HomeInsightsDigital Services Act (DSA) in Bulgaria

Digital Services Act (DSA) in Bulgaria — Obligations for Online Platforms (2026)

Published: 10 April 2026 | Last updated: 10 April 2026

Regulation (EU) 2022/2065 (Digital Services Act — DSA) introduced the most ambitious reform of online intermediary rules in the EU in more than two decades. Since 17 February 2024, the Regulation is in full force for all intermediary services, and in late 2025 Bulgaria adopted the national implementing law designating the competent authorities and enforcement procedures. This guide analyses the scope, obligations and sanctioning regime, and the practical implications for Bulgarian providers of intermediary and hosting services.

What is the Digital Services Act

The Digital Services Act (DSA) is Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC (the e-Commerce Directive). The Regulation was published in the Official Journal of the EU on 27 October 2022 and entered into force on 16 November 2022.

The DSA is directly applicable in all Member States, without need for transposition, although Member States are required to designate competent authorities and regulate procedural matters. The Regulation establishes uniform rules for online intermediaries throughout the European Union and builds on the liberal intermediary liability regime established by the e-Commerce Directive in 2000.

Application of the DSA is two-tiered. For Very Large Online Platforms and Search Engines (VLOPs/VLOSEs), obligations applied from 25 August 2023 — four months after their formal designation by the European Commission. For all other categories of intermediary services — from hosting providers to SME platforms — full application began on 17 February 2024.

Bulgaria adopted its implementing law in November 2025, designating the national Digital Services Coordinator and allocating functions among competent authorities. The law does not create new substantive obligations; it organises enforcement of the Regulation.

Scope — Who is Affected

The DSA has a pyramidal structure: all intermediary services have baseline obligations, and each successive tier adds further requirements proportionate to the role, scale and risk profile of the provider. The Regulation distinguishes four tiers:

  • Tier 1 — Intermediary services: the broadest category, comprising mere conduit, caching and hosting services within the meaning of the e-Commerce Directive. Examples: internet access providers, DNS services, CDN networks, VPN providers.
  • Tier 2 — Hosting services: services consisting of the storage of information provided by the recipient of the service. Examples: cloud storage, web hosting providers, file-sharing services.
  • Tier 3 — Online platforms: hosting services that, at the request of a recipient, store and disseminate information to the public. Examples: social networks, marketplaces, review platforms, app stores.
  • Tier 4 — VLOPs and VLOSEs: Very Large Online Platforms and Very Large Online Search Engines with an average of more than 45 million monthly active recipients in the EU. That threshold corresponds to approximately 10% of the Union's population. Status is formally determined by decision of the European Commission.

The DSA has extraterritorial application: the Regulation applies to all intermediary services offered to recipients established in the Union, regardless of the place of establishment of the service provider. Therefore, third-country providers (US, UK, Switzerland etc.) serving EU users fall within the scope of obligations and must designate a legal representative in the Union.

Baseline Obligations for All Intermediary Services (Art. 11–15)

All intermediary services, regardless of type and size, must comply with the following baseline obligations set out in Chapter III, Section 1 of the DSA:

  • Single point of contact for authorities (Art. 11) — the provider must designate a single point of contact enabling direct electronic communication with Member State authorities, the Commission and the European Board for Digital Services. Contact details must be publicly accessible.
  • Single point of contact for users (Art. 12) — a separate point of contact for service recipients, enabling rapid, direct and effective communication. Automated tools may be used but not exclusively.
  • Legal representative (Art. 13) — providers without an establishment in the Union but offering services in the EU must designate in writing a natural or legal person as their legal representative in one of the Member States where they offer services. The representative bears responsibility for compliance with the Regulation.
  • Transparent terms and conditions (Art. 14) — T&Cs must include information on any restrictions imposed by the provider on use of the service, including content moderation policies, algorithmic decision-making and rules for termination. The language must be clear, intelligible and easily accessible.
  • Annual transparency reports (Art. 15) — annual publication of reports in machine-readable format containing information on content moderation, including orders from authorities, notices, actions taken on own initiative, complaints and average reaction times. SMEs are exempt from this obligation.

