Selling and Operating Online into Europe: What Australian and NZ Businesses Need to Know About the DSA and the AI Act in 2026

If your business reaches customers in the European Union through a website, marketplace, app or AI-enabled service, two EU regimes now demand your attention: the Digital Services Act (DSA), which is already in full force and being actively enforced, and the EU Artificial Intelligence Act, whose next major compliance milestone arrives on 2 August 2026. Neither regime requires you to have an office, subsidiary or server in Europe. Both apply on the basis that your service is offered to, or produces effects for, users in the EU. For Australian and New Zealand companies, that means EU regulatory exposure can arise from nothing more than accepting orders from European customers or making an AI-powered feature accessible to them.

The Digital Services Act: platform responsibility is now being enforced with real money

The DSA (Regulation (EU) 2022/2065) governs "intermediary services" offered in the EU, including hosting providers, online marketplaces and platforms that allow users to post, sell or share content. Its central bargain is conditional liability protection: platforms are not automatically liable for illegal content or products uploaded by users, but only if they act diligently. That diligence includes maintaining accessible notice-and-action mechanisms so that anyone can report illegal content, acting expeditiously to remove or disable access once on notice, giving priority to reports from designated "trusted flaggers", providing statements of reasons to affected users, and, for marketplaces, verifying the identity and details of traders before allowing them to sell (the "know your business customer" obligation). Non-EU providers within scope must appoint a legal representative in an EU Member State, and that representative can be held liable for the provider's non-compliance.

The consequences of getting this wrong are no longer theoretical. On 28 May 2026 the European Commission issued its first DSA fine directed at illegal products, imposing €200 million on the marketplace Temu — the largest DSA penalty to date, following the €120 million fine against X in December 2025. The Commission found that Temu, as a designated Very Large Online Platform, had failed to properly identify, analyse and assess the systemic risk of illegal products being offered on its service. Critically, the Commission's objection was to the quality of Temu's risk assessment itself: it relied on generic, sector-wide information rather than evidence specific to Temu's own platform, and it seriously underestimated how often EU consumers would encounter illegal items — a finding supported by the Commission's own mystery shopping exercise, in which a high proportion of tested chargers failed basic safety tests and baby toys breached chemical limits or presented choking hazards. Temu must now submit a remedial action plan by 28 August 2026, with periodic penalty payments available if it fails to comply.

Three lessons follow for ANZ businesses. First, the DSA's heaviest obligations (annual systemic risk assessments, independent audits, recommender-system transparency) apply only to designated very large platforms, but the core notice-and-action, take-down, trader-verification and transparency obligations apply to platforms and marketplaces of all sizes, with only limited carve-outs for micro and small enterprises. Second, risk and compliance documentation must be specific, evidence-based and genuinely engaged with your own service — box-ticking assessments modelled on industry generalities are precisely what the Commission penalised. Third, if you sell physical goods into the EU via your own platform or third-party marketplaces, the DSA operates in addition to, not instead of, EU product compliance law. Market surveillance authorities will still trace non-compliant products back to the manufacturer or importer, so listing through a marketplace does not outsource your regulatory exposure. Fines under the DSA can reach 6% of global annual turnover.

The AI Act: what actually changes on 2 August 2026

The AI Act (Regulation (EU) 2024/1689) has been applying in stages since prohibited practices took effect in February 2025 and general-purpose AI model obligations in August 2025. The original plan was for the Act's most demanding tier — high-risk AI systems — to become enforceable on 2 August 2026. That timeline has now shifted. Under the Digital Omnibus on AI, finally approved by the European Parliament on 16 June 2026 and the Council on 29 June 2026, the high-risk obligations for standalone Annex III systems (covering areas such as recruitment, credit scoring, education and biometrics) are deferred to 2 December 2027, and for AI embedded in regulated products (medical devices, machinery, vehicles) to 2 August 2028.

What was not deferred is just as important. The Article 50 transparency obligations still apply from 2 August 2026. From that date, businesses deploying AI systems that interact with people in the EU must ensure users know they are dealing with AI; providers of generative AI must ensure synthetic content is identifiable as artificially generated (with a short grace period, to 2 December 2026, for the machine-readable watermarking of outputs from systems already on the market before 2 August 2026); and deployers must disclose deepfakes and AI-generated text published to inform the public on matters of public interest. A new prohibition on AI systems designed to generate non-consensual intimate imagery or child sexual abuse material also takes effect on 2 December 2026. Penalties under the AI Act scale up to €35 million or 7% of global annual turnover.

The extraterritorial reach mirrors the DSA. The AI Act applies not only to providers placing AI systems on the EU market but also to providers and deployers located outside the EU where the output of the system is used in the EU. An ANZ company embedding a chatbot, recommendation engine or generative tool in a service accessible to European users should assume it is in scope.

GEMA v OpenAI: the IP dimension of deploying AI into Europe

Alongside regulatory compliance sits a rapidly hardening copyright landscape. In November 2025, the Munich Regional Court I delivered Europe's first major judgment on AI training and copyright in GEMA v OpenAI (case 42 O 14139/24). The court held that the "memorisation" of copyright works within a language model's parameters, and the reproduction of those works in the model's output, each constitute acts of reproduction under German copyright law, and that the EU text-and-data-mining exception did not excuse the training of the model itself. OpenAI was ordered to cease the infringing use, provide information about the scope of use and associated revenues, and pay damages. The decision is under appeal and may ultimately reach the Court of Justice of the EU, but its immediate message is clear: European courts are prepared to hold AI developers directly liable for unlicensed training data, and the outcome diverges sharply from the more permissive fair-use trajectory emerging in US litigation. For ANZ businesses building or fine-tuning AI models, or procuring AI tools whose outputs will be delivered into Europe, the provenance and licensing of training data is now a genuine legal risk factor, not a theoretical one.

Navigating the obligations: a practical approach

The starting point is a scoping exercise: map which of your services are offered to EU users, whether any of them constitute intermediary services or marketplaces under the DSA, and which AI systems you provide or deploy whose outputs reach Europe. From there, DSA-exposed businesses should establish (and document) notice-and-action workflows, trader verification for marketplace sellers, an EU legal representative where required, and risk documentation that engages with the specific characteristics of their own service. Businesses within the AI Act's reach should prioritise the Article 50 transparency measures now — AI-interaction disclosures, content labelling and watermarking capability — while using the deferred high-risk deadlines to build conformity assessment, technical documentation and human-oversight frameworks properly rather than pausing them. On the IP side, contractual warranties and indemnities around training data provenance should be standard in any AI procurement or development arrangement touching the EU, and businesses generating content with AI should understand where their tools sit in the emerging European licensing environment.

The common thread across the DSA, the AI Act and GEMA v OpenAI is that the EU regulates by effect, not by establishment. If European consumers can reach your platform or your AI can reach them, the obligations follow — and, as Temu's €200 million fine demonstrates, the enforcement now does too.

Regional IP helps businesses protect, manage and enforce their intellectual property in Australia and overseas, as well as advising on avoiding legal risks in the global marketplace. Let us know if you need assistance.

 

This article is provided for general information only and does not constitute legal advice. Businesses should seek advice specific to their circumstances before acting.

Next
Next

Wool is Back in Business — And Regional NSW is Back in the Room