Liability exemptions of non-hosting intermediaries: Sideshow in the Digital Services Act?

The European Union is currently discussing a reform of its intermediary liability rules with its recently proposed Digital Services Act. The existing rules in the e-Commerce Directive (Directive 2000/31/EC) offer a safe harbour from liability for certain intermediary functions that are central to the functioning of the internet. A safe harbour for intermediaries is one of the regulatory cornerstones that help protect innovation, creativity and the free flow of information. At the same time, these rules are under pressure. This paper discusses a subset of ‘non-hosting’ intermediary functions. Some of these have traditionally been less visible in content-related regulatory debates. We look at selected examples of functions related to the domain name system (DNS), content delivery networks (CDNs), cloud processing and live-streaming. The current liability exemption regime under the e-Commerce Directive focusses on transmission in, or access to, a communication network, as well as storage. However, significant grey areas arise both in relation to what we call the ‘auxiliary network intermediary’ function (as opposed to ‘direct network intermediary’ functions corresponding to ‘mere conduit’ functions), which does not transmit or provide access, and the ‘temporal provision and processing of information’, which is different from storage.


Introduction
The European Union (EU) is currently discussing a reform of its intermediary liability exemption rules. With a view to updating these rules, the European Commission presented on 15 December 2020 its proposal for a Regulation, termed the Digital Services Act (DSA). 1 The existing rules in the e-Commerce Directive (ECD) 2 offer a safe harbour from liability for certain intermediaries (or rather specific functions), which are central to the operations of the internet. A safe harbour for intermediaries is one of the regulatory cornerstones that help protect innovation, creativity and the free flow of information-as emphasised, for example, in the NETmundial Principles. 3 As opposed to, for example, US safe harbour protections of intermediaries, 4 the European rules apply horizontally, with a single set of rules that cover all forms of liability, including civil and criminal liability, for all forms of information content. 5 At the same time, these rules are under pressure as lawmakers, interest groups and society at large scrutinise the future role of intermediaries. This paper discusses a subset of intermediaries, which can broadly be called 'non-hosting' intermediaries. We address selected examples of functions related to the domain name system (DNS), Wi-Fi hotspots, content delivery networks (CDNs), cloud processing, and search engines. Traditionally, these intermediary functions have been less visible in content-related regulatory debates, but they have recently gained more salience.
In ongoing content moderation and regulation debates, both in Europe and abroad, much focus is (rightly) on the role of (gatekeeper) platforms. 6 One example is the recent debate about the liability of online platforms for user-uploaded copyright-protected content. 7 With this paper, we want to contribute to this discourse in the legal and the internet governance scholarly communities and nuance it with a perspective on the role of 'nonhosting' intermediaries in content regulation. Conceptually, intermediaries at the infra- structure or logical layer of the internet are much further away from content compared with their hosting and platform counterparts. Yet, we observe a shift in the narrative around these non-hosting intermediaries. Certain domain registries, for example, have-voluntarily-put in place notice-and-action regimes akin to platforms, partly going beyond the technical abuse of infrastructure and addressing content abuse. Another example of this shift relates to content delivery networks (CDNs), which have been taken to court by intellectual property rights holders both in Europe and the US to test their liability exemption.
Our starting point is the liability exemption regime of the EU's ECD, which celebrated its 20th birthday on 8 June 2020. The conditions for benefitting from a liability exemption have, in practice, led to such arrangements as notice-and-action models in relation to online platforms under Article 14 ECD. Outside of hosting, the ECD's rules traditionally address internet access service providers (Article 12), which are well described in the academic literature, and proxy caching (Article 13). However, in the 21 years since the adoption of the Directive, internet technology has developed, and it is possible that the safe harbour was defined too inflexibly from the start. This issue is especially topical because the proposed DSA is about to cement the existing safe harbours from the Directive in a Regulation. 8 As noted, instead of providing an in-depth analysis of the proposed rules, we take our starting point in the existing framework of the ECD and test to what extent certain old and new functions other than hosting qualify under the safe harbours, and with what likelihood.

The regulatory landscape
According to the Organisation for Economic Co-operation and Development (OECD), 'Internet intermediaries bring together or facilitate transactions between third parties on the Internet' . 9 The OECD's definition goes on to mention the many different intermediary functions, such as 'to give access to, host, transmit and index content, products and services originated by third parties on the Internet or provide Internet-based services to third parties' . In EU legislation, there exists no corresponding intermediary definition, and the notion of non-hosting intermediary is not used in EU legislation 10 or technical protocols.