Additional Obligations for Hosting Services (Art. 16–18)

For providers of hosting services storing information provided by recipients, the DSA adds three specific obligations:

  • Notice and action mechanism (Art. 16) — hosting providers must implement easily accessible and user-friendly electronic mechanisms enabling any natural or legal person to submit notices of allegedly illegal content. Duly substantiated notices give rise to actual knowledge of the illegal nature of the content for purposes of the intermediary liability regime.
  • Statement of reasons for moderation decisions (Art. 17) — whenever content is subject to a restriction (removal, reduction of visibility, suspension or termination of the service, restriction of monetisation), the provider must supply a clear and specific statement of reasons to the affected recipient. All such decisions are recorded in the public DSA Transparency Database maintained by the Commission.
  • Notification of suspected serious criminal offences (Art. 18) — where information gives rise to a suspicion that a serious criminal offence involving a threat to the life or safety of a person is, has been or is likely to be committed, the hosting provider must promptly inform the law enforcement or judicial authorities of the Member State concerned.

Obligations for Online Platforms (Art. 19–28)

Online platforms — hosting services disseminating information to the public — bear the broadest set of obligations after VLOPs. Key provisions are summarised in the table below:

Article Obligation
Art. 19Exemption of SMEs (fewer than 50 employees and annual turnover/balance sheet ≤ EUR 10 M) from the obligations in Section 3, unless designated as VLOPs
Art. 20Internal complaint-handling system — free of charge, easily accessible, with deadlines for response and human oversight
Art. 21Out-of-court dispute settlement via certified bodies
Art. 22Priority handling of notices from trusted flaggers designated by the national coordinator
Art. 23Measures against misuse — temporary suspension of users who frequently submit manifestly illegal content or unfounded notices
Art. 25Ban on deceptive interfaces (dark patterns) that distort or impair recipients' ability to make autonomous decisions
Art. 26Ban on targeted advertising based on profiling using special categories of personal data within the meaning of Art. 9 GDPR
Art. 28Ban on targeted advertising to minors where the platform knows with reasonable certainty that the recipient is a minor

Additional requirements apply for advertising transparency (Art. 26), recommender system transparency (Art. 27) and online protection of minors (Art. 28). For online platforms allowing consumers to conclude distance contracts with traders (marketplaces), further obligations apply under Art. 30–32, including traceability of traders (trader KYC) and product safety information.

Obligations for VLOPs/VLOSEs (Art. 33–43)

Very Large Online Platforms and Search Engines are subject to the most stringent regulatory regime under the DSA. As of 2026, the list includes over 25 services designated by decisions of the European Commission, including Amazon, Apple App Store, Booking, Facebook, Google Search, Instagram, LinkedIn, TikTok, X, YouTube and others. Their additional obligations are:

  • Annual systemic risk assessment (Art. 34) — VLOPs/VLOSEs must annually identify, analyse and assess the systemic risks stemming from the design, functioning and use of their services, including risks to fundamental rights, civic discourse, electoral processes, public health and the protection of minors.
  • Risk mitigation measures (Art. 35) — introduction of reasonable, proportionate and effective mitigation measures tailored to the identified systemic risks.
  • Independent audits (Art. 37) — annual audits of DSA compliance carried out by independent external auditors.
  • Non-profiling recommender option (Art. 38) — users must be able to use the recommender system without it being based on profiling within the meaning of Art. 4(4) GDPR.
  • Public advertising repository (Art. 39) — VLOPs/VLOSEs must maintain a publicly accessible, searchable repository of all advertisements presented on their services for a period of at least one year.
  • Researcher access (Art. 40) — provision of data to vetted academic researchers for the purpose of research on systemic risks.
  • Internal compliance function (Art. 41) — designation of an independent internal compliance function with sufficient powers, staff and resources.
  • Crisis response mechanism (Art. 48) — upon the declaration of a crisis, the Commission may require VLOPs/VLOSEs to take specific measures to assess and mitigate the consequences.

Supervision of VLOPs/VLOSEs is exercised directly by the European Commission, not by national coordinators. To finance such supervision, the Commission charges an annual supervisory fee on the designated platforms themselves.

Implementation in Bulgaria

The Bulgarian implementing law was adopted in November 2025 and regulates the competent authorities, their powers, enforcement procedures and the sanctioning regime for infringements not directly covered by the Regulation. The law does not create new substantive obligations — all obligations stem directly from the DSA.

