The Digital Services Act (DSA) hits online marketplaces and platforms hard: fines up to 6 % of worldwide annual turnover are possible (EUR-Lex Regulation 2022/2065 Art 74), and on 5 December 2025 the European Commission issued the first regular DSA fine of EUR 120 million against the platform operator X (EU Commission). In Germany, the Federal Network Agency acting as Digital Services Coordinator received more than 2,000 complaints in 2025 — over double the previous year (884) — and currently runs 26 proceedings (BNetzA Activity Report 2025). Anyone running an online shop with third-party sellers, a marketplace or a platform should now implement the DSA obligations technically and organisationally — the second enforcement wave for mid-sized platforms is announced for Q2 2026 (MLex).
Who is in scope: four DSA categories
The DSA has been fully applicable since 17 February 2024 (EU Commission) and distinguishes four categories of intermediary services with cumulative obligations. Classification determines which articles of Regulation (EU) 2022/2065 apply. A BNetzA study identified 2,358 hosting providers, 977 marketplaces and 485 platforms in Germany falling under the DSA. On top, 17 Very Large Online Platforms (VLOPs) and two VLOSEs are designated by the Commission as of early 2026 (EU Commission). The VLOP threshold sits at 45 million active EU users per month (DSA Art 33).
| Obligation | Intermediary | Hosting | Platform / Marketplace | VLOP / VLOSE |
|---|---|---|---|---|
| Transparent T&Cs (Art 14) | yes | yes | yes | yes |
| Single Point of Contact (Art 11/12) | yes | yes | yes | yes |
| Annual transparency report (Art 15) | yes | yes | yes | every 6 months |
| Notice-and-action (Art 16) | — | yes | yes | yes |
| Statement of Reasons (Art 17) | — | yes | yes | yes |
| Internal complaints (Art 20) | — | — | yes | yes |
| Trusted flaggers (Art 22) | — | — | yes | yes |
| KYBC trader verification (Art 30) | — | — | yes (marketplace) | yes (marketplace) |
| Risk assessment + external audit | — | — | — | yes |
| Ad repository (Art 39) | — | — | — | yes |
Notice-and-action: mandatory implementation
Article 16 DSA requires every hosting service and every platform to operate an electronically accessible, low-threshold notice mechanism (EUR-Lex). Users must be able to flag illegal content or offers — typical marketplace cases include counterfeit goods, dangerous toys, misleading energy labels or unlawful reviews. The notice must accept a statement of illegality, a precise URL or item-ID reference and the reporter contact details. The provider must then send a confirmation of receipt and decide without undue delay. A non-functional notice mechanism is among the most frequent complaint reasons at the German DSC (BNetzA).
{
"notice_id": "NOTICE-2026-04812",
"received_at": "2026-05-08T14:23:00Z",
"reporter": {
"name": "Erika Mustermann",
"email": "reporter@example.com",
"is_trusted_flagger": false
},
"content_reference": {
"type": "product_listing",
"id": "P-9837245",
"url": "https://shop.example.com/p/9837245",
"seller_id": "S-554120"
},
"category": "counterfeit_goods",
"explanation": "Trademark infringement — logo identical to DPMA registration 30245678",
"good_faith_declaration": true,
"acknowledgement": {
"sent": true,
"timestamp": "2026-05-08T14:23:04Z"
},
"sla_due": "2026-05-15T14:23:00Z"
}Statement of Reasons (Art 17)
Whenever a platform takes action against a user or a listing — suspension, removal, demonetisation, visibility reduction — it must issue a Statement of Reasons (SoR) (EUR-Lex Art 17). The reasoning must disclose territorial scope, duration, underlying facts and circumstances, the breached T&C clause or law and the use of automated means. All SoRs additionally have to be submitted to the central DSA Transparency Database of the Commission — which received 9.4 billion Statements of Reasons within the first six months alone (DSA Transparency Database). Anyone moderating reviews, removing listings or suspending seller accounts needs a structured SoR pipeline — manual processes do not scale at these volumes.
