Security Bits Logo no alpha channel

Security Bits — 1 May 2022

Feedback & Followups

Deep Dive — 🇪🇺 The European Parliament & Council have Reached Agreement on the Digital Services Act

About a month ago it was big news when the European Commission, European Parliament, and the European Council reached an agreement on the big-picture structure of the Digital Markets Act (DMA), and we dug into it in detail in Security Bits on 3 April 2022.

We mentioned then that the DMA was just the first of two major tech-related acts that were in the works in Europe, the second being the Digital Services Act or DSA. Last weekend, the DSA made it to a similar stage, having reached Provisional Political Agreement. The DSA’s arrived here via a slightly different process because it’s being led by a different commissioner, so there was no last-minute trialogue this time, just a two-way agreement between the parliament and the ministers, and the next step is not technical wording, but final approval by the parliament and council of ministers. I think the reason for the difference is that this bill is smaller, and a lot less prescriptive — it’s more about defining responsibilities than mandating specific actions.

While the scale may be smaller, and the technical details different, a lot of the philosophy sounds very similar to me — like the DMA, the DSA is aimed primarily at big companies. But, with the DSA, unlike the DMA, smaller companies aren’t completely exempted, they’re just subject to fewer rules and less stringent oversight.

What Companies are Primarily Targeted?

The DSA focuses mostly on what it calls very large online platforms (VLOPs) and very large online search engines (VLOSEs). The threshold for being considered very large is having at least 45 million monthly active users in the EU. Smaller platforms and search engines are “exempted from certain new obligations”.

The biggest difference between the big guys and the little guys is that the big guys will be centrally regulated by the European Commission, while the smaller companies will continue to be regulated by the appropriate national institutions within the member countries.

The Most Significant Rules for Everyone

The most significant change affecting all services IMO is a new responsibility to safe-guard minors using online services and an outright ban on targeted advertising aimed at children.

Three other requirements for all online service providers stand out:

  1. All online marketplaces (regardless of size) will have a duty of care to ensure they display appropriate information on products and services being sold, regardless of the seller. The aim here is to protect consumers. It means online resellers can’t knowingly sell things like counterfeit chargers that could kill people without being liable.
  2. So-called dark patterns, i.e. intentionally misleading UIs will be illegal for all online services.
  3. There will be transparency requirements for all recommendation engines.

The Most Significant Rules for the VLOPs & VLOSEs

The single biggest requirement is that large companies must implement annual systematic risk assessments and put in place measures to reduce the risks they find. This is where the controversy lies because addressing some of these risks will inevitably lead to limits on speech. These are the risks called out in the press release describing the agreed act:

  1. Dissemination of illegal content
  2. Adverse effects services may have on fundamental rights
  3. Adverse effects services may have on democratic processes and public safety
  4. Adverse effects on minors
  5. Increased gender-based violence
  6. Adverse effects on users’ physical or mental health

The big companies also have an extra responsibility to offer versions of their recommendation engines not based on user profiles.

Finally, there was a last-minute addition allowing the Commission to decide that a crisis has broken out, and then, impose restrictions on VLOPs & VLOSEs. The examples they give in the press release are pandemics and wars (can’t imagine why those were on their minds). This hasty last-minute addition has some people nervous because the commission seem to get all the power here — they get to both declare emergencies and decide what emergency rules to impose on the large services.


Worthy Warnings

Notable News

  • Time to buy your sysadmin friends another coffee – Oracle have released a patch to Java that fixes a catastrophic hole in one of the languages core crypto libraries (all zeros is effectively a skeleton key!) —… (There’s nothing for regular folks to do, this is another one for corporate IT like Log4Shell earlier in the year)
  • 🇬🇧 Apple is bringing its Communication Safety in Messages parental control feature to the UK (this is the uncontroversial CSAM protection feature that is already active in the US, not the controversial feature that’s indefinitely postponed) —…

Interesting Insights

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top