EU Digital Services Act 2026: Complete SaaS Developer Compliance Guide
Post #1359 in the sota.io EU Regulatory Compliance Series
The EU Digital Services Act (DSA) has been in force for all platforms since February 2024 — yet most SaaS developers still assume it only applies to social networks and search engines. That assumption is wrong, and increasingly expensive. National Competent Authorities across the EU are actively auditing mid-market platforms, with fines reaching 6% of global annual turnover for non-compliance.
This guide is written for SaaS product engineers and founders who need to determine whether the DSA applies to their product, what exactly it requires, and how to build a compliant system without a team of lawyers.
What Is the Digital Services Act?
The DSA (Regulation (EU) 2022/2065) is a horizontal regulation governing intermediary services — platforms, hosting providers, and networks that store, route, or process third-party content. It entered into force on 16 November 2022, applied to Very Large Online Platforms (VLOPs) from 25 August 2023, and to all other providers from 17 February 2024.
Key design principle: DSA is a content moderation and transparency framework. Unlike NIS2 (cybersecurity) or GDPR (personal data), the DSA governs how you handle illegal content, how you communicate with users about algorithmic decisions, and how you protect users from deceptive practices.
Three Tiers of Obligations
| Tier | Category | Threshold | Applied Since |
|---|---|---|---|
| All intermediaries | Caching, mere conduit, hosting | None | Feb 2024 |
| Online platforms | User-generated content + hosting | None | Feb 2024 |
| Very Large Online Platforms (VLOP) | Online platforms | >45M EU monthly active users | Aug 2023 |
Does Your SaaS Fall Under the DSA?
The DSA applies to intermediary services with EU users, regardless of where the provider is established. A SaaS company incorporated in the US, Singapore, or Australia must comply if it has EU users.
Hosting Service (Art. 2(f))
Your SaaS is a hosting service if it stores information provided by users, even temporarily. This includes:
- B2B SaaS where customers upload files, documents, or data sets
- Developer platforms (repositories, artefact registries, deployment pipelines)
- Collaboration tools (wikis, project management, async communication)
- CRMs where users input customer data
- E-commerce backends where merchants upload product content
Key test: Does your platform store third-party content that other users or the public can access? If yes, you are a hosting service under Art. 2(f).
Online Platform (Art. 2(h))
Your SaaS is an online platform — with additional obligations — if it both stores third-party content and disseminates it publicly or to other users. Examples:
- Marketplace SaaS (sellers post product listings visible to buyers)
- Community features (discussion boards, comments, user profiles)
- API platforms where third-party developers publish apps or integrations
- Review/rating modules embedded in your product
What Is NOT in Scope
The DSA explicitly exempts certain categories:
- Private communications — end-to-end encrypted messaging between identified parties (Art. 2(5)(b))
- Pure backend processing — SaaS that processes data on behalf of a B2B customer without user-generated content visible to others (data warehouses, ETL pipelines, analytics APIs)
- Micro and small enterprises — fewer than 50 employees and annual turnover under €10M (Art. 19 exemption from most platform obligations — but not from illegal content removal obligations)
Core Obligations for Hosting Services (All Tiers)
1. Notice and Action Mechanism (Art. 16)
Any hosting service receiving a valid notice about illegal content must act expeditiously — typically defined by national authorities as 24–72 hours for manifestly illegal content (CSAM, terrorist content) and up to 14 days for grey-area content requiring legal assessment.
What counts as a valid notice (Art. 16(2)):
- Clear identification of the content location (URL)
- Explanation of why the content is allegedly illegal
- Name and email address of the notifying party
- Statement of good faith
What you must do:
- Establish a single point of contact for notices (Art. 11) — this can be an email address
- Acknowledge receipt to the notifier
- Assess and act within a reasonable timeframe
- Notify the content provider if you remove/restrict their content, with reasons (Art. 17)
- Provide a complaints mechanism for content providers (Art. 20)
Practical implementation: A dedicated legal@yourdomain.com or abuse@yourdomain.com mailbox documented in your Terms of Service and footer satisfies the single point of contact requirement. Your abuse response workflow must be documented.
2. Transparency Reporting (Art. 24)
Online platforms must publish an annual transparency report covering:
- Number of notices received (by type of illegal content)
- Number of content removal/restriction actions taken
- Number of complaints received via the internal complaint mechanism
- Automated content moderation decisions
Format: There is no prescribed format, but ERGA (European Regulators Group for Audiovisual Media Services) has published guidance. A public webpage updated annually is acceptable.
Micro/small enterprise exemption: If you have fewer than 50 employees and <€10M turnover, you are exempt from the transparency reporting obligation (Art. 24(3)).
3. Terms of Service Clarity (Art. 14)
Your Terms of Service must clearly state:
- Restrictions you impose on content
- Enforcement policies (what you moderate and how)
- Information about redress mechanisms
Vague "we may remove content at our discretion" language is insufficient. The ToS must describe categories of prohibited content and your enforcement procedure.
Additional Obligations for Online Platforms
4. Internal Complaint Handling (Art. 20)
If you restrict user content (remove, downrank, suspend an account), you must offer the affected user:
- A free, accessible complaint mechanism
- A response within a reasonable time (regulators expect <15 days for non-emergency cases)
- A human review for automated moderation decisions
Implementation: A simple web form or email workflow that creates a ticket with a response SLA satisfies this. You do not need a full-scale trust & safety team, but you need a documented process.
5. Out-of-Court Dispute Settlement (Art. 21)
Users must be able to refer unresolved complaints to a certified out-of-court dispute settlement body. The European Commission maintains a list of certified bodies per member state.
Practical note: You must explicitly reference the right to ODR (Online Dispute Resolution) in your complaint response. You are not obligated to follow the settlement body's decision, but must participate in good faith.
6. Trusted Flaggers (Art. 22)
This obligation applies only if you receive a large volume of notices and can benefit from fast-tracked processing. Trusted flagger status is granted by national DSA coordinators. For most SaaS products this is not relevant until significant scale.
7. Prohibition on Dark Patterns (Art. 25)
Online platforms may not use interface designs that:
- Deceive or manipulate users into decisions they wouldn't otherwise make
- Make it harder to opt out than to opt in
- Use ambiguous wording to obtain broader consent
- Create artificial urgency ("only 2 left!")
This overlaps significantly with GDPR's consent requirements. A DSA-compliant dark-patterns audit covers many GDPR consent issues simultaneously.
8. Advertising Transparency (Art. 26)
If your platform displays targeted advertising, each ad must be clearly marked as advertising, identify the advertiser, and disclose the main parameters used for targeting. Users must have the ability to declare they do not want to receive targeted advertising.
Note: This applies to contextual advertising (serving ads to your users) — not to content-based pricing or product recommendations. Most B2B SaaS products do not serve advertising and are not affected.
9. Recommender System Transparency (Art. 27)
If your platform uses a recommender system (an algorithm that determines what content individual users see), you must:
- Disclose in your ToS the main parameters that determine recommendations
- Offer at least one option not based on profiling
Practical scope: This applies to curated feeds, search result ranking, personalised dashboards, and AI-powered content surfacing. It does not apply to simple chronological listings or keyword search.
Very Large Online Platform (VLOP) Obligations (Art. 33–61)
Once you cross 45 million EU monthly active users, you become a VLOP and face a significantly expanded compliance regime, including:
- Annual systemic risk assessment (Art. 34)
- Independent audit every year (Art. 37)
- Mandatory crisis response protocols (Art. 48)
- Data sharing with researchers (Art. 40)
- European Commission oversight alongside national DSA coordinators
- Additional fee (Art. 43): contribution to the Commission's supervisory costs
Realistic SaaS path to VLOP: 45M EU MAUs is a very high threshold. Most SaaS products will not hit this for many years. The VLOP risk is most relevant for horizontal collaboration tools, large developer platforms, and consumer-facing SaaS with viral growth in the EU.
National Competent Authorities (DSA Coordinators) by Country
The DSA designates a Digital Services Coordinator (DSC) in each EU member state as the primary enforcement body:
| Country | Authority | Contact |
|---|---|---|
| Germany | Bundesnetzagentur (BNetzA) | dsa@bundesnetzagentur.de |
| France | ARCOM (Autorité de régulation de la communication) | dsa@arcom.fr |
| Netherlands | Autoriteit Consument en Markt (ACM) | acm.nl/contact |
| Ireland | Coimisiún na Meán | info@cnam.ie |
| Spain | CNMC (Comisión Nacional de Mercados y la Competencia) | cmc@cnmc.es |
| Italy | AGCOM | dsa@agcom.it |
| Austria | RTR (Rundfunk und Telekom Regulierungs-GmbH) | rtr.at |
| Belgium | IBP/CSA | csa.be |
| Sweden | Swedish Press and Broadcasting Authority (MPRT) | mprt.se |
| Poland | UKE (Office of Electronic Communications) | uke.gov.pl |
Establishment rule: If you are established in the EU, you register with the DSC of your EU Member State of establishment. If you are established outside the EU, you may choose your DSC based on where the majority of your EU users are, or appoint a legal representative (Art. 13).
Fines and Enforcement
The DSA fine structure:
| Violation | Maximum Fine |
|---|---|
| Non-compliance with platform obligations | Up to 6% of global annual turnover |
| Provision of incorrect/misleading information | Up to 1% of global annual turnover |
| Failure to comply with interim measures | Up to 5% of average daily worldwide turnover per day |
| Repeat VLOPs (systemic non-compliance) | Temporary access restriction in the EU |
Enforcement is accelerating. In 2025–2026, multiple platforms received preliminary findings from national DSCs. The Commission opened formal proceedings against several VLOPs (X/Twitter, Meta, TikTok) in 2024, establishing enforcement patterns that national authorities follow.
DSA vs. GDPR vs. NIS2: The Compliance Interaction
The three major EU digital regulations interact significantly for SaaS platforms:
| Topic | GDPR | NIS2 | DSA |
|---|---|---|---|
| Illegal content removal | Not governed | Not governed | Art. 16 ✓ |
| Dark patterns | Art. 5(1)(a) (fairness) | Not governed | Art. 25 ✓ |
| Algorithm transparency | Art. 22 (automated decisions) | Not governed | Art. 27 ✓ |
| Security incidents | Art. 33–34 (72h notification) | Art. 23 (24h early warning) | Not governed |
| Data minimisation | Art. 5(1)(c) | Not governed | Not governed |
A combined GDPR + DSA compliance audit is the most efficient approach — the Art. 25 dark patterns audit overlaps almost completely with GDPR Art. 6/7 consent requirements.
SaaS DSA Compliance Checklist (Hosting Service + Online Platform)
Hosting Service Baseline
- Single point of contact: Abuse email documented in ToS footer and Privacy Policy
- Notice & Action procedure: Written internal policy defining response times by content type
- Content provider notification: Template response when you remove/restrict content
- Complaint mechanism: Process for content providers to contest removal decisions
- Terms of Service: Content restrictions clearly described with enforcement procedures
- Legal representative (if outside EU): Representative appointed per Art. 13
Online Platform Additional
- Annual transparency report: Published on website (can be a simple webpage)
- Internal complaint form/email: With documented response SLA (<15 days)
- Out-of-court dispute settlement: Reference included in complaint responses
- Dark pattern audit: UI reviewed against Art. 25 prohibited practices
- Recommender system disclosure (if applicable): Parameters described in ToS
- Advertising transparency (if applicable): Ad marking and targeting disclosure
- DSC registration (if >45M EU MAUs): Register as VLOP with Commission
Technical Implementation
- Abuse ingestion system: Email/webhook → ticketing system
- Response SLA tracking: Automated alerts when abuse tickets exceed response time
- Audit log: Record of all notice-and-action decisions for 6-year retention
- Legal hold capability: Ability to preserve content associated with judicial orders
Common Mistakes SaaS Teams Make with DSA Compliance
Mistake 1: Assuming B2B SaaS is exempt. The DSA does not have a B2B exemption. If your B2B platform stores user-generated content that can be accessed by other platform users (even other company employees), you are in scope.
Mistake 2: Confusing the DSA with GDPR. GDPR is about personal data; DSA is about content and algorithmic transparency. You can be GDPR-compliant and DSA-non-compliant simultaneously (and vice versa).
Mistake 3: Thinking the micro/small exemption is binary. The Art. 19 exemption only covers specific platform obligations (transparency reports, recommender disclosure, advertising rules). It does not exempt you from illegal content removal obligations or the notice-and-action mechanism.
Mistake 4: No audit log for moderation decisions. DSA Art. 17 requires you to explain moderation decisions to affected users. Without a record of why you removed content, you cannot comply with this requirement when users contest decisions.
Mistake 5: Using the same ToS for EU and non-EU users without DSA-specific provisions. Your ToS must include DSA-specific disclosures for EU users. A global ToS without EU-specific sections creates enforcement risk.
Building a DSA-Compliant SaaS: The Minimal Viable Compliance Stack
For a typical B2B SaaS platform with user-generated content and fewer than 50 employees:
1. Abuse inbox (abuse@yourdomain.com) → connected to a shared ticketing system (Linear, Jira, or a dedicated tool like Zendesk).
2. Response playbooks: Written procedures for CSAM (immediate removal + INHOPE report), hate speech, IP infringement, and general ToS violations.
3. Moderation decision log: Append-only database table logging: content ID, decision type, decision date, reviewer, reason code, notification sent (Y/N).
4. Content provider notification template: Automated email triggered on content removal, containing: what was removed, why, and how to contest the decision.
5. ToS update: Add a section describing prohibited content categories, your enforcement procedure, and the right to complain to an out-of-court body.
6. Annual DSA report: A simple public webpage (or blog post) listing aggregate statistics. Even zero-incident reporting satisfies the obligation.
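As an added illustration of steps 2 to 4 above (example code, not from the post or from sota.io), the following Python sketch validates an Art. 16(2) notice, derives a response deadline from the content category, keeps the moderation decisions in an append-only log, and builds the Art. 17 notification fields. The SLA values, field names and class names are assumptions; the windows were chosen to sit inside the ranges quoted earlier in the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Assumed response windows, chosen inside the ranges quoted above
# (24-72 h for manifestly illegal content, up to 14 days for grey-area content).
SLA = {"manifestly_illegal": timedelta(hours=24), "grey_area": timedelta(days=14)}

@dataclass(frozen=True)
class Notice:                  # Art. 16(2) notice as received from the notifier
    notice_id: str
    content_url: str           # location of the content
    explanation: str           # why it is allegedly illegal
    notifier_name: str
    notifier_email: str
    good_faith: bool           # statement of good faith
    category: str              # key into SLA
    received_at: datetime

@dataclass(frozen=True)
class Decision:                # one moderation decision; never edited once logged
    notice_id: str
    content_id: str
    action: str                # "removed", "restricted" or "no_action"
    decided_at: datetime
    reviewer: str
    reason_code: str
    notified: bool             # Art. 17 statement of reasons sent to provider

def is_valid_notice(n: Notice) -> bool:
    """Art. 16(2): content location, explanation, name + email, good faith."""
    return all([n.content_url.startswith(("http://", "https://")),
                n.explanation.strip(), n.notifier_name.strip(),
                "@" in n.notifier_email, n.good_faith])

def deadline(n: Notice) -> datetime:
    return n.received_at + SLA[n.category]

class DecisionLog:
    """Append-only: callers may add and read records, never update or delete."""
    def __init__(self) -> None:
        self._records: list[Decision] = []
    def append(self, d: Decision) -> None:
        self._records.append(d)
    def overdue(self, n: Notice, now: datetime) -> bool:
        """True when a valid notice has no logged decision past its deadline."""
        decided = any(r.notice_id == n.notice_id for r in self._records)
        return is_valid_notice(n) and not decided and now > deadline(n)

def statement_of_reasons(d: Decision) -> dict:
    # Fields for the Art. 17 notification: what was removed, why, how to contest.
    return {"content_id": d.content_id, "action": d.action, "reason_code": d.reason_code,
            "decided_at": d.decided_at.isoformat(), "redress": "Art. 20 complaint or Art. 21 body"}
```

Run `overdue()` from a scheduled job to drive the SLA alerts listed under Technical Implementation; the log itself should be backed by a table that grants INSERT and SELECT only.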
Next in the EU-DSA-SAAS-COMPLIANCE-2026 Series
This is Post #1 of 5 in our EU DSA compliance deep-dive:
- Post #1359 (this post): DSA Scope and Core Obligations for SaaS Developers
- Post #1360: DSA Notice & Action Implementation: Building Your Abuse System
- Post #1361: DSA Recommender Systems & Algorithmic Transparency for SaaS (Art. 27)
- Post #1362: DSA vs. GDPR vs. NIS2: The Combined EU Platform Compliance Stack
- Post #1363: EU DSA Compliance Stack Finale: Country-by-Country Enforcement Map 2026
sota.io is an EU-native managed PaaS — 100% GDPR, no US parent, no CLOUD Act exposure. Deploy any framework on Hetzner Germany from €9/mo. Start free →