Module 5 – The Digital Rulebook: DSA, DMA, and Beyond

Introduces the EU’s modern digital legislative framework and how it sits alongside the NLF: the Digital Services Act, Digital Markets Act, and related digital strategy.

Step 1 – From Product Rules to the Digital Rulebook

In Modules 3 and 4 you saw how the New Legislative Framework (NLF) structures EU product rules: harmonised standards, conformity assessment, CE marking, and market surveillance.

This module zooms out to the EU’s digital rulebook, which focuses less on the safety of products and more on the behaviour of digital services and platforms.

Where we are today (late 2025)

  • Digital Services Act (DSA)
      • Regulation (EU) 2022/2065
      • Entered into force in 2022
      • Fully applicable since February 2024 (with earlier obligations for very large platforms in 2023)
  • Digital Markets Act (DMA)
      • Regulation (EU) 2022/1925
      • Entered into force in 2022
      • Core obligations started to apply from March 2024 after the first gatekeeper designations in 2023

These are Regulations, not Directives, so they apply directly in all Member States.

How this connects to the NLF

  • NLF: "Is this product safe and compliant before it enters the market?"
  • DSA/DMA: "Are digital services and platforms behaving fairly, transparently, and safely while operating in the EU?"

You should keep asking yourself:

> How do product-focused rules (NLF) and service/market-focused rules (DSA/DMA) complement each other rather than overlap?

Step 2 – The EU Digital Strategy and Where DSA/DMA Fit

The DSA and DMA sit inside a wider EU digital strategy that aims at a human‑centric, fair, and innovative digital economy.

Key building blocks (simplified):

  • Digital Services Act (DSA): Online safety & responsibility
      • Focus: illegal content, systemic risks, transparency, user protection
  • Digital Markets Act (DMA): Fair competition in digital markets
      • Focus: very large online platforms acting as gatekeepers
  • Data & AI framework (for context, not main focus here):
      • GDPR – personal data protection (since 2018)
      • Data Governance Act – data-sharing mechanisms
      • Data Act – access to and use of non-personal data (entered into force 2023, applies progressively from 2025–2026)
      • AI Act – risk-based rules for AI systems (political agreement 2023, formally adopted 2024; obligations phase in from 2025 onwards)

Where NLF fits:

  • NLF-based product laws (e.g. Radio Equipment Regulation, Machinery Regulation, Toys, Low Voltage Directive, etc.) regulate products and their safety.
  • DSA/DMA regulate platforms, intermediaries, and digital markets.

Visual picture (imagine a layered diagram):

  1. Bottom layer – Products: NLF + CE marking (Is the device/software as a product safe and compliant?)
  2. Middle layer – Data & AI rules: GDPR, Data Act, AI Act (How is data and AI handled?)
  3. Top layer – Platforms & Markets: DSA & DMA (How do online intermediaries and big platforms behave?)

Step 3 – The Digital Services Act (DSA): Who and What?

The DSA updates and replaces the older e-Commerce Directive (2000) as the main horizontal rulebook for online intermediaries in the EU.

Who does the DSA apply to?

Any intermediary service offered to users in the EU, whether or not the provider is established in the EU. This includes:

  • Mere conduit: e.g. internet access providers
  • Caching services
  • Hosting services, including:
      • Online marketplaces (e.g. Amazon Marketplace, eBay)
      • Social media platforms (e.g. Facebook, TikTok)
      • App stores
      • Online platforms for content-sharing, reviews, rentals, etc.

Within this, the DSA defines special categories:

  • Online platforms – hosting services that disseminate information to the public (e.g. social networks, marketplaces)
  • Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – services with 45 million+ monthly active users in the EU (about 10% of the EU population)

Why this matters for you

If you work on:

  • a marketplace that sells CE‑marked products, or
  • a social media service where traders advertise products,

…you must understand that product compliance (NLF) and platform obligations (DSA) both apply, but in different ways.

Think of the DSA as setting the rules of the game for how platforms handle content, users, and traders.

Step 4 – DSA in Practice: From Illegal Content to Transparency

Let’s make the DSA more concrete with three practical scenarios.

Scenario 1 – Illegal product listings on a marketplace

You run an EU‑facing online marketplace. A consumer reports a listing for a toy with fake CE marking and clear non‑compliance with toy safety rules.

Under the DSA, you must:

  1. Provide a notice mechanism: A clear, user‑friendly way for anyone to flag illegal content (in this case, the illegal listing).
  2. Act diligently: When the notice is sufficiently precise and well‑founded, you must act to remove or disable access to the listing expeditiously.
  3. Inform the user who posted the listing and give reasons for your decision.
  4. Keep records of notices and actions and publish transparency reports.

