Breaking down data rules from around the globe

Privacy laws

Dsa

Digital Services Act (DSA): Transparency and Content Accountability

Here, you’ll find out what the DSA actually requires in 2025, what it means if you run a business online, and how it fits with other regulations you might already know, like GDPR.

Why the Digital Services Act Matters in 2025

When the GDPR arrived in 2018, it changed how companies collected and stored personal data. But that was seven years ago, and the internet has shifted. Today the bigger question is: what happens with the content people see on their screens?

The Digital Services Act (DSA) tries to answer that. It covers things like ad labeling, algorithmic feeds, and how platforms deal with takedown requests.

Think of the problems it’s aimed at: political ads with no sponsor listed, recommendation engines pushing conspiracy videos, or cookie banners that trick you into clicking “accept.” These are the issues regulators want cleaned up.

For companies, the law isn’t abstract. It means putting a visible label on ads, writing terms of service people can actually read, and keeping a record of why posts were removed. Do it now, and inspections later will be far less painful. Wait too long, and you’ll face fines — and probably bad press.

From GDPR to DSA: Shifting the Focus from Data to Content

The GDPR gave users rights over personal data — to check it, fix it, or delete it. The DSA doesn’t replace that, but it shifts attention to what people actually interact with: feeds, ads, and search results.

So instead of only asking “what data are you holding?”, regulators now ask “why is this video showing up first?” or “who paid for this ad?” The focus moves from back-end databases to the front-end experience. That’s the real difference.

What Is the Digital Services Act?

The DSA is an EU law that tells online services how they must deal with ads, content, and complaints. It was passed in 2022, but only started to really bite in 2024, when it became binding across the EU. Unlike the GDPR, which is about how companies use your personal data, the DSA looks at what people actually see on their screens — ads, search results, posts, recommendations.

So what does that mean in practice? Companies have to mark ads clearly, give people ways to report content, publish transparency reports, and explain how recommendation systems rank things. The very biggest platforms also face audits and regular risk checks.

Who Must Comply

Not everyone online has the same workload under the DSA. The rules scale up:

  • Intermediary services – internet access providers and hosting companies. Their main job is to respond when someone flags illegal content.
  • Online platforms – marketplaces, app stores, review sites, social networks. They need clearer terms of service, proper complaint systems, and ad transparency.
  • Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – more than 45 million EU users a month. Think Meta, TikTok, Amazon, Google. These giants have the toughest job: yearly audits, risk checks on disinformation and manipulation, and plain-language explanations of how their algorithms work.

Small and mid-sized firms usually fall into the “online platform” tier. Their obligations are lighter, but still stricter than under the old E-Commerce Directive.

Key Deadlines and Enforcement Updates in 2025

  • August 2023 → The first VLOPs and VLOSEs were named and had to comply.
  • February 2024 → The DSA started applying to all online services in the EU.
  • February 16, 2025 → Platforms had to publish their first annual transparency reports.
  • July 2025 → The Commission adopted new rules giving vetted researchers access to platform data.

By now, enforcement is active. The Commission is investigating X (Twitter) over its moderation approach and TikTok for missing a proper ad library. Regulators are also calling out “dark patterns” in cookie and consent flows. \

The penalties are serious: fines up to 6% of global turnover, plus daily penalties of up to 5% for companies that drag their feet.

Transparency & Accountability Duties

The DSA puts heavy emphasis on making platforms more open about how they work and more responsible for the choices they make. Instead of long legal texts or hidden practices, the law sets out clear duties that affect everything from terms of service to how ads and algorithms are handled.