{
"uuid": "sor-2026-05-08-9d2e",
"platform_name": "shop.example.com",
"decision_visibility": "DECISION_VISIBILITY_REMOVAL",
"decision_account": null,
"decision_monetary": null,
"decision_provision": null,
"decision_ground": "DECISION_GROUND_INCOMPATIBLE_CONTENT",
"category": "STATEMENT_CATEGORY_INTELLECTUAL_PROPERTY_INFRINGEMENTS",
"category_specification": "COUNTERFEIT_PRODUCTS",
"content_type": "CONTENT_TYPE_PRODUCT",
"automated_detection": "YES_PARTIALLY",
"automated_decision": "NO",
"territorial_scope": ["DE", "AT", "CH"],
"application_date": "2026-05-08",
"end_date": null,
"source_type": "SOURCE_ARTICLE_16_DSA",
"facts": "Listing P-9837245 infringes trademark (DPMA registration 30245678).",
"redress": "Complaint via /redress, out-of-court dispute settlement, court action."
}Treat trusted flaggers with priority
Article 22 DSA establishes priority handling for so-called trusted flaggers — bodies certified by national Digital Services Coordinators with proven expertise (EU Commission). In Germany, three trusted flaggers and one out-of-court dispute settlement body were certified at BNetzA by the end of 2025 (BNetzA). Notices from these bodies must be processed with priority and without undue delay. Anyone building a notice system should provide a dedicated trusted-flagger queue, define a separate SLA and dispatch acknowledgements automatically. For context: BNetzA recorded 3,321 submissions in 2025 across all DSA complaint categories (epd medien).
Recommendation for the platform architecture: a notice table with an is_trusted_flagger flag, a worker pool with priority queue (trusted flagger priority 0, regular notice priority 5, anonymous submission priority 9) and an audit log for every status change. SLAs become traceable should BNetzA request information.
KYBC: verifying trader data (Art 30)
Know-Your-Business-Customer (KYBC) is the DSA obligation with the highest technical effort for marketplace integrations. Before a third-party trader can offer products or services to consumers, the marketplace operator must collect, verify and plausibility-check six mandatory data points (Händlerbund, IT-Recht Kanzlei). The data have to be collected in full — pure self-declaration without verification is insufficient. On updates, re-verification is required, and in case of doubt the listing has to be suspended until clarification. Article 32 DSA also obliges marketplaces to notify all buyers of an illegal product up to six months retroactively (EU Commission).
Name + address
Full company name, address fit for service of process, identical to the commercial register. Includes sole traders.
Register + VAT ID
Commercial register number plus court, VAT ID (where applicable) — verification via Bundesanzeiger / VIES.
Identification document
Copy of an ID document of the legal representative (passport or national ID card).
Bank details
Payment account details — mandatory for marketplaces with escrow or payout function (Trusted Shops).
Contact + self-declaration
Phone number, email plus self-declaration on conformity of the products with EU law.
Plausibility check
Cross-check against public registers, sanctions lists and VIES — suspend listing in case of doubt (Art 30 para 2).
Compliance-by-design in the listing flow
Article 31 DSA requires compliance-by-design: the marketplace must design its interface so that traders can provide the legally required data before listing (Trusted Shops). This concerns both manual onboarding flows and API-based integrations — a checklist of valid mandatory fields, without which the listing is not activated.
- Onboarding validation: VAT ID check via VIES, commercial register cross-check, sanctions list lookup (EU/UN/OFAC) before activating the seller account.
- Mandatory fields per listing: energy label class, CE conformity declaration, product safety data (GPSR), allergen / ingredient information — validation server-side, not only via JS.
- Periodic re-verification: at least annual refresh of KYBC data plus trigger-based re-checks on anomalies (complaint thresholds, return rates).
