The European Union (EU) continues its work on the Digital Services Act (DSA) to clarify the rules for digital intermediary service providers to protect consumers and establish a clear accountability framework for online platforms. As a representative of small and medium-sized enterprises (SMEs) and startups in the digital sector, ACT | The App Association fully supports the EU’s objectives to create safe, secure, and accessible digital spaces for business users and consumers that protect fundamental rights and encourage fair competition.

We are, however, observing some concerning developments in the European Parliament, especially from the Internal Market and Consumer Protection Committee (IMCO), which leads the parliamentary process on the DSA. The IMCO committee recently released a draft report that considerably broadens the set of the DSA’s obligations applicable to micro- and small enterprises. By removing the exemptions for SMEs and microenterprises from the European Commission’s original proposal, the IMCO draft report exposes smaller players to substantial compliance costs and potentially creates insurmountable regulatory burdens for them.

Without exemptions for SMEs, the compliance costs for the DSA, in combination with the compliance costs for other pieces of legislation targeting the digital sector, would become disproportionate for digital SMEs. Thus, we urge all policymakers currently negotiating texts aiming to regulate the online world, in particular the DSA, to speak to each other and ensure that the combined obligations for micro- and small enterprises do not jeopardise their ability to enter and compete against incumbents in the market. We also recommend the following steps to make the DSA more SME-friendly:

  1. Consider the combined burden of potentially simultaneous obligations across different legislative texts

We fully support a safe digital environment for all business users and consumers. However, SMEs have limited human and financial resources to comply with multiple legal obligations to which they may simultaneously become subject. Excessive regulation may stunt the growth of our members and other innovative SMEs before it can begin. Although individual legislative proposals emphasise proportionality, we believe policymakers are not fully appreciating the total potential administrative burdens various pieces of legislation may introduce.

Along with the daily cost of running a business, the combination of legal obligations of laws like the Copyright Directive, the Platform-to-Business Regulation, the General Data Protection Regulation (GDPR), the ePrivacy Directive, or other legislative proposals such as the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) rules, can easily constitute a prohibitive cost for SMEs.

For example, a small online platform could already be subject to simultaneous removal or disabling of access to works or performances while it also activates and engages in an internal complaint-management system. That small platform may also need to notify subscribers about a potential data breach while preparing statements of reasons to business users upon suspension of their services. Additionally, the platform must communicate the outcomes of complaint-handling processes to complainants, provide data subjects with information on the collection of their data, and offer authors and performers information on the exploitation of their work at least once per year (1). For each of these steps, regulators expect online platforms to act quickly and often with direct human oversight.

Each of these actions comes with tangible financial costs. Upcoming legislation like the DSA may increase this regulatory burden further if it does not include the proper exemptions for smaller digital actors. In its impact assessment for the DSA, the European Commission estimates that an average micro-enterprise receiving 50 takedown notices per year, of which only five per cent require a counter-notice procedure, will have to sustain a cost of approximately €15,000 annually. Although these costs may decrease with more standardised procedures, a multiplication of similar processes may void the benefits of such standardisation.

While we endorse the goals of these obligations and the principle of transparency behind them, they represent only a small sample of the requirements to which SMEs in the digital sector are already subject. We thus urge regulators to avoid creating a situation in which SMEs must use their limited financial assets for administrative activities rather than to research and develop new products and hire more employees.

  1. Appreciate that compliance may require specialist knowledge or external support

The digital age enabled entrepreneurs to build successful businesses with limited finances and only a handful of staff. However, some laws require highly specialised knowledge that SMEs can only obtain through expensive legal counsel or external consultants. Yet, most SMEs don’t have the funds to hire this staff.

Knowing whom to report illegal material or personal data breaches to is already a complex task for an emerging enterprise. Nonetheless, certain pieces of legislation further expect SME platforms to identify whether a removal order contains errors, what additional measures could address a security breach without compromising user freedoms, and where to find the various templates the company needs in order to communicate with national authorities (2).

Larger companies likely have specific teams and resources to find this information when necessary. Regulators cannot reasonably expect smaller platforms to access the same information as quickly, especially if they do not implement the appropriate tools to facilitate information-sharing and other cost-cutting solutions.

  1. Acknowledge the challenges digital entrepreneurs face in addition to business expenses

Regulatory compliance aside, SMEs in the digital sector manage a host of other challenges. They may face the unfair exploitation of their intellectual property (IP), algorithms, or business secrets, just to name a few, that require both time and financial resources, on top of the daily cost of running a business. The myriad responsibilities an emerging enterprise must face when competing in the digital sector may discourage some entrepreneurs from entering the market altogether. We should work to ease the path to market for European entrepreneurs rather than mount regulatory barriers that only deplete further SMEs’ already limited resources.

  1. Maintain a simple Single Market for digital services

Large enterprises can determine the regulatory differences between the EU Member States and tailor their offerings to each in turn. Policymakers cannot expect smaller enterprises to do the same just as easily.

Policies like the country-of-origin principle in the eCommerce Directive has allowed digital SMEs to enter the Digital Single Market as a single market, rather than a complicated system of 27 conflicting laws. The country-of-origin principle is particularly important as recent legislation already complicates legal certainty for SMEs in the digital sector. Some laws, for example, give individual Member States discretion in determining whether the administrative burden on SMEs is proportionate or excessive or whether authorities can impose penalties on SMEs for failure to comply with existing obligations (3). The European Institutions should harmonise the rules for SMEs as much as possible across the EU, and make those rules proportionate to SMEs’ real capacity and capability. To ensure that SMEs continue to access and grow in this market, any new legislation and the DSA must preserve this principle in particular.

Conclusion

We urge European policymakers to acknowledge the mounting cost of regulatory compliance for SMEs in the digital sector and to mitigate these costs as much as possible in future legislation while ensuring safe and secure digital spaces. Upcoming legislation must ensure the fundamental principle of proportionality to avoid overwhelming small and emerging actors who already face significant regulatory burdens.

To the extent possible, we encourage policymakers to seek ways to reduce financial burdens and the multiplication of obligations across different texts or provide more flexible, simple, and clearly communicable options for digital SMEs across the EU.

Footnotes

(1) The obligations cited here appear in Directive (EU) 2019/790 (Copyright Directive), Regulation (EU) 2019/1150 (Platform-to-Business Regulation), Directive (EU) 2002/58/EC (ePrivacy Directive) and Regulation (EU) 2016/679 (General Data Protection Regulation

(2) The specific obligations cited here refer primarily to Regulation (EU) 2021/784 (Regulation on addressing the dissemination of terrorist content online) and Directive (EU) 2002/58/EC (ePrivacy Directive), though several other pieces of digital legislation require platforms to appropriately balance security and accessibility.

(3) Consider, for example, Article 19 of Directive (EU) 2019/790 (Copyright Directive) or Article 18 of Regulation (EU) 2021/784 (Regulation on addressing the dissemination of terrorist content online).