Protocols constitute a layer of transnational private regulation as soft law, which complements national and regional regulation (eg EU law). This transnational de facto regulation, even if only soft law, has a strong influence on the architecture and functioning of the internet. Accordingly, the Internet Engineering Task Force (IETF) describes the internet as 'a loosely-organized international collaboration of autonomous, interconnected networks, 8. The wording of the liability exemptions for 'mere conduit' , 'caching' and hosting remain largely unchanged in the Commission's proposal for the DSA. 9. Karine Perset, 'The Economic and Social Role of Internet Intermediaries' (2010) No 171 OECD Publishing 9 <https://doi.org/10.1787/5kmh79zzs8vb-en> accessed 10 March 2021. 10. See the discussion below on 'information society service provider' . In the context of due diligence obligations, the DSA ('Chapter III Due diligence obligations for a transparent and safe online environment') proposes to introduce the novel notion of an 'intermediary service' in Article 2(f), which differentiates between 'mere conduit' , 'caching' and 'hosting' services. The ECD is a relatively technology-neutral regulation, because the functions performed by intermediaries are described in general terms, such as 'transmission in a communication network of information'. 18 At the same time, this neutrality is limited because the ECD conceptualises intermediary functions based on a particular architecture: it defines the liability exemptions based on certain specific functions, namely, 'mere conduit' 19 (Article 12 ECD), 'caching' 20 (Article 13 ECD) and hosting (Article 14 ECD).
In some instances, the regulation of intermediaries is also influenced by other EU legislation, and certain functions may be regulated by several frameworks, addressing such issues as competition and consumer protection in electronic communications networks, 21 11. IETF, 'Internet standards' <www.ietf.org/standards/> accessed 9 March 2021. 12. Harald Alvestrand and Håkon Wium Lie, 'Development of Core There may also be sector-specific national legislation, such as in relation to illegal content, 26 but this issue is not explored further in this article. Furthermore, related to but separate from the question of liability is the role of injunctions. Importantly, the liability exemptions in the ECD merely shield from liability; they do not restrict a court or administrative authority to issue an injunction with a view to require the service provider to terminate or prevent an infringement in accordance with the national legal system in the respective Member State (MS). 27 Injunctions are of major practical importance and there exists ample case law regarding injunctions, most notably in relation to internet access service providers; however, discussion of these issues is outside the scope of this article.

What are 'non-hosting' functions?
This article focusses on liability exemptions for 'non-hosting' functions of intermediaries. To explain our distinction between hosting and non-hosting, it is necessary to understand the design of European liability exemption rules. We employ a broad understanding of 'nonhosting' . We simply use this as a categorisation of services other than hosting (akin to the legal delimitation in Article 14 ECD). In the EU context, hosting refers to services where content provided by the recipient of a service is traditionally stored for a prolonged period.
An example of such a hosting function relates to (some of) the services offered, for example, by such online platforms as YouTube, Facebook or Twitter. However, note that hosting as a technical concept 29 does not necessarily imply that content is stored. Compared with the liability exemption for hosting functions (Art 14 ECD), the intermediary functions of the two remaining liability exemptions ('mere conduit' and 'caching', Articles 12 and 13 ECD) have been less prominently featured in recent policy discussions at the European and national levels. 30 There exist many technical and legal differences between hosting (read: platforms) on the one hand and 'mere conduit' and 'caching' on the other. For example, hosting providers can take down content if notified of its illegality. By comparison, an internet access provider-or other non-hosting provider (discussed below)-may not be in a position to take down content. The actions available for non-hosting providers are often limited, and many content-related measures can easily lead to over-blocking. These differences are important to understand with a view to avoiding unintended spill-over effects from regulatory efforts regarding hosting, ie measures that may make sense in the context of intermediaries broadly related to platforms but not in the non-hosting intermediary landscape. Within non-hosting, we do not focus on the provision of internet access but on various other grey areas, which are less explored in the academic literature. 31 Examples include DNS and Wi-Fi services, cloud processing and content delivery networks (CDNs). These functions raise a number of specific regulatory problems that are easily put in the shadow of internet access service providers on the one hand and hosting providers on the other.
At a fundamental level, the non-hosting notion can be seen as a collection of legal concepts. In legal texts, the complexity of the world often needs to be condensed into legal concepts, which complement rights and obligations. These legal concepts are not 'norms of conduct' because they do not directly regulate what actions are obligatory or permitted. However, whether a right or obligation applies in practice depends on whether its conditions are fulfilled, and this is where legal concepts play a role in the logic of the law. 32 Intermedi-29. The technical term 'host' covers any computer or similar device connected to a computer network. 30. Given the prominent role of online platforms (which often but not always are considered hosting services) in today's internet landscape, this focus seems understandable. See  Ultimately, the decision about liability in a concrete case must consider both liability rules and conditions for exemptions. The spectrum of non-hosting services is heterogeneous as it covers a wide range of offerings. These have in common that they, as intermediaries, bring together or facilitate transactions between third parties on the internet.

