DSA Article 16 and Trusted Flaggers in 2026: Complete Guide to Notice and Action Evidence

DSA in 2026: two years of full application

The Digital Services Act — Regulation (EU) 2022/2065 — entered full application on 17 February 2024 for all in-scope providers, having applied since August 2023 to the first wave of designated Very Large Online Platforms and Very Large Online Search Engines. By May 2026, the regulation has accumulated more than two years of full application across the European Union, and the implementation phase has given way to active enforcement, infringement litigation, and the first sustained wave of trusted flagger designations.

As a regulation rather than a directive, the DSA applies directly across all 27 Member States — but unlike DORA, it relies on national authorities for most of its enforcement infrastructure. Each Member State had to designate and empower a Digital Services Coordinator by 17 February 2024. Two years later, that obligation is still in litigation for several Member States. In May 2025, the European Commission referred Czechia, Spain, Cyprus, Poland and Portugal to the Court of Justice of the European Union for failing to designate and empower their DSCs or for failing to establish penalty rules — referrals that, under Article 260 TFEU, can lead to financial penalties if not resolved.

While DSC designation has been bumpy, the trusted flagger framework has moved forward in those Member States with operational coordinators. By 2026, designated trusted flaggers include — to name a few public examples — Argo Business Solutions in Italy (designated January 2025 by AGCOM, focused on intellectual property infringement and online fraud), Bundesverband Onlinehandel and HateAid and the Verbraucherzentrale Bundesverband in Germany (designated June 2025 by the Bundesnetzagentur), ALPA and IFAW and Point de Contact in France (designated by Arcom), ECPAT Sweden, and Offlimits in the Netherlands. The Central Bank of Ireland has publicly indicated its interest in trusted flagger designation for fraud and financial scams.

The Commission is preparing guidelines on trusted flaggers under Article 22(8). A public consultation is planned for the second quarter of 2026, with adoption planned before the end of 2026. These guidelines will streamline DSC application processes, address platform handling of trusted flagger misuse, and clarify the revocation procedure. Until then, designation criteria are applied by each DSC with its own procedural framework — which has produced visible variation in throughput, transparency, and category focus across Member States.

For organisations preparing DSA notices — whether as designated trusted flaggers, applicants for trusted flagger status, brand protection teams, NGOs, or platform users with substantive content moderation interactions — this guide focuses on the operational test rather than the policy text. The Article 16 notice form, the Article 17 statement of reasons that follows it, and the Article 22 trusted flagger framework all rest on a common foundation: notices supported by defensible, preserved, time-anchored evidence are processed faster, decided more often in the notifier's favour, and survive subsequent challenges by content recipients. Notices supported by screenshots produced from memory or reconstructed after the fact face systematically worse outcomes.

Scope: the four tiers of digital services

The DSA establishes a four-tier scope structure, with each tier adding obligations on top of the lower tiers. Understanding which tier a given platform falls into determines which Article 16 obligations apply, which trusted flagger procedures are relevant, and what evidence the platform is statutorily required to retain and produce on request.

Tier 1: Intermediary services (Articles 4–6)

The base tier covers all intermediary services — mere conduit, caching, and hosting services as defined in the Directive on Electronic Commerce (now embedded in DSA Articles 4 through 6). All providers in this tier face baseline obligations: single point of contact for authorities (Article 11), single point of contact for recipients (Article 12), legal representatives for non-EU providers (Article 13), terms and conditions transparency (Article 14), and the conditional liability shield familiar from the e-Commerce regime.

Tier 2: Hosting services (Articles 16–18)

Hosting services — providers that store information provided by recipients at the recipients' request — add the substantive Article 16 notice and action obligation, the Article 17 statement of reasons obligation, and the Article 18 obligation to notify suspicions of certain criminal offences to law enforcement. This tier captures everything from cloud storage providers to comment sections, from forum software to a great deal of the modern internet economy.

Tier 3: Online platforms (Articles 19–28)

Online platforms — hosting services that, at the recipient's request, store and disseminate information to the public — add the obligations relevant to user-facing platforms: internal complaint-handling systems (Article 20), out-of-court dispute settlement (Article 21), trusted flagger priority (Article 22), measures against misuse (Article 23), transparency reporting (Article 24), interface design rules (Article 25), advertising transparency (Article 26), and recommender system transparency (Article 27). Article 19 carves out micro and small enterprises from most of these additional obligations under defined conditions.

Tier 4: VLOPs and VLOSEs (Articles 33–43)

The top tier — Very Large Online Platforms and Very Large Online Search Engines — applies to providers with more than 45 million average monthly active users in the EU. The initial designations occurred in April 2023; the Commission continues to designate new VLOPs and VLOSEs as platforms cross the threshold, with later designations including Pornhub, XVideos, Shein, and Temu. VLOPs and VLOSEs face the full additional obligations of Section 5: systemic risk assessment (Article 34), risk mitigation (Article 35), crisis response (Article 36), independent audit (Article 37), data access for vetted researchers (Article 40), and an annual supervisory fee. Commission has exclusive enforcement competence over VLOP/VLOSE systemic-risk obligations, sharing competence with national DSCs for other DSA obligations.

