Platform and Marketplace Compliance · Memo

DSA and DMA Implications for US Platforms With EU Users

US platforms with EU users are subject to the DSA and, for the largest of them, the DMA. I will walk through the threshold tests, the operational obligations, and the enforcement reality as it has developed through 2024-2025.

The Digital Services Act, Regulation (EU) 2022/2065, entered into application across the EU in February 2024 for most platforms (the very large online platforms and very large online search engines were subject earlier, from August 2023). The Digital Markets Act, Regulation (EU) 2022/1925, entered into application in March 2024 for the designated gatekeepers. Both regulations apply to providers of online services regardless of the provider's place of establishment, conditioned on the services having users in the EU. US platforms with meaningful EU user bases are subject to both regimes.

The DSA threshold framework

The DSA imposes tiered obligations based on the platform's classification.

• All providers of intermediary services. Basic transparency, notice-and-action mechanisms, single points of contact for authorities and users, terms-of-service obligations.
• Hosting services. Notice-and-action mechanisms for illegal content, statement of reasons for content moderation decisions, suspected criminal offense reporting.
• Online platforms. Internal complaint-handling systems, out-of-court dispute settlement, trusted flaggers, anti-misuse measures, dark-pattern prohibition, advertising transparency, recommender-system transparency, protection of minors.
• Very large online platforms (VLOPs) and very large online search engines (VLOSEs). Systemic risk assessment, mitigation measures, crisis response, independent auditing, data sharing with researchers, compliance functions, additional advertising obligations.

The VLOP/VLOSE threshold is forty-five million average monthly active EU users, which the European Commission designates on a per-service basis. The Commission has designated specific services as VLOPs/VLOSEs and the list is updated periodically. As of the date of this memo, the designated list includes major US platforms (Meta, Google, X, TikTok, Amazon, others).

The DMA gatekeeper framework

The DMA applies to designated 'gatekeepers,' which the Commission designates based on quantitative and qualitative criteria. The quantitative criteria include EU turnover or market capitalization thresholds, presence in at least three EU member states, and core platform service usage thresholds (forty-five million end users and ten thousand business users monthly). The qualitative criteria allow the Commission to designate gatekeepers based on entrenched and durable position considerations.

The Commission has designated specific services as gatekeepers and the list is updated. As of the date of this memo, the designated gatekeepers include Apple, Google, Meta, Microsoft, Amazon, ByteDance, and Booking. The designation triggers obligations including:

• Anti-self-preferencing requirements.
• Interoperability requirements for messaging services.
• Restrictions on combining personal data across the gatekeeper's services.
• Restrictions on requiring business users to use the gatekeeper's payment systems.
• Transparency obligations on online advertising and crawling.
• Right of business users to access data generated by their activities.

The threshold tests for US platforms

The practical threshold question for a US platform is whether it has sufficient EU user presence to fall within the DSA's online-platform category. The DSA's article 3 definitions and articles 33 (VLOPs) and 28 (online platforms generally) drive the analysis. A US platform with EU users in the low thousands is likely subject to the general DSA obligations for intermediary or hosting services but not to the online-platform-specific obligations. A US platform with EU users in the millions is subject to the online-platform obligations. A US platform with more than forty-five million EU users is subject to the VLOP obligations.

The DSA's small and medium enterprise carve-out exempts platforms below the SME threshold from some obligations. The carve-out is conditional on the platform's annual turnover and headcount; a US platform with significant EU revenue may exceed the SME threshold even if it qualifies as a small business in US terms.

The operational obligations

For a US platform that qualifies as an online platform under the DSA, the operational obligations include:

1. Notice-and-action mechanisms. Users must be able to report content they believe is illegal in the EU. The platform must respond, document the decision, and provide reasons.
2. Internal complaint-handling systems. Users whose content has been moderated must have access to an internal complaint mechanism that operates promptly and provides a reasoned decision.
3. Out-of-court dispute settlement. Users have the right to seek out-of-court dispute settlement with certified bodies. The platform must engage in good faith.
4. Trusted flagger procedures. Notices from trusted flaggers (designated by EU member state digital services coordinators) must be prioritized.
5. Anti-misuse measures. Suspension of users who repeatedly post manifestly illegal content; suspension of users who repeatedly submit manifestly unfounded notices.
6. Dark-pattern prohibition. The platform must not design or operate its interfaces in ways that deceive or manipulate users.
7. Advertising transparency. The platform must provide information about each advertisement including the funder, the parameters used for targeting, and (in some cases) the rationale.
8. Recommender system transparency. The platform must provide information about the main parameters used in recommender systems and provide users with options to modify them.
9. Protection of minors. The platform must implement measures to protect minors, including not displaying targeted advertising to minors.

For VLOPs, additional obligations apply, including risk assessment, mitigation, auditing, data sharing with researchers, and crisis-response mechanisms.

The enforcement reality

The European Commission has jurisdiction over VLOPs and gatekeepers. EU member states have jurisdiction over other platforms through national digital services coordinators. The enforcement docket through 2024-2025 has been active. The Commission has opened formal proceedings against multiple VLOPs and gatekeepers, with investigations into recommender systems, advertising practices, dark patterns, and DMA compliance.

For a US platform that is not a VLOP or gatekeeper, the enforcement risk is principally through EU member state digital services coordinators. The DSCs have varying enforcement capacity and posture. The platform's exposure depends on the specific member state(s) where users are located and the platform's compliance posture.

The DMA's anti-self-preferencing reach

The DMA's anti-self-preferencing obligation under article 6 prohibits gatekeepers from treating their own services more favorably than competing third-party services in rankings, search results, and other displays. The reach is broad and the enforcement is active. Google's compliance changes since March 2024 are the most visible example, with related changes from Apple, Meta, and other designated gatekeepers.

For US platforms approaching gatekeeper thresholds, the DMA's reach is forward-looking. A US platform that grows to gatekeeper-threshold levels in the EU will be subject to the same obligations. The compliance architecture is substantial and the operational changes are not trivial.

The cross-jurisdictional considerations

US platforms subject to the DSA and DMA face overlapping obligations under other regimes: the CCPA/CPRA, the GDPR, the EU AI Act (for AI-related deployments), the UK Online Safety Act, and national-level platform regulations in various jurisdictions. The compliance architecture for a US platform operating internationally is complex. The drafting move for outside counsel is to map the obligations against a single internal compliance framework and identify the strictest applicable rule for each operational element.

What I would not assume

The DSA and DMA are still in the early years of application. The Commission's enforcement posture, the member state coordinators' enforcement posture, and the judicial review of enforcement decisions are all still developing. The applicable obligations for a specific US platform depend on the platform's size, services, and EU user base. Counsel advising a US platform on DSA/DMA exposure should engage EU counsel for the substantive compliance design and should not rely solely on US-side analysis. The enforcement actions through 2025 and 2026 will set the operational expectations, and the playbook in 2027 will look different from the playbook in 2024.

Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.