Conditions for liability exemptions in the EU framework
The ECD's horizontal liability exemption regime (ie covering administrative, civil and criminal liability) comes with two general criteria that need to be fulfilled: first, the service provider needs to provide a specific form of an 'intermediary' information society service, and second, that information society service provider's (ISSP's) activity must qualify as passive. The specific liability exemptions for the three types of intermediary activities then come with certain-graduated-conditions that need to be fulfilled. 33 Importantly, it is only the three functions of 'mere conduit' (Article 12 ECD), 'caching' (Article 13 ECD) and hosting (Article 14 ECD) that are exempt from liability. The ECD does not address (internet) intermediaries 34 as such; rather, it focusses on the broad, 35 EU-specific genus of the ISSP, which is defined as an autonomous concept in Article 1(1)(b) of the Technical Standards Directive. 36 According to this definition, such a service first needs to be 'normally provided for remuneration'. This criterion is of special interest in the non-hosting sphere, where the service is sometimes not paid for by the beneficiary of the service, and it may be unclear who the recipient of various services is (eg registrant paying for the domain name to be accessible or proxy caching being paid for by internet access service providers (IAPs)). Already, in accordance with the Court of Justice of the European Union's (CJEU's) case law, 37 Recital 18 ECD clarifies that 'information society services are not solely restricted to services giving rise to on-line contracting but also, in so far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data; information society services also include services consisting of the transmission of information Thus, whereas the service must represent an economic activity, a broad interpretation must be given, and it does not require the service to be paid for directly by those for whom it is performed. 38 The service also needs to be provided at a distance, which does not appear to have created issues so far in case law. Furthermore, the definition only covers a service provided by electronic means, which also appears to be unproblematic in the current technological remit. 39 The definitions in the ECD and the Technical Standards Directive can be seen as technologically neutral, in the sense that they do not refer to the internet, which is based on the Transfer Control Protocol (TCP)/IP suite. Thus, other potentially evolving forms that might replace TCP/IP could also be encompassed by the rules. Finally, such a service needs to be at the individual request of a recipient. This criterion does not appear to have given rise to concerns but might challenge the applicability of the ECD in relation to some services (eg live-streaming). According to Recital 42 ECD, as a second prerequisite, 'this activity is of a mere technical, automatic and passive nature, which implies that the ISSP has neither knowledge of nor control over the information which is transmitted or stored' . 40 In McFadden, the CJEU stipulated in relation to 'mere conduit' , for example, that 'providing access to a communication network must not go beyond the boundaries of such a technical, automatic and passive process for the transmission of the required information' , 41 without providing further guidance on the criterion. Thus, on the flipside, an 'active' service provider cannot benefit from the liability exemptions in the ECD. The distinction between active and passive is not as clear as it seems, as the situation both conceptually and technically is regularly more nuanced than . This is contrary to the broad interpretation and was not picked up by the CJEU. Yet, it illustrates that the economic requirement of the ISSP definition may be challenging to apply. 39. 'Electronic means' is regularly used as a short form of 'electromagnetic means' and includes optical means. In theory, there may be technological developments outside the 'electromagnetic' realm based on quantum theory, but this is unlikely to happen within a reasonable regulatory timeframe. 'just active' or 'just passive' . 42 The active/passive dichotomy is increasingly challenging to apply in practice because it is in the nature of a service that it involves some degree of activity. 43 Thus, the provider is active in some respects and passive in others. However, a closer reading of the above-mentioned recital shows that the ultimately decisive factors should be knowledge and control over the information. Further clarifications might be needed.
Questions arise, especially when an intermediary offers functions in combination with hosting. These could be seen as separate services or functions, with the consequence that some are covered by a liability exemption while related functions may not be. The intermediary could then still be held liable for the non-exempted function but not for hosting. In a sense, such related functions could be considered non-hosting, and the question arises of whether there would exist good arguments for exempting them. Alternatively, the combined service, consisting of several functions, could also be seen as a unity. In that case, the question arises of whether the related function could be of such character that it voids the passivity requirement with the consequence that the service qualifies as active and falls outside the scope of application of the liability exemption. 44 Alternatively, we may ask whether the combined service would deserve an exemption de lege ferenda.