Article 16: the notice and action mechanism

Article 16 is the operational heart of the DSA for content moderation. It requires every hosting service provider — every tier from Tier 2 up — to put in place mechanisms allowing any individual or entity to notify them of the presence on their service of information the notifier considers to be illegal content. The notice mechanism must be easy to access, user-friendly, and allow notice submission exclusively by electronic means. Critically, a sufficiently substantiated notice gives the hosting service provider actual knowledge or awareness of the illegality, removing the conditional liability shield under the e-Commerce regime — which makes the quality of the notice directly determinative of platform behaviour.

The four mandatory notice elements (Article 16(2))

Article 16(2) prescribes the minimum information that a notice must contain to qualify as a substantiated notice under the DSA: (a) a sufficiently substantiated explanation of why the individual or entity alleges the information in question to be illegal content; (b) a clear indication of the exact electronic location of that information, such as the exact URL or URLs and, where necessary, additional information enabling the identification of the illegal content; (c) the name and email address of the individual or entity submitting the notice, except in the case of information considered to involve sexual offences against children; (d) a statement confirming the bona fide belief of the individual or entity submitting the notice that the information and allegations are accurate and complete.

The 'actual knowledge' effect (Article 16(3))

A notice that contains all four mandatory elements is deemed under Article 16(3) to give rise to actual knowledge or awareness on the part of the hosting service provider — for the specific item of information the notice concerns. This is the central legal mechanism of the DSA notice regime: once actual knowledge is established, the e-Commerce Directive's liability shield ceases to operate for that specific content, and the platform that fails to act faces direct liability under the applicable national substantive law. Notices that lack any of the four elements do not establish actual knowledge automatically — though platforms may still choose to act on them.

Confirmation and feedback obligations (Article 16(4))

When a notice is submitted, the hosting service provider must send the notifier — without undue delay — a confirmation of receipt. Once a decision is made, the provider must notify the notifier of the decision, including information on the redress possibilities available against the decision. This creates a documentary chain that runs in both directions: from notifier to platform, and from platform back to notifier. The provider's response forms part of the public-facing transparency record under Article 24, and the notifier's evidence record now includes whatever response the platform delivers — relevant both for trusted flagger transparency reporting and for any subsequent dispute.

Automated processing (Article 16(6))

Where the hosting service provider uses automated means for processing or decision-making on notices, this must be disclosed in the notification to the notifier. Article 17 separately requires disclosure of automated means in the statement of reasons to the affected recipient. The information about automated processing is itself evidence — relevant for assessing whether the platform's response was disproportionate, whether the systemic-risk obligations of Article 34 may have been triggered, and whether the notice in question was decided on its merits or processed in bulk.

Action timelines: undue delay rather than fixed hours

Article 16 does not impose a fixed hour-based deadline for action on notices — unlike DORA's 4-hour clock or NIS2's 24-hour early warning. Instead, decisions must be taken 'in a timely, diligent, non-arbitrary and objective manner'. For trusted flagger notices under Article 22, the obligation is sharpened: their notices must be given priority and processed and decided upon 'without undue delay'. In practice, 'without undue delay' for trusted flagger notices has been interpreted by leading DSCs to mean hours to single-digit days for high-priority categories like child sexual abuse material — orders of magnitude faster than general user notice queues.

Article 17: statement of reasons and the evidence trail

When a platform restricts a recipient's content or service on the basis of an Article 16 notice — or on its own initiative — Article 17 requires it to provide that recipient with a clear and specific statement of reasons for the restriction. The statement must include the facts and circumstances relied on, whether automated means were used, the reasons for considering the content illegal or contrary to terms and conditions, the redress mechanisms available, and information about the DSA Transparency Database where statements of reasons are publicly aggregated.

The DSA Transparency Database — launched alongside the regulation — collects statements of reasons from all in-scope platforms and makes them publicly searchable. By 2026, the database contains hundreds of millions of records. For any individual notice that resulted in restriction, the platform's published statement of reasons is the public-facing summary of the platform's decision logic. For the notifier, the statement is the platform's own admission of what facts it found persuasive — which is itself part of the evidentiary record.

The Article 17 statement of reasons creates a curious asymmetry in the evidentiary chain. The notifier provides evidence supporting the notice (Article 16). The platform reviews and decides. The platform publishes a statement of reasons (Article 17). The recipient may challenge the decision through the platform's internal complaint-handling system (Article 20) or through out-of-court dispute settlement (Article 21). Each of these stages produces evidence — and a high-quality original notice with preserved forensic captures shapes the entire downstream chain. Notices supported by reconstructed screenshots and assertions face challenges at every subsequent stage.