- Audit log: every change of a mandatory field stored with timestamp, trigger and hash — for BNetzA information requests.
- Notice escalation into the listing flow: confirmed notices must automatically suspend the affected listing until clarification — not pure backlog handling.
Make ads and recommender systems transparent
Article 26 DSA mandates that every ad must be clearly labelled as such — including who paid for it and which main parameters were used for targeting (EUR-Lex). Targeting based on sensitive data (health, religion, sexual orientation) and on minors is prohibited. Recommender systems — for example for product recommendations or search ranking — must disclose their main parameters in the T&Cs (Art 27), and users must be able to choose at least one non-profile-based alternative. VLOPs are additionally subject to Article 39 with an ad repository and a retention period of one year.
| Area | Platforms (Art 26/27) | VLOPs (Art 39) |
|---|---|---|
| Label ads | Required | Required |
| Disclose advertiser | Required | Required |
| Disclose targeting parameters | Required | Required |
| Sensitive data / minors | Prohibited | Prohibited |
| Recommender parameters | in T&Cs | in T&Cs + options |
| Non-profile option | at least 1 | at least 1 |
| Public ad repository | — | Required (1 year) |
| Dark pattern ban (Art 25) | Required | Required |
Internal complaint handling and dispute settlement
Article 20 obliges platforms to operate an internal complaint-handling system that allows challenging any moderation decision of the past six months — free of charge, electronically and with human final review (EU Commission). If the decision is upheld, the user can call upon out-of-court dispute settlement. The minimum organisational and technical requirements include:
- Electronic intake channel with identification option for the complainant and automatic acknowledgement of receipt.
- Justification of every decision — confirmation of moderation or restoration of the listing/account.
- Human final review — no fully automated complaint handling; where automated initial reviews are used, the final decision must be taken by trained staff.
- SLA tracking —
received_at,acknowledged_at,decided_at,notified_atwith escalation rules on breach. - Reference to a certified dispute settlement body in the final decision — listed at BNetzA in Germany (eucrim).
- Data export for BNetzA information requests — structured CSV / JSON output per case, including the Statement of Reasons and the complaint history.
Fines and BNetzA supervision
Article 74 DSA sets the maximum fine framework at 6 % of worldwide annual turnover (EUR-Lex). At the national level, §28 of the German Digital Services Act (DDG) details the sanction structure: up to EUR 300,000 for individual breaches, plus the EU-level 6 % cap for companies with worldwide turnover above EUR 5 million (Noerr, Freshfields). The competent authority in Germany is the Federal Network Agency as Digital Services Coordinator since 14 May 2024 (BNetzA). In 2025 the authority recorded 2,000+ complaints and currently runs 26 proceedings — an increase of more than 130 % compared to the previous year (BNetzA Activity Report 2025).
On 5 December 2025 the EU Commission issued the first regular DSA fine of EUR 120 million against the platform operator X — for insufficient transparency on advertising and blue checkmarks (EU Commission, Howsociable). The second enforcement wave is announced for Q2 2026, this time targeting mid-sized platforms (MLex). Anyone postponing DSA audits should now start a compliance roadmap.
Producing the annual transparency report
Article 15 DSA requires at least an annual transparency report (VLOPs every six months). The report has to be published in machine-readable format (JSON or CSV) and as a human-readable PDF. The content is standardised by DSA Implementing Regulation 2024/2835 (KPMG Law, IAPP):
- Number of orders by authorities — per Member State, response time, compliance status.
- Notice-and-action statistics — number of notices by category, processing time, share of automated vs. manual decisions.
- Own-initiative content moderation — proactive measures, tools used, training data of moderation systems.
- Complaints against moderation decisions — number, median processing time, reversal rate.
- Trusted-flagger statistics — split by category and response time.
- Dispute settlement — number of out-of-court proceedings, duration, outcome.
- KYBC random checks — number of traders reviewed and resulting actions.
