The EU Digital Services Act for Indie Game Studios: What Applies to You

DSA Basics: What Kind of Service Are You?

Before you can assess your DSA obligations, you need to answer one threshold question: what type of intermediary service are you operating? The DSA builds a four-tier pyramid — mere conduit, caching, hosting service, and online platform — and your compliance obligations scale with where you land.

The foundational scope rule is unambiguous. Article 2(1) states that the DSA "shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment." If EU players use your service, you're in scope. Full stop.

Article 3 defines the tiers. A hosting service stores information at the request of a service recipient — a game server hosting player saves, a mod repository, a community forum. An online platform is a hosting service that additionally disseminates that stored content to the public. Most studios with any social or UGC features will land at the online platform tier at minimum.

The good news for indie studios is the VLOP ceiling. Very Large Online Platform designation — which triggers the heaviest transparency, algorithmic accountability, and systemic-risk obligations — requires 45 million or more average monthly active EU users. That threshold effectively rules out every indie studio operating today.

At the opposite end, a studio that distributes exclusively through a third-party storefront with no server-side social features operates a pure software product, not an intermediary service. The European Commission has confirmed that standalone software products performing no hosting, caching, or conduit function fall outside the DSA entirely. If that describes your game, your DSA surface area is effectively zero — though the trader-identity requirements discussed in the next section still reach you through the storefront itself.

Platform Liability vs. Studio Liability: The Distribution Shield

One of the most useful things to understand about the DSA is what it doesn't require of you as a studio when you distribute through third-party storefronts. Steam, Epic Games Store, Apple App Store, and comparable platforms are themselves "online platforms" under the DSA — and they carry the primary compliance burden for operating those intermediary services. A studio whose game lives entirely on those platforms benefits from the storefront's own DSA compliance infrastructure without itself becoming an obligated online platform.

Epic has confirmed this directly: as a provider of intermediary services, Epic holds the DSA obligations under Articles 11 and 12, designates its own point of contact, and has updated its marketplace settings to comply. The platform absorbs the platform-tier obligations; the listing studio does not inherit them.

However, the DSA does reach studios through one direct obligation that flows through the distribution relationship: the Article 30 trader-identity requirement. Any developer selling games on an online marketplace to EU consumers qualifies as a trader, which triggers a mandatory disclosure: the storefront must collect and publicly display your studio's legal name, address, contact details, and trade registration before any EU sale.

This is already live and already has teeth. Apple requires a verified address, phone number, email, and business documentation — non-compliance blocks EU App Store distribution. Epic set a hard deadline of February 1, 2025: studios that failed to self-identify as traders had their products blocked from EU purchase, with EU buyers seeing "the product is not available in your location."

The practical action item for every studio distributing to EU customers: audit your developer accounts on each storefront and confirm your trader information is complete, verified, and current. This is the minimum DSA compliance step that applies regardless of whether you run any online services of your own.

When Your Game Becomes a Platform: UGC, Forums, and Multiplayer

The DSA's service-tier analysis doesn't end at the storefront. Once your game includes server-side social features, the DSA begins to apply to your own infrastructure. The key is mapping your game's features onto the DSA's definitions.

Legal analysis specific to game developers has established the following mapping. In-game chat and multiplayer messaging qualify as mere conduit services — the lowest tier, carrying minimal obligations. Server-hosted gameplay qualifies as a caching or hosting service. User-generated content — player-created skins, mods, game worlds, items in an in-game store — qualifies as a hosting service. If that UGC is then disseminated publicly to other players, you've crossed into online platform territory.

Once you're operating as a hosting service, Article 16 applies directly. You must establish an accessible, electronic mechanism through which any person can report allegedly illegal content. The mechanism must accept substantiated notices including an explanation of illegality, the exact URL or location of the content, and the submitter's contact information. You must confirm receipt promptly, act in a timely and non-arbitrary manner, and notify the submitter of your decision — including available redress options.

Article 15 adds an annual transparency-reporting obligation for intermediary services that aren't micro or small enterprises: a publicly accessible, machine-readable report covering orders from authorities, user notices, content moderation actions, and account restrictions. For studios below 50 employees and €10 million in annual turnover, this obligation is exempted — a meaningful relief valve for most indie teams.

Any studio running online services also needs a human-accessible single point of contact for DSA-related queries. Automated systems alone are insufficient. Your terms of service must clearly state what restrictions apply to your service — comprehensible language, not legalese boilerplate. These are operational requirements, not one-time filings.

DSA Age Verification and Child Protection Provisions

If your game includes an online platform component — accounts, multiplayer, a community hub — and is accessible to players under 18, Article 28 of the DSA applies to you. The obligation isn't contingent on your game being marketed to children. It's triggered by accessibility to minors, full stop.

Article 28(1) requires every online platform accessible to minors to implement "appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors on their service." The European Commission published guidelines in July 2025 establishing what "appropriate and proportionate" means in practice, built on a risk-assessment framework using the "5Cs typology": content risks, conduct risks, contact risks, consumer risks, and cross-cutting risks.

Those guidelines require platforms to address: age assurance mechanisms calibrated to the platform's risk profile; default privacy settings that protect minors without requiring them to opt in; platform design that eliminates persuasive or addictive patterns targeting children; and content moderation appropriate to the minor's developmental stage. The Commission frames these as principles-based obligations — what counts as proportionate for a small multiplayer game is different from what's required of a social gaming platform with millions of users.

Article 28(2) adds a categorical prohibition that applies to all online platforms without a size threshold: you may not present profiling-based advertisements to users you know with "reasonable certainty" are minors. If your game has an ad-supported model and any portion of your EU player base is under 18, behavioral ad targeting to those users is flatly prohibited.