The recipient's Article 20 complaint can directly attack the underlying notice. Where the notice content has been preserved with a qualified electronic timestamp and verifiable integrity, the platform's review of that complaint starts from a position of factual robustness. Where the notice relied on volatile screenshots that may have been edited or that no longer match the live site, the complaint receives a structurally stronger reception. The internal handling rate at most platforms — the proportion of complaints that result in restoration of restricted content — is significantly higher for notices that lack robust evidentiary support.

For trusted flaggers specifically, the Article 17 statement of reasons trail feeds directly into the annual transparency report under Article 22(3). The report must list — among other items — the actions taken by the online platform in response to the trusted flagger's notices. A trusted flagger that systematically produces high-quality notices with preserved forensic evidence accumulates a documentary record of high platform action rates. A trusted flagger whose notices are repeatedly contested through Article 20 complaints, restored, or simply ignored produces a less favourable transparency report — and faces increased risk of DSC investigation under Article 22(6) and (7), which can result in suspension or revocation of trusted flagger status.

Article 22: the trusted flagger framework

Article 22 of the DSA formalises what was previously a patchwork of bilateral arrangements between platforms and trusted partners into a structured EU-wide framework. The article establishes the institutional architecture: who can apply for trusted flagger status, what platforms must do with trusted flagger notices, how transparency reporting works, and how status can be suspended or revoked.

Priority processing (Article 22(1))

Online platforms must take necessary technical and organisational measures to ensure that notices submitted by trusted flaggers — acting within their designated area of expertise — through the Article 16 mechanisms are given priority and are processed and decided upon without undue delay. The priority is content-specific: a trusted flagger designated for child sexual abuse material does not get priority processing for trademark infringement notices, even though they are technically the same legal entity submitting through the same notice mechanism.

Designation by the Digital Services Coordinator (Article 22(2))

Trusted flagger status is awarded by the Digital Services Coordinator of the Member State where the applicant is established — not by the platform, not by the Commission. This decentralised designation regime means that an entity established in Germany applies to the Bundesnetzagentur; an entity in France applies to Arcom; an entity in Italy applies to AGCOM. Once awarded, the status is valid across the EU vis-à-vis any in-scope online platform under Article 22, regardless of where the platform is established. A German trusted flagger files notices to a French platform with the same priority status it would file notices to a German platform.

Eligibility: entities only, three substantive criteria

Article 22(2) requires three substantive criteria: (a) particular expertise and competence in detecting, identifying, and notifying illegal content; (b) independence from any online platform provider; (c) diligent, accurate, and objective performance of the notification activity. Recital 61 clarifies that trusted flaggers must be entities — not individuals — and identifies typical categories: non-governmental organisations, private or semi-public bodies, and industry associations. The 'overall number of trusted flaggers should be limited' to preserve the framework's added value.

Geographic scope of status

The geographic scope is one of the framework's most distinctive features. Once designated by any one Member State's DSC, the trusted flagger's status is recognised by all in-scope online platforms across the entire Union. This is a strong harmonisation feature: a trusted flagger does not need to apply 27 times. It is also a stress point in the framework, because the substantive criteria are applied differently by different DSCs. An entity that would not pass the Bundesnetzagentur's diligence standards may be designated by a less rigorous DSC and then operate Union-wide. The Commission's 2026 guidelines under Article 22(8) are partly intended to address this variation.

Annual reporting (Article 22(3))

Designated trusted flaggers must publish, at least once a year, easily comprehensible and detailed reports on the notices submitted under Article 16 during the reporting period. The reports must categorise notices by hosting service provider, type of allegedly illegal content, and the action taken by the online platform in response. The reports must include an explanation of the procedures the trusted flagger maintains to ensure independence. They are submitted to the awarding DSC and made publicly available. The annual report is the principal public artefact of the trusted flagger's operation — and the quality of evidence behind the notices it describes is what determines whether the report reads as effective or as a record of contested and reversed decisions.

How to become a trusted flagger

For entities considering an application for trusted flagger status, the practical pathway runs through the Digital Services Coordinator of the Member State of establishment. As of May 2026, the application processes vary significantly by Member State — some DSCs have published detailed application forms and procedures; others have not yet developed a designation process; some Member States are in CJEU litigation over DSC empowerment. The following sections describe the substantive preparation that applies regardless of which DSC the application goes to.

Demonstrating expertise and competence

The first substantive criterion — particular expertise and competence in detecting, identifying, and notifying illegal content — is typically demonstrated through a combination of documented detection workflows, qualifications of staff handling notices, track record (where applicable, including under pre-DSA voluntary frameworks), technical infrastructure for content analysis, and area-specific subject matter expertise. The DSC will want to see procedures for confirming that flagged content actually meets the legal threshold of illegality under applicable Union or national law — not just terms-of-service violations or content the entity finds objectionable.

Demonstrating independence

The independence criterion requires the applicant to operate without financial dependence on or governance entanglement with online platforms. This is the most operationally sensitive criterion for industry associations and brand protection organisations, where platform engagement is often part of normal business. Independence does not mean prohibition of platform contact — it means the absence of financial flows, governance overlap, or contractual obligations that could compromise the trusted flagger's objectivity. The DSC will examine funding structure, governance, contractual relationships, and historical conduct.

