← All articles

The Digital Services Act Obligations That Actually Hit UGC and Creator Platforms

Oarized · 21 June 2026

If You Host User Content in the EU, You're Covered

The Digital Services Act became applicable to Very Large Online Platforms and Search Engines — those with more than 45 million monthly EU users — in August 2023, and extended to essentially all other platforms operating in the EU on February 17, 2024, per the European Commission's own policy page. The regulation covers intermediary services broadly: hosting services, online platforms, and marketplaces, with obligations scaled to a provider's role, size, and impact rather than applied uniformly.

The threshold for coverage is not company size — it's whether a service hosts or transmits third-party content for EU users. A platform built around user-generated video clips, creator payouts, or any form of UGC distribution is, structurally, either a "hosting service" or an "online platform" under the DSA's definitions the moment EU users can post or receive content through it. There is no revenue floor or user-count floor below which a platform is entirely outside the regulation's scope — the exemptions that exist (covered below) remove specific obligations, not DSA applicability itself.

For a UGC-clipping or payout platform operating out of the Netherlands or serving EU creators, that means DSA compliance isn't a future consideration tied to reaching some growth milestone. It applies from the point EU users can upload or view content through the service.

Notice-and-Action Applies to Every Hosting Provider, No Exceptions

Article 16 of the DSA requires every hosting service — regardless of company size — to provide a notice-and-action mechanism that lets any individual or entity flag content as illegal. Legal analysis of the article, including from CMS's DSA guide, confirms this mechanism must be easy to access, user-friendly, and available electronically, and must let a notifier submit a sufficiently substantiated explanation of why content is alleged to be illegal, the exact URL or location of the content, and their name and contact details.

Once a notice comes in, the hosting provider must send the notifier a confirmation of receipt without undue delay, then follow up with the provider's decision on the content and information on how to appeal that decision. Article 17 goes further for platforms that actually remove or restrict content: it requires a "clear and specific statement of reasons" for every takedown or restriction, citing the exact legal or contractual basis for the action.

Critically, none of this is scoped by company size. Unlike most of the DSA's creator-platform-relevant obligations, Articles 16 through 18 have no small or micro enterprise exemption at all — a two-person clipping platform faces the identical notice-and-action and statement-of-reasons requirements as a platform with hundreds of millions of users. This is the one part of the DSA every UGC platform operator needs to treat as non-negotiable from day one, regardless of size.

What the Small-Enterprise Exemption Actually Exempts

Article 19 of the DSA does carve out a real exemption for micro and small enterprises, but it's narrower than it's often assumed to be. Per CMS's analysis of Article 19, qualifying platforms are exempt from most of Section 3 of the regulation — specifically Articles 20 through 28, covering internal complaint-handling systems, out-of-court dispute settlement, trusted-flagger prioritization, misuse safeguards, most transparency reporting, dark-pattern restrictions on interface design, advertising transparency, recommender-system transparency, and minor-protection measures.

The qualifying thresholds come from Commission Recommendation 2003/361/EC: a small enterprise employs fewer than 50 people and has annual turnover or balance-sheet total under €10 million; a microenterprise employs fewer than 10 people with turnover or balance-sheet total under €2 million. A platform meeting either threshold gets the Article 20–28 exemption — with one specific carve-back. Article 24(3) — a narrower transparency reporting duty — applies regardless of size, so even the smallest qualifying platform still owes the Commission that specific disclosure.

The exemption also isn't permanent by default: a platform that grows past small-enterprise size keeps the exemption for 12 months after losing that status, but any platform designated a Very Large Online Platform under Article 33 loses the exemption immediately regardless of its actual size — a scenario relevant mainly to platforms with genuinely massive reach, not typical creator-economy startups. What's not exempt for anyone, at any size: Articles 16–18 (notice-and-action, statement of reasons), the basic terms-and-conditions transparency in Article 14, and the requirement to designate a point of contact under Articles 11 and 12.

The Transparency Database Is Already Running

The DSA's enforcement isn't theoretical or upcoming — the infrastructure is live and collecting data now. The European Commission launched the DSA Transparency Database on September 25, 2023, a public repository where covered platforms submit their statements of reasons for content moderation decisions in near-real time. Per the Commission's own transparency page, the database allows public search, review, and download of these statements, and as of July 1, 2025, moderation categories were standardized across the database to make cross-platform comparison possible.

Annual transparency reporting has been mandatory since February 17, 2024, with the first harmonized reports published in February 2026. Separately, the Commission maintains a Digital Services Terms and Conditions Database that, per the same source, already contains more than 790 terms-and-conditions documents from over 400 services — meaning a platform's own terms of service are now part of a public, comparable EU dataset.

For hosting providers not exempt from Article 24 reporting, and for the narrower Article 24(3) obligation that applies even to exempt small enterprises, this means moderation decisions and reporting data feed into infrastructure regulators and researchers can already query. Treating notice-and-action and takedown documentation as an internal process rather than a public-facing, auditable one is no longer a safe assumption for any covered platform.

The TikTok Case: Reward Mechanics Are Now a DSA Risk Category

The clearest applied precedent for creator-economy platforms is the Commission's action against TikTok's Lite Rewards programme — not a content-moderation case, but a case about the design of a reward mechanic itself. The programme, launched in France and Spain in April 2024, let users earn points for watching videos, liking content, following creators, and inviting friends, redeemable for rewards including Amazon vouchers.

The Commission opened formal proceedings on April 22, 2024, and by August 2024 had made TikTok's commitments to permanently withdraw the programme from the EU legally binding, per the Commission's own announcement. The stated concern: TikTok launched the programme without a prior risk assessment of its addictive potential and without mitigating measures — a direct application of DSA risk-assessment principles to a gamified engagement feature, not to illegal content.

TikTok also committed to never launch a similar mechanism that would circumvent the withdrawal, and any breach of that commitment is treated as an automatic DSA violation exposing TikTok to fines. For any platform running or planning creator or user reward loops — points, streaks, redeemable incentives, referral bonuses — this case is the operative signal: EU regulators will scrutinize the behavioral design of a reward mechanic on its own terms, independent of whether the underlying content is ever in question.

What Non-Compliance Actually Costs

The DSA's penalty structure is uniform across covered platforms regardless of size, which is worth internalizing alongside the small-enterprise exemptions on substantive obligations. Under the Commission's enforcement framework, the maximum fine for failing to comply with a DSA obligation is 6% of a provider's annual worldwide turnover in the preceding financial year. For continued non-compliance after a decision, the Commission can additionally impose periodic penalty payments up to 5% of average daily worldwide turnover per day of continued breach.

Enforcement is already active rather than dormant. Recent Commission actions include a €120 million fine against X over its advertising repository, and binding commitments from AliExpress — including automatic blurring of adult items from minors and improved trader-traceability measures — that took effect in June 2025. The Commission has also opened 16 formal investigations across the EU since the DSA became fully applicable, and out-of-court dispute mechanisms had resolved more than 1,800 cases by mid-2025, reversing the platform's original decision in 52% of them.

For a UGC or creator payout platform sizing up its compliance exposure, the practical order of priority is: get notice-and-action and statement-of-reasons handling right first, since there's no size exemption there; confirm actual small-enterprise status under the 2003/361/EC thresholds before assuming an exemption applies; and treat any reward, streak, or incentive mechanic as a feature that needs its own documented risk assessment before EU launch, not an afterthought bolted onto a content-moderation review.