowing users to seek independent review of platform deci­sions by certified bodies. These mechanisms complement internal complaint procedures and are intended to offer a low-threshold alternative to judicial proceedings, thereby strengthening the practical enforceability of user rights.

VI. Trusted Flaggers

The DSA also establishes a mechanism for so-called trusted flaggers under Ar­ticle 22 DSA. These are entities with recognised expertise in detecting illegal content whose notices benefit from priority treatment by online platforms. This mechanism is designed to improve the efficiency and reliability of notice-and-action procedures by ensuring that platforms give particular weight to notifications submitted by qualified actors. Trusted flagger status is granted by the competent Digital Services Coordinator (DSC) of the Member State in which the entity is established. The designation is subject to specific criteria, including demonstrated expertise in detecting illegal content, independence from online platform providers, and the ability to act in a diligent, accurate, and objective manner (Recital 61). While the number of designated trusted flaggers is still evolving, several dozen entities have already been recognised across the European Union, reflecting a diverse landscape of actors ranging from civil society organisations to specialised reporting bodies.^[23]A list of designated trusted flaggers can be found on the website of the European Commis­sion: <https://digital-strategy.ec.europa.eu/en/policies/trusted-flaggers-under-dsa>.

The institutional landscape of trusted flaggers is heterogeneous. It includes a range of actors such as non-governmental organisations, specialised civil soci­ety bodies, and entities with a more formalised or quasi-public status, includ­ing consumer protection organisations or sector-specific institutions. Their areas of activity reflect the diversity of illegal content addressed by the DSA and may cover, inter alia, hate speech and online violence, the protection of minors, consumer protection and fraud prevention, intellectual property en­forcement, and data protection.

From a legal perspective, the role of trusted flaggers is clearly delimited. They do not take binding decisions on the legality of content but rather submit no­tices that must be prioritised by platforms. The final decision on whether to remove or restrict content remains with the platform provider, subject to the procedural safeguards established by the DSA. Despite this formal limitation, the prioritised treatment of trusted flagger notices may create indirect incen­tives for platforms to align moderation decisions with such assessments in practice.

The DSA does not establish a harmonised funding model for trusted flaggers. Funding structures may vary and include public financing, private donations, membership contributions, or sector-specific support. While this diversity al­lows for flexibility, it also underscores the importance of ensuring indepen­dence and transparency in the designation and operation of trusted flaggers.

VII. Protection of Minors

The protection of minors constitutes a distinct and increasingly structured component of the Digital Services Act. While Article 28 DSA formulates this objective in broad terms, recent Commission guidance has significantly spec­ified its content, transforming it into a comprehensive framework of risk-based and design-oriented obligations.^[24]Communication from the Commission, Guidelines on measures to ensure a high level of privacy, safety and security for minors online, pursuant to Article 28(4) of Regulation (EU) 2022/2065, … Continue reading At its core, Article 28(1) DSA requires providers of online platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, safety, and se­curity. This obligation is explicitly contextual and cannot be avoided merely by excluding minors in formal terms where services remain de facto accessible. The regulatory model is guided by principles such as proportionality, the “best interests of the child”, and the notion of safety- and privacy-by-design. Plat­forms are thus required to integrate protective features directly into the ar­chitecture of their services, rather than relying solely on ex post content mod­eration.

Operationally, the framework is centred on a structured risk-based ap­proach.^[25]C/2025/5519, para 5. Platforms must identify and assess risks to minors, including expo­sure to harmful content, contact risks such as grooming, and design-related risks stemming from recommender systems or persuasive interface features.^[26]For broader classifications of digital risks affecting minors, including content-, contact-, conduct-, contractual-, and systemic risks, see Oberlin/von Hoyningen-Huene, Navigating Digital Safety for … Continue reading On this basis, they are expected to implement appropriate mitigation mea­sures, ranging from age-appropriate design and default settings to restrictions on advertising and recommender systems.

This approach raises important tensions. The emphasis on design-based interventions and behavioural safeguards may lead to a form of indirect paternalism, in which platforms shape the online experience of mi­nors in ways that are only partially transparent and not always subject to clear legal standards. In particular, the reliance on age assurance mechanisms and content curation tools highlights the difficulty of balancing effective protec­tion with fundamental rights, including privacy, data protection, and freedom of expression. This tension is also reflected in the prohibition of targeted ad­vertising based on profiling where the platform is aware that the user is a mi­nor (Article 28(2) DSA), which aligns the DSA with the General Data Protection Regulation, but leaves open questions regarding enforcement and the practi­cal feasibility of reliably identifying minors without excessive data processing.

E. Enforcement of the DSA

The effectiveness of the DSA depends not only on the substantive obligations it imposes, but also on its enforcement architecture. The Regulation estab­lishes a multi-level system combining decentralised enforcement by national authorities, centralised oversight at EU level, and structured mechanisms of coordination. This architecture is designed to ensure both effective supervi­sion of cross-border services and a consistent application of the DSA across the internal market.