Demonstrating diligence, accuracy, and objectivity

The third criterion — diligence, accuracy, and objectivity — is where the evidentiary infrastructure becomes determinative. The applicant must demonstrate procedures that ensure each notice rests on adequate verification, accurate description, and objective assessment. This is where forensic evidence preservation enters the application directly: an applicant that can show DSC reviewers a tamper-evident evidence package for a sample notice — full HTML, rendered screenshot, qualified electronic timestamp, integrity manifest — demonstrates diligence in a way that screenshots and informal descriptions cannot match. This becomes increasingly important as DSCs build out their own assessment standards under the forthcoming Commission guidelines.

Designated area of expertise

Trusted flagger designation is not generic. Each designation specifies the area or areas of expertise within which the priority processing obligation applies. Common categories observed in 2025 and 2026 designations include child sexual abuse material (CSAM), terrorist content, hate speech, intellectual property infringement, consumer fraud, illegal product listings, online financial scams, and digital violence. An entity may be designated for multiple categories, but each requires substantive expertise. A designation as a CSAM trusted flagger does not extend to trademark notices, and vice versa.

Czech and Central European context

For entities established in the Czech Republic, the practical situation as of May 2026 is constrained by the ongoing CJEU referral over ČTÚ empowerment. ČTÚ has been formally designated as the Czech DSC, has published an annual report on coordinator activities for 2025, and has been listed as the competent authority for trusted flagger certification under Article 22. However, the broader empowerment framework — including penalty rules — remains under Commission scrutiny in proceedings before the Court of Justice. Czech entities contemplating trusted flagger applications should monitor the CJEU proceedings and the implementation of the implementing legislation alongside their substantive preparation. Many Slovak, Polish, and Portuguese applicants face analogous procedural uncertainty pending resolution of parallel infringement proceedings.

Why evidence preservation determines notice quality

The DSA notice regime is structurally different from the DORA or NIS2 reporting regimes. There is no fixed hour-based clock. There is no statutory authority that receives the notice. The notice is a private-law instrument that triggers a platform decision — and that decision has consequences across the Article 17 statement of reasons, the Article 20 complaint, the Article 21 dispute settlement, and (for trusted flaggers) the Article 22(3) annual transparency report. Every one of these downstream stages tests the underlying notice. And every test is easier for the platform, or for the affected recipient, to win when the underlying notice rests on volatile or reconstructable evidence.

Illegal content has a distinctive evidentiary profile: it is designed to be ephemeral. Trademark counterfeiters change SKUs and migrate listings within hours of detection. Phishing operators abandon infrastructure once it is flagged. Hate speech is deleted or edited as soon as the recipient suspects moderation attention. CSAM hosts move content across CDNs in minutes. Brand impersonation campaigns rotate domain names. In every category where trusted flaggers operate, the evidence supporting the notice has a short half-life — and the notice that reaches the platform after the content is gone is essentially an unverifiable assertion.

The DSA contemplates this volatility implicitly. Article 16(2)(b) requires 'a clear indication of the exact electronic location of that information, such as the exact URL or URLs and, where necessary, additional information enabling the identification of the illegal content'. The 'where necessary, additional information' clause exists because URLs alone are often insufficient — the content at the URL changes, the URL itself can be repurposed, the rendered page may differ from the underlying source. Trusted flagger workflows that capture the content at the moment of identification, with verifiable integrity, satisfy this requirement at a substantively higher standard than workflows that record only the URL.

This is the operational gap that forensic web evidence platforms such as GetProofAnchor are designed to fill. A capture made at the moment of identification produces a tamper-evident package — full HTML, rendered screenshot across desktop and mobile viewports, extracted text content, network metadata, and where applicable the TLS certificate chain — bound together by a cryptographic manifest, sealed with a qualified electronic timestamp under eIDAS Article 42 by an EU-listed qualified trust service provider, and anchored independently into the Bitcoin blockchain via OpenTimestamps. When the platform processes the notice three days later and the content is gone, the evidence is available with mathematical integrity that the original content existed, in that form, at that time.

For trusted flaggers, the cumulative effect over a reporting year is substantial. A flagger producing 5,000 notices with preserved forensic evidence builds a year-long record of high action rates, low successful Article 20 complaint rates, and demonstrable diligence under Article 22(2)(c). A flagger producing the same number of notices supported by screenshots accumulates a record of contested decisions, restored content, and — eventually — the DSC investigation under Article 22(6) that can result in suspension. The evidence standard is not separate from compliance with Article 22; it is the operational core of the trusted flagger's compliance position.

Forensic capture of illegal content for DSA notices

The substantive categories where trusted flaggers and other DSA notifiers most often operate share certain evidentiary characteristics: content hosted on infrastructure the notifier does not control, designed to be deleted on detection, often replicated across multiple URLs or platforms. The following five categories cover the bulk of high-volume DSA notice traffic in 2025 and 2026 and illustrate the forensic capture standards each requires.

