Out-Law Analysis

KYC: the EU Digital Services Act adds to platforms’ DAC7 duties

Many online platforms subject to the EU Digital Services Act (DSA) need to engage in extensive data gathering and disclosure to comply with ‘know your customer’-like (KYC) ‘trader traceability’ requirements.

Those businesses – B2C online marketplaces and other online platforms that allow consumers to conclude distance contracts with traders – can, however, look to build on existing compliance processes they should already operate to accord with an EU tax law known as DAC7, to meet their new requirements.

However, the overlap of requirements arising under the DSA and other laws like DAC7 pose risks for businesses and put an extra emphasis on action by regulators.

The Digital Services Act in brief

The DSA is an EU regulation that came into full effect on 17 February 2024. It broadens online intermediaries’ responsibilities for managing illegal and harmful content and sets new requirements around how goods and services are sold.

A tiered system of regulation applies under the DSA – the requirements online intermediaries must meet depends on the type of intermediary service they provide. The legislation, among other things, outlines specific requirements that online platform services that allow consumers to conclude distance contracts with traders must meet.

The KYC-like requirements

Online platform services that allow consumers to conclude distance contracts must collect a wide range of details from traders operating on their platform – i.e. from both advertisers promoting and merchants selling products or services via the platform – to allow for a basic level of identification and traceability. These trader traceability requirements are set out in Article 30 of the DSA and took effect on 17 February 2024.

In summary, providers of B2C online marketplaces must ensure that their services are used only by traders who have provided them with pre-defined information, such as their name and contact details, identification and registration details. They must also make “best efforts” to verify the reliability and completeness of the information provided, allow traders to correct or complete the information where necessary, and store the information received for a certain period.

Although these requirements are far-reaching and burdensome for online marketplaces, the concept of making platform providers responsible for the collection and verification of data about traders is not new.

DAC7, EU legislation that promotes administrative cooperation in tax, entered into effect on 1 January 2023. Under those rules, many platform operators have already faced up to obligations to perform due diligence on the traders they facilitate, and to collect and annually report information about sellers on their digital platforms to the tax authority of their relevant EU member state.

Such due diligence procedures include procedures for identifying the so-called ‘reportable sellers’. For individuals, details such as first and last name, primary address, Tax Identification Number (TIN), VAT identification number, date of birth, and place of birth in the absence of a TIN, must be collected. For legal entities, similar details must be gathered – including their legal name, primary address, TIN, VAT identification number, business registration number, and the existence of any permanent establishment in the EU where ‘relevant activities’ are conducted.

Read more on this topic

There is great overlap in the already existing KYC requirements in DAC7 and the newly introduced KYC requirements in the DSA. Online platforms would be wise to re-use resources spent on DAC7 to comply with Article 30 of the DSA. However, there are differences arising under the respective regimes that platform operators will need to understand and manage.

Differences for platforms to manage and the role for regulators

In relation to verification, the DSA includes the opaque obligation for platform providers to make “best efforts” to verify the KYC data submitted by traders. Instead, DAC7 provides more robust guidelines indicating that such details should only be verified by platform operators against “all information and documents available to them in their own records”, or any public register operated by a member state. The latter approach allows for a more sensible and tailored approach, whereas the first raises issues about when best efforts have sufficiently been made.

In addition, the DSA requires the “swift” suspension of a trader in case of failure to remedy inaccurate KYC data, whereas DAC7 grants such traders a grace period of 60 days before they may be suspended by a platform operator. This could create opposing obligations in case for platform operators in their dealings with different regulators.

The DSA not only overlaps with DAC7 – there are important overlaps with other EU legislation too, such as the General Data Protection Regulation and even the impending new EU AI Act.

The areas of interplay between the DSA and other existing regulations require there to be consistent interpretation and application of the laws. Without that, there is a risk of disproportionate obligations being imposed on platform operators and inconsistencies arising between different legislative frameworks, which can be especially burdensome for smaller operators with reduced budgets and a lack of legal teams.

It is vital, in the context of digital markets where there are overlapping regulatory regimes, that processes for coordination and cooperation at an EU and national level are set up.

The implementation of the DSA will reveal the complexity of the interaction with different regulations. There will be a onus on the regulators under the DSA – Digital Service Coordinators (DSCs) designated in each member state, together with the European Commission – to ensure a coordinated approach in the application and enforcement of the DSA.

We are working towards submitting your application. Thank you for your patience. An unknown error occurred, please input and try again.