I. Decentralised Supervision: Digital Services Coordinators

At the national level, Member States are required to designate a Digital Ser­vices Coordinator (DSC) as the primary authority responsible for the supervi­sion and enforcement of the DSA (Article 49 DSA).^[27]A list of the Digital Service Coordinators can be found on the website of the European Com­mission: <https://digital-strategy.ec.europa.eu/en/policies/dsa-dscs#1720699867912-1>. These authorities act as central points of contact and are entrusted with a broad range of investiga­tive, supervisory, and coordinating tasks. In particular, DSCs are responsible for supervising intermediary services established in their jurisdiction, with the exception of very large online platforms (VLOPs) and very large online search engines (VLOSEs), which fall under the enhanced supervisory role of the Euro­pean Commission. Their powers include the ability to conduct investigations, request information, carry out inspections, issue orders to bring infringements to an end, and impose penalties in accordance with national law (Articles 51 and 52 DSA).

DSCs also play a key role in the operational functioning of the DSA framework. They are responsible for certifying out-of-court dispute settlement bodies (Article 21 DSA) and for designating trusted flaggers (Article 22 DSA), thereby contributing to the institutionalisation and proceduralisation of content mod­eration processes. This decentralised enforcement structure builds on existing traditions of na­tional regulatory authorities, while embedding them within a broader Euro­pean system of cooperation. In particular, DSCs participate in the European Board for Digital Services (Article 61 DSA), which facilitates coordination, con­sistency, and the exchange of best practices across Member States.

Despite the harmonising character of the DSA, the institutional implemen­tation of its decentralised enforcement structure remains partly dependent on national administrative arrangements. In Germany, for example, the Bun­des­netz­agen­tur has assumed the role of Digital Services Coordinator and ex­ercises important supervisory and procedural functions under the Regulation.

II. Centralised Supervision: The Role of the European Commission

A distinctive feature of the DSA is the strong role assigned to the European Commission in the supervision of VLOPs and VLOSEs. For these services, pri­mary enforcement responsibility is largely centralised at EU level (Article 56 DSA), reflecting the assumption that systemic risks associated with large plat­forms cannot be adequately addressed through purely national supervision.

The Commission’s enforcement framework follows a structured administrative procedure. It may initiate investigations where there are indications of a po­tential infringement, either on the basis of its own monitoring activities or in­formation obtained from third parties. In this context, it may deploy a broad range of investigative tools, including requests for information, access to plat­form data and relevant technical systems, interviews, and inspections (Articles 67–69 DSA). If the Commission maintains its preliminary assessment of a pos­sible infringement, it may formally open proceedings. Before adopting a final decision, the provider concerned must be given the opportunity to be heard, reflecting the procedural guarantees characteristic of EU administrative en­forcement.

Where an infringement is established, the Commission may adopt a non-compliance decision and impose sanctions. Fines may reach up to 6% of the provider’s total worldwide annual turnover, depending on the nature, grav­ity, duration, and recurrence of the infringement. The Commission also has the power to impose interim measures where there is an urgent risk of seri­ous harm to users. Such measures may include modifications to recommender systems or other specific risk mitigation measures, underlining the preventive and risk-oriented character of the DSA’s enforcement model. As a measure of last resort, the Commission may initiate procedures leading to the temporary restriction of access to a service within the Union, subject to judicial authori­sation at national level.

The Commission has already started to make use of these powers: In July 2024, the Commission adopted preliminary findings concerning breaches of transparency-related obligations, including deceptive design practices, de­fi­cien­cies in the platform’s advertising repository, and restrictions on re­searchers’ access to public data. Following the completion of its investi­gation, the Commission adopted a non-compliance decision under the DSA in December 2025 and imposed a fine of €120 million.^[28]European Commission, press release IP/25/2934, 5 December 2025, <https://ec.eu­ropa.eu/commission/presscorner/detail/en/ip_25_2934>. In addition to the fine, the Commission ordered X to adopt specific remedial measures within defined timeframes, with the possibility of periodic penalty payments in the event of continued non-compliance. Further proceedings have been initiated against other VLOPs, including Meta and TikTok, focusing on issues such as the protection of minors, recommender system design, and the mitigation of systemic risks, as well as against plat­forms such as AliExpress in relation to illegal products and marketplace gov­ernance.^[29]An overview on the Commissions enforcement activities on the basis of the DSA can be found here: <https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses>. In April 2026, for example, the Commission issued preliminary find­ings against Meta concerning Facebook’s and Instagram’s compliance with the DSA’s obligations relating to the pro­tec­tion of minors.^[30]European Commission, press release IP/26/920, 29 April 2026, <https://ec.europa.eu/commission/presscorner/detail/en/ip_26_920>. The Commission crit­icised, inter alia, ineffective age assurance mechanisms, inadequate risk as­sessments concerning underage users, and insufficient mitigation measures aimed at preventing children under the age of 13 from accessing the services. The proceedings also address broader concerns relating to addictive platform design and so-called “rabbit hole” effects, thereby illustrating the increasingly design-oriented and risk-based character of DSA enforcement.

