What Does the GDPR’s Enforcement Journey Tell Us About DSA and OSA Compliance?

As implementation of the Digital Services Act (DSA) and UK Online Safety Act (OSA) matures, questions arise as to the path that enforcement will take. The enforcement trajectory of the General Data Protection Regulation (GDPR) may offer instructive parallels, but important differences between these regulatory regimes, along with key external factors, suggest that the safety regulations’ enforcement curve may not mirror that of the GDPR.

Why GDPR Enforcement Patterns Are Relevant for DSA and OSA

The GDPR and the DSA are architecturally similar in ways that suggest their enforcement patterns may parallel each other. Per the European Institute of Public Administration, “the DSA and GDPR, rather than being seen as separate regimes, should be understood as complementary tools in a broader effort to foster transparency, accountability, and user rights in the digital age.” Both regulations:

  • Employ coordinated enforcement networks across member states.

  • Include graduated obligations based on platform size and risk.

  • Impose comparable fines for violations based on global annual turnover.

The UK OSA follows similar patterns: phased implementation, categorization of services by size and functionality, substantial penalty provisions (up to £18 million or 10% of qualifying worldwide revenue), and a single national regulator (Ofcom) with powers modeled on established data protection enforcement approaches.

The GDPR’s Enforcement Journey

Given these parallels, the evolution of GDPR enforcement provides a potentially helpful benchmark for anticipating DSA/OSA enforcement.

Data from the CMS.Law GDPR Enforcement Tracker reveals distinct phases of GDPR enforcement.

Phase 1: Orientation (2018-2020). The initial enforcement period was one of regulatory restraint. Regulators allowed what one analysis describes as an “initial phase to get acquainted with the new data protection regime under the GDPR for both data controllers and themselves.” Authorities imposed relatively few fines, and those imposed were small in amount—typically under €100,000. This restraint was likely a pragmatic recognition that both regulated entities and authorities needed time to understand the practical import of new requirements.

Phase 2: Escalation and Capacity Building (2020-2022). As Data Protection Authorities (DPAs) built institutional capacity and developed enforcement expertise, both the frequency and severity of fines increased. This period saw the emergence of million-euro penalties and the first significant enforcement actions against major technology platforms, which became a focus of higher-profile actions.

However, coordination challenges also emerged in this phase. Cross-border cases proved complex, requiring consensus building among multiple national authorities with varying philosophies and resource levels.

Phase 3: Maturation and Harmonization (2023-Present). In this phase, GDPR enforcement matured substantially. The number of consistency opinions adopted by the EDPB under art. 64(2) increased. More significantly, for the first time since 2020, the EDPB issued zero binding decisions in disputes between DPAs during 2024—indicating that national authorities had achieved sufficient alignment in their interpretations and approaches that formal dispute resolution was no longer necessary.

As of early 2026, the CMS Tracker documents 2,711 fines totaling over €6.7 billion. At the member-state level, patterns emerge: Ireland and the Netherlands have imposed few but massive fines (hundreds of millions) concentrated on the largest technology companies, while Germany, Spain, Italy, and France issue higher volumes of smaller fines across diverse industries.

Status of DSA/OSA Enforcement

Both the DSA and OSA are in their early implementation period, though with notable variations.

  • The DSA became fully applicable in February 2024. The European Commission has primary enforcement responsibility for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), while national Digital Services Coordinators (DSCs) handle other in-scope services. The Commission and DSCs have initiated enforcement actions, but the pattern generally parallels early GDPR: targeted, focused on fundamental compliance gaps, and designed more to establish regulatory credibility than to impose maximum penalties.

  • The UK OSA entered into force more recently, so data is limited. Illegal content duties came into force in March 2025, child safety requirements in July 2025, and categorized service obligations are expected in 2026. Still, Ofcom has demonstrated willingness to use its powers, opening multiple investigations and issuing its first £1 million+ fine in late 2025.

Call for Caution: Material Differences Between Regulatory Regimes

While the structural parallels are compelling, there are significant reasons to be cautious about assuming online safety enforcement will follow the GDPR’s trajectory.

