Skip to main content

Digital Services Act compliance for AI

Last updated: 8 April 2026 · 8 min read · Regulation (EU) 2022/2065

The DSA governs online platforms and intermediary services. If your AI deploys on a Very Large Online Platform (WhatsApp, Instagram, Facebook), you are subject to both the DSA’s platform rules and the EU AI Act’s transparency obligations.

What is the DSA?

The Digital Services Act (Regulation 2022/2065) is the EU’s framework for online platform accountability. It entered into force in November 2022 and has beenfully applicable since 17 February 2024. VLOP/VLOSE obligations applied from August 2023.

The DSA coversintermediary services— platforms that host, transmit, or cache third-party content. Maximum fines:up to 6% of global annual turnover.

Digital Services Act Article 14 transparency obligations

Article 14 requires every provider of an intermediary service to set out, in clear and unambiguous language, any restrictions it imposes on user-generated content — including the content-moderation policies, procedures, tools and human review applied. For providers using algorithmic decision-making or AI-based moderation, the terms must explicitly describe the parameters of those systems. The information must be publicly available, machine-readable and updated whenever the rules change.

In practice Article 14 raises the evidentiary bar for any AI moderation stack: companies must be able to show, after the fact, what policy was in effect, what the model’s parameters were, and how contested decisions were handled. Cryptographically anchored logs are rapidly becoming the de facto standard for satisfying this burden.

VLOPs vs SMEs under the Digital Services Act

The DSA applies a proportional regime. Micro and small enterprises (under 50 staff and €10M turnover) are exempt from the heaviest duties, including the obligation to publish transparency reports and to comply with the trusted-flagger process. Online platforms that cross those thresholds pick up notice-and-action, internal complaint-handling and statement-of-reasons obligations. Very Large Online Platforms — those with 45 million or more average monthly recipients in the EU — face the full regime: annual systemic-risk assessments, independent audits, researcher data access, crisis protocols and a dedicated compliance function.

Crucially, SME exemption does not extend to AI Act transparency: an exempt SME running a customer-facing chatbot still owes Article 50 disclosure. Conversely, a VLOP must treat AI-generated content underboththe DSA risk framework and the AI Act — the two regimes stack, they do not substitute.

DSA vs. EU AI Act — key distinction

A common misconception: the DSA doesnotcontain a specific chatbot disclosure article. The obligation to inform users they are interacting with AI comes fromEU AI Act Article 50(effective 2 August 2026).

The two regulations are complementary:

  • AI Act Article 50= chatbot disclosure (“you are talking to AI”) — applies toall deployers
  • DSA= platform transparency, content moderation, systemic risk — applies tointermediary services and platforms

Compliance with one doesnotcover the other.

VLOPs — Very Large Online Platforms

The European Commission has designated multiple VLOPs including:

  • WhatsApp(designated as VLOP)
  • Facebook, Instagram, YouTube, TikTok, X/Twitter
  • LinkedIn, Snapchat, Amazon, Apple App Store
  • Google Play, Google Maps, Google Shopping
  • Booking.com, Pinterest, Zalando, Temu, Shein

ChatGPT reported 120M+ EU monthly users — well above the 45M threshold — and the Commission has been weighing a designation (reportedly as a Very Large Online Search Engine, VLOSE, rather than a VLOP). Deployers building on ChatGPT should track its designation status, as it changes which obligations the platform carries.

What this means for AI deployers

If you deploy an AI chatboton your own websitegenerating its own content, the DSA likely doesnotapply to you directly (you are not an intermediary hosting third-party content). Your obligation comes from the AI Act.

If you deploy an AI chatboton a VLOP(WhatsApp, Instagram, Facebook Messenger), theplatform bears the VLOP obligations(systemic risk assessments, transparency reports). You must comply with the platform’s terms and any applicable sector regulation.

DSA enforcement and Coordinator powers

Enforcement under the DSA is bifurcated. The European Commission has exclusive supervisory powers over designated VLOPs and VLOSEs, with the ability to launch own-initiative investigations, conduct inspections, demand internal documents, interview staff, impose interim measures and ultimately fine up to6% of global annual turnover. Periodic penalty payments of up to 5% of average daily worldwide turnover can be levied for ongoing non-compliance.

Every Member State has appointed a nationalDigital Services Coordinator(in the Netherlands: the ACM; in Ireland: Coimisiún na Meán) to police all other intermediaries established in its territory. DSCs can order content removal, suspend repeat infringers, certify trusted flaggers and refer cross-border cases to the European Board for Digital Services. AI deployers should map their establishment country and identify the relevant DSC before any enforcement letter arrives.

DSA enforcement in action

  • X/Twitter finedfor transparency violations under DSA (2025)
  • Grok chatbot incident(late 2025): AI generated illegal imagery, triggering the first major chatbot-related DSA enforcement proceedings
  • Commission ordered X to preserve all Grok-related data until end of 2026

How Audact helps

  • AI Act Article 50 support:Audact enforces AI disclosure on voice today — the primary transparency obligation for AI deployers; chatbot disclosure across channels follows when chat ships (Q4 2026)
  • Platform-mediated governance:When your AI operates on VLOPs (WhatsApp, Messenger), Audact validates platform-specific content policies (patent-pending)
  • Content moderation evidence:Cryptographic evidence trail for every AI interaction, supporting DSA transparency requirements
  • Watermark verification:Will verify that AI-generated content is correctly watermarked per Code of Practice requirements — on the roadmap (patent-pending)

Frequently asked questions

Does the DSA require chatbot disclosure?

No. The chatbot disclosure obligation comes from EU AI Act Article 50, not the DSA. The two are complementary and compliance with one does not cover the other.

Who must comply with the DSA?

Intermediary services and online platforms that host, transmit, or cache third-party content. Very Large Online Platforms (VLOPs) face additional obligations.

What are the maximum fines?

Up to 6% of global annual turnover for serious breaches.

What if my AI runs on a VLOP like WhatsApp?

The platform bears the VLOP obligations. You must comply with platform terms and any sector-specific rules applicable to your deployment.

Compare EU AI compliance laws

LawDeadlineWhoPenalty
EU AI Act Art. 502 Aug 2026All AI deployers in EU€15M / 3% turnover (Art 99(4))
NL Telecomwet1 Jul 2026Outbound marketing to NL consumers€900k per violation
GDPRIn forceAny processor of EU personal data€20M / 4% turnover
DSAIn force (Feb 2024)Intermediaries & VLOPs6% global turnover
ePrivacyIn forceSenders of electronic communicationsVaries by Member State

Related compliance resources

Disclaimer: This page is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific compliance obligations.