Considerations de lege ferenda
When going forward with an update of intermediary liability rules, the European lawmaker needs to strike a fair balance between the various stakeholder interests, emphasising fundamental rights. 45 Both risk management and proportionality are relevant reference points for an updated framework. There is a trade-off between mitigating content risks and ensuring that measures against illegal content remain proportional.
The communication of illegal content or information implies a risk to some stakeholders' rights and interests. For example, children are at risk when child sexual abuse material (CSAM) is produced and disseminated. Economic literature emphasises that risk should be allocated to the actor who is best suited to avoid it, 46 and intermediaries can influence the communication of illicit content. However, the context of intermediary liability is complex and involves a variety of actors and stakeholders, so a simple risk allocation is unfeasible. Intermediary service providers differ in their ability to manage content risks, partly because they vary in their proximity to the illegal content. This parameter (proximity to unlawful content) could play a role in allocating risk. Arguments for liability could include near business relations with the originator of illicit content or a close technical connection to the material. 47 Based on a simple risk allocation rationale, intermediaries with proximity to illegal content risk should bear these risks. However, such a risk assignment would also create incentives for mitigating risks by taking down content, which is not without consequences. 42 The key problem is that taking down content also affects other stakeholders, such as internet users and society at large. Therefore, fundamental rights ought to constitute an essential starting point for the liability exemption framework. The lawmaker should weigh benefits (the protection from impacts of unlawful content) against costs (the negative effects of protection measures on other fundamental rights). Intermediaries are exempted from liability because they fulfil important societal functions. Their roles in the communications process structurally limit their ability to take proportionate and effective measures to control content-related risks without negative effects on an open and free internet. This is also acknowledged in the case law of the CJEU, which points out that one needs to strike a fair balance between the rights and interests at stake. 48 Measures imposed on a service provider must balance these rights and be proportionate.
In the non-hosting context, the various service providers differ significantly in their ability to take measures that could potentially affect content-related risks. Therefore, we must ask what technical measures the respective service providers possess and how these affect fundamental rights. Such measures include the taking down of infringing material for hosting providers, but non-hosting service providers typically cannot take down content. Non-hosting providers can influence the availability of content (eg through website blocking), but such options' effectiveness and precision are critical for avoiding disproportionately detrimental effects on fundamental rights. 49 The effectiveness and proportionality of available measures should play a role in selecting the actors best placed to tackle illegal content. Some intermediaries (eg domain name registries) may be able to take certain measures against unlawful content. Still, such measures as the taking down of domain names are both less effective and more likely to be disproportionate than those available to other actors (eg hosting providers), who are also more proximate to the content. Therefore, measures against illegal content should be targeted primarily at actors who can take proportional action. In principle, more remote intermediaries should not be targeted, or they should be targeted only as a last resort. We have previously proposed this principle in a study for the Commission. This idea was adopted in Recital 26 of the proposed DSA. 50

Selected non-hosting functions in the current EU framework
3.1 Intermediary functions related to the DNS IP addresses and domain names play crucial roles in the functioning of the internet, but the ECD's intermediary liability provisions do not explicitly cover the addressing and naming functions. 51 Technically, a domain name registration, in which the registries and registrars are involved, includes some minimal element of information storage, which could be rele- where it is necessary to involve information society services providers, including providers of intermediary services, any requests or orders for such involvement should, as a general rule, be directed to the actor that has the technical and operational ability to act against specific items of illegal content, so as to prevent and minimise any possible negative effects for the availability and accessibility of information that is not illegal content' . 51. Domain names are only mentioned in Art 2(f) ECD in the context of defining commercial communication.
vant for Article 14 ECD. However, this storage only relates to the storage of the domain name as such and the related IP address(es), as well as registrant information in the Whois database; it does not relate to the storage of content, such as a website. A domain name may itself infringe particular laws (eg law on trademarks), for which there would be a safe harbour benefitting the registry or registrar. 52 If the problem consists of illegal content accessible via a domain name, a registry or registrar arguably cannot benefit from the liability exemption in Article 14 ECD because it is not storing information. 53 The raison d'être of Article 12 ECD might fit best for domain name services in a teleological reading, but it was clearly not drafted with the DNS in mind. 54 The services of registries and registrars do not consist of the transmission of information in a communication network; these services only provide pointers to such content through globally unique, location-independent names. 55 Therefore, domain names are sometimes called 'signposts in cyberspace' , 56 and internet standards define the DNS as a support system. It may be argued that registries or registrars are too remotely related to infringing content to risk liability for infringing content in accordance with national liability standards. Nevertheless, there exists some inconclusive lower court jurisprudence. 57 So far, there have been no references to the CJEU regarding the DNS. In the trademarkrelated case of SNB-REACT, 58 the Court addressed another question related to the addressing function, namely service related to IP addresses. From the judgment, which was rendered without an Advocate General's (AG) opinion, it is somewhat unclear exactly what type of service is being considered. 59 The CJEU rephrased the referring court's question in paragraph 40, essentially addressing the 'provider of an IP address rental and registration service', which allowed the defendant's 'customers to use domain names and websites anonymously' (para 49). 60 The CJEU held that, in any case, such service can fall under the ECD's liability exemptions provided that the respective provision's criteria are fulfilled. In the referring case, the defendant argued that it provided access to an electronic communications network together with an information transmission service. giving further guidance on whether such service would qualify under Articles 12, 13 or 14 ECD, leaving it for the referring Court to verify and assess the situation (paras 50 and 52).
