What makes a risk “systemic”? The CJEU’s first interpretation of systemic risks under the Digital Services Act

/in

By Andrea Palumbo

This post analyses the first major CJEU interpretation of “systemic risks” under the Digital Services Act in Amazon v. European Commission (2025). It argues that the judgment clarifies systemic risks as large-scale societal risks, rejects analogies with financial systemic risk regulation, and provides some guidance on the scope of Article 34 DSA.

 

 

Introduction

Few things have puzzled digital law scholars like the new notion of systemic risks of the Digital Services Act. This concept, also used in the AI Act, is unprecedented in the field of media law and platform regulation, and its vagueness has opened up many, at times radically different, interpretations. Systemic risks have so far received significant attention by practitioners, academics and other stakeholders, with various speculations as to their meaning advanced over time (for example here, here, here and here). Scholarship has also discussed and/or criticized the vagueness and uncertainty surrounding the interpretation of systemic risks (see, among others, here, here and here).

For over two years since the DSA started to apply, this concept, of central importance within the DSA’s regulatory architecture, had not been comprehensively interpreted by either the European Commission or the Court of Justice of the European Union (CJEU). The first substantial, though partial, interpretive clarification on the meaning of systemic risks finally arrived on 19 November 2025, in the judgement Amazon v. European Commission. This blog post disentangles the passages of the judgement that clarify what systemic risks are, and reflects on its impact on the future application of the DSA.

Background of the judgement and main pleas in law

In April 2023, the European Commission issued a decision under the DSA designating the Amazon Store as a very large online platform (VLOP), on the ground that it had more than 45 million average monthly active recipients in the EU, thus exceeding the threshold set by the Regulation.

Prior to the designation, Amazon itself had published data showing that its platform’s monthly active users in the EU exceeded this threshold. Nevertheless, Amazon brought an action before the CJEU seeking annulment of the Commission’s decision, arguing that the DSA provision under which it was designated, and the related obligations imposed on platforms such as Amazon Store, were unlawful. In particular, as part of its first plea in law, Amazon claimed the illegality of Article 33(1) which sets out the designation criteria for VLOPs. This claim was based on the argument that the provision violates multiple fundamental rights enshrined in the Charter: the freedom to conduct a business, the right to property, the principle of equal treatment, the right to freedom of expression and information, and the right to private and family life. The General Court delivered its judgment on 19 November 2025 in Case T-367/23, dismissing Amazon’s action in its entirety, and thus rejecting all alleged infringements of the Charter.

What the judgement tells us about systemic risks

In alleging infringements of the Charter, Amazon put forward its own understanding of systemic risks, claiming that marketplaces such as Amazon Store do not give rise to systemic risks. This gave the CJEU the opportunity to reason about the meaning of systemic risks, as it was indirectly seized of the question of whether, and how, marketplaces can pose systemic risks under the DSA. By addressing this question, the CJEU gave us the most important clarifications on the concept, in two respects: i) the meaning of the adjective ‘’systemic’’, ii) the scope of the category of systemic risks, in terms of both the range of protected interests and geographical relevance.

The findings of the CJEU on these two aspects are illustrated below.

On the meaning of the adjective ‘’systemic’’

Amazon submitted that marketplaces cannot pose systemic risks because they are not part of a ‘system’. With this argument, Amazon essentially proposed an interpretation of the adjective ‘systemic’ as referring to risks that emanate from a system of interconnected institutions (para. 69). In constructing this interpretation, it drew a parallel with financial institutions and the concept of systemic risk in financial prudential regulatory frameworks. In particular, Amazon argued that, since financial institutions pose systemic risks when they are interconnected with other businesses and thus form part of a global financial system, it should likewise be assessed under the DSA whether online platforms are interconnected with each other and constitute a ‘system’ (para. 69). By relying on this analogy, Amazon contended that marketplaces cannot generate systemic risks because they are not part of a system of interconnected institutions subject to contagion effects (para. 69).

By advancing this argument, Amazon gave the CJEU the opportunity to resolve a decisive interpretive question: whether the meaning of ‘systemic’ concerns the origin of risks as emanating from systems, or rather their reach, in terms of large-scale effects potentially affecting a significant portion of society. In settling this issue, the CJEU endorsed the second interpretation, understanding systemic risks as relating to large-scale effects, and not deriving from a system. The CJEU held that systemic risks are those arising ‘to society as a whole in so far as they could affect a significant part of the population of the European Union’ (para. 70). In the same vein, it explicitly rejected Amazon’s interpretation by stating that systemic risks are not those arising from systems, and that independent entities not forming part of an interconnected system can still raise systemic risks (para. 70). In justifying this interpretation, the CJEU referred to recitals 75 and 76 of the DSA, which describe the role of very large online platforms as de facto public spaces with significant societal impact as intermediaries enabling the dissemination and reception of information in a large section of the EU society (paras. 63, 64). As confirmed in another passage of the judgement, in the eyes of the CJEU, these recitals clearly indicate that the difference between systemic and non-systemic risks lies in their ‘’scale and impact’’ (para. 146). This is consistent with the view, expressed by the Commission in its impact assessment for the DSA, that VLOPs are ”de facto public spaces” (para. 156).

This clarification has very important consequences for the implementation of articles 34 and 35 of the DSA on systemic risk assessment and mitigation. As financial regulation is the only other EU legislative framework where the concept of systemic risk is used, it had been largely referred to by practitioners and researchers in proposing interpretations of systemic risks under the DSA, as well as the AI Act (see, among others, here and here). This led to giving a prominent role to the criterion of interconnectedness, that is central to the notion of systemic risks in financial regulation. With this judgement, the CJEU discarded this as a decisive element in the identification of systemic risks. As a consequence, interconnectedness does not matter as such, but only insofar as it contributes to the scale and impact of systemic risks. Moreover, the interpretation of the CJEU provides actionable criteria to identify systemic risks, directing any future assessments towards the scale and impact of risks vis-a-vis a significant part of the population of the Union.

