Below is a summary of the following online platform laws that will impact SaaS suppliers and SaaS customers in 2025: the EU Digital Services Act, the European Accessibility Directive, the UK Online Safety Act, the UK Digital Markets Competition and Consumers Act and the EU Revised Product Liability Directive. Some of these laws apply extra-territorially, meaning they apply even when a SaaS supplier is not located in the UK or the EU (respectively).
It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services.
The EU Digital Services Act (DSA)
The DSA updates the E-Commerce Directive to increase online service providers’ obligations for their online platforms and the content shared on them. Most provisions only apply to:
- Very large online platforms (VLOPs), e.g. Amazon, Apple; or
- Search engines with an average monthly user base in the EU of more than 45 million people (VLOSEs), e.g. Bing, Google.
There are some exemptions for VLOPs and VLOSEs based upon numbers of employees and annual sales.
It is important to note that SaaS suppliers who are not VLOPs or VLOSEs could be subject to the DSA because they provide hosting services.
The DSA sets out mandatory obligations in respect of:
- Illegal content – obligation to permit complaints and remove content;
- Accountability – obligations to report on content moderation; and
- Transparency – obligation to provide information on automatic decision making and content moderation.
The DSA applies to all intermediary services established in the EU and those with a “substantial connection” to the EU. A substantial connection can exist where the number of recipients of the intermediary service in one or more EU Member States is large in relation to their population, or where the SaaS supplier targets activities towards one or more EU Member States.
Non-compliance can result in fines of up to 6% of annual global turnover.
The DSA applies extra-territorially.
Non-EU entities subject to the DSA must appoint an EU Representative.
The EU European Accessibility Directive (EAA)
The EAA is an EU directive. Each EU Member State must pass its own local law to enact its provisions. The EAA aims to make certain types of products and services identified in the EAA more accessible to individuals with disabilities, for example online banking services and ticket machines. There are no specific technical standards that a SaaS supplier whose products or services are caught by the EAA must comply with, but compliance with the Web Content Accessibility Guidelines (WCAG) web accessibility standards is advisable.
The EAA applies to SaaS suppliers with at least ten staff and a turnover of more than 2m Euros who sell relevant goods and services to consumers based in the EU, regardless of where the SaaS supplier is located.
The EAA is currently in force for some relevant goods and services placed on the EU market on, or after, the 28th of June 2025 and for all relevant goods and services regardless of when they were placed on the market from the 28th of June 2030.
The EAA applies extra-territorially.
The UK Online Safety Act (OSA)
The OSA is the UK’s own version of the DSA, but with significant differences, for example detailed measures on online child protection. The OSA applies to online search engines and user-to-user services that permit access to content generated or shared by other users, i.e. content-sharing platforms, social media platforms, online marketplaces, online gaming services, blogs, and forums.
OFCOM published a Children’s Safety Code of Practice in April 2024 (Code). Following the Code is not mandatory, but services applying the measures set out in the Code will be deemed to comply with their OSA obligations relating to children’s safety. Other compliance measures may be applied, but services will be required to demonstrate that any alternative measures match the standards set out in the Code.
The UK Digital Markets Competition and Consumers Act (DMCC)
The DMCC is a UK law that amends the Consumer Rights Act 2015. It mainly relates to consumer law on drip pricing and fake reviews, and has a list of blacklisted practices that will be deemed unfair under UK consumer law. The DMCC applies to companies operating in the UK, regardless of where they are incorporated, provided they have a global turnover of more than 25 billion or a UK turnover of more than 1 billion pounds Sterling.
Although this is a consumer law, the provisions could apply BTB, if the BTB relationship relates to the promotion or supply of products to consumers. For example: any product claims (i.e. green claims) that could be made by suppliers that are repeated to resellers, who sell to consumers.
Most of the DMCC consumer law provisions are already applicable, except for the new subscription contract rules, which will apply from Spring 2026. For example: providing certain pre-contract information, reminder notices and mechanisms for cancellation in consumer subscription contracts.
The CMA regulator can impose fines of up to 300,000 GBP or 10% of a company’s annual global turnover, whichever is higher, for breaches and the DMCC applies extra-territorially.
The Revised EU Product Liability Directive (PLD)
The PLD is an EU directive that will apply to all products (including software) placed on the EU market from the 9th of December 2026. Each EU Member State must pass its own national law to implement the PLD before the 9th of December 2026.
Software, firmware, applications, AI systems, and digital manufacturing files will become “products” and will be subject to the same strict liability regime as traditional physical goods.
The PLD will apply to integrated and interconnected digital services, such as “a health monitoring service that relies on a physical product’s sensors to track the user’s physical activity or health metrics”, smart products, IoT, automated vehicles, drones etc. when marketed in the EU.
From December 2026 any defect in software, including vulnerabilities or failures in digital services, may trigger strict liability under the PLD, if the defect causes harm.
The PLD will apply extra-territorially.
Actions to Take Now
There are a lot of new EU and UK laws now in force, coming into force in stages, or coming into force in the next 18 months that could affect SaaS suppliers.
After considering the above summary, SaaS suppliers need to consider which of the above laws do, could, or may apply to the products and services that they supply or the sectors in which their business operates. This will depend upon numerous different factors for each law, such as:
- The location of the SaaS supplier;
- The location of customers, suppliers, data holders;
- Whether services are provided BTB or BTC;
- The global turnover of the SaaS supplier;
- The sector in which the SaaS supplier operates;
- The types of services being provided by the SaaS supplier;
- The sector in which the SaaS customer operates;
- Whether or not IoT services are provided; and
- The specific EU country in which the SaaS supplier, its customers or the services are being made available.
Each of the above laws will need to be assessed separately to determine if, and how, they apply.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com