III. European Coordination: The European Board for Digital Services

In order to ensure the coherent application of the DSA, the Regulation es­tablishes the European Board for Digital Services (EBDS) (Article 61 DSA). The Board is composed of representatives of the national Digital Services Coor­dinators (DSCs) and is chaired by the European Commission. The EBDS does not exercise independent enforcement powers. Its primary function is to fa­cilitate coordination, promote the consistent interpretation and application of the DSA, and support cooperation between national authorities and the Com­mission (Articles 62 and 63 DSA). In particular, the Board may issue opinions, recommendations, and guidance, thereby contributing to the development of a common supervisory practice.

This coordination mechanism is of particular importance in cross-border cases, where multiple jurisdictions may be involved. By providing a structured forum for exchange, alignment, and mutual assistance, the EBDS contributes to the uniform application of the Regulation within the internal market and helps to mitigate the risk of divergent enforcement approaches across Member States. At the same time, its role remains primarily advisory, and the ef­fectiveness of coordination depends largely on the alignment of national and EU-level practices.

F. Controversies

Despite its innovative approach, the DSA gives rise to a number of contro­versies relating to freedom of expression, the regulation of lawful but harmful content, the growing reliance on private and hybrid actors in the governance of online speech, and the structural limits of transparency.

I. Freedom of Expression and the Risk of Overblocking

One of the most prominent controversies surrounding the DSA concerns its potential impact on freedom of expression, in particular through the risk of overblocking.^[31]See, for a detailed discussion of the risks of overblocking and the tension between content moderation and freedom of expression, Julia Mroz, Regulierung von Hate Speech in sozialen Netzwerken auf … Continue reading By imposing extensive compliance obligations on platforms, in­cluding notice-and-action mechanisms (Article 16 DSA) and systemic risk mit­igation duties (Articles 34 and 35 DSA), the Regulation creates a regulatory en­vironment in which platforms are structurally incentivised to minimise legal, financial, and reputational risks. This incentive structure is not neutral. Rather, it systematically favours precautionary moderation practices, encouraging platforms to remove or restrict content even where its legal status is uncer­tain. In this sense, overblocking does not merely arise as an incidental side effect but may be understood as an inherent feature of a regulatory model that externalises risk onto private actors and rewards risk-averse behaviour. Such practices risk suppressing lawful expression, particularly in areas char­acterised by legal ambiguity, such as hate speech and disinformation.^[32]Alexander Peukert, Zu Risiken und Nebenwirkungen des DAS, KritV 2022, 57, 63 et seq.

The risk is further amplified by the open-ended nature of key regulatory con­cepts, most notably that of “systemic risks”. While the flexibility of this concept allows the DSA to address evolving societal harms, it also confers a consid­erable degree of interpretative discretion on platforms. In combination with automated moderation tools and decision-making at scale, this may produce systematic biases towards removal, as platforms are likely to err on the side of caution in order to ensure compliance.

From a fundamental rights perspective, this dynamic gives rise to concerns about chilling effects, insofar as users may refrain from lawful expression due to the perceived risk of removal or reduced visibility. The combination of broad risk concepts, automated moderation, and strong compliance incentives may therefore create structural pressures towards precautionary moderation practices that disproportionately affect lawful expression.^[33]Folkert Wilman/Saulus Lukas Kaleda/Paul-John Loewenthal, The EU Digital Services Act, A Commentary, 2024, Art. 14, para. 18; Janos Tamas Papp, Moving Forward: Charting the Much-Needed Evolution of … Continue reading

II. Regulation of Lawful but Harmful Content

A second, closely related controversy concerns the treatment of so-called law­ful but harmful content. While the DSA does not formally establish such a cat­egory, its systemic risk framework unmistakably addresses phenomena that may not necessarily fall within clearly defined categories of illegality but may nevertheless generate broader societal risks. In particular, the obligations ap­plicable to very large online platforms and search engines extend to risks af­fecting civic discourse, electoral processes, public security and public health, including risks linked to the dissemination and amplification of disinformation (Articles 34 and 35 DSA; Recital 84).