Competences among Bulgarian authorities are allocated as follows:

  • Communications Regulation Commission (CRC) — designated as the Digital Services Coordinator within the meaning of Art. 49 DSA. The CRC is the primary supervisory authority and the contact point for the Commission and the European Board for Digital Services. It is responsible for certifying trusted flaggers, out-of-court dispute settlement bodies and researchers, as well as for coordinating with the other competent domestic authorities.
  • Commission for Personal Data Protection (CPDP) — competent for aspects relating to personal data protection, including the prohibitions on targeted advertising based on profiling using special categories of data (Art. 26) and targeted advertising to minors (Art. 28). The CPDP's work is coordinated with its GDPR compliance functions.
  • Council for Electronic Media (CEM) — competent in relation to video-sharing platforms within the meaning of the Audiovisual Media Services Directive.
  • Consumer Protection Commission (CPC) — competent for consumer protection aspects, including the dark patterns prohibition under Art. 25 and the obligations of online platforms allowing distance contracts.

The CRC must ensure adequate coordination between these authorities, including through cooperation agreements and exchanges of information.

Sanctions (Art. 52)

The DSA sanctioning regime is among the strictest in European digital legislation. Under Art. 52 of the Regulation, Member States lay down rules on penalties, with harmonised maximum amounts that cannot fall below the set thresholds:

InfringementMaximum Penalty
Infringement of DSA obligationsUp to 6% of the worldwide annual turnover for the preceding financial year
Supply of incorrect, incomplete or misleading information, or refusal to cooperate with an inspectionUp to 1% of annual income/turnover
Periodic penalty payments (enforcement measures)Up to 5% of the average daily worldwide turnover or income for the preceding financial year, per day

Penalties are imposed by the national Digital Services Coordinator (CRC for Bulgaria), except for VLOPs/VLOSEs, where the power belongs directly to the European Commission. The specific amount is determined taking into account the nature, gravity, duration and recurrence of the infringement, the financial situation of the infringer and the degree of cooperation with authorities.

The first DSA fines against VLOPs are already the subject of pending Commission investigations, demonstrating that the regulator is not hesitant to exercise its powers.

Frequently Asked Questions

Who is the competent authority for DSA in Bulgaria?
The competent authority is the Communications Regulation Commission (CRC), designated by the implementing law of November 2025 as the Digital Services Coordinator within the meaning of Art. 49 DSA. The CRC coordinates its work with the CPDP (data protection), CEM (video-sharing platforms) and CPC (consumer protection).
What are the sanctions for DSA infringements?
The maximum penalty for infringement of DSA obligations is up to 6% of the worldwide annual turnover of the infringer for the preceding financial year. Separately, fines of up to 1% of turnover apply for misleading information, and periodic penalty payments may reach up to 5% of average daily worldwide turnover.
Are SMEs exempt from DSA obligations?
Yes. Under Art. 19 DSA, small and medium-sized enterprises (fewer than 50 employees and annual turnover/balance sheet up to EUR 10 million) that qualify as online platforms are exempt from the obligations in Art. 20–28. Baseline obligations under Art. 11–15 still apply. The exemption falls away if the platform is designated as a VLOP.
Does the DSA affect non-EU companies?
Yes. The DSA has extraterritorial application — the Regulation applies to all intermediary services offered to recipients in the EU, regardless of the place of establishment of the provider. Third-country providers (US, UK etc.) must designate a legal representative in the EU under Art. 13 DSA.
What is the difference between DSA and GDPR?
GDPR (Regulation 2016/679) regulates the processing of personal data and protects the right to privacy. The DSA (Regulation 2022/2065) regulates illegal content, online intermediary liability and the functioning of digital platforms. The two regimes complement each other: for example, the targeted advertising prohibitions in Art. 26 and 28 DSA are built on GDPR concepts of special categories of data and profiling.
When did the DSA come into full force?
The DSA entered into force on 16 November 2022. For Very Large Online Platforms and Search Engines (VLOPs/VLOSEs), the obligations have applied since 25 August 2023. For all other categories of intermediary services, full application began on 17 February 2024.
Do I need a single point of contact?
Yes. All intermediary services — without exception and regardless of size — must designate a single point of contact for authorities (Art. 11) and a single point of contact for recipients of the service (Art. 12). These obligations sit at the heart of the DSA baseline regime and are not waived for SMEs.

Need legal analysis of DSA compliance?

The Innovires Legal team offers full DSA compliance audits, drafting of terms and conditions and moderation policies, designation of legal representatives for non-EU providers, and representation before the CRC and other competent authorities.