Note the complementarity:

  • NLF/product law: says the toy itself must comply with product safety rules.
  • DSA: says your platform must have proper processes to detect and act on illegal offers.

Scenario 2 – Recommendations on a social media platform

You work on the recommendation algorithm of a video‑sharing platform.

Under the DSA, especially for large platforms:

  • You must explain in plain language how your recommender system works (main parameters).
  • You must offer at least one non‑profiling option (e.g. chronological feed) to users of large platforms.
  • For VLOPs/VLOSEs, you must assess and mitigate systemic risks, e.g. dissemination of illegal content, impact on fundamental rights.

Scenario 3 – Platform terms and conditions

You manage the legal/UX team for a platform.

DSA requires:

  • Clear and unambiguous terms and conditions, easily accessible.
  • Information on:
      • content moderation policies
      • use of automated tools
      • complaint-handling systems and out-of-court dispute settlement.

These rules do not replace GDPR, consumer law, or sectoral safety rules; they sit on top and structure how platforms behave overall.

Step 5 – Quick Check: DSA Basics

Test your understanding of core DSA ideas.

Which statement best describes the role of the DSA in the EU framework?

  1. It sets technical safety requirements for products before they are placed on the market.
  2. It regulates how online intermediaries and platforms handle content, users, and systemic risks in the EU.
  3. It only governs personal data processing by digital platforms.

Answer: B) It regulates how online intermediaries and platforms handle content, users, and systemic risks in the EU.

The DSA focuses on online intermediaries and platforms: content moderation, illegal content, transparency, and systemic risk management. Product safety (option 1) is covered by NLF-based product laws, and personal data (option 3) is primarily governed by the GDPR.

Step 6 – The Digital Markets Act (DMA): Gatekeepers and Fairness

The DMA targets a specific problem: very large digital platforms that act as gatekeepers between business users and end users.

What is a gatekeeper?

A gatekeeper under the DMA is a company that:

  • Provides one or more core platform services (CPS) such as:
      • online intermediation (marketplaces, app stores)
      • search engines
      • social networking services
      • video-sharing platforms
      • operating systems
      • web browsers, virtual assistants, online advertising services, etc.
  • Has a significant impact on the internal market (based on turnover and market capitalisation thresholds).
  • Has a strong intermediation position between business users and end users.
  • Has or is expected to have a durable position.

The European Commission designates gatekeepers based on criteria and evidence. Several large tech companies were designated starting in 2023, and their core obligations have applied since 2024.

What does the DMA require?

The DMA uses a list of do’s and don’ts:

  • Do’s (examples):
      • Allow business users to access data they generate on the platform.
      • Ensure interoperability with third-party services in certain conditions.
      • Allow users to easily uninstall pre‑installed apps.
  • Don’ts (examples):
      • No self‑preferencing in rankings (e.g. favouring own services in search results).
      • No preventing business users from offering better prices or conditions elsewhere.
      • No combining personal data from different services without valid consent (in addition to GDPR rules).

The DMA is about market structure and fairness, not about individual product compliance.

Step 7 – DMA in Practice: Gatekeepers and Business Users

Consider three concrete situations to see how the DMA works.

Situation 1 – An app developer vs. an app store gatekeeper

You are a small EU app developer selling through a major app store that has been designated as a gatekeeper.

Under the DMA:

  • You must be allowed to:
      • Communicate directly with your customers (e.g. email them about cheaper offers on your website), within GDPR limits.
      • Use alternative in‑app payment systems (subject to specific DMA conditions and ongoing enforcement practice).
  • The gatekeeper cannot:
      • Prevent you from promoting your app outside the app store.
      • Use non-public data from your app to compete unfairly against your app.

Situation 2 – Online marketplace favouring its own products

You sell electronics on a large marketplace that also sells its own brand electronics.

Under the DMA, if that marketplace is a gatekeeper:

  • It cannot self‑preference its own products in search rankings.
  • It must apply transparent and fair ranking criteria.

Situation 3 – Operating system and pre‑installed apps

You buy a smartphone with a pre‑installed browser and music app from a gatekeeper OS provider.

Under the DMA:

  • You must be able to easily uninstall pre‑installed apps (with some exceptions, e.g. for essential system components).
  • You must be able to change defaults (e.g. default browser, search engine) without undue friction.

These obligations are enforced centrally by the European Commission, which can impose significant fines and remedies for non-compliance.

Step 8 – Thought Exercise: DSA vs DMA vs NLF

Use this short exercise to connect the three frameworks.

For each scenario below, decide which framework is primarily engaged: DSA, DMA, or NLF/product law. (In reality, more than one may apply, but pick the main one.)

