EU Digital Services Act: Role of the Legal Representative


In an era dominated by digital interaction, the European Union has taken a decisive regulatory step with the adoption of the Digital Services Act (DSA) in 2022. This legislative landmark aims to create a transparency and accountability framework, counter illegal online content, enhance user safety, and provide users with strengthened rights. Some companies designated as very large online platforms and very large online search engines (companies with at least 45 million users in the EU) are already compelled to comply with the DSA. Now, the rest of the regulated information society service providers must also comply from February 17, 2024.

The DSA features extraterritorial application, meaning that it imposes obligations on non-EU organizations targeting the EU market or with a significant number of customers in the EU. Intermediary service providers outside the EU must now designate a legal representative in an EU member state where they offer their services. 

This post aims to unpack the role of the legal representative as required by Article 13 of the DSA, shedding light on its responsibilities, and the potential ramifications for non-compliance.

Who must appoint a representative?

Article 13 of the DSA targets providers of intermediary services who do not have an establishment in the EU but offer their services in the EU. These entities are now required to appoint a legal representative in the EU in writing. 

This applies to non-EU providers of:

  • mere conduit services,1 hosting services,2 and caching services,3 
  • online marketplaces,4
  • online platforms,5 and 
  • online search engines.6

Where must the representative be located?

The legal representatives required by the DSA must be located in one of the EU Member States where the provider offers its services. This geographical alignment ensures proximity for effective communication with relevant authorities, enhancing regulatory oversight.

Types of Representatives

The DSA permits the appointment of both natural and legal persons as legal representatives. An organization can also appoint an EU entity within the same corporate group or an external provider in the EU for this purpose. While the DSA enables service providers to appoint an individual in the EU as its DSA representative, the complexity and potential liability associated with this role (as explained below) may make it a less favored option. Many providers opt for specialized external firms that offer legal representation services, balancing expertise with liability management.

What are the representative’s responsibilities?

Under Article 13, a legal representative assumes a pivotal role in serving as a communication point for regulators. Their responsibilities encompass interacting and cooperating with authorities, complying with authorities’ decisions, and ensuring the provider’s compliance with relevant decisions by the authorities.

Sharing Contact Details

To facilitate regulatory oversight, intermediary service providers are mandated to share the contact details of their legal representatives (name, postal address, email address, and phone number) with the Digital Service Coordinator (DSC) in the Member State where that legal representative resides or is established. (The DSC is the relevant EU member state’s authority responsible for the DSA application and enforcement.) The provider must also make the legal representative’s information publicly available and easily accessible. Providers must keep the information about their legal representatives current, promptly reflecting any changes.

Liability Framework

One of the distinctive features of the DSA is the establishment of clear liability for legal representatives. In the event of their non-compliance with the DSA, these representatives can be held directly accountable under the DSA. This liability is distinct from that of the intermediary service providers appointing them, and legal action can be taken against them separately.

Sanctions for Non-Compliance

The consequences for non-compliance with the DSA are robust. Regulatory authorities are empowered to impose fines of up to 6% of an organization’s annual worldwide turnover in the preceding financial year. Continuous breaches may incur daily penalties of up to 5% of the provider’s worldwide turnover.

Additionally, those who provide wrong or incomplete information, do not respond to authorities or fail to correct information, or refuse inspections, could face fines up to 1% of annual income or global turnover from the previous financial year.


Article 13 of the DSA, with its focus on legal representatives, reinforces the EU‘s commitment to accountability and responsible conduct. The DSA’s extraterritorial application further extends the law’s influence. Accordingly, it is key to understand the nuances of this new requirement to mitigate risks and avoid enforcement action.

VeraSafe’s DSA Representative Program provides a simple, professional, cost-effective way of satisfying Article 13’s requirements. By appointing VeraSafe as your company’s official representative, you can rest assured that your organization has taken a substantial step toward compliance, while also being prepared to respond in a reliable, professional manner to any inquiries that may arise under the DSA.

You may also like:
Lessons from FTC Enforcement on Security Language in Privacy Notices
Decoding the EU-U.S. Data Privacy Framework: What Your Business Needs to Know
Drizly Data Breach: The FTC’s Findings and Implications for Online Businesses

Related topic(s): Digital Services Act, EU Privacy Laws, Compliance Tools and Advice

  1. 1.
    “Mere conduit” services cover a wide variety of basic internet infrastructure roles, such as internet exchange points, Wi-Fi hotspots, VPNs, DNS services, domain name registries, companies that register domain names, and those issuing digital certificates. This category also includes voice over IP and other direct communication services.
  2. 2.
    “Hosting services” are services where the provider stores information provided by, and at the request of, a recipient. Examples include cloud computing, cloud hosting, virtual private hosting, web hosting, paid referencing services, and platforms that allow for the sharing of information and content online, like file storage and sharing services.
  3. 3.
    “Caching” services specifically refer to technologies like content delivery networks, reverse proxies, and tools that adjust content for different devices.
  4. 4.
    Online marketplaces are platforms that allow consumers to conclude distance contracts with traders or other consumers acting as traders.
  5. 5.
    This is a type of hosting service that allows users to store and disseminate information to the public (at the request of the recipient).
  6. 6.
    Online search engines allow users to input queries in order to perform searches of all websites or all websites in a particular language on the basis of a query in the form of a keyword, voice request, phrase or other input and returns results in any format to which the requested content can be found.

Contact VeraSafe to discuss your data security management and privacy program today.