Counterfeit product listings on online marketplaces

Counterfeit product listings on online marketplaces are one of the largest single categories of trusted flagger activity, with brand protection organisations and industry associations (the Bundesverband Onlinehandel example in Germany is illustrative) operating in this space. Counterfeit listings disappear quickly once reported, often within hours, and the same seller frequently relists the same product under a different SKU or marketplace identity. Forensic capture must include the full product listing page, the seller profile, the price and shipping details, all product images, and the user-visible reviews — preserved as a single coherent evidence package at the moment the listing is identified.

Brand impersonation domains and phishing infrastructure

Brand impersonation domains — typosquatting, lookalike domains, fraudulent customer support sites — are a growing category of DSA notice activity, particularly as financial institutions and large consumer brands seek trusted flagger designation. Forensic capture must cover the full visual rendering of the impersonation, the underlying HTML showing the use of brand assets, the TLS certificate chain (which often shows free Let's Encrypt certificates, themselves evidentially relevant), and where possible the network calls capturing where harvested credentials are sent. Phishing infrastructure is the most rapidly disposable category in DSA notice work; the gap between detection and content destruction is measured in hours.

Online financial fraud and investment scams

Online financial fraud and investment scams — fake brokerage platforms, fraudulent crypto exchanges, romance-scam-driven 'pig butchering' investment sites — sit at the intersection of DSA notices, DORA reporting for in-scope financial entities, and law-enforcement engagement. The Central Bank of Ireland's stated interest in trusted flagger designation for fraud and financial scams illustrates the institutional demand for structured notice authority in this category. Forensic capture must walk through the multi-page scam journey — landing page, fake dashboard, deposit interface, withdrawal-impossible mechanic — preserved coherently as a single evidence package per scam, with each component independently verifiable.

Illegal hate speech and digital violence content

Illegal hate speech and digital violence content — within the scope of the HateAid example among the June 2025 German designations — present a different evidentiary profile. Content is often hosted on platforms that delete on user report (the recipient often signalling distress through public deletion), within threads or comment sections that scroll out of view, sometimes inside livestream archives. Forensic capture must include the content itself, the surrounding thread context, the user account information for the poster, the timestamps of posting and any subsequent edits, and the URL at which the content appeared. Multi-page or threaded captures are essential because excerpting risks misrepresenting context.

CSAM and terrorist content (specialised hotlines)

Child sexual abuse material and terrorist content are handled by specialised hotlines under both DSA Article 22 and the parallel Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online. Forensic capture in these categories has additional legal and operational constraints — the content cannot be downloaded or stored in standard ways without potential criminal liability for the hotline itself. Specialist hotlines operate within bespoke legal frameworks, typically national law enforcement cooperation arrangements, and use hash-based identification systems rather than raw content preservation. The general-purpose forensic capture techniques discussed for other categories do not apply directly in these specialised contexts.

Annual transparency reports under Article 22(3)

Article 22(3) requires each designated trusted flagger to publish at least once a year an easily comprehensible and detailed report on notices submitted in accordance with Article 16 during the reporting period. The report must list, at minimum, the number of notices categorised by the identity of the provider of hosting services, the type of allegedly illegal content notified, and the action taken by the online platform in response. The reports must explain the procedures in place to ensure the trusted flagger retains its independence, must be sent to the awarding DSC, and must be made publicly available. The information in those reports cannot contain personal data.

The transparency report is the principal public-facing artefact of the trusted flagger's operation. For applicants seeking designation in subsequent rounds, prior transparency reports from other designated flaggers in the same content area provide a reference point for what reasonable activity volumes, category distributions, and platform action rates look like. For DSCs supervising designated flaggers, the annual report is the primary input to ongoing assessment under Article 22(2)(c) — whether diligence, accuracy, and objectivity are still being maintained.

The connection between forensic evidence preservation and the annual transparency report is direct. The report includes the actions taken by online platforms in response to notices. Where platforms removed or restricted content, the report reflects a high action rate. Where platforms restored content following an Article 20 complaint from the recipient, the report reflects a contested decision. Where the trusted flagger withdrew or could not substantiate a notice when challenged, the report reflects a non-actioned notice. Over a year, these distributions shape both the public perception of the trusted flagger's effectiveness and the DSC's assessment of whether the designation remains warranted.

The Commission, under Article 22(4), maintains a centrally accessible publicly available database of all designated trusted flaggers, their Member State of establishment, and their area of expertise. By 2026 this database is operational and growing as designations accumulate. It is also the reference point for researchers, journalists, and regulators tracking the evolution of the trusted flagger framework. Annual reports submitted by designated flaggers become part of the publicly addressable record of how the DSA notice regime is actually functioning in practice.

