Digital Law & Platform Regulation Deep Dive
A heavy brass nameplate reading 'Gesetzlicher Vertreter · Art. 13 DSA' on a door ringed with EU stars, beneath it a discarded tin letterbox with a red line through it, a taut chain running from it across a border line to a Swiss platform shopfront.

Substantial connection suffices: when Art. 13 DSA requires a Swiss platform to appoint an EU representative

The Digital Services Act binds a Swiss platform without an EU establishment as soon as it has a substantial connection to the Union under Art. 3(e), and then requires under Art. 13 a liable legal representative — not a letterbox. Whoever fails to appoint one falls, under Art. 56(7), within the jurisdiction of all member states rather than a single supervisory authority.

Dr. iur. Servatius von Tatzenberg

Since 17 February 2024 (Art. 93(2) DSA), the Digital Services Act has been fully applicable, and it does not ask where a platform is established. Under Art. 2(1) of Regulation (EU) 2022/2065, it applies to intermediary services offered “to recipients of the service who are established or located in the Union, irrespective of the place of establishment of the providers of those services”. A Swiss platform is therefore bound as soon as it has a substantial connection to the Union under Art. 3(e) DSA. The first concrete obligation that most overlook is found in Art. 13 DSA: the appointment of a legal representative in a member state. That representative is a point of liability, not a letterbox.

The connecting factor is neither server location nor legal form. It rests in two definitions. Art. 3(d) DSA describes “offering services in the Union” as the ability for persons in a member state to use the service, provided the provider has a substantial connection. Art. 3(e) fills that connection with factual criteria: a significant number of users relative to the population, or the targeting of activities at one or more member states. Anyone who mapped the reach of Art. 3(2) GDPR in the legal department back in 2018 will recognise the mechanism.

What “targeting” means in concrete terms is explained in Recital 8 DSA: the use of a language or currency commonly used in a member state, the ability to order products or services, a relevant top-level domain, advertising directed at users in member states. A German-language interface alone decides nothing. Prices in euros, a .de checkout path, and delivery to Munich together decide a great deal. Mere technical accessibility of the website in the Union expressly does not suffice. For most Swiss platforms serving a German or French audience, the threshold is not high — it has long since been crossed.

A red examiner's hand stamps 'AUSRICHTUNG' over the euro prices and .de checkout path of a Swiss platform interface.

The second misconception concerns scale. The DSA is widely perceived as a regime for the very large — Meta, Google, and X — and the additional obligations for very large platforms in Section 5 reinforce that impression. Art. 13 sits in Section 1, however, among the obligations for all providers of intermediary services under Art. 3(g) DSA: mere conduit, caching, hosting. Even a Swiss hosting provider, a classifieds portal, or a niche marketplace falls within scope, without ever being an “online platform” under Art. 3(i) — let alone a very large one. There is no escape route for SMEs: the exemption for micro and small enterprises in Art. 19 DSA covers only Section 3, not Art. 13.

Art. 13 has five paragraphs, and they build on each other. Paragraph 1 requires the provider to designate in writing a legal or natural person as legal representative in a member state in which the service is offered. Paragraph 2 turns that into a mandate: the representative is authorised to be contacted “in addition to or instead of” the provider by authorities, the Commission, and the Board, and must be equipped with the necessary powers and resources. Paragraph 4 requires the name, address, email address, and telephone number to be reported to the Digital Services Coordinator of the relevant member state and kept publicly available. Paragraph 5 makes clear that the appointment does not constitute an establishment in the Union.

What flows through this representative is not promotional mail. It is the orders by which authorities in the Union reach the provider: the order to act against illegal content under Art. 9 DSA, the information order under Art. 10 DSA, and any enforcement decision. Such orders may be issued by a German or French judicial or administrative authority, on the basis of national law consistent with Union law. The representative receives them, and the provider must report compliance without delay. A mere letterbox without powers or resources cannot respond to this, which is precisely why Art. 13(2) requires more than an address.

