Kortave
DSA | 4 May 2025 | 8 min read

DGA and DSA: Two EU Laws That Are Already in Force and Still Widely Misunderstood

The Data Governance Act and Digital Services Act are both fully applicable. Here is what each law requires, who is in scope, and the enforcement actions you need to know about.

Two significant pieces of EU digital regulation are fully in force and enforced — yet remain poorly understood by many of the businesses they apply to. The Data Governance Act has applied since September 2023. The Digital Services Act has applied in full since February 2024. Both carry meaningful enforcement consequences. Neither is on the radar of most legal and compliance teams outside the tech sector.

This article covers what each law requires, who it applies to, and what enforcement looks like in practice.

Part 1: The Data Governance Act

The Data Governance Act (DGA, Regulation (EU) 2022/868) is fundamentally an enabling regulation. It does not prohibit data sharing — it creates trusted structures for making it happen. Its primary compliance obligations fall on a specific category of actors: data intermediary service providers.

What is a data intermediary?

The DGA defines a data intermediary as a service that establishes commercial relationships between data holders (the entities that control data) and data users (the entities that want to use the data) — where the intermediary itself does not use the data for its own purposes.

This covers platforms and marketplaces that:

  • Allow individuals or companies to share data with each other
  • Operate B2B data exchanges where companies can buy or sell access to datasets
  • Provide personal data spaces where individuals can aggregate and selectively share their personal data
  • Run cooperative data pools where members contribute and access pooled data

If your platform primarily buys data and resells it — acting as a data broker — you are not a data intermediary under the DGA. The critical distinction is that DGA intermediaries facilitate sharing between parties without claiming the data for themselves.

DGA obligations for data intermediary providers

Once your service falls within the DGA's scope as an intermediary, you must:

  • Notify the national competent authority before providing the service. Notification is not approval — it is registration. EU member states have designated competent authorities (typically a digital regulator or data protection authority).
  • Structural separation: You must not use the data flowing through your intermediary service for your own purposes — including training AI models, targeted advertising, or informing your own pricing decisions. If you operate other businesses alongside the intermediary, these must be legally and technically separated.
  • Non-discrimination: You must offer equal conditions to all data holders and users, and cannot give preference to your own commercial affiliates.
  • Data security: Appropriate technical and organisational security measures for all data processed through the intermediary service.
  • EU data residency: Where required by the data holder, processing and storage must remain within the EU.
  • Annual activity reports: Covering the volume of data exchanged, number of participants, and geographic distribution.

Non-notification or operating a service that fails DGA structural requirements can result in orders to cease the service and proportionate administrative sanctions under national law.

Data altruism organisations

The DGA also creates a category of data altruism organisations — non-profits that collect data donated by individuals or companies for general interest purposes (public health research, environmental monitoring, open science). These must register on a national register and comply with governance requirements ensuring data is used only for declared public interest purposes.

Part 2: The Digital Services Act

The Digital Services Act (DSA, Regulation (EU) 2022/2065) is a much broader regulation covering how online intermediaries and platforms must govern content, advertising, and algorithmic systems. It replaced the E-Commerce Directive's intermediary liability rules and extends significantly beyond them.

The tiered scope

DSA obligations increase by tier:

  • All online intermediary services (hosting, caching, mere conduit): basic liability provisions, transparency in terms of service, obligation to cooperate with orders from authorities.
  • Hosting services including platforms: Notice-and-action mechanisms, statement of reasons for content decisions, internal complaint-handling system, out-of-court dispute resolution access, annual transparency reporting.
  • Online marketplaces: Know Your Business Customer trader verification, random checks on product listings, traceability to suppliers, specific duties when notified of illegal products.
  • Very Large Online Platforms (VLOPs) — 45M+ EU monthly active users: Annual systemic risk assessments, independent audits, algorithmic transparency, advertising repositories, researcher data access, crisis response protocols. Directly supervised by the European Commission.

Key obligations for mid-size platforms

Even platforms below the VLOP threshold face significant obligations from February 2024:

Transparency reporting (Article 15): Platforms must publish annual reports covering: total content moderation actions taken (automated and human), number of notices received, appeals processed, and the error rate of automated moderation tools. This data must be machine-readable and publicly accessible.

Notice-and-action (Article 16): A clear, accessible mechanism for users and national authorities to flag allegedly illegal content. The platform must acknowledge the notice, act on clearly illegal content expeditiously, and notify the reporter of the outcome.

Statement of reasons (Article 17): When content is removed, an account suspended, or a user restricted, the affected party must receive a clear explanation — including the grounds for the decision, the legal basis, and information about the internal complaint mechanism. This must be provided without delay unless law enforcement has requested confidentiality.

Advertising transparency (Article 26): Users must be able to identify any advertisement, the identity of the advertiser, and why they were targeted. Advertising based on sensitive personal data (health, religion, sexual orientation, ethnicity, political views) is prohibited.

Enforcement

DSA enforcement rests primarily with Digital Services Coordinators (DSCs) — national authorities designated by each EU member state. DSCs have broad investigative powers including on-site inspections, document requests, and the ability to impose interim measures. The European Commission has direct enforcement jurisdiction over VLOPs and Very Large Online Search Engines (VLOSEs).

The Commission opened formal proceedings against X (formerly Twitter), TikTok, and Meta in 2024. National DSCs are ramping up capacity to investigate non-VLOP platforms. Fines can reach 6% of global annual turnover.

The common thread

Both the DGA and DSA share an underlying philosophy: if you are an intermediary operating in the EU digital economy — facilitating data flows or hosting content — you take on obligations that go beyond simply not harming users. You must actively support the functioning of a fair, transparent, and trustworthy digital environment. The era of the neutral platform with no compliance obligations is over.


For legal and compliance teams that have spent the past two years focused on GDPR, AI Act, NIS2, and DORA, the DGA and DSA may not have received proportionate attention. Both regulations are now fully applicable. Both have designated enforcement bodies. Both have begun generating enforcement activity. The right time to assess your exposure was last year — the second best time is now.