DSCs across Member States: the Czech CJEU case

Article 49 of the DSA required each Member State to designate one or more competent authorities and to entrust one of them with the role of Digital Services Coordinator by 17 February 2024. Two years after that deadline, the designation landscape remains uneven. Some Member States completed the designation and empowerment process on schedule. Others designated a DSC but failed to grant it the necessary enforcement powers or to establish national penalty rules. Several never completed the designation at all.

On 7 May 2025, the European Commission decided to refer Czechia, Spain, Cyprus, Poland and Portugal to the Court of Justice of the European Union under Article 258 TFEU. Poland had not designated a DSC at all. Czechia, Spain, Cyprus and Portugal had each formally designated a DSC but had failed to entrust it with the necessary powers or to establish penalty rules. The referrals trigger the litigation phase of the infringement procedure; if the CJEU finds a breach, the Member State is legally bound to comply, and continued non-compliance can result in further proceedings under Article 260 TFEU including financial penalties.

The Czech case is particularly visible in Central European DSA practice. The Czech Telecommunications Office (Český telekomunikační úřad, ČTÚ) has been formally designated as the Czech DSC, has published its first annual coordinator activity report covering 2025, and is listed as the competent authority for trusted flagger certification, vetted researcher access under Article 40, and out-of-court dispute settlement body certification. The Czech implementing legislation has not been finalised in the form the Commission considers necessary to grant the DSC its full enforcement competence — which is the basis of the CJEU referral. Czech entities preparing trusted flagger applications work within ČTÚ's published process but operate against a backdrop of unresolved litigation over the broader DSC framework.

By contrast, several Member States have rapidly built out the institutional architecture. Germany's Bundesnetzagentur, hosting the DSC role, has issued multiple trusted flagger designations during 2024 and 2025 and operates a public registry of certified entities. France's Arcom maintains a publicly available list of trusted flaggers updated regularly. Italy's AGCOM designated its first trusted flagger (Argo Business Solutions) in January 2025. Ireland's Coimisiún na Meán is operational and is the home regulator for many large platforms headquartered in Ireland. The Netherlands' ACM and the Hungarian NMHH are similarly active.

The uneven DSC landscape creates an enforcement geography for DSA notice work. A trusted flagger established in a Member State with a fully operational DSC has predictable application timelines, transparent procedures, and a regulator capable of supervising its activity. A trusted flagger established in a Member State whose DSC framework is still being litigated faces longer timelines and procedural uncertainty. For cross-border content categories — counterfeit goods, financial fraud, brand impersonation — the practical effect is concentration of trusted flagger applications in those Member States with the most operational coordinators, which in turn shapes which platforms see which kinds of notices most often.

Trusted flagger designations in practice

By May 2026, several dozen entities across the EU have been designated as trusted flaggers under Article 22 of the DSA. The designations reflect the priorities of each DSC and the substantive areas where civil society, industry, and specialist organisations are most active. The following examples — drawn from public DSC announcements — illustrate the range of organisational types and content areas in the framework.

In Germany, the Bundesnetzagentur certified Bundesverband Onlinehandel e.V. (BVOH), HateAid gGmbH, and Verbraucherzentrale Bundesverband e.V. (vzbv) in June 2025. BVOH focuses on commercial legal protection and unfair competition on online marketplaces — counterfeit listings, comparative advertising violations, unfair competition. HateAid focuses on digital violence, fraud and deception on social media. vzbv focuses on consumer rights, product safety, and e-commerce fraud. The three designations illustrate how a single DSC can build coverage across distinct content categories with distinct civil society partners.

In France, Arcom has designated ALPA (Association de Lutte contre la Piraterie Audiovisuelle, focused on audiovisual piracy), IFAW (International Fund for Animal Welfare, focused on illegal wildlife trade content), INDECOSA-CGT (a consumer association), Point de Contact (focused on illegal content including CSAM and terrorist content), and Addictions France (focused on illegal promotion of addictive products). The French list illustrates a more diverse category distribution, including specialist hotlines that handle CSAM and terrorist content.

In Italy, AGCOM designated Argo Business Solutions S.r.l. as the country's first trusted flagger in January 2025, focused on intellectual property infringement and online fraud. This designation marks a notable structural feature: the first Italian trusted flagger is a commercial digital security company rather than a civil society organisation, reflecting the DSA's openness to industry associations and specialised commercial entities as eligible trusted flaggers under Article 22(2).

Across Member States, the trusted flagger framework remains an emergent rather than fully institutionalised regime. Many DSCs have not yet issued designations. Several Member States are blocked by ongoing CJEU infringement proceedings. The Commission's forthcoming 2026 guidelines under Article 22(8) are likely to standardise application procedures and assessment criteria across DSCs. The 2025-2026 period therefore represents a window in which civil society organisations, industry associations, and specialised entities with substantive expertise can establish themselves in the framework — provided they can demonstrate the diligence and accuracy that Article 22(2)(c) requires.