This development marks a broader shift in regulatory logic. Rather than ex­panding substantive prohibitions, the DSA focuses on the structural condi­tions governing the dissemination, visibility and amplification of content.^[34]See Giovanni De Gregorio, Digital Constitutionalism in Europe: Reframing Rights and Pow­ers in the Algorithmic Society, Cambridge University Press 2022, Section 5.1 (“Expressions in the … Continue reading The Reg­u­la­tion thus seeks to address large-scale societal harms associated with platform-mediated communication without formally redefining the legal bound­aries between lawful and unlawful speech. At the same time, however, this approach has generated significant conceptual and constitutional debate, particularly because notions such as “systemic risks”, “harmful effects” and ma­nip­u­la­tive amplification remain inherently open-ended and context-de­pendent.^[35]See also Alexander Peukert, Zu Risiken und Nebenwirkungen des DAS, KritV 2022, 57, 70 et seqq.

Assessing whether online content contributes to systemic or harmful societal effects nevertheless remains highly difficult in practice. Content relating to public health crises, armed conflicts, migration or elections often combines factual assertions, political rhetoric, emotional mobilisation and ideological framing in ways that resist clear legal or factual classification. Platform op­erators are therefore frequently required to take operational decisions under conditions of significant legal and societal uncertainty, creating considerable discretion at the level of platform governance and content moderation.^[36]Practical enforcement developments further illustrate these tensions in practice. Proceed­ings initiated by the European Commission against platforms such as X and TikTok have focused on risks … Continue reading

The resulting model may accordingly be characterised as a form of indirect or architecture-based content governance. By targeting recommender systems, content prioritisation, virality mechanisms and platform design, the DSA seeks to influence visibility dynamics and communicative outcomes without directly regulating speech as such. At the same time, however, this form of governance is not subject to the same doctrinal constraints that traditionally govern direct restrictions on freedom of expression. Whereas direct limitations on speech typically require a clearly defined legal basis and remain subject to judicial scrutiny, the modulation of visibility through platform systems is largely me­diated by private actors operating under significant regulatory pressure and within complex technical infrastructures. The DSA may therefore contribute to a gradual shift from legally defined limits of expression towards opera­tionally defined limits of visibility, thereby relocating important normative de­cisions from courts and legislators to privately mediated systems of platform governance and systemic risk management.

III. Legitimacy of Trusted Flaggers

The DSA assigns an important role not only to platforms and public authori­ties, but also to a range of non-platform actors, most notably trusted flaggers (Article 22 DSA). These entities are granted a privileged procedural status within notice-and-action mechanisms, as platforms are required to prioritise the processing of notices submitted by them.

The Regulation does not prescribe a specific organisational form or funding structure for trusted flaggers, resulting in a considerable degree of institu­tional diversity. Trusted flaggers may include civil society organisations, con­sumer protection bodies, or public and quasi-public institutions. In practice, designated entities include organisations such as HateAid^[37]Website HateAid: <https://hateaid.org>., which focuses on combating online abuse, the Verbraucherzentrale Bundesverband^[38]Website Verbraucherschutzzentrale Bundesverband: <https://www.vzbv.de>., rep­resenting consumer interests, and jugendschutz.net^[39]Website Jugendschutz.net: <www.jugendschutz.net>., which operates in the field of youth protection online. Their fields of activity extend across a broad range of areas, including hate speech, consumer protection, intellectual prop­erty, fraudulent commercial practices, and violations of personality rights.^[40]Across the European Union, the number of formally designated trusted flaggers remains relatively limited but is steadily increasing; at present, roughly 50 entities have been granted this status by … Continue reading

Although trusted flaggers do not formally take binding decisions, their prac­tical influence should not be underestimated. By structuring the prioritisation of content review, they may significantly shape which content is examined and ultimately removed, thereby influencing how legal standards are opera­tionalised in practice. In this sense, trusted flaggers contribute to the practi­cal enforcement of legal norms in the digital sphere without themselves being subject to the full set of institutional and procedural constraints typically ap­plicable to public authorities.

This gives rise to questions of legitimacy, accountability, and procedural fair­ness.^[41]Nicolas Harding, Trusted Flagger nach dem Digital Serices Act, MMR 2025, 94, para III; Folkert Wilman/Saulus Lukas Kaleda/Paul-John Loewenthal, The EU Digital Services Act, A Commentary, 2024, … Continue reading While designation by Digital Services Coordinators introduces a degree of public oversight, the relevant criteria, such as expertise, independence, and representativeness, remain relatively open-textured and may be applied un­evenly across Member States. As a result, the institutional quality and nor­mative orientation of trusted flaggers may vary considerably throughout the Union. This is also reflected in public controversies surrounding individual or­ganisations. In Germany, for example, HateAid has been subject to political and media scrutiny concerning its role in online content governance, including de­bates regarding neutrality, public funding, and its broader influence on mod­eration processes.^[42]Kontraste/rbb24, press release, 9. April. 2026: <https://www.rbb-online.de/kontraste/archiv/20260409_2145/hate-aid-im-visier.html>.