The GDPR compounds this. GDPR Article 8 requires parental consent as the lawful basis for data processing where a child's consent would otherwise apply. These aren't alternatives — a DSA-compliant age assurance process must simultaneously satisfy GDPR's parental-consent mechanics. Studios that have addressed GDPR child-consent requirements should review those systems specifically for DSA Article 28 alignment.

DSA × GDPR: The Compliance Stack for EU-Selling Studios

A question studios regularly ask: "If we're already GDPR-compliant, are we mostly covered?" The answer is: partly — but the DSA adds distinct, non-overlapping obligations that GDPR doesn't address. Both regulations apply simultaneously, and neither displaces the other.

Recital 10 of the DSA states this explicitly: "the protection of individuals with regard to the processing of personal data is governed by the rules of Union law on that subject, in particular the GDPR." The DSA is not lex specialis with respect to the GDPR. The Future of Privacy Forum confirmed in its analysis of the DSA-GDPR interplay that "all providers of intermediary services covered by the DSA are also controllers under the GDPR to the extent they process personal data and decide on means and purposes of processing — they must comply with both legal frameworks at the same time."

Here's what each framework covers distinctly:

GDPR obligations for game studios: Lawful basis documentation for each processing activity; data subject access rights (access, erasure, portability); appointment of a Data Protection Representative for non-EU controllers; consent management for cookies and analytics; and Data Protection Impact Assessments for high-risk processing.

DSA additions beyond GDPR: Dark-pattern prohibitions on interfaces (Art. 25); advertising transparency disclosures (Art. 26); notice-and-action mechanisms for illegal content (Art. 16); minor protection measures (Art. 28); and trader-identity disclosure obligations (Art. 30). None of these are GDPR requirements.

The EDPB's September 2025 Guidelines 3/2025 synthesize the interplay directly. When studios proactively scan for illegal content, they need a GDPR-compliant lawful basis for that processing. Notice-and-action systems that collect reporter data must apply data minimization principles and support anonymous reporting where identity isn't legally required. Automated moderation systems may trigger DPIA obligations under GDPR. Studios building or auditing moderation pipelines need both frameworks on the table simultaneously.

Extraterritorial Reach: US Studios Aren't Exempt

The DSA's territorial scope provision leaves very little interpretive room. Article 2(1) reads: "This Regulation shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment."

That language forecloses the "we're a US company" argument entirely. A US indie studio serving EU players through its own online services is subject to the DSA. The relevant question is not where you're incorporated — it's whether EU users access your service.

For studios without a formal EU presence, the DSA provides a self-assessment test: the "substantial connection" standard. Mere technical accessibility of your service from EU territory isn't enough to trigger applicability on its own. But active targeting indicators are: offering the game in EU Member State languages or currencies, EU-localized pricing, app store availability in EU markets, or advertising directed at EU audiences. Any US studio distributing through Steam or the App Store in EU markets and offering localized pricing almost certainly meets the substantial connection standard.

If you conclude the DSA applies to your studio's own online services, Article 13 creates an immediate structural obligation: you must designate, in writing, a legal representative in an EU Member State. That representative must be empowered to receive and comply with binding orders from EU authorities, and to respond to queries from EU enforcement bodies. The regulation explicitly states that studios "shall be held liable for non-compliance with obligations under this Regulation, regardless of whether their legal representative failed to comply" — the duty doesn't transfer, it multiplies.

DSA enforcement has moved from paper to practice. In December 2025, the European Commission imposed a €120 million fine on X (Twitter) — the first major DSA enforcement action — for dark-pattern violations, advertising transparency failures, and researcher access restrictions. Fines under the DSA are structured as a percentage of global annual turnover, up to 6%. The enforcement machinery now exists and has been used.

Practical Compliance Checklist for Indie Studios

The DSA has been in full force for all intermediary service providers — including non-VLOP platforms and hosting services — since February 17, 2024. There is no grace period still running. The compliance clock started, and your exposure has been accruing if you haven't acted.

Use the following decision tree to identify your minimum compliance floor:

Branch A — Distribute-only studio (no own online services): Your game is sold through third-party storefronts and has no server-side social features. Your DSA obligation is singular: verify that your trader identity information — legal name, business address, phone number, email, trade registration, and EU-law compliance attestation — is complete and verified on every storefront where EU players can purchase your game. Check your Epic, Apple, and Steam developer dashboards. If your products have been blocked from EU purchase, this is why.

Branch B — Own online services, micro/small enterprise (under 50 employees and under €10M annual turnover): You're subject to DSA hosting-service obligations but exempt from annual transparency reporting and the more burdensome complaint-handling provisions. Minimum floor: (1) implement an electronic notice-and-action mechanism for illegal content reports; (2) ensure a human-accessible single point of contact exists — automated-only systems are non-compliant; (3) if minors can access your service, document your Article 28 measures.

Branch C — Own online services, above the micro/small enterprise threshold: Full hosting-service or online-platform obligations apply. Add to Branch B's floor: annual transparency reporting in machine-readable format; a formal complaint and dispute-resolution mechanism; repeat-infringer account protocols; and documented dark-pattern and minor-protection compliance. If you're a non-EU company, appoint an EU legal representative under Article 13.

For studios in Branches B or C that offer games accessible to EU players: if any portion of your player base is under 18, conduct a risk assessment using the Commission's 5Cs framework (content, conduct, contact, consumer, cross-cutting) and document the proportionate measures you've implemented. This documentation is your defense in an enforcement inquiry.

Your national contact for DSA enforcement as a non-VLOP provider is your relevant Digital Services Coordinator — for many non-EU tech companies, that's Ireland's Coimisiún na Meán, given Ireland's status as the EU establishment jurisdiction for major digital services. Knowing your DSC matters when an enforcement inquiry arrives.