Sanctions, revocation, and platform countermeasures

The DSA sanctions regime operates on two parallel tracks: penalties against in-scope service providers for DSA breaches, and the suspension or revocation regime for trusted flaggers that misuse their status. Both tracks rely on documentary evidence — of platform behaviour in the first case, of trusted flagger notice quality in the second — and the documentary quality of that evidence directly affects outcomes.

Penalties against platforms under Article 52 must be effective, proportionate, and dissuasive, with maximum amounts set at the higher of 6% of the worldwide annual turnover of the provider in the preceding financial year, or — for failure to supply correct information, complete information, or to submit to an on-site inspection — 1% of annual income or worldwide annual turnover. National laws set the specific maxima within the DSA's framework. For VLOPs and VLOSEs, where the Commission has exclusive enforcement competence over systemic-risk obligations, penalties are imposed directly by the Commission under Article 74. By 2026, the Commission has opened multiple formal proceedings against designated VLOPs.

Platform handling of trusted flagger misuse is structured through Article 22(6). Where a provider of an online platform has information indicating that a trusted flagger has submitted a significant number of insufficiently precise, inaccurate, or inadequately substantiated notices — including information gathered through the Article 20 internal complaint-handling system — the provider must communicate that information to the DSC that awarded the status, with necessary explanations and supporting documents. The DSC then assesses whether to open an investigation, during which the trusted flagger status is suspended.

Revocation under Article 22(7) is the terminal step. The awarding DSC revokes trusted flagger status if it determines, following investigation, that the entity no longer meets the Article 22(2) conditions. Before revoking, the DSC must give the entity an opportunity to respond. The procedural protections track standard administrative procedure: notice, opportunity to be heard, reasoned decision, judicial review under national law. From the trusted flagger's perspective, the entire revocation chain is documentary — and a record of high-quality, forensically supported notices is the strongest defence against revocation proceedings.

The link to evidence preservation is direct. A platform challenge under Article 22(6) is, at its core, an evidentiary dispute about whether specific past notices were 'insufficiently precise, inaccurate, or inadequately substantiated'. A trusted flagger that produced each contested notice with a verifiable forensic evidence package — preserved at the moment of identification, sealed with an eIDAS qualified electronic timestamp, anchored into the Bitcoin blockchain, independently verifiable — can produce that package on the DSC's request and demonstrate that the notice was, at the time of submission, substantively supported. A trusted flagger that relied on volatile screenshots cannot produce equivalent proof, and the DSC investigation proceeds against a structurally weaker defence.

DSA, NIS2, DORA and GDPR: cross-framework evidence

The DSA operates within an expanded EU digital regulatory cluster that also includes NIS2, DORA, GDPR, and sector-specific instruments. Different regimes apply different obligations to different entities, but in practice a single incident or content event may trigger obligations under several frameworks at once. Trusted flaggers and DSA notice authors that build coherent cross-framework evidence packages avoid duplicative capture work and produce evidence that satisfies multiple regulators simultaneously.

The clearest interface is with NIS2 and DORA for cybersecurity-related content. A phishing page impersonating a bank is, from the perspective of the bank's compliance team, a DORA incident under Article 19 (operational disruption affecting customers) and potentially a NIS2 incident if the bank's ICT supply chain is also affected. From the perspective of a trusted flagger like the Central Bank of Ireland (in the role it has publicly indicated interest in), the same phishing page is the subject of a DSA Article 16 notice to the platform hosting the phishing infrastructure. A single forensic capture of the phishing page — with eIDAS-qualified timestamp and Bitcoin blockchain anchoring — supports DORA reporting, NIS2 reporting via the Article 47 cooperation channel, and the DSA notice itself.

The interface with GDPR is similar. Many DSA notice categories involve personal data exposure — fake KYC portals collecting passport and driving licence images, romance scam sites collecting identity-document scans, brand impersonation pages with credential harvesting that includes personally identifiable information. From the GDPR perspective, the data controller affected by the breach may have Article 33 notification obligations to the relevant DPA. The same forensic capture that supports the DSA Article 16 notice supports the GDPR Article 33 evidence trail.

Platforms such as GetProofAnchor are designed to produce evidence packages that satisfy multiple regulators from a single capture made at the moment of identification. The Evidence ZIP — sealed with a qualified eIDAS timestamp delivered through an EU-listed qualified trust service provider, anchored independently into the Bitcoin blockchain via OpenTimestamps, and supplied with an open-source verification utility — works equally for a DSA Article 16 notice, a parallel DORA Article 19 incident report (where relevant), a parallel NIS2 cooperation channel notification (Article 47 of DORA), and a GDPR Article 33 evidence trail. The evidence is independently verifiable by all of these recipients without dependency on the producing entity or on GetProofAnchor itself.

The operational efficiency of cross-framework evidence becomes most visible at scale. A trusted flagger producing 5,000 notices per year, where 20% of those notices also involve personal data, may face GDPR Article 33 implications for some categories. A single coherent evidence architecture — capture once at identification, package once with integrity primitives, distribute to multiple regulators as the legal obligations of each become applicable — is substantially more efficient than maintaining separate evidence flows for each regulatory framework. It is also more defensible when challenges under any one framework draw on the integrity of evidence used under another.