Regrettably, this case does not contribute to clarifying the question of whether DNS services are exempted de lege lata, and even for a service consisting of the rental of IP addresses, it is likely that neither exemption's conditions would be fulfilled. De lege ferenda, the question remains whether there ought to be such an exemption. 61 If we consider DNS actors' proximity to content risks, we need to distinguish, inter alia, between business and technical proximity. Indeed, it is possible that the providers of DNS-related services are in a business relationship with the parties committing an infringement. However, the problem is that registries and registrars are technically removed from infringing content, which they neither store nor transport. As a result, they usually do not know about any illegal content, as they would need to investigate how domain names are used. Moreover, there are significant proportionality issues related to the measures DNS actors can take to manage content risks. Registries or registrars can take various domain name-related measures; however, these would often be disproportionate for two reasons. First, the precision of such measures is low because a suspension affects all content to which a domain name points (eg all of wikipedia.org), which is overly broad. Second, the suspension of the domain name only removes the 'signpost' , whereas the content will typically still be available on the machine identified by the related domain names. Thus, suspension of a domain name is not a particularly effective measure for combating illegal content or information in the first place.
Historically, technical abuse, 62 such as the use of malware, has been topical in the DNS space and may be addressed voluntarily by some actors. 63 Recently, however, content-related aspects have also become more topical, as witnessed at the Internet Governance Forum 2019. When ICANN sets policies for the internet, there exists no global agreement on content, and ICANN's mission has been described as unclear but rightly hesitant in relation to content. 64 Despite the above-mentioned conceptual distance from content, some domain registries have engaged in some form of voluntary self-regulation. There exist, for example, trusted notifier arrangements 65  and registrars via a registrar accreditation agreement. New gTLD registry agreements contain certain obligations on registries, which stipulate, inter alia, that registries include a provision in registry-registrar agreements regarding prohibiting registrants 'from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name': see Mahler (n 62) ch 11.

See Council of European National Top-Level Domain Registries (CENTR), Domain Name Registries and Online
Content (CENTR 2019); see also Annemarie Bridy, 'Notice and Takedown in the Domain Name System: ICANN's Police Intellectual Property Crime Unit in the United Kingdom) and industry organisations (eg gTLD registries with the Motion Picture Association of America; gTLDs and ccTLDs in the Healthy Domain Initiative), but there is generally scarce information on their workings. Some registries also address content-or technical abuse-related aspects in their terms of service, and there exist examples of notice-and-actions arrangements. 66 The role of registration data is of special interest. Some ccTLD registries have noted a plausible correlation between domain names that are used for illegal purposes (related to content or technical abuse) and the quality of registration data. In this connection, several registries have introduced some kind of data validation process. 67 Related to registration behaviour, several DNS actors have responded to such issues as the potentially abusive registrations during the Covid-19 crisis. 68

Wi-Fi hotspots
Today, internet cafes, hotels, public places and other establishments regularly offer Wi-Fi hotspots to their customers. Furthermore, citizens sometimes share their internet access with family members, friends or visitors. There are various business models, including the inclusion of advertisement. 69 The provision of Wi-Fi hotspots has a key function for connectivity and implies significant benefits for society, particularly as a complement to existing wireless offers (eg 4G) and future 5G networks. 70 This can be illustrated by the fact that the provision of Wi-Fi hotspots and the related intermediary liability question has also been mentioned, for example, in both the public consultation 71 and the Commission's proposal 72 which lead to Regulation (EU) 2017/1953 on the promotion of internet connectivity in local communities. CJEU jurisprudence on Wi-Fi hotspots has its basis in German cases, so we need to present briefly the national legal context, which may differ significantly from the contexts of other Member States. In 2010, the German Federal Court of Justice (Bundesgerichtshof) held that 'a private person operating a Wi-Fi network with internet access may be regarded as an "interferer" ("Störer") where he has failed to make his network secure by means of a password and thus enabled a third party to infringe a copyright or related right' . 73 This secondary liability 74 applies to an actor who-without being a perpetrator or participant-contributes in any way, deliberately and adequately causally, to the violation of an 'absolute right' . 75 This implies that certain obligations are extended, to some extent, to third parties ('interferers') who have not committed the infringing act. Since the secondary liability cannot be extended excessively to third parties that have not carried out the unlawful act themselves, this liability presupposes the violation of an obligation/duty of care. 76 The extent of that obligation is determined according to what can reasonably be expected from the interferer. 77 This secondary liability was applied to owners of Wi-Fi access points. The remedy typically included monetary damages, the obligation to cease current and stop future infringements, and enforcement costs. Thus, the remedies combined damages (from which intermediaries are exempted), injunctive relief and certain costs. These costs are significant because they can also have a punitive effect, as discussed below.