Here’s what it requires in practice:

  • Clearer Terms of Service → Companies must write terms in plain language and explain moderation rules. Regulators have already pushed some platforms to fix vague or confusing wording.
  • Ad Transparency — Ads must be labeled, show who paid for them, and explain why they appear. Sensitive targeting based on politics, religion, or sexuality is banned, and ad libraries are being checked in 2025.
  • Algorithmic Accountability — Platforms must explain how recommendation systems rank content. Very large services have to offer non-personalized feeds, such as chronological timelines, and submit to annual audits.
  • Transparency Reports — Since Feb 2025, platforms must publish yearly reports with numbers on flagged posts, removals, and complaint handling, which regulators now compare across services.
  • Illegal vs. Harmful Content — Illegal material (e.g., hate speech, counterfeit goods) must be taken down quickly. Harmful but not illegal content, like misinformation, still requires risk assessments and mitigation.
  • Notice-and-Action Mechanisms — Users must have simple tools to report illegal content and the right to receive explanations or appeal decisions when posts are removed.
  • Independent Audits and Risk Assessments — The largest platforms must carry out yearly risk reviews on issues like disinformation and have their practices checked by external auditors.
  • Tackling Disinformation and Dark Patterns — The law bans manipulative design tricks (e.g., “accept” in bold vs. “reject” hidden). Platforms must also show how they’re addressing disinformation risks, especially around elections.

Business & Ecosystem Impacts

The DSA doesn’t only affect tech giants — its rules ripple through the entire digital ecosystem. From small website owners to regulators and watchdog groups, each feels the impact in different ways.

  • Website Owners and SMEs — Small sites and online shops fall into the “online platform” category. Their obligations are lighter than those of Big Tech, but they still have to deal with notices about illegal content and keep their terms and ad practices clear enough for regulators to sign off on.
  • Large Platforms — Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs) carry the most weight. They’re under direct EU oversight, face annual audits, and risk fines of up to 6% of global turnover if they don’t follow the rules.
  • Regulators and Civil Society — National regulators (Digital Services Coordinators) and the European Commission now act as enforcers. Civil society groups and researchers can dig into transparency reports and ad libraries in ways they couldn’t before, giving outside scrutiny more teeth.
  • Compliance as a Competitive Advantage — For many businesses, meeting DSA standards early isn’t just about avoiding fines — it can also signal reliability. Being upfront about ads and content handling builds trust in crowded markets.
  • Overlap with GDPR, DMA, and eprivacy — The DSA doesn’t stand alone. Companies have to juggle it alongside GDPR (data), DMA (competition and gatekeeper rules), and eprivacy (cookies and communications). Coordinating these obligations reduces duplicated effort and helps avoid “compliance fatigue.”

The Role of CMPs

Consent Management Platforms (CMPs) are becoming a practical way for businesses to meet the DSA’s transparency and accountability standards. They help companies avoid dark patterns, handle consent fairly, and prove compliance when regulators come calling.

One example is CookieScript, which offers a wide set of tools designed to help businesses manage consent and cookies in line with EU rules.

Here are the CookieScript features most relevant to DSA compliance and why they matter:

  • User consents recording — Logs every consent choice so companies can prove when and how users agreed, a key requirement for audits.
  • Third-party cookie blocking — Automatically blocks Tracking Cookies until consent is given, preventing unauthorized profiling.
  • Google Consent Mode v2 — Adjusts how Google tags behave based on user consent, making ad personalization and measurement more transparent.
  • IAB TCF 2.2 integration — Shares standardized consent signals with advertising partners, ensuring ad transparency throughout the ecosystem.
  • Google-certified CMPCookieScript is certified by Google, giving businesses confidence that it meets Google’s consent standards.
  • geo targeting — Shows the right Cookie Banner depending on the user’s region, so EU users see DSA-compliant options without complicating experiences elsewhere.
  • Privacy Policy Generator — Helps businesses create clear, accessible policies that match the DSA’s plain-language requirement.
  • Automatic script blocking — Stops non-essential scripts from loading until a user makes a choice, reducing the risk of hidden tracking.
  • Automatic monthly scans — Regularly scans websites to detect new cookies and trackers, keeping disclosures up to date.
  • Advanced reporting — Provides detailed dashboards and exportable reports on consent activity, which makes demonstrating compliance easier.
  • Cookie Banner sharing — Allows businesses to use the same banner across multiple domains, ensuring consistent compliance for larger setups.
  • Self-hosted code — Gives businesses control to host consent scripts themselves, improving reliability and data security.
  • 40+ languages — Makes cookie banners available in the user’s preferred language, which supports accessibility and clarity across markets.