  1. A smart toy sold in the EU has a design fault that can physically injure children.
  2. A marketplace makes it hard for consumers to report clearly illegal product listings.
  3. A dominant app store forces developers to use its own payment system with high commissions.
  4. A connected home device is CE‑marked but later found to have cybersecurity vulnerabilities that could be exploited.
  5. A very large social media platform’s algorithm spreads disinformation at scale, affecting elections.

Pause and decide before reading the suggested mapping below.

Suggested primary mapping:

  1. NLF/product law – product safety and conformity.
  2. DSA – notice-and-action mechanisms and platform duties.
  3. DMA – gatekeeper abuse of power over business users.
  4. NLF/product law (plus, in some cases, cybersecurity-specific acts) – safety and essential requirements for connected products.
  5. DSA (especially VLOP obligations) – systemic risk assessment and mitigation, transparency.

Notice how DSA and DMA are horizontal service/market rules, while NLF is about products and CE marking.

Step 9 – Key Term Flashcards

Flip the cards (mentally or with your study tool) to reinforce the core concepts.

Digital Services Act (DSA)
EU Regulation (EU) 2022/2065 that sets horizontal rules for online intermediaries and platforms, focusing on illegal content, transparency, user protection, and systemic risk management.
Digital Markets Act (DMA)
EU Regulation (EU) 2022/1925 that imposes obligations on large digital platforms designated as gatekeepers to ensure fair and contestable digital markets.
Gatekeeper
A large platform provider of core platform services that has a significant impact on the internal market, a strong intermediation position, and a durable market position, designated under the DMA.
Very Large Online Platform (VLOP)
An online platform with at least 45 million monthly active users in the EU (about 10% of the EU population), subject to enhanced DSA obligations such as systemic risk assessments.
New Legislative Framework (NLF)
A set of EU principles and reference provisions structuring product legislation around essential requirements, harmonised standards, conformity assessment, CE marking, and market surveillance.
Systemic risks (under DSA)
Risks arising from the design or functioning of a platform’s services that can have broad societal impacts, such as dissemination of illegal content, harms to fundamental rights, or impacts on public security and elections.
Core Platform Services (CPS)
Services listed in the DMA such as online intermediation, search engines, social networks, operating systems, web browsers, virtual assistants, and online advertising services, which can be subject to gatekeeper rules.

Step 10 – Linking DSA, DMA, and NLF

One more question to check how well you can connect the frameworks.

An EU-based online marketplace hosts thousands of third-party traders selling CE-marked electronics. Which combination best captures its main legal responsibilities?

  1. Only NLF/product rules apply, because the marketplace does not manufacture products.
  2. Only DSA applies, because the marketplace is just a hosting provider.
  3. NLF/product rules apply to the products themselves, while the DSA sets horizontal obligations for the marketplace as a platform; if the marketplace is a gatekeeper, the DMA may also impose competition-related obligations.

Answer: C) NLF/product rules apply to the products themselves, while the DSA sets horizontal obligations for the marketplace as a platform; if the marketplace is a gatekeeper, the DMA may also impose competition-related obligations.

Product safety and conformity remain governed by NLF-based product laws. The marketplace, as a hosting service and online platform, must comply with DSA obligations (e.g. notice-and-action, transparency). If it is designated a gatekeeper, DMA obligations on fair competition and self-preferencing also apply.

Key Terms

Gatekeeper
A large provider of core platform services that meets specific quantitative and qualitative criteria under the DMA and is formally designated by the European Commission.
Self-preferencing
A practice prohibited for gatekeepers under the DMA, where a platform unfairly favours its own services or products over those of business users (e.g. in rankings or recommendations).
Digital Markets Act (DMA)
Regulation (EU) 2022/1925, with core obligations applying from 2024, that regulates large digital platforms designated as gatekeepers to ensure fair and contestable digital markets.
Digital Services Act (DSA)
Regulation (EU) 2022/2065, fully applicable since 2024, that sets horizontal rules for online intermediaries and platforms in the EU to ensure a safer and more transparent online environment.
Notice-and-action mechanism
A user-facing process required by the DSA that enables individuals or entities to notify platforms of illegal content and obliges platforms to act diligently on well-founded notices.
Systemic risk (DSA context)
A broad risk to society or fundamental rights that arises from the functioning or use of a platform’s services, such as large-scale spread of illegal content or disinformation.
Core Platform Services (CPS)
Categories of services listed in the DMA (e.g. online intermediation, search engines, social networks, operating systems) that can be subject to gatekeeper obligations.
New Legislative Framework (NLF)
The EU’s overarching approach to product legislation, based on essential requirements, harmonised standards, conformity assessment, CE marking, and market surveillance.
Very Large Online Platform (VLOP)
An online platform with at least 45 million monthly active users in the EU, subject to enhanced obligations under the DSA.
Very Large Online Search Engine (VLOSE)
A search engine with at least 45 million monthly active users in the EU, subject to enhanced DSA obligations.