According to the case law of the CJEU, it is now settled that the providers of Wi-Fi hotspots benefit from the liability exemption under Article 12 ECD. 78 However, in many cases, these 'service providers' do not offer Wi-Fi-based internet access as their main line of business; instead, they do so in their private capacity or ancillary to other businesses, which makes it challenging to achieve a fair balance of fundamental rights. As illustrated by the case law of the CJEU, problems related to the provision of Wi-Fi hotspots often occur in the context of intellectual property rights infringements committed by users of such hotspots. This includes situations in which the hotspot is unsecured, facilitating the use (and the commission of illegal acts) by potentially anonymous third parties.
What can be expected from Wi-Fi hotspot providers? In the McFadden case, the CJEU discussed the different types of measures that could be expected from the provider of a Wi-Fi hotspot. Monitoring all information transmitted would be contrary to Article 15(1) ECD 79 and terminating internet connection would infringe freedom to conduct business. 80 In contrast, requiring password protection strikes a balance in the view of the CJEU: it is sufficiently effective and targeted to protect against further infringements, and it does not damage the essence of the right to freedom to conduct business or freedom of information. 81 Regardless, this raises the question of whether injunctions on 'mere conduit' intermediaries should be delimited at the EU level. The objective with injunctions is to require the service provider to terminate or prevent an infringement. This is different from liability, which may serve restitutionary and punitive purposes. 74. Also sometimes referred to as 'indirect liability': see eg ibid para 71. 75. This means an absolute right in the sense of an exclusive right, eg copyright, based on the notion in German law. Bundesgerichtshof sition of an obligation to make access to a Wi-Fi network secure, as a means of protecting copyright on the Internet, would not be consistent with the requirement for a fair balance to be struck between, on the one hand, the protection of the intellectual property rights enjoyed by copyright holders and, on the other, that of the freedom to conduct business enjoyed by providers of the services in question' (para 147). The AG also noted the importance of having open Wi-Fi networks, which is a significant advantage for society, outweighing the disadvantages for rights holders.
The potential of the punitive effects of injunctions has been of concern. 82 In the German cases, injunctions were procedurally based on a formal notice ('Abmahnung') issued by a lawyer, with costs to be borne by the recipient of the notice. In the leading 2010 Wi-Fi case, the claimed pre-litigation enforcement costs were more than double the claimed damages. In cases where the infringing action-for instance, copyright infringement based on peerto-peer file sharing-was committed by a third person that could not be identified or targeted (eg a family member, visitor or business customer), the costs related to the injunction were ultimately borne by the Wi-Fi hotspot owner (the intermediary) and could have a punitive effect similar to damages for liability. As pointed out by AG Szpunar in McFadden, especially the punitive effect of pre-litigation costs related to injunctions may be problematic in light of the objective of the liability exemption. 83 Although the CJEU did not follow the AG's argument (to exclude pre-litigation expenses), the subsequently mentioned legislative changes in Germany, where the McFadden case had its origin, illustrate the significance of this point. 84 'Mere conduit' service providers in Germany are no longer required to pay the enforcement costs related to the remedy that can be used to require the blocking of access to information. The advantage of this legislative solution is that it affords the rightsholder a mechanism to ensure the future blocking of information while avoiding the punitive effects of substantial pre-litigation costs. Particularly in the context of Wi-Fi hotspots, where service providers may also include private individuals and small businesses, this relates to the interests and fundamental rights of individuals and entities that offer such 'services' in the context of private and family life or simply as an accessory to other business activities. An exhaustive comparative analysis is outside the scope of this article, but if the punitive effects of injunctions targeting Wi-Fi owners are also a problem in other Member States, a harmonised EU approach may be advisable. Under Article 7 of the Charter of Fundamental Rights of the European Union, persons belonging to the same family may, as such, benefit from special protection allowing them not to be compelled to comply with an obligation requiring them to incriminate one another, where one or another of them is suspected of having committed an illegal act. 85 However, EU law 86 precludes national legislation, under which 'the owner of an internet connection used for copyright infringements through file-sharing cannot be held liable to pay damages if he can name at least one family member who might have had access to that connection, without providing further details as to when and how the internet was used by that family member'. 87 Although this has not been highlighted in case law, it is not always clear that all providers of Wi-Fi hotspots provide an information society service (ISS). It is questionable, for example, whether private hotspots provided for family members and friends fulfil the economic requirements of ISSP or whether a Wi-Fi service is always supplied 'at a distance' . While these concepts can be (and often are) defined in a way that includes Wi-Fi hotspots, this also raises the more general question of the usefulness of the ISSP concept for the context of intermediaries (including individuals) facilitating communication in a network.