More broadly, the trusted flagger mechanism exemplifies a wider structural development in platform regulation: the increasing reliance on non-state ac­tors in the enforcement of legal norms. The DSA does not merely rely on plat­forms as intermediaries but incorporates additional private or hybrid actors into the enforcement framework. This may be understood as a form of func­tional delegation of enforcement tasks, raising the question whether sufficient safeguards exist to ensure that such hybrid arrangements remain compatible with principles of democratic legitimacy and the rule of law.

IV. Transparency Overload

Transparency constitutes a central pillar of the DSA’s regulatory model. The Regulation introduces extensive disclosure obligations, including trans­parency reports (Article 15 DSA) and the publication of statements of reasons in the DSA Transparency Database (Article 24(5) DSA). These mechanisms gen­erate large quantities of highly granular data, reflecting the scale and individ­ualised nature of content moderation decisions.

This transparency architecture is operationalised in particular through the DSA Transparency Database operated by the European Commission, which aggregates statements of reasons submitted by online platforms in near real time.^[43]Website DSA Transparency Database: <https://transparency.dsa.ec.europa.eu/>. The database already contains several billion entries covering modera­tion decisions across hundreds of platforms. Nevertheless, the practical value of this information for effective oversight remains contested. Reported figures may vary depending on relevant timeframes, aggregation methods, and re­porting practices, creating difficulties for comparability and systematic analy­sis. Moreover, the sheer volume and complexity of the available data may itself become an obstacle to meaningful scrutiny.

This gives rise to a broader structural concern which can be described as “transparency overload”. While the DSA significantly increases the availability of information concerning platform governance, transparency does not auto­matically translate into accountability. Effective oversight depends not only on disclosure as such, but also on the accessibility, comprehensibility, and prac­tical usability of the information provided. In this respect, the DSA raises the question whether large-scale transparency mechanisms alone are sufficient to ensure meaningful democratic, regulatory, and academic scrutiny of platform governance practices.^[44]Marie-Therese Sekwenz/Rita Gsenger, The Digital Services Act: Online Risks, Trans­parency and Data Access, in: Gsenger/Sekwenz, Digital Decade: How the EU Shapes Digi­talisation Research, … Continue reading

V. Market Effects and Regulatory Asymmetries

Finally, the DSA may have unintended consequences for market structure. Compliance with its obligations entails significant administrative, organisa­tional, and technical costs, particularly for services subject to enhanced oblig­ations, such as very large online platforms and search engines (Articles 33–37 DSA). Although the Regulation differentiates obligations according to size and reach, the overall compliance burden may still disproportionately affect smaller providers. These actors may lack the resources necessary to imple­ment complex risk management systems, auditing procedures, and trans­parency mechanisms. As a result, the DSA may contribute to regulatory asym­metries, reinforcing the position of large platforms that are better equipped to absorb compliance costs.

Moreover, the Regulation relies extensively on information generated and con­trolled by the platforms themselves, particularly in the context of systemic risk assessments and data access (Article 40 DSA). This creates a potential infor­mational dependency of regulators on large platforms, which possess superior technical expertise, infrastructural knowledge, and control over relevant data. The DSA therefore risks producing a structural paradox; while seeking to con­strain platform power, its enforcement model simultaneously depends on the organisational and informational capacities of the very actors it aims to regu­late.

G. Conclusion and Outlook

The preceding analysis suggests that the DSA does not constitute a definitive solution to the underlying challenges that prompted its adoption. Its effec­tiveness remains shaped by persistent tensions within the Regulation itself, including the indeterminacy of systemic risk governance, the increasing re­liance on private actors, and the continuing difficulties associated with balanc­ing freedom of expression and the mitigation of online harms. Moreover, re­cent developments, such as shifting platform moderation practices, new forms of state intervention aimed at controlling access to digital services, and the growing impact of generative artificial intelligence, suggest that the regula­tory environment surrounding digital communication remains subject to sig­nificant and ongoing transformation.

I. Systemic Risk Governance under the DSA

The Digital Services Act introduced a fundamental shift in the regulation of digital communication. Rather than focusing on the legality of individual con­tent, it establishes a framework for governing the systemic conditions under which content is produced, disseminated, and amplified. In this model, plat­forms are no longer treated merely as intermediaries, but as key infrastruc­tures of the digital public sphere. In the context of hate speech and disinfor­mation, this shift is particularly significant. Both phenomena expose the limits of traditional legal approaches based on clearly defined categories of unlaw­ful conduct. While certain forms of harmful content may be illegal, a substan­tial proportion remains within the scope of protected expression. The DSA responds to this challenge not by expanding substantive prohibitions, but by targeting the mechanisms that shape visibility and reach, including recom­mender systems, platform design, and organisational processes.