On the category of systemic risks: exhaustive or open-ended?

The category of systemic risks in the DSA stands out for its vagueness. It encompasses risks to fundamental rights and several other individual and societal interests, some of which are both broadly-phrased and politically-laden. This inevitably raises many interpretive questions on the precise boundaries of this category. While Article 34(1) provides a list of systemic risks, it states that risk assessments shall ‘’include’’ the risks outlined in the list. This led scholars to speculate that the category could potentially be open-ended and include risks not mentioned in the list, as argued here and here.

In the judgement, the CJEU is not fully explicit about the exhaustive or non-exhaustive nature of the list in Article 34(1), but some passages of the judgement may indirectly indicate that the list is to be understood as exhaustive. First, in the section dedicated to the interpretation of the concept of systemic risk, the CJEU enumerates only the systemic risks outlined in the list, stating that those on the list are the ‘systemic risks which may be caused by very large online platforms’ (paras. 65-68). In this context, the CJEU does not note that the category may include additional systemic risks, nor it uses the word ‘include’ or other terminology suggesting a non-exhaustive character of the list. On the contrary, it only refers to the systemic risks of the list and, consistently, only refers to the systemic risks outlined in the list in any other passage of the judgement. While still rather implicit, the clearest indication that the list is exhaustive can be found in two identically phrased passages, where the CJEU states that marketplaces ‘may give rise to numerous systemic risks referred to in Article 34(1)(a) to (d)’ (paras. 82, 118, 137). The phrasing of this sentence suggests that systemic risks are only those listed in Article 34(1), thus providing a relatively clear confirmation that the list must be understood as exhaustive. Again, similarly relevant passages refer to ‘systemic risks within the meaning of Article 34(1)(a) to (d)’ (para. 72).

On the geographical scope of systemic risks

The politically-laden nature of protected interests may raise questions about the geographical scope of systemic risks, considering that some protected interests relate to matters traditionally regulated at the national level, such as public security, notwithstanding the clear ambition of the systemic risk management regime to address EU-wide issues.

Amazon submitted that the DSA breaches the principle of equal treatment as it only applies to entities operating in multiple Member States, which is inevitably the case for providers with more than 45 million users, and does not apply to providers posing similar systemic risks at the national level. In referring to national systemic risks, Amazon mentioned the example of risks to the democratic process, stating that they are national in character.

In its answer to this contestation, the CJEU made two important clarifications on the geographical scope of systemic risks. First, it discarded as irrelevant the fact that the operation of a provider is limited only to a Member State, reiterating the paramount and sole relevance of the quantitative criterion on the average monthly active recipients (para.150). This resonates with the confirmation, in another passage, that only the quantitative criterion matters for the designation of VLOPs, as opposed to a case-by-case qualitative criterion (paras. 83-90). This is in line with the CJEU’s holding in Zalando, where it dismissed that a qualitative assessment is needed to determine if a service actually gives rise to systemic risks. Second, the CJEU seems to have rejected the idea that risks to democratic processes only arise at the national level, noting that a democratic process also exists at the EU level, as follows from Articles 10 TEU and 22(2) of the Treaty on the Functioning of the European Union (para. 149).

The key takeaway from these passages is that, even in cases where only recipients of a single Member State were exposed to systemic risks, it cannot be excluded that these risks arise at the EU level. The quantitative threshold is the sole relevant criterion, irrespective of geographical reach. Moreover, the CJEU recognised the existence of an EU-wide democratic process, which is a first step to understand the EU dimension of systemic risks.

Conclusions

In these early years of DSA enforcement, many judicial proceedings have unsurprisingly focused on the designation procedure under Article 33. Even if these proceedings do not directly invest Articles 34 and 35, they have offered the opportunity for the CJEU to, at least indirectly, say something about systemic risks. While very little was said in NKL Associates and Zalando, the Amazon judgment marks the first time the Court has offered substantial interpretive guidance on the concept. Although still limited, this guidance allows to draw a much needed first sketch of the notion of systemic risk, upon which future interpretive efforts can build.

By rejecting the analogy with systemic risks in the financial sector, the Court has attributed a more independent meaning to systemic risks in the DSA, a development that is welcome given the fundamental differences between the risks posed by online platforms and search engines, on the one hand, and financial institutions, on the other. In doing so, the judgment introduces a degree of discontinuity in the entrenched tendency to rely on financial systemic risk regulation as a reference point for interpreting systemic risks under the DSA.

Despite the clarifications on the meaning of systemic risks, the judgement regrettably fails to provide an explicit confirmation on the exhaustive nature of the list in Article 34(1). As it was invested with a question on whether marketplaces give rise to systemic risks, it almost comes as a surprise that the Court did not, even incidentally, more decisively clarified this point. Pending confirmation of this interpretation, the judgement already provides important clues, perhaps unexpected ones amidst the scholarship that was already assuming the open-ended nature of the category.

Looking ahead, at present there are three proceedings before the CJEU, all related to the designation procedure of VLOPs, that could lead to more clarifications on systemic risks. They concern the designation as VLOPs of Xvideos, Stripchat and Pornhub. In the meantime, one could also wait for more DSA enforcement actions, that may in turn lead to more judicial cases on the interpretation of systemic risk management provisions.