The DSA doesn't just regulate platforms: it regulates how trust circulates in the digital economy

For some time, the debate around the Digital Services Act (DSA) was presented in a relatively simple way: it would be yet another piece of European legislation aimed at the big international technology platforms. The perception was that this legislation would be of particular interest to operators such as Google, Meta, Amazon or TikTok, companies whose scale and influence would naturally justify increased regulatory attention. Although this reading contains part of the truth, it is insufficient.

The DSA was designed to discipline certain functions carried out in the digital market. This means that the decisive element is not always the size of the operator, but the role it plays in digital intermediation between users, service providers, sellers and consumers, which is precisely why many small and medium-sized Portuguese companies may be closer to the scope of the DSA than they realise.

For years, various companies have developed digital business models without identifying themselves as platforms, such as tourism companies, technology businesses, e-commerce operators or specialised service providers. However, if we look at the way they operate, we see that most of these entities create digital platforms where third parties depend on their infrastructure to reach the end user. This is the case with marketplaces, booking platforms, tourist experience websites, applications that connect professionals with clients, or models based on public reviews and online reputation. These companies may never present themselves as platforms, but they function economically as such. And it is this functional reality that the DSA tends to observe.

For a long time, regulation focused mainly on two major themes: illegal content and the protection of personal data. These themes remain relevant, but the DSA adds a third dimension: the way digital markets are organised and how trust is built within them.

This means that questions such as the legality of content or the existence of consent for data processing are no longer just relevant. Questions that until recently weren't asked, such as "Why does a particular supplier come first? Is the vendor legitimate? Has it been verified? Are there accessible mechanisms for reporting fraud? Can an account be suspended without clear criteria?" And with that, we realise that all these questions relate to an essential element of the digital economy: trust.

When that trust is jeopardised, the problem isn't just reputational. It can become legal, regulatory and economic. That's why, for many SMEs, the risk rarely starts with a fine.

Another point that is often misunderstood is the relationship between the DSA and the GDPR. There is still a tendency to treat both regimes as separate universes. In practice, they often cross paths. If a platform promotes a particular supplier because it has paid for prominence, the main issue will be commercial transparency and how that promotion is presented to the user. If, on the other hand, that prominence is the result of segmentation based on the user's online behaviour, location, search history or inferred preferences, then issues of personal data protection come into play at the same time. What appears to be just a commercial campaign can involve digital advertising, ranking, profiling and information duties.

When DSA truly enters a company's radar, the main change is not bureaucratic. Decisions that were previously made on a case-by-case basis start to require consistent criteria. Processes that existed informally need to be given structure. Terms and conditions can no longer be generic texts taken from templates and must reflect the actual operation. Advertising needs to be clearly identifiable. The logic of highlighting or ordering becomes sensitive. Complaint and response mechanisms are no longer ancillary.

With the approval of Law no. 12-A/2026 of 15 April, Portugal strengthened the national framework for implementing the DSA, which shows that the issue no longer belongs only to the abstract level of European legislation. It is now a concrete part of the regulatory environment in which Portuguese companies operate and grow. The DSA should therefore not be seen as just another European regulatory obligation. It should be read as part of a broader change: the transition from a digital economy based on rapid growth and implicit rules to a digital economy where trust needs to be justifiable, transparent and auditable.