DSA Compliance for Small and Medium Platforms: A Practical Guide
The EU Digital Services Act (DSA) applies to almost every platform that operates in Europe — not just the giants. If your platform hosts user-generated content and has users in the EU, you need to comply.
For small and medium platforms, DSA compliance can feel overwhelming. The regulation is dense, the fines are severe (up to 6% of global revenue), and you likely don't have a dedicated compliance team. This guide breaks down exactly what you need to do and how to do it without breaking your budget.
Does the DSA apply to your platform?
The DSA applies to intermediary services that transmit or host user-generated content. This covers forums, comment systems, social networks, marketplaces, review platforms, and any site where users can post content visible to others.
There are three tiers based on platform size:
- Very Large Online Platforms (VLOPs): Over 45 million monthly active users in the EU. Full DSA requirements including systemic risk assessments.
- Large platforms: Between 10 and 45 million monthly active users. Most DSA obligations apply, with some simplified reporting.
- Small and medium platforms: Under 10 million monthly active users. Key obligations apply, but many requirements are proportional and manageable.
If you're in the third category, this guide is for you. The good news: the DSA was designed with proportionality in mind. Smaller platforms have lighter requirements.
What the DSA actually requires from SMEs
For small and medium platforms, here are the concrete requirements:
1. Notice and action mechanism (Article 14): Users must be able to flag illegal content or terms-of-service violations. You must act on these notices promptly and inform the user of your decision.
2. Transparency reporting (Article 15): You need to publish an annual report with data on your content moderation activities — how many pieces of content were moderated, how many user notices you received, and how you handled them.
3. Statement of reasons (Article 17): When you remove or restrict content, you must explain why. This includes which specific term was violated and whether automated tools were used.
4. Internal complaint-handling (Article 21): Users must be able to appeal moderation decisions. You need a system to review appeals and inform users of the outcome.
5. Single point of contact (Articles 11-12): You need a designated contact for EU regulators and users. A simple email address is sufficient for SMEs.
Step 1: Set up automated content moderation
The DSA doesn't mandate AI moderation, but manual review doesn't scale. For any platform with meaningful UGC volume, automated moderation is the only practical path.
With OpenModeration, you can set this up in under an hour:
- Deploy with Docker: docker run -p 3000:3000 openmoderation/server
- Choose a provider (OpenAI, Azure, HuggingFace, Mistral, or self-hosted LLM)
- Configure thresholds in the dashboard: "if hate score > 0.8, auto-hide"
- Set up manual review queue for borderline content
This gives you an Article 17-compliant system: every decision includes the provider, the scores, the rule that triggered, and the action taken.
Step 2: Build your audit trail
Audit trails are the backbone of DSA compliance. When a regulator asks "show us how you handle illegal content," your audit trail is your answer.
OpenModeration logs every moderation event with:
- Content ID and text (hashed or stored per your retention policy)
- Provider used and response time
- Scores per category (hate, harassment, violence, etc.)
- Rule matched and action taken (allow, hide, delete, flag)
- Timestamp with UTC timezone
- User flag if initiated by a user notice
- Human reviewer and decision for manual reviews
These logs are stored in PostgreSQL and exportable via API. For DSA audits, you can generate a full report with a single API call.
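To make the threshold rule from Step 1 and the audit fields listed above concrete, here is an added sketch of a decision function, the audit record it produces, and the statement of reasons derived from that record. It is not OpenModeration's code or API; the rule ids, field names and sample values are assumptions chosen for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Hypothetical rules: (rule id, category, threshold, action). First match wins,
# so list the stricter threshold for a category before the looser one.
RULES = [
    ("hate-auto-hide", "hate", 0.8, "hide"),
    ("hate-review", "hate", 0.5, "flag"),
    ("violence-review", "violence", 0.6, "flag"),
]

def decide(scores):
    """Return (rule_id, action) for the first rule whose threshold is exceeded."""
    for rule_id, category, threshold, action in RULES:
        if scores.get(category, 0.0) > threshold:
            return rule_id, action
    return None, "allow"

def audit_record(content_id, text, provider, latency_ms, scores,
                 notice_id=None, reviewer=None, reviewer_decision=None, now=None):
    """Build one audit entry with the fields listed above (names are assumptions)."""
    rule_id, action = decide(scores)
    return {
        "content_id": content_id,
        # Keep a hash rather than the text when retention policy forbids raw content.
        "content_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "provider": provider,
        "response_time_ms": latency_ms,
        "scores": scores,
        "rule_matched": rule_id,
        "action": reviewer_decision or action,  # a human decision overrides the rule
        "automated": reviewer is None,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "notice_id": notice_id,  # set when a user notice triggered the evaluation
        "reviewer": reviewer,
    }

def statement_of_reasons(record):
    """Render the explanation sent to the user, or None if nothing was restricted."""
    if record["action"] == "allow":
        return None
    how = "automated tools" if record["automated"] else "a human reviewer"
    reason = record["rule_matched"] or "manual-review"
    return (f"Content {record['content_id']} was actioned ({record['action']}) "
            f"under rule '{reason}' by {how}.")

if __name__ == "__main__":  # constructed sample input, not real platform data
    rec = audit_record("post-1", "sample text", "example-provider", 120, {"hate": 0.91})
    print(statement_of_reasons(rec))
```

Because the comparison is strictly greater-than, a score of exactly 0.8 falls through to the review rule rather than auto-hiding; decide on that boundary deliberately and record it in the rule definition so the audit trail and the statement of reasons agree.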
Step 3: Implement user notice and appeal systems
Article 14 (notice) and Article 21 (appeal) require user-facing features. Your moderation platform needs to support them, but most of the logic is on your side:
- User notice endpoint: Expose an API or UI where users can flag content. Include content identifier, reason category, and optional explanation.
- Moderation re-evaluation: When a notice comes in, re-moderate the content and log the result linked to the notice.
- Appeal endpoint: Let users request a human review of automated decisions. Route these to your manual review queue.
- Notification: Inform users of decisions within the DSA's timeline. There is no defined hard deadline for SMEs, but "without delay" is the standard.
OpenModeration's Action Engine supports this workflow natively. You can configure rules that flag content for human review when user notices arrive, and the audit trail tracks the full lifecycle from notice to decision.
Step 4: Generate transparency reports
Article 15 requires an annual transparency report covering:
- Number of orders received from EU authorities
- Number of user notices processed
- Number of content removals or restrictions
- Number of appeals filed and outcomes
- Use of automated moderation tools
With OpenModeration's analytics API, you can generate these numbers on demand. The dashboard provides breakdowns by time period, content category, and action taken.
Common DSA compliance pitfalls for SMEs
No audit trail: The most common gap. If you can't produce a log of moderation decisions, you can't prove compliance. Fix this before anything else.
No human review option: Automated moderation is fine, but users must be able to appeal to a human. Even a simple manual review queue meets this requirement.
No data retention policy: The DSA doesn't mandate specific retention periods, but GDPR does. Have a policy, document it, and enforce it.
Reactive compliance: Don't wait for a regulator inquiry. Set up your systems proactively and document everything. Proactive compliance is cheaper than retroactive fixes.
DSA compliance checklist for SMEs
Use this checklist to track your progress:
- ☐ Designated point of contact (email address for EU authorities)
- ☐ Terms of service that explain content moderation policies
- ☐ User notice mechanism (flag content)
- ☐ Automated moderation pipeline configured
- ☐ Audit trail logging all moderation decisions
- ☐ Statement of reasons generated for every content restriction
- ☐ User appeal mechanism (human review option)
- ☐ Annual transparency report template ready
The DSA is the most significant platform regulation in EU history, but it's not designed to crush small platforms. The requirements are proportional, and the tools to meet them are more accessible than ever. With OpenModeration, you can satisfy the technical requirements in days, not months.