II. The Limits of Systemic Risk Governance

This regulatory model is not without tensions. At its core lies the concept of systemic risk, which functions as a central organising principle of the DSA. While this concept enables a flexible and forward-looking form of regulation, it remains inherently indeterminate, leaving considerable discretion in its in­terpretation and operationalisation. At the same time, the DSA relies heavily on private actors for the implementation of regulatory objectives. Platforms are required to assess and mitigate risks, design safeguards, and operationalise abstract legal standards. This effectively shifts key normative decisions to private entities, raising questions of legitimacy, accountability, and effective oversight, particularly where such decisions shape the visibility of lawful expression.

Further challenges arise in relation to fundamental rights. The risk of overblocking, the opacity of algorithmic systems, and the procedural asymme­tries between platforms and users may affect freedom of expression and ac­cess to information. Although the DSA introduces procedural safeguards, such as notice-and-action mechanisms, reason-giving obligations, and complaint-handling systems, these primarily structure decision-making processes rather than substantively constrain outcomes.

Ultimately, the responsibility for safeguarding the conditions of democratic discourse and media pluralism remains with the state. The DSA does not elim­inate this responsibility but redistributes it within a hybrid governance frame­work in which public oversight and private ordering are closely intertwined, and not always clearly aligned.

III. Fragmentation in Platform Governance

At the same time, developments at the level of platform governance point in a partially divergent direction. In recent years, major platforms have begun to recalibrate their content moderation strategies, in some cases significantly re­ducing the scope of proactive interventions and shifting responsibility away from centralised moderation structures.

A particularly illustrative example is provided by recent policy changes at Meta. In January 2025, the company announced a fundamental restructuring of its content moderation framework, including the discontinuation of large parts of its third-party fact-checking programme, initially in the United States, and its replacement with user-driven mechanisms such as “community notes”.^[45]See Meta, “More Speech and Fewer Mistakes”, 7 January 2025, <https://about.fb.com/news/2025/01/meta-more-speech-fewer-mistakes/?utm_source=chatgpt.com>. Inspired by similar approaches adopted by X, this model relies on users themselves to identify and contextualise potentially misleading content. Moreover, Meta signalled a broader shift towards prioritising freedom of ex­pression and reducing what it described as excessive or erroneous removals of lawful content. These developments can be interpreted as marking a departure from the more interventionist moderation strategies adopted in the aftermath of earlier disinformation crises. Content moderation has increasingly become a site of political contestation, particularly in the United States, where platforms have faced criticism for allegedly over-enforcing moderation rules and engaging in forms of private censorship. The shift towards community-based moderation might also be driven by economic and operational con­sid­er­a­tions, as it reduces the need for extensive moderation in­fra­struc­tures while allowing platforms to limit both costs and legal exposure.

However, these developments have also raised significant concerns. Meta’s own Oversight Board criticised the company for implementing the policy changes “hastily” and without sufficient assessment of their human rights im­pact.^[46]See Dan Milmo, ‘Meta “hastily” changed moderation policy with little regard to impact, says oversight board’, The Guardian, 23 April 2025, … Continue reading In particular, concerns have been expressed that reducing proactive moderation and automated detection mechanisms may increase the circula­tion of harmful content, especially in high-risk contexts such as political crises or situations of intergroup conflict.

More fundamentally, these developments reveal a potential misalignment be­tween evolving platform practices and the regulatory logic underlying the DSA. While the DSA is premised on the idea that platforms should assume structured responsibilities for the identification and mitigation of systemic risks, recent developments suggest a partial retrenchment from precisely such responsibilities in certain political and regulatory environments. This creates a risk of increasing regulatory divergence, particularly where global platforms adopt differentiated governance models across jurisdictions. These tensions have also acquired a more explicitly geopolitical dimension. In late 2025, the United States adopted restrictive measures against several European actors associated with content moderation and disinformation governance frame­works, framing their activities as forms of “extraterritorial censorship”.^[47]See SRF News, “USA: Entry bans against five Europeans – EU threatens retaliation” (24 De­cem­ber 2025), available at: … Continue reading This episode illustrates how platform regulation is increasingly embedded in broader conflicts over digital sovereignty and the legitimate limits of state in­fluence over online discourse.

IV. From Platform Governance to Access Control

Recent developments suggest that political responses to online harms may in­creasingly extend beyond platform governance towards more direct forms of state intervention and access control. While the DSA is built around due dili­gence, procedural safeguards, and systemic risk mitigation, a growing num­ber of states are considering or adopting more direct interventions aimed not merely at structuring platform behaviour, but at restricting access to digital services themselves.

A particularly important example concerns age-based restrictions on access to social media services. Australia has moved furthest in this direction. Since 10 December 2025, age-restricted social media platforms must take “reasonable steps” to prevent Australians under 16 from creating or keeping accounts.^[48]See Australian Government, Department of Infrastructure, Transport, Regional Development, Communications and the Arts, ‘Social media minimum age’, available at … Continue reading The regime is enforced against platforms rather than against children or par­ents, and the law has been presented as a response to the harmful effects of social media design features, including compulsive use, exposure to harmful content, and risks to minors’ health and wellbeing.