1. Public Salience and Political Pressure

Safety harms, particularly those affecting children, can be more visceral than privacy harms and can generate immediate public outrage and sustained media attention. In turn, politicians and regulators face intense pressure to demonstrate rapid, visible enforcement—a factor that may compress or eliminate the “orientation” period seen with the GDPR.

2. Freedom of Expression Tensions

The GDPR’s core tension is privacy vs. business efficiency—a relatively straightforward commercial tradeoff. The DSA/OSA directly implicate tensions between safety and freedom of expression, making enforcement politically and geopolitically charged in ways privacy enforcement is not. These controversies are prompting legal challenges and polarization, complicating enforcement.

3. Measurement and Verification Complexity

Compared to GDPR compliance, online safety compliance involves more subjective judgment about the effectiveness of mitigation measures and systems. That subjectivity could mean:

  • Inconsistent enforcement across jurisdictions and even by individual regulators.

  • Litigation risk as platforms challenge regulatory determinations about what “effective” means.

  • Moving targets as harms evolve rapidly (e.g., generative AI-driven abuses).

4. Different Industry Starting Points

When the GDPR came into force, most companies were building data protection infrastructure from scratch, creating a relatively level playing field. For online safety, major platforms already have substantial safety operations and detection technologies. This existing maturity could contribute to an expectation among regulators that such platforms should be able to comply immediately, but that expectation may be unreasonable for smaller platforms.

5. Technical Challenges

Many of the technical requirements for GDPR compliance (encryption, access controls, data minimization) were well-understood and implementable at the time the law was passed. Some online safety requirements, on the other hand, involve technical measures that don’t yet exist or are in tension with privacy: age assurance at scale, content detection on end-to-end encrypted services, algorithmic transparency.

These feasibility issues could lead to either compliance theater or enforcement delays while technology catches up to requirements.

6. Regulatory Momentum

The DSA and OSA, along with other online safety regulations, carry forward authorities’ long-term digital regulatory agenda—an agenda that was much less robust at the time the GDPR was passed. Regulators and companies are now much more accustomed to online regulation, building on a learning curve that could heighten regulatory expectations and accelerate enforcement.

7. Enforcement Authority Structure

While both regimes use networked enforcement, there are important distinctions. The GDPR is enforced primarily by national DPAs, with cross-border cases coordinated through the EDPB. The European Commission, on the other hand, has direct enforcement authority over VLOPs/VLOSEs for DSA compliance, not just coordination authority. And Ofcom has comprehensive authority to enforce the OSA.

These structural differences may accelerate implementation of the safety regulations by avoiding some of the coordination bottlenecks that slowed GDPR enforcement.

Strategic Implications

These differences suggest several adjustments to how platforms should think about DSA/OSA compliance compared to GDPR:

  • Don’t assume a period of extended restraint. The 2-3 year orientation phase may compress to 12-18 months, particularly for child safety violations.

  • Prepare for contested enforcement. Greater subjectivity may mean more variation across regulators and more frequent litigation challenging specific determinations.

  • Build for technical evolution. Safety measures will need continuous updating as harms, technologies, and industry baselines evolve.

  • Anticipate jurisdictional conflicts. Platforms may need to accept some jurisdiction-specific implementation rather than global solutions.

  • Frontload foundational work. This early phase is the optimal time to build robust governance structures, risk assessment frameworks, and data governance practices. Platforms that do so position themselves to adapt more efficiently as regulatory expectations evolve.

  • Invest in demonstrable process. The ability to demonstrate consistent, good-faith effort to meet requirements—including through detailed documentation and auditable processes—will be critical to maintaining the trust of regulators, users, and partners.

  • Prepare for cross-regulatory integration. Regulators have already acknowledged that privacy and safety requirements intersect. Platforms must adopt integrated approaches to risk assessments, data governance, content moderation, user rights, incident management, and transparency reporting rather than treating them as separate silos.

Ultimately, the GDPR enforcement trajectory is instructive for understanding regulatory maturation patterns, but platforms should view the GDPR experience as merely a reference point, not a precise roadmap. Given key differences between the GDPR and DSA/OSA regimes, escalating regulatory scrutiny may come sooner in the safety space than it did for privacy.

The platforms most likely to thrive are those that invest in foundational compliance capabilities now, systematically learn from early enforcement actions, and build integrated systems designed to evolve as regulatory enforcement matures.
