DSA Obligations for Online advertising

Obligations in scope

Article 39 — Providers of very large online platforms or of very large online search engines

Compile and make publicly available a repository containing specific advertising information via a searchable tool and APIs for the duration of the ad presentation and one year thereafter. Action required: compile and make publicly available. Deadline: until one year after the advertisement was presented for the last time.

Article 39 — Providers of very large online platforms or of very large online search engines

Ensure that the advertising repository does not contain any personal data of the recipients of the service to whom the advertisement was or could have been presented. Action required: ensure.

Article 39 — Providers of very large online platforms or of very large online search engines

Make reasonable efforts to ensure that the information in the advertising repository is accurate and complete. Action required: ensure.

Article 39 — Providers of very large online platforms or of very large online search engines

Include in the repository the content of the advertisement, including the name of the product, service or brand and the subject matter. Action required: include.

Article 39 — Providers of very large online platforms or of very large online search engines

Include in the repository the natural or legal person on whose behalf the advertisement is presented. Action required: include.

Article 39 — Providers of very large online platforms or of very large online search engines

Include in the repository the natural or legal person who paid for the advertisement, if different from the person on whose behalf it is presented. Action required: include.

Article 39 — Providers of very large online platforms or of very large online search engines

Include in the repository the period during which the advertisement was presented. Action required: include.

Practical steps

What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.

• Art 39 — compile and make publicly available (Providers of very large online platforms or of very large online search engines)
• Art 39 — ensure (Providers of very large online platforms or of very large online search engines)
• Art 39 — include (Providers of very large online platforms or of very large online search engines)

Obligation reference table

Penalty exposure

None of the 18 obligations on this page carry an explicit penalty figure in the DSA text itself — the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DSA's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.

Cross-regulatory conflicts

DSA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:

• DSA Art 17 ↔ NIS2 Directive Art 12 (medium) — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
• DSA Art 10 ↔ Data Act Art 18 (medium) — [entity affected: provider of intermediary services / data holder] DSA Art 10 requires providers to inform authorities of the receipt and effect of orders without undue delay, while Data Act Art 18 allows data holders up to 30 working days to decline or modify requests, potentially conflicting with the immediacy expected under DSA enforcement orders.
• DSA Art 10 ↔ GDPR Art 5 (medium) — [entity affected: provider of intermediary services] DSA Art 10 limits information orders to data already collected for service provision, which may conflict with GDPR Art 5's purpose limitation principle if the original purpose did not include law enforcement cooperation.
• DMA Art 1 ↔ DSA Art 10 (high) — [entity affected: gatekeeper] DMA Art 1 prohibits Member States from imposing further obligations on gatekeepers, while DSA Art 10 allows Member States to issue orders for information, potentially creating a conflict if a gatekeeper is also a DSA entity.
• DSA Art 15 ↔ ePrivacy Directive Art 6 (high) — [entity affected: provider of hosting services / provider of a publicly available electronic communications service] DSA requires reporting on content moderation actions and data processing for transparency, while ePrivacy strictly limits the processing and retention of traffic data to specific purposes like billing, potentially conflicting with broad reporting requirements if they imply data retention beyond necessity.
• DSA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: provider of intermediary services / provider of a publicly available electronic communications service] DSA allows authorities to order providers to provide specific information, whereas ePrivacy strictly prohibits interception or surveillance of communications without user consent, creating tension when orders require access to private communication content.

Related Fontvera pages

• dsa obligations online platforms
• dsa vs eprivacy comparison
• dsa vs gdpr comparison
• dsa vs nis2 comparison

Check your full compliance exposure with the 5-minute Fontvera diagnostic →