CDNs
A CDN is a geographically distributed network of both (traditional) caching and reverse proxy servers and data centres that improves the efficiency of the delivery of content to end users. Practically, CDNs solve the need to maintain a large number of specialised caching proxy servers in data centres all over the world and the need to store large media files, such as video content, on servers either in the same data centres as the caching proxy servers or in similar data centres in close physical proximity to users. The technical setup of CDNs is complex and can vary. Two functions of a CDN service provider can be distinguished for their legal assessment: first, they can provide traditional caching service to benefit IAPs based on content requests from users; second, CDN service providers can act on behalf of content owners by moving some of the reverse proxy functions from the data centre of the origin host (hosting in the sense of Article 14 ECD) to data centres at the edge of the network, where CDN equipment is located. The CDN servers become surrogate hosts and can offer both caching of unencrypted content and temporary content hosting at the edge of the network as a service to the host provider; this can also comprise content adaptation services, including encrypting the content using a digital certificate identifying the content owner.
In addition to traditional caching of potentially illegal information, such functions as surrogate hosting and content adaptation could raise some questions on the applicable conditions of the liability exemption if some part of the content in the CDN is illegal. Below, we concentrate on the CDN service on behalf of a content owner. This aspect relates to the question of how the CDN can be integrated into the communication between a content owner and end users. The use of a reverse proxy enables a CDN to distribute the requests of end users to either the cached or the original content.
In practice, CDNs use the DNS as the mechanism for this function. A simple way of handling this is for the content owner (registrant of a domain name) to use the authoritative DNS name server of the CDN provider. As a result, the reverse proxy used by a CDN is 'fronting the host' with an IP address of the CDN. This enables the CDN's DNS name server to respond with the IP address of the reverse proxy with the shortest distance to the user looking up the IP address of the domain name. One relevant technical consequence of this setup is that the IP addresses of the CDN's reverse proxy become the IP addresses of the domain name in the lookup. In other words, the IP address(es) of the host is (are) not visible to the end user. This can be compared to the 'care of ' ( c ⁄ o ) or post office box in the analogous world of letter mail, where the sender does not know the address of the recipient, but the 87. Bastei Lübbe (n 85) para 55.
item is rerouted to a post office. In relation to this consequence, one prominent CDN service provider, Cloudflare, was included in the Commission's Counterfeit and Piracy watch list in 2018 because CDNs can 'provide anonymity to the operators of pirate sites' and 'hide the original IP address of the site which actually hosts the content' . 88 CDN services are often combined with additional related services, such as DNS resolvers, cybersecurity services 89 , hosting or domain registrar services. Today, the use of CDNs is widespread and relied on by a large number of lawful and unlawful services. Given the range of CDN business models consisting of a variety of complex functions, the CDN notion would not be useful as a legal concept. Instead, it is necessary to differentiate between the respective services and functions, which may fall under different liability exemption rules.