Comparable debates are now unfolding in Europe. In France, the National Assembly approved a bill in January 2026 that would ban access to social media for children under 15, although disagreement between the parliamen­tary chambers has persisted over the exact scope of the measure.^[49]See The Guardian, ‘French lawmakers vote to ban social media use by under-15s’, 27 January 2026, <https://www.theguardian.com/world/2026/jan/27/france-social-media-ban-under-15s>. In Austria, the government announced in March 2026 its intention to introduce a statu­tory minimum age of 14, with the proposal specifically framed around harmful platform functionalities and addictive algorithmic design rather than particu­lar named services.^[50]See Reuters, ‘Austria plans social media ban for children under 14’, 27 March 2026, … Continue reading At EU level, the debate has also intensified: the Commis­sion has promoted a common age-verification solution, and a broader politi­cal discussion on minimum age thresholds is now underway across a growing number of Member States.^[51]European Commission, press release, ‘Commission sets out a common approach for EU-wide Age Verification technologies’, 29 April 2026, … Continue reading

These initiatives respond to legitimate concerns, particularly regarding harm­ful content, cyberbullying, addictive design, and the commercial exploitation of minors’ attention. At the same time, they raise difficult legal and practical questions. Effective age assurance may require intrusive forms of verification; anonymous or privacy-preserving solutions remain technically and institu­tionally contested; and broad age-based restrictions risk shifting regulatory attention away from platform architecture and systemic incentives towards exclusionary access bans. In this respect, such measures go beyond the DSA’s basic logic. Rather than structuring platform governance through procedural and risk-based duties, they seek to exclude certain users from participation altogether, at least with respect to specified services or functionalities.

A second development concerns more direct state interventions affecting ac­cess to platforms as such. The most prominent recent example is Brazil’s tem­porary blocking of X in 2024.^[52]See The New York Times, ‘Brazil Blocks X After Musk Ignores Court Orders’, 30 August 2024, <https://www.nytimes.com/2024/08/30/world/americas/brazil-elon-musk-x-blocked.html>. After a conflict over compliance with judicial orders and the requirement to appoint a legal representative in the country, Brazil’s Supreme Federal Court ordered internet service providers to block ac­cess to the platform nationwide. Access was restored only after X complied with the relevant orders, paid fines, and appointed a representative.

This type of intervention reflects a regulatory logic fundamentally different from that of the DSA. The DSA seeks to discipline platforms through trans­parency, accountability, and systemic risk mitigation while preserving the ba­sic availability of services within the internal market. By contrast, age-based bans and platform suspensions rely on exclusion, service restriction, or di­rect sovereign control over access to communication infrastructures. They therefore raise distinct concerns under constitutional and international hu­man rights law, including proportionality, due process, freedom of expression, and access to information. Current developments thus suggest that the fu­ture regulation of digital communication may not be shaped by the DSA alone, but by a more heterogeneous and increasingly interventionist set of legal re­sponses.

V. Generative AI and the Amplification of Systemic Risks

These challenges are likely to intensify in light of ongoing technological devel­opments. Generative artificial intelligence significantly lowers the barriers to the production of misleading, manipulative, and synthetic content. It enables the rapid creation of texts, images, audio, and video that can be disseminated at scale and tailored to specific audiences. In this respect, generative AI does not merely increase the quantity of problematic content; it also enhances its plausibility and strategic usefulness.

A further challenge lies in the growing sophistication of synthetic media, par­ticularly deepfakes. AI-generated or AI-manipulated content increasingly blurs the line between authentic and fabricated communication and thereby un­dermines established cues of credibility.^[53]See Bobby Chesney and Danielle Citron, “Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security”, 107 California Law Review (2019), Part I.C (“Fueling the Fire”), … Continue reading The EU has begun to respond to these risks through transparency obligations under the AI Act, including spe­cific rules concerning AI-generated content and deepfakes. Yet such obliga­tions address only part of the problem: they may improve transparency, but they do not in themselves prevent the rapid dissemination and amplification of deceptive content through platform systems. At the same time, generative AI interacts with existing platform architectures in ways that may intensify sys­temic risks. Where recommendation systems privilege emotionally charged or polarising material, AI makes it easier to produce precisely such content in scalable and highly adaptable forms. In this sense, generative AI amplifies ex­isting vulnerabilities in the digital information environment rather than creat­ing an entirely new category of risk.

Under these conditions, the distinction between illegal content and lawful but harmful content may become increasingly difficult to operationalise in a con­sistent and predictable manner. This places additional pressure on regulatory models that rely on that distinction as a central organising principle and sug­gests that future governance will require a combination of transparency du­ties, systemic oversight, and broader forms of societal resilience.