- Advertising — number of ads, targeting parameters, sponsor statistics.
Implementation roadmap in 5 phases
A pragmatic implementation can be done in five phases. We recommend tackling related compliance topics — such as e-invoicing connections and extended information duties — alongside DSA, since their organisational overlap is significant.
- Classification (week 1–2): determine your DSA category. Rule of thumb — as soon as third parties sell through your shop, marketplace obligations including KYBC apply. A DSA consulting session clarifies edge cases.
- Quick wins (month 1): set up Single Point of Contact, update imprint, review T&C language, publish a notice form — that covers the baseline obligations of intermediary services.
- KYBC + listing validation (month 2–3): add mandatory fields to seller onboarding, integrate VIES and register checks, enforce listing validators server-side — typically the most demanding development package.
- Statement-of-Reasons pipeline (month 3–4): build a SoR generator, connect to the DSA Transparency Database, set up an audit log with a hash chain.
- Complaint handling + trusted flaggers (month 4–5): internal complaint UI, trusted-flagger priority queue, dispute settlement reference, BNetzA CSV export. Generate the first transparency report directly from this system.
This article is based on: EUR-Lex (Regulation (EU) 2022/2065 — DSA), EU Commission (DSA designations, X fine of 5 Dec 2025), BNetzA Activity Report 2025 (DSC statistics), DSA Transparency Database (Statement-of-Reasons volume), Händlerbund (KYBC practice), IT-Recht Kanzlei (marketplace duties), Trusted Shops (compliance-by-design), Noerr (DDG sanctions), Freshfields (DSA penalties), KPMG Law (transparency report), MLex (Q2 2026 enforcement wave), eucrim (dispute settlement DE), IAPP (Implementing Regulation 2024/2835), Goodwin Law (compliance roadmap), Howsociable (X fine analysis). Numbers may change with new BNetzA announcements.
DSA compliance is architecture work
Treating the DSA as a purely legal topic underestimates the technical effort. Notice pipelines, Statement-of-Reasons generators, KYBC validation against external registers, audit logs and transparency-report data models are software jobs. A structured architecture pays off twice — it lowers the risk of supervisory proceedings and delivers the data foundation for optimisations such as adaptive image loading or AI-supported ticketing within complaint handling. With Shopware adjustments and clean marketplace integrations the whole obligation package can be implemented in a few months — provided you start before the next enforcement wave.
Pure own-brand shops without an intermediary function typically do not fall under the platform obligations. As soon as you allow external traders to sell to consumers via your infrastructure — including white-label marketplaces — the platform obligations including KYBC generally apply. In case of doubt, an individual classification helps.
The DSA provides for fines up to 6 % of worldwide annual turnover under Article 74; under §28 DDG up to EUR 300,000 are possible in Germany for individual breaches (Noerr). Practice shows BNetzA proceedings typically start with orders and deadlines and tend to escalate to fines on continued non-compliance.
Pure self-declaration is generally not sufficient under Article 30. The regulation requires plausibility cross-checks against publicly accessible sources — for example VIES for VAT IDs, the commercial register for HR numbers and sanctions lists. In case of doubt, the listing typically has to be suspended until the data are verified.
As a rule yes, where the action concerns specific content or an account. The DSA recitals provide for exceptions for clearly illegal, authority-ordered content. An automated SoR generator connected to the DSA Transparency Database tends to be the most efficient solution at higher volumes.
Platforms must report at least annually, VLOPs every six months. The typical reporting period follows the financial year; many German providers publish on 28 February of the following year. Machine-readable format (JSON or CSV) is mandatory; an additional human-readable PDF is best practice.
Experience shows that the legal-organisational baseline obligations can be covered internally once the legal requirements are clear. The technical components — KYBC validation, SoR pipeline, audit log — typically benefit from a combination of legal advice and e-commerce development, especially for Shopware-based marketplaces.