Together, these features show how CookieScript supports businesses in meeting DSA requirements — from handling everyday cookie banners to preparing for regulatory audits.

Challenges, Criticism, and Global Tensions

The DSA sets ambitious goals, but enforcing them is proving complicated. Regulators, businesses, and policymakers are still working out how the law works in practice — and where it struggles.

  • Enforcement Gaps — The Commission has opened high-profile investigations into X and TikTok, but smaller services may slip through the cracks. National regulators, the new Digital Services Coordinators, are active, yet critics worry about uneven pressure: strict for Big Tech, lighter for small or mid-sized firms. Others note that the Commission is both regulator and political actor, which can blur how consistently rules are applied.
  • EU–US Platform Disputes — Most of the platforms under the heaviest DSA rules are American, and that has led to friction. In 2025, U.S. Secretary of State Marco Rubio Marco Rubio pushed a lobbying campaign in Washington to weaken or roll back the law, while the Trump administration has threatened tariffs on EU goods. Brussels has rejected claims that the DSA discriminates against U.S. firms, but disputes over ad libraries, moderation, and algorithm transparency have become part of a wider trade fight.
  • Balancing Safety, Innovation, and Free Speech — The DSA is meant to make online spaces safer, but it raises hard questions about speech and innovation. Platforms warn that to avoid fines they may take down too much content, especially in gray areas like misinformation that is harmful but not illegal. Civil society groups argue the opposite — that companies are still leaving too much dangerous material online. To support balanced decisions, the EU created the European Centre for Algorithmic Transparency (ECAT), which studies how algorithms shape online experiences and provides input for enforcement.

In Conclusion

The DSA is pushing tech companies to be more open about how their platforms actually work. It’s not just about rules on paper — it’s about what shows up in people’s feeds and who gets to decide. The choices businesses make now will set the tone for the internet we all use next.

Frequently Asked Questions

Who does the Digital Services Act apply to?

It covers intermediaries, online platforms, and very large platforms like Meta or TikTok. Smaller businesses are included too, and CookieScript helps them stay compliant by logging consents, blocking third-party cookies, and keeping banners clear.

What’s the difference between illegal and harmful content under the DSA?

Illegal content must come down quickly. Harmful content — such as misinformation — isn’t always illegal, but platforms still need risk checks. CookieScript supports this with automatic scans and reporting tools that help show regulators you’re on top of compliance.

How does the DSA affect online advertising?

Ads must carry a label and show who paid for them. With CookieScript, cookies don’t load until users give consent, and Google Consent Mode v2 ensures Google tags respect that choice.

What are transparency reports under the DSA?

Platforms now need yearly reports on flagged posts, removals, and complaints. CookieScript makes this easier with advanced reporting and detailed consent records ready for audits.

What happens if companies don’t comply with the DSA?

Fines can reach up to 6% of global turnover. CookieScript reduces risk with features like automatic script blocking and IAB TCF 2.2 integration.

Do small websites need to worry about the DSA?

Yes. Even small shops must have fair consent flows and clear policies. CookieScript helps with a Privacy Policy Generator, banners in 40+ languages, and geo-targeting so EU users see the right version.

How are algorithms covered under the DSA?

Platforms must explain how recommendation systems work and offer non-personalized feeds. CookieScript ensures consent for ads and tracking is managed properly, keeping algorithm-driven content compliant.

What role do regulators play in DSA enforcement?

National regulators and the Commission enforce the rules, while researchers and watchdogs review ad libraries. CookieScript helps businesses prepare with consent logs, regular scans, and audit-ready reports.

How does the DSA interact with GDPR and ePrivacy?

It works alongside GDPR (data) and ePrivacy (cookies and communications). CookieScript bridges the gap by combining consent management, cookie blocking, and Privacy Policy generation.

Why are dark patterns banned under the DSA?

They trick people into saying yes — for example, hiding “reject” buttons. CookieScript avoids this with customizable, compliant banners that show choices fairly.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.