The dividing line between simple technical intermediation and an active duty to moderate content is no longer a matter of abstract legal theory — because with the Digital Services Act (DSA), the European legislator has turned this distinction into an operational map that determines who must do what, through which procedures, and under which sanctions, in managing illegal content, systemic risks, and user protection on major online platforms.

From this perspective, those who design, manage, or monetize digital services aimed at the European market can no longer simply ask whether they fall within the liability exemption for hosting or mere conduit — they must examine how their information flows are structured, what notice-and-action tools have been implemented, and to what extent their design choices bring them closer to the role of an active participant in risk mitigation.

European regulation, which builds on the already familiar e-commerce directive framework and advances to the DSA as a directly applicable regulation, preserves the logic by which the intermediary is not required to monitor all user communications in a generalized way. However, this immunity rests on increasingly precise conditions and progressively more intensive due diligence obligations for categories such as online platforms and very large online platforms (VLOPs) — obligations that include accessible reporting systems, reasoned management of content removal decisions, and periodic risk assessments.

In a context where market access and business-to-consumer dialogue are largely mediated through marketplaces, social networks, app stores, and hybrid platforms, economic operators who “live” on these services discover that their level of legal risk exposure depends not only on their own content or campaigns, but also on the degree of compliance of the hosting platform and the quality of the reporting, moderation, and redress mechanisms it makes available.

Intermediaries, Hosting, and Online Platforms in the DSA

The structure of the DSA revisits and updates the classic three-tier categorization of intermediaries — mere conduit, caching, and hosting — clarifying functions, scope, and the conditions for benefiting from liability exemptions, and bringing into focus a fourth level of particular practical relevance: that of “online platforms,” meaning services that do not merely host content but disseminate it to the public at users’ request.

“Mere conduit” remains anchored to the model in which the provider limits itself to transmitting data or providing network access without modifying or selecting it; caching involves automatic and temporary storage functional to transmission efficiency; hosting concerns the storage of information provided by service recipients — with the specification that online platforms represent a sub-category of hosting subject to specific additional obligations.

Maintaining liability exemptions is conditional on the intermediary not playing an active role that would give it knowledge or control over content, not modifying transmitted information, and acting promptly when receiving specific orders from authorities or notifications that bring manifestly illegal content to its attention. While this framework does not introduce a general monitoring obligation, it makes particularly delicate the analysis of business models involving personalized recommendations, algorithmic optimization, or forms of editorial curation of content flows.

Notice and Action, the Duty to React, and Liability

The notice-and-action mechanism, codified in the DSA in more detailed terms than before, represents the pivot through which the European legislator attempts to reconcile the absence of a generalized monitoring obligation with the need for rapid removal of illegal content once the platform is aware of it — establishing specific obligations regarding the structure of reporting channels, processing timelines, reasoning of decisions, and notification to affected users.

A platform that receives a notification meeting the required criteria and fails to respond with due diligence — by adopting proportionate measures such as removal, access restriction, or other targeted interventions — risks undermining its liability exemption for hosted content. The line between mere intermediation and active liability shifts onto the terrain of timeliness, internal documentation, and consistency of applied policies.

The framework further distinguishes between manifestly illegal content and situations requiring more complex legal assessments — delineating, for very large online platforms, additional obligations of periodic risk assessment, independent audits, and mitigation measures that go beyond individual removal cases to address phenomena such as disinformation, hate speech, gender-based violence, or minor protection. In this perspective, the platform’s duty does not end with reactive responses to reports, but encompasses the capacity to identify risk patterns and intervene in its own technological architectures.

Where Mere Intermediation Ends and Active Duty Begins

The most practical question for those who manage or use a platform concerns the point at which activity diverges from technical neutrality — because every time the provider selects, orders, recommends, or otherwise affects the visibility of content, its position approaches that of a subject influencing public discourse and commercial interactions, with a corresponding regulatory expectation of a higher level of due diligence.

Human or algorithmic intervention in shaping feeds, suggestions, search results, or advertising makes it plausible that the platform is not simply transmitting data, but structuring an information environment — and the DSA builds on this premise a system of graduated obligations ranging from transparency regarding terms of use to redress mechanisms and fundamental rights impact assessments for the largest actors.

From an operational standpoint, the shift from mere intermediation to active duty can be observed at the moment when the platform possesses sufficient elements to know or ought to know that a particular piece of content is illegal and yet fails to act — or when it deliberately adopts design and business models that amplify high-risk content without putting in place adequate mitigation measures.

On this point, Antonino Polimeni, founder of Polimeni.Legal, comments: “In light of the Digital Services Act, the sensitive issue is no longer the abstract definition of hosting or mere data transmission, but the actual degree of governance the provider exercises over its information environment and the risks it generates for users, companies, and the digital public space. The boundary between mere intermediation and an active duty to control and mitigate is not measured by the number of content pieces removed, but by the quality of procedures, the traceability of decisions, and the platform’s capacity to intervene when problems arise: where awareness and adequate safeguards are absent, the platform inevitably comes to be read not as a neutral actor, but as one that participates in the production of digital risk — while those who structurally rethink internal rules, processes, and contracts discover that the new framework can be incorporated into ordinary service management rather than endured only in a reactive, emergency mode.”

Impacts for Platforms and for Those Who Do Business Online

The entry into force of the DSA has already prompted a deep revision of interfaces, general terms and conditions, and internal procedures for many platforms operating in Europe, with the Commission and national authorities engaged in verifications of the compliance of reporting systems, moderation practices, and transparency policies toward service recipients.

The sanctions provided in cases of violation — which can reach up to 6% of a company’s global annual turnover (Art. 52 DSA) — are accompanied by remedies such as the imposition of corrective measures or, in extreme cases, restrictions on service operations. This means that compliance is not a purely formal obligation, but a factor of business continuity and market access.

For companies that use these platforms to sell products, promote services, or manage their digital identity, attention shifts to at least three dimensions: the need to understand the platform’s internal rules and how they connect with the DSA, the management of risks arising from automated content removals or restrictions, and the possibility of using the new redress and transparency tools to challenge decisions perceived as arbitrary or discriminatory.

Against this backdrop, research showing that a significant portion of platforms still does not fully comply with European rules on business relationships signals that reactive compliance is no longer sustainable: those doing business online must assess their exposure not only with respect to advertising and consumer protection rules, but also with regard to the regulatory stability of the digital infrastructures on which they build their presence.

Operational Lines for Adaptation and Risk Management

The response of platforms to the DSA requires the adoption of documented internal procedures, capable of demonstrating to authorities a systematic approach to managing illegal content and systemic risks — an approach that involves revising terms and conditions, formalizing notice-and-action flows, establishing dedicated teams, and setting up clear communication channels with users and competent authorities.

For providers qualifying as very large online platforms, the organizational dimension expands further — encompassing the obligation to carry out risk impact assessments, undergo independent audits, and publicly account for measures adopted, with a level of reputational exposure that makes technology and moderation choices an integral part of corporate strategy.

On the side of companies using platforms, a conscious approach to risk management runs through: mapping of critical channels (company accounts, review systems, sponsored campaigns), review of policies in light of the DSA, preparation of internal procedures for responding swiftly to removals or restrictions, and systematic collection of documentary evidence to challenge decisions that affect the right to economic initiative.

The role of legal support does not end with advisory services on the regulations, but extends to negotiation with providers, the definition of more balanced contractual standards, and the integration of digital compliance into ordinary corporate governance processes.