Digital Services Act compliance for AI

What is the DSA?

The Digital Services Act (Regulation 2022/2065) is the EU's framework for online platform accountability. It entered into force in November 2022 and has been fully applicable since 17 February 2024. VLOP/VLOSE obligations applied from August 2023.

The DSA covers intermediary services — platforms that host, transmit, or cache third-party content. Maximum fines: up to 6% of global annual turnover.

Digital Services Act Article 14 transparency obligations

Article 14 requires every provider of an intermediary service to set out, in clear and unambiguous language, any restrictions it imposes on user-generated content — including the content-moderation policies, procedures, tools and human review applied. For providers using algorithmic decision-making or AI-based moderation, the terms must explicitly describe the parameters of those systems. The information must be publicly available, machine-readable and updated whenever the rules change.

In practice Article 14 raises the evidentiary bar for any AI moderation stack: companies must be able to show, after the fact, what policy was in effect, what the model's parameters were, and how contested decisions were handled. Cryptographically anchored logs are rapidly becoming the de facto standard for satisfying this burden.

VLOPs vs SMEs under the Digital Services Act

The DSA applies a proportional regime. Micro and small enterprises (under 50 staff and €10M turnover) are exempt from the heaviest duties, including the obligation to publish transparency reports and to comply with the trusted-flagger process. Online platforms that cross those thresholds pick up notice-and-action, internal complaint-handling and statement-of-reasons obligations. Very Large Online Platforms — those with 45 million or more average monthly recipients in the EU — face the full regime: annual systemic-risk assessments, independent audits, researcher data access, crisis protocols and a dedicated compliance function.

Crucially, SME exemption does not extend to AI Act transparency: an exempt SME running a customer-facing chatbot still owes Article 50 disclosure. Conversely, a VLOP must treat AI-generated content under both the DSA risk framework and the AI Act — the two regimes stack, they do not substitute.

DSA vs. EU AI Act — key distinction

A common misconception: the DSA does not contain a specific chatbot disclosure article. The obligation to inform users they are interacting with AI comes from EU AI Act Article 50 (effective August 2, 2026).

The two regulations are complementary:

• AI Act Article 50 = chatbot disclosure ("you are talking to AI") — applies to all deployers
• DSA = platform transparency, content moderation, systemic risk — applies to intermediary services and platforms

Compliance with one does not cover the other.

VLOPs — Very Large Online Platforms

The European Commission has designated multiple VLOPs including:

• WhatsApp (designated as VLOP)
• Facebook, Instagram, YouTube, TikTok, X/Twitter
• LinkedIn, Snapchat, Amazon, Apple App Store
• Google Play, Google Maps, Google Shopping
• Booking.com, Pinterest, Zalando, Temu, Shein

ChatGPT is NOT designated as a VLOP — the Commission is still deliberating, despite ChatGPT having 120M+ EU monthly users (well above the 45M threshold).

What this means for AI deployers

If you deploy an AI chatbot on your own website generating its own content, the DSA likely does not apply to you directly (you are not an intermediary hosting third-party content). Your obligation comes from the AI Act.

If you deploy an AI chatbot on a VLOP (WhatsApp, Instagram, Facebook Messenger), the platform bears the VLOP obligations (systemic risk assessments, transparency reports). You must comply with the platform's terms and any applicable sector regulation.

DSA enforcement and Coordinator powers

Enforcement under the DSA is bifurcated. The European Commission has exclusive supervisory powers over designated VLOPs and VLOSEs, with the ability to launch own-initiative investigations, conduct inspections, demand internal documents, interview staff, impose interim measures and ultimately fine up to 6% of global annual turnover. Periodic penalty payments of up to 5% of average daily worldwide turnover can be levied for ongoing non-compliance.

Every Member State has appointed a national Digital Services Coordinator (in the Netherlands: the ACM; in Ireland: Coimisiún na Meán) to police all other intermediaries established in its territory. DSCs can order content removal, suspend repeat infringers, certify trusted flaggers and refer cross-border cases to the European Board for Digital Services. AI deployers should map their establishment country and identify the relevant DSC before any enforcement letter arrives.

DSA enforcement in action

• X/Twitter fined for transparency violations under DSA (2025)
• Grok chatbot incident (late 2025): AI generated illegal imagery, triggering the first major chatbot-related DSA enforcement proceedings
• Commission ordered X to preserve all Grok-related data until end of 2026

How Audact helps

• AI Act Article 50 compliance: Audact enforces chatbot disclosure across all channels — the primary transparency obligation for AI deployers
• Platform-mediated governance: When your AI operates on VLOPs (WhatsApp, Messenger), Audact validates compliance with platform-specific content policies (Patent P32)
• Content moderation evidence: Cryptographic evidence trail for every AI interaction, supporting DSA transparency requirements
• Watermark verification: Verification that AI-generated content is correctly watermarked per Code of Practice requirements (Patent P39)

Frequently asked questions

Compare EU AI compliance laws

Related compliance resources

• EU AI Act Article 50 compliance overview
• GDPR AI compliance with Audact
• ePrivacy AI communications compliance
• Audact compliance platform pricing