DSA Obligations for Online platforms and search engines

Obligations in scope

Article 35 — provider of very large online platforms and of very large online search engines

Providers of very large online platforms and of very large online search engines shall put in place reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified pursuant to Article 34, with particular consideration to the impacts of such measures on fundamental rights. Action required: implement.

Article 35 — provider of very large online platforms and of very large online search engines

Providers of very large online platforms and of very large online search engines shall ensure that an item of information, whether it constitutes a generated or manipulated image, audio or video that appreciably resembles existing persons, objects, places or other entities or events and falsely appears to a person to be authentic or truthful is distinguishable through prominent markings when presented on their online interfaces. Action required: ensure.

Article 35 — provider of very large online platforms and of very large online search engines

Providers of very large online platforms and of very large online search engines shall provide an easy to use functionality which enables recipients of the service to indicate information that constitutes a generated or manipulated image, audio or video that falsely appears to be authentic or truthful. Action required: provide.

Article 36 — provider of very large online platforms or of very large online search engines

Assess whether, and if so to what extent and how, the functioning and use of their services significantly contribute to a serious threat to public security or public health, or are likely to do so. Action required: assess. Deadline: within the reasonable period specified in the Commission's decision.

Article 36 — provider of very large online platforms or of very large online search engines

Identify and apply specific, effective and proportionate measures to prevent, eliminate or limit any contribution to the serious threat identified, taking due account of the gravity of the threat, urgency, and implications for rights and legitimate interests. Action required: apply. Deadline: within the reasonable period specified in the Commission's decision.

Article 36 — provider of very large online platforms or of very large online search engines

Report to the Commission by a certain date or at regular intervals specified in the decision on the assessments, the precise content, implementation, and qualitative and quantitative impact of the specific measures taken, and any other related issues. Action required: report. Deadline: by a certain date or at regular intervals specified in the decision.

Article 36 — provider of very large online platforms or of very large online search engines

Review the identification or application of specific measures if the Commission considers them not effective or proportionate, after consulting the Board. Action required: review.

Practical steps

What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.

• Art 35 — implement (provider of very large online platforms and of very large online search engines)
• Art 35 — ensure (provider of very large online platforms and of very large online search engines)
• Art 35 — provide (provider of very large online platforms and of very large online search engines)
• Art 36 — assess (provider of very large online platforms or of very large online search engines)
• Art 36 — apply (provider of very large online platforms or of very large online search engines)
• Art 36 — report (provider of very large online platforms or of very large online search engines)
• Art 36 — review (provider of very large online platforms or of very large online search engines)

Obligation reference table

Penalty exposure

None of the 44 obligations on this page carry an explicit penalty figure in the DSA text itself — the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DSA's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.

Cross-regulatory conflicts

DSA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:

• DSA Art 17 ↔ NIS2 Directive Art 12 (medium) — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
• DSA Art 10 ↔ Data Act Art 18 (medium) — [entity affected: provider of intermediary services / data holder] DSA Art 10 requires providers to inform authorities of the receipt and effect of orders without undue delay, while Data Act Art 18 allows data holders up to 30 working days to decline or modify requests, potentially conflicting with the immediacy expected under DSA enforcement orders.
• DSA Art 10 ↔ GDPR Art 5 (medium) — [entity affected: provider of intermediary services] DSA Art 10 limits information orders to data already collected for service provision, which may conflict with GDPR Art 5's purpose limitation principle if the original purpose did not include law enforcement cooperation.
• DMA Art 1 ↔ DSA Art 10 (high) — [entity affected: gatekeeper] DMA Art 1 prohibits Member States from imposing further obligations on gatekeepers, while DSA Art 10 allows Member States to issue orders for information, potentially creating a conflict if a gatekeeper is also a DSA entity.
• DSA Art 15 ↔ ePrivacy Directive Art 6 (high) — [entity affected: provider of hosting services / provider of a publicly available electronic communications service] DSA requires reporting on content moderation actions and data processing for transparency, while ePrivacy strictly limits the processing and retention of traffic data to specific purposes like billing, potentially conflicting with broad reporting requirements if they imply data retention beyond necessity.
• DSA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: provider of intermediary services / provider of a publicly available electronic communications service] DSA allows authorities to order providers to provide specific information, whereas ePrivacy strictly prohibits interception or surveillance of communications without user consent, creating tension when orders require access to private communication content.

Related Fontvera pages

• dsa obligations online advertising
• dsa vs eprivacy comparison
• dsa vs gdpr comparison
• dsa vs nis2 comparison

Check your full compliance exposure with the 5-minute Fontvera diagnostic →