What Really Matters: The DMA and DSA – a new regulatory era in Europe for digital businesses

We are on the threshold of a new era of regulation in the EU for digital businesses, after the EU Parliament this week voted to adopt two major legislative initiatives proposed by the European Commission (EC): the Digital Services Act (DSA) and the Digital Markets Act (DMA).

While legal and regulatory specialists will have been following these developments closely for some time, this week’s news provides an opportune time for business leaders more broadly to (re)engage with the topic and consider the implications for their businesses.

What are the DMA and DSA, and where are we now?

The two Acts form part of the European Data Strategy, intended to safeguard the rights of digital services users and establish a level playing field in the market, fostering competition and innovation.

The introduction of these initiatives comes at a time of accelerated development in digital services. This has been boosted as a result of the pandemic and the rise of remote working, in a market with just a handful of large, advanced incumbents. However, alongside this, concerns heighten among citizens and lawmakers about the negative impact of a digital society – including loss of privacy, cybercrime and other threats to security, the rise of online bullying, fake news, and viral conspiracy theories.

The acts will be formally adopted in accordance with the EU’s legislative procedure. The DMA is planned to come into force across the EU from May 2023, with full-scale implementation expected in 2024, while the DSA is heading for adoption from January 2024. Fines for violation of the DMA are up to 10% of firms’ global turnover, with increased severity for repeated infringements – up to 20%. For the DSA, fines could amount to up to 6% of global turnover, while serious and repeated violations could result in national courts banning operations in their territories of jurisdiction.

The EC will need to organise itself to supervise these new regulations, for example with the creation and embedding of new structures within the Commission, the development of new capabilities and the preparation of the required documentation – including legal and procedural. Moreover, partnerships are central, the development of which takes time to gain agreement and coordination – for example with jurisdictions and other digital regulators.

On this latter point, the requirements of these digital acts will need to be managed alongside other digital regulations such as GDPR. For example, the DMA promotes data-sharing, which would need to be complied with alongside GDPR regarding the processing of personal data. The effective enforcement of these new requirements is not a straightforward task, even less so when the regulations are groundbreaking, the technology is moving fast, and the resources in the hands of large corporations are extensive.

Who do these new regulations apply to?

The DMA applies to specific organisations designated as “gatekeepers”, when they offer one or more “core platform services” (e.g., marketplaces, app stores, search engines, social networks, cloud or advertising services, voice assistants, and web browsers); and of a scale specifically defined by the EC. While the businesses that will be subject to the DMA have yet to be scoped, it will be no surprise that the familiar Big Tech names will feature.

The DSA applies to providers of intermediary services. This includes internet service providers, social media services, online marketplaces and messaging services. For these providers:

There will be a ban on “illegal content” including targeted advertising to minors, misleading practices and interfaces (“dark patterns”), and the need for enhanced transparency on the parameters to recommend, curate or prioritise content to users.
Additionally, requirements span “notice and action” procedures to enable the reporting and removal of illegal content online, a special crisis mechanism to mitigate the effects arising from the manipulation of online information, users’ right to compensation for any damage or loss suffered due to DSA infringements, and “know your business customer” requirements for online marketplaces to ensure the reliability of traders.
Specific to Very Large Online Platforms (VLOPs, or services reaching 45 million active monthly users in the EU, or 10% of the EU population), these must provide offerings not based on profiling, plus allow the EC and individual national authorities to access VLOPs’ algorithms.

What do these rules mean in practice for firms?

The DMA and DSA introduce systems of prohibition, which are expected to trigger significant and far-reaching changes to the entire business models of the businesses in scope. The prohibitions will be the subject of a period of discussion between big-tech firms and the Commission, with regard to what they mean in practice and how they can be implemented.

The prohibitions will also affect, at a more granular level:

the terms and conditions with which they deal with users
the contracts with which they deal with developers and other third parties
their internal policies, procedures, and tools
the way services are delivered with potential impacts on customers experience, and
their governance

Additionally, compliance processes will require development and enhancement, such as annual risk assessments, safeguards and controls, and active compliance monitoring.

Specific to the DMA: Companies providing “core platform services” as well as those potentially receiving data from such companies should understand not only what the DMA requires, but also its impact on existing obligations under the EU GDPR. This includes a ban on the combination and cross-use of personal data collected during the use of a service for the purposes of another service offered by the gatekeeper, and effective portability and continuous and real-time access to data provided or generated by end-users, complementing GDPR’s right to (personal) data portability.

Specific to the DSA: Amongst a number of requirements, businesses are required to report annually on content moderation conducted, including steps taken to identify and act on illegal content. Mechanisms to identify illegal content could include establishing a trusted ecosystem of content reviewers, internal quality assurance and automated detection systems.

More holistically, Big Tech firms and the other firms that are following similar digital strategies will need to establish a risk management and compliance function along the lines of firms that have been living under regulatory supervision for decades. This is likely to require a “three lines of defence” controls framework, including:

embedding controls in the first line, involving privacy and security by design as well as “content control” by design
second-line risk and compliance teams, with enough understanding of the core business, its technology, and ways of working to provide effective challenge, and
effective governance from the Board down to the engineer building the next product

These changes will almost certainly require a culture change to embed a more risk-aware mindset and behaviours across the business. Customer journeys will require an end-to-end review in order to embed the additional controls that the regulations will impose, minimising negative impacts on the consumer experience. Eventually, limitations on content publishing could reduce usage and traffic, in favour of emerging smaller players not subject to such intense regulation.

How can AlixPartners help?

We have been working with regulated firms across industries for years, including building compliance capabilities for newly regulated firms and transforming compliance in mature businesses, using our “Compliance 4.0” framework.

This practical experience helps firms who will be in scope of the DMA and DSA in multiple ways, such as:

the design and build of policies, processes and controls, in a way that recognises regulatory expectations, is effective and efficient, including the use of reg-tech tools
the design and implementation of effective governance, around these controls and processes
competition advice to navigate the future market environment
advice on handling the regulatory interface – effective regulatory engagement and communication will be essential, and some firms have not historically had to do this continuously
support for organisational transformation and lean organisation design
review of consumer journeys and impacts on the customer experience
the assessment of potential business impacts and competitive landscape changes, and
support for effective and practical culture change