How the EU Digital Services Act Impacts Cloud Security

February 24, 2025


Originally published by Thales.


Two hundred years ago, safety and child labor laws were monstrously lax compared to today’s standards. Two hundred years from now, our descendants will look back with similar disbelief on our regulation of digital services. It is also true, however, that regulations reflect the societal principles and values of their time, and the EU Digital Services Act (DSA) is no exception: it sets strict rules for protecting children (and not only children) from exposure to harmful content online.


Understanding the DSA

The DSA is landmark legislation that aims to create a safer and more accountable online world. From February 2024, it applies to all online platforms in the EU and sets out a range of obligations for digital services: tackling illegal content, protecting users’ fundamental rights, increasing transparency and accountability, and giving users greater control over their online experiences.

Conscious of the potential impact of regulation on business, the EU has designed the DSA to foster “innovation, growth and competitiveness” while facilitating “the scaling up of smaller platforms, SMEs and start-ups.” This means that small and micro-enterprises are exempted from some rules, while very large online platforms and search engines (VLOPs and VLOSEs) have additional obligations.

Failure to comply with the DSA may, in severe cases, result in fines of up to six percent of annual global turnover. Lesser breaches, such as when organizations provide regulators with incorrect or misleading information, may result in fines not exceeding one percent of annual turnover.


How Does the DSA Impact Cloud Providers?

To avoid these penalties, whatever their size, cloud providers must implement at least the following basic measures:

  • Notice and Action Mechanisms: Establish clear procedures for users to report illegal content. Providers must act swiftly to remove or restrict access to the reported content upon receiving these reports.
  • Transparency Reporting: Publish annual transparency reports detailing their content moderation activities, including the number of notices received and actions taken.
  • Transparent and Accessible Terms and Conditions: Ensure terms and conditions are clear and accessible and include information on content moderation policies.
  • Legal Representation Designation: Non-EU-based cloud providers offering services within the EU must designate a legal representative in a member state.


What are the Security Implications for Cloud Providers?

The DSA’s impact, however, reaches well beyond the obligations explicitly listed above. To ensure compliance, cloud providers must understand the security implications that follow from those obligations.


Data Governance and Sovereignty

The DSA aims to protect users from illegal and harmful content online, and doing so inherently involves handling and processing data. Because the EU has a complex legal landscape, with the GDPR imposing data sovereignty requirements, cloud providers, which often store and process data across multiple jurisdictions, must navigate this complexity to comply with the DSA.

While the DSA does not explicitly detail all data sovereignty rules, it does create a framework that necessitates compliance with all relevant laws. This puts the onus on providers to ensure their data handling practices align with each jurisdiction where they operate or store data.

Strong data governance is the only way cloud providers can achieve compliance across jurisdictions. They must know where each data set is stored and which laws apply to it, and they must implement measures to control data locations, access, and transfers.


Shared Responsibility Ambiguity

The traditional “shared responsibility” model in cloud computing divides security duties between providers and customers. The DSA’s focus on content moderation and illegal content, however, complicates that division.

Under the DSA, providers must act against illegal content. Such actions can affect customer data or applications, potentially encroaching on security responsibilities that the customer holds. For example, if a customer stores illegal content, the provider may be obligated to remove it, which directly affects the customer’s data.

Providers must clearly define responsibilities in their contracts to avoid disputes and liabilities. This includes specifying who is responsible for what regarding content moderation, data access, and compliance with specific DSA requirements.

 

Increased Cybersecurity Measures

As noted, the DSA aims to create a safer online environment. This inherently requires robust cybersecurity measures to prevent data breaches, which can expose users to illegal content, privacy violations, and other harms.

Although the DSA does not explicitly list cybersecurity measures, its focus on user safety and illegal content means that providers must strengthen their security posture. Regulators will likely treat a significant data breach as a failure to meet the DSA’s objectives. Providers must therefore invest in stronger cybersecurity, including advanced risk intelligence, incident response, and data protection measures.