Paragraph 3 is the reason the position is not a formality. Under it, the designated legal representative “may be held liable for infringements of obligations under this Regulation”, and the provider’s own liability subsists in parallel. Appointing a representative therefore means appointing a co-liable contact point equipped with its own powers and resources — not a nameplate on a door. The German text’s choice of the term gesetzlicher Vertreter, which in Swiss civil law denotes the representative of a legally incapacitated person, is telling: in the DSA it means an authorised, co-liable point of contact, not a corporate officer.

This liability is no legislative accident; it is the point. A provider in Zurich or Lugano without assets in the Union is difficult for a supervisory authority in Dublin or Paris to reach. The legal representative gives the Union access to an actor who would otherwise lie beyond its reach: a reachable, resourced, co-liable person within the internal market. Delegating the role to a service provider that does nothing more than maintain a mailing address formally satisfies the appointment requirement but does not fulfil the substance of paragraph 2. The authority will notice this at the latest when the first order goes unanswered.

Here lies the second gap. Many Swiss providers have had an EU representative under Art. 27 GDPR since 2018 and assume that this also covers the DSA. It does not. The Art. 27 representative is mandated for data protection purposes, not for receiving DSA enforcement decisions. Art. 13 requires a separate written appointment, a separate mandate, and liability under paragraph 3; the same firm can hold both roles only if it carries two separate, appropriately tailored mandates.

An empty chair bearing the sign 'gesetzlicher Vertreter'. In its absence, 27 national delegates simultaneously reach from all sides for the same file labelled 'Art. 56 Abs. 7'.

Omitting the appointment carries a price, and it is asymmetric. If the provider appoints a representative, the member state of that representative is competent under Art. 56(6) DSA — one authority, one channel, one procedural language. If it appoints none, the position reverses: under Art. 56(7), all member states are competent, exposing the platform potentially to all 27 supervisory authorities. Art. 56(7) does include a coordination mechanism: once a Digital Services Coordinator notifies the others of an intended measure, they do not open parallel proceedings for the same infringement — the formal jurisdiction is therefore broader than the real simultaneous enforcement risk. The omission is moreover itself an infringement of an obligation under the Regulation, and Art. 52 DSA caps the fines for it at 6% of global annual turnover. The choice of the representative’s member state is therefore not a formality but the choice of supervisory authority.

While the obligation has long been in force, the industry is watching the wrong construction site. In late October 2025, the Bundesrat opened the consultation procedure on the Federal Act on Communication Platforms and Search Engines, a draft modelled on the DSA but deliberately milder, described in practice as a ‘Digital Services Act light’. It covers only very large platforms — those reaching at least 10% of the Swiss population per month — and will come into force at the earliest in several years. For the mid-sized Swiss platform, the sober conclusion is this: the only platform regime binding it today is the European one. The Swiss one, when it arrives, would not even catch it under that threshold.

The concrete steps for the coming week have three parts. First: assess honestly whether your platform has a substantial connection under Art. 3(e) — language, currency, domain, and orderability into the Union count; the Swiss registered office does not. Second: if it does, and if you have no EU establishment, appoint a legal representative under Art. 13, equip them with a power of attorney, powers, and resources, report them to the Digital Services Coordinator, and publish the details. Third: have it checked whether an existing Art. 27 GDPR representative genuinely holds the DSA mandate or merely appears to. Choose the representative’s member state first, since it determines your supervisory authority.

Finally, the separation of what is settled and what is open. What is settled is the legal position: the DSA has applied since 17 February 2024, a substantial connection under Art. 3(e) triggers Art. 13, and the legal representative is liable under paragraph 3. What is open is enforcement against a Swiss provider without assets in the Union; no published precedent appears to exist, and clarity will come only with the first measure taken by a Digital Services Coordinator under Art. 56(7). Also open is whether Switzerland will regulate at all — and that will not be decided by a court but by the threshold set in the dispatch the Bundesrat submits following the consultation that closed on 16 February 2026. The question you can answer today is the smaller and more pressing one: whether your platform has the connection, and whether the representative it then needs has been appointed.