DSA notice evidence checklist (15 points)

The following checklist consolidates the operational priorities from this guide for entities preparing DSA notices, applying for trusted flagger status, or operating as designated trusted flaggers. It is not legal advice for any specific situation, but it captures the distinguishing characteristics of operationally DSA-ready entities as opposed to those still treating the regime as document-compliance.

• Determine whether your entity is a candidate for trusted flagger status under Article 22 (or whether you are submitting notices as a regular notifier) and document the analysis.
• Identify the Digital Services Coordinator of the Member State where your entity is established; verify the operational status of the DSC, including any ongoing CJEU infringement proceedings that may affect application timelines.
• Define your designated area of expertise specifically — the substantive content categories within which your trusted flagger status will operate. Designation is category-specific, not generic.
• Document your independence from online platform providers: governance structure, funding sources, contractual relationships, historical conduct. Maintain this documentation as part of ongoing compliance, not only at application.
• Build a structured notice workflow that captures, at the moment of content identification, all four mandatory Article 16(2) elements: substantiated explanation, exact electronic location, notifier identity, bona fide statement.
• Implement forensic capture procedures for the specific illegal content categories within your designation: counterfeit listings, brand impersonation, financial fraud, hate speech, or other relevant areas. Each category has distinctive evidentiary requirements.
• Bind capture artefacts together through cryptographic manifests (SHA-256 over all files) and seal the manifest hash via an EU-listed qualified trust service provider for a qualified electronic timestamp under Article 42 of Regulation (EU) 910/2014.
• Anchor each evidence package independently — for example, through the Bitcoin blockchain via OpenTimestamps — so that integrity can be verified without reliance on the trusted flagger entity, the trust service provider, or any single point of failure.
• Document chain of custody in line with ISO/IEC 27037:2012 phases (identification, collection, acquisition, preservation) for each evidence item, with roles, timestamps, and actions recorded.
• Submit notices through the platform's Article 16 mechanism with the preserved forensic evidence attached or linked from a verifiable location. Maintain the original evidence package in your own retained archive regardless of platform delivery method.
• Track platform responses systematically: Article 17 statement of reasons received, content restriction or non-restriction, Article 20 internal complaints from recipients, Article 21 dispute settlement outcomes. Each response becomes part of the documentary record for Article 22(3) annual reporting.
• Maintain procedures for responding to platform challenges under Article 22(6). When a platform questions notice precision or substantiation, the preserved forensic evidence package is the defence.
• Prepare the annual Article 22(3) transparency report systematically across the year rather than retrospectively. Each notice should be categorised at submission, with the platform response captured automatically, so that the year-end report is a summary rather than a reconstruction.
• Map the cross-framework interactions between DSA notices and parallel obligations under NIS2, DORA, GDPR Article 33, and sector-specific regulation. A coherent cross-framework evidence architecture is more defensible than parallel separate flows.
• Make every evidence package independently verifiable by third parties — DSCs, platforms, recipients challenging restriction decisions, courts, researchers, regulators — using open-source verification tools and without dependency on the producing entity's infrastructure.

Frequently asked questions and conclusion

The following answers address the questions that arise most often when entities begin operationalising DSA notice and trusted flagger workflows. They are intended as practical orientation, not as legal advice for any specific situation.

Two years into full DSA application, the regulation has settled into a recognisable operational shape. Platforms have built out Article 16 notice mechanisms. DSCs in most operationally empowered Member States have designated trusted flaggers. The Commission has opened proceedings against multiple VLOPs and is preparing the trusted flagger guidelines for adoption in late 2026. The CJEU infringement cases against Czechia, Spain, Cyprus, Poland and Portugal are working their way through litigation. The trusted flagger framework, in particular, has shifted from theoretical to practically active.

The capabilities that distinguish operationally DSA-ready entities are recognisable. Detection workflows that identify illegal content rapidly within designated areas of expertise. Notice procedures that capture all four Article 16(2) elements with forensic integrity at the moment of identification. Annual reporting infrastructure that produces transparency reports under Article 22(3) as accumulated documentation rather than year-end reconstruction. Defence procedures for Article 22(6) platform challenges that rest on preserved evidence rather than reconstructed accounts. None of these capabilities is exotic; what distinguishes well-prepared entities is that all of them are in place before the first platform challenge.

GetProofAnchor exists to make the forensic preservation component of this stack — specifically the web-facing illegal content that disappears fastest in the hours after identification — straightforward, defensible, and independently verifiable across the DSA notice and action regime. If your organisation is preparing a trusted flagger application, operating as a designated trusted flagger, or building structured notice workflows under Article 16, the most direct way to see how qualified-timestamped forensic web capture integrates with the DSA evidence requirements is to create a sample proof from any public URL and inspect the Evidence ZIP. Verification is open-source and runs on any laptop. The standard is reproducible because, in DSA notice work, it has to be.