VI. The Competitiveness Turn in EU Digital Regulation

Recent developments suggest a broader shift in the political and regulatory environment surrounding EU digital regulation. While the legislative cycle be­tween roughly 2020 and 2024 was characterised by an unprecedented expan­sion of digital regulation, including the adoption of the DSA, the DMA, the AI Act and the Data Act, the current regulatory discourse increasingly empha­sises simplification, competitiveness, innovation capacity, and the cumulative burden of regulation on European businesses. This shift is particularly visible in the European Commission’s “Digital Omnibus” proposal presented in No­vember 2025.^[54]Proposal for a Regulation of the European Parliament and of the Council amending Regula­tions (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) … Continue reading The initiative forms part of a broader series of Omnibus pack­ages aimed at reducing regulatory complexity and streamlining compliance obligations across several policy fields within the Union. In the digital field, the Commission explicitly frames the initiative as a first step in a wider effort to “stress-test” the digital acquis and simplify the increasingly dense framework of EU digital legislation.

From a broader governance perspective, this development may indicate the emergence of a third phase of EU digital regulation. The first phase, particu­larly associated with the Juncker Commission’s Digital Single Market strategy, focused primarily on market integration and the removal of barriers within the internal market. The subsequent phase under the von der Leyen Commis­sion was marked by a substantial expansion of regulatory intervention aimed at platform accountability, digital sovereignty, systemic risk governance, and the constitutionalisation of the digital public sphere. By contrast, the current phase appears increasingly shaped by concerns relating to Europe’s economic competitiveness and regulatory sustainability. The Staff Working Document accompanying the Digital Omnibus repeatedly refers to the need for a “simpler and faster Europe”, a reduction of compliance costs, and a more “innovation-friendly implementation” of digital rules.^[55]European Commission, Commission Staff Working Document Accompanying the docu­ments Proposal for a Regulation of the European Parliament and of the Council Amending Regula­tions (EU) 2016/679, … Continue reading The initiative is also explicitly linked to the broader competitiveness discourse reflected in the Draghi^[56]Mario Draghi, The Future of European Competitiveness, Report for the European Commis­sion, September 2024, <https://commission.europa.eu/topics/competitiveness/draghi-report_en>. and Letta^[57]Enrico Letta, Much More Than a Market: Speed, Security, Solidarity – Empowering the Sin­gle Market to Deliver a Sustainable Future and Prosperity for All EU Citizens, Report to the European … Continue reading reports, both of which warned against the economic effects of regulatory ac­cumulation and administrative fragmentation within the Union.

At present, the Digital Omnibus does not directly amend the DSA itself. The proposal primarily targets parts of the data acquis, cybersecurity legislation, and aspects of the AI regulatory framework. Nevertheless, the accompanying documents expressly announce a broader “Digital Fitness Check” of the Union’s digital legislation and identify the DSA as one of the instruments scheduled for future evaluation during the current legislative cycle. Although the Commission simultaneously emphasises that simplification efforts should not undermine the underlying objectives or standards of existing legislation, the initiative nonetheless illustrates a changing political and economic envi­ronment surrounding EU digital governance.

VII. Beyond the DSA: Platform Governance in the Age of Synthetic Communication

The Digital Services Act represents a significant step in the evolution of plat­form regulation. By shifting the regulatory focus from individual pieces of content towards systemic risks, platform architectures, and procedural gov­ernance mechanisms, it provides a more structurally oriented response to the dynamics of digital communication. At the same time, the model intro­duced by the DSA remains inherently contested and exposed to continuous transformation. Platform governance practices are evolving rapidly, regulatory approaches increasingly diverge across jurisdictions, and technological de­velopments, particularly generative artificial intelligence, are reshaping the production and dissemination of digital content.

These developments expose the limits of a regulatory framework that contin­ues to rely on transparency obligations, procedural safeguards, and risk miti­gation duties as instruments for stabilising digital public discourse. The grow­ing proliferation of AI-generated and synthetic content may increasingly blur the distinction be­tween authentic and artificial communication, thereby con­tributing to broader forms of informational uncertainty and declining trust in online environments.^[58]See Sarah Montani/Rolf H. Weber, Synthetische Persönlichkeit und der Schutz des Selbst, in Rolf H. Weber, Künstliche Intelligenz und rechtliche Normenordnung (2025), pp. 244 et seq., arguing that … Continue reading If digital platforms gradually lose their function as trusted spaces of public communication, political pressures for more inter­ventionist forms of regulation may intensify, including stronger identity verifi­cation requirements, mandatory labelling of synthetic content, or more direct forms of state intervention aimed at protecting the integrity of digital commu­nication infrastructures. Against this background, the DSA is best understood not as a final settlement, but as a regulatory baseline within a rapidly evolving technological and geopolitical environment.