Given the increased practical importance of CDNs, it is of interest to assess their role in the intermediary liability regime of the ECD. The availability of liability exemptions has also been identified to be of major business importance to CDN service providers. 90 Generally, there exists little jurisprudence on CDNs and the related technical functions. However, in 2019 and 2020, Cloudflare was subject to several lower court proceedings in EU Member States in the context of injunctions. 91 A CDN provider can guarantee the availability of a website, even when a customer's website is temporarily inaccessible. This relates to hosting, which is covered under Article 14 ECD and not further explored here. The traditional caching aspects of CDNs (on behalf of IAPs) qualify for the liability exemption in Article 13 ECD. Only if a CDN performs content adaptation is the availability of a liability privilege uncertain. This uncertainty emerges because of the requirement not to modify the information. Modifications to the representation of information will likely be unproblematic, whereas modifying the content may void the liability exemption. 92 When the CDN provides a service to the content owner (ie not the IAP), it functionally becomes a 'surrogate host' and can offer both caching of unencrypted content and temporary content hosting at the edge of the network. In addition, the use of a reverse proxy enables a CDN to distribute the requests of end users to either the cached or the original content as load balancing. As a result, the reverse proxy used by a CDN is 'fronting the host' with an IP address of the CDN. This enables the CDN's DNS name server to respond with 88. European Commission, 'Counterfeit and Piracy Watch List' , SWD(2018) 492 final. In the German Cloudflare case (see below), the court underlined that this business model, however, is not based on the promotion of copyright infringements. 89. Eg Distributed-Denial-of-Service (DDoS) attack protection, which is a further function of reverse proxy servers. the IP address of the reverse proxy with the shortest distance to the user looking up the IP address connected to the domain name. This use of a reverse proxy is not covered by Articles 13 or 14 ECD, as it is different from storage (although it could be combined with storage). To be exempted under Article 12, the service would have to consist of transmission in a communication network. However, the reverse proxy is arguably not engaged in the data transmission, but can instead be said to facilitate content delivery by fronting the host with the IP address of the CDN (which is connected to the domain name of the content owner). Even if one conceptualises data transmission broadly, such that it would include reverse proxies, a CDN may engage in the selection of recipients, which would void Article 12. Therefore, it could be argued that no liability exemption is available de lege lata for the reverse proxy mechanism. This could be seen as an unintended consequence, given the significant benefits offered by CDNs and their role as an intermediary between the content owner and the end user. Given that CDNs employ various mechanisms for content delivery, it is possible that the same conclusion would also apply to other technological solutions not addressed here or developed in the future.
To tackle this gap (at least for the use of reverse proxies by CDNs), the lawmaker should consider extending the existing safe harbour provisions, taking into account the degree of control CDNs have over content risks. CDNs have a high business proximity to the content owner because it is most likely a customer of the CDN. The CDN's reverse proxy function is closely related to the content owner, even when it does not store the content. By distributing user requests to various locations where the content is available, the CDN acts as a 'surrogate host' . To some extent, the situation of the CDN is similar to the hosting regulated in Article 14 ECD, except that the CDN does not (necessarily) store the data. When a CDN is employed, users viewing the web page www.example.com are sent to the CDN's IP address, via which the content is delivered or provided. CDNs often also encrypt content using a digital certificate identifying the content owner, thereby increasing the business and technical proximity. At the same time, CDNs are arguably unaware of the possible illegality of the content they distribute. If Article 14 ECD were modified to intermediary services that provide (rather than store) the information, such CDN services would arguably be covered by an amended Article 14. Similarly, Article 13 ECD could be amended to cover the 'intermediate and temporary provision of content', which might be more suitable given the temporal dimension. As a consequence, the reverse proxy used by CDNs and similar solutions would be exempted from liability subject to the conditions of either Article 13 or 14 ECD. The consequences of the respective conditions require further analysis. However, two caveats need to be mentioned with respect to this solution. First, a narrow interpretation of the active/passive criterion might inhibit the solution delineated above, so this would require further analysis. Second, the envisaged extension of Article 13 or 14 ECD would also require further scrutiny because it might have unintended side effects for other services that are not considered here.
There is generally limited information on the self-regulation of CDN providers. From anecdotal evidence, it appears that some CDN service providers may also make contentor use-related decisions based on the enforcement of the terms of service (ToS) with customers. 93 At the company level, Cloudflare has a trusted reporter programme in place in relation to CSAM. 94 According to the German Cloudflare case, this also exists with music rights holders. 95

Processing in the cloud
Remote processing operations carried out in cloud computing and other contexts imply the possibility that the service provider is involved with processing illegal content. 96 Similarly, the remote processing of illegal information may also be problematic in other scenarios, such as with respect to content adaptation, for example, in a CDN context. Content adaptation can be divided into two categories that involve either modifying the representation of the content or the content proper. 'Cloud computing' is used as a label for a variety of business models that primarily offer the use of resources in data centres. A 'cloud computing service' can be defined as a 'digital service that enables access to a scalable and elastic pool of shareable computing resources' . 97 Further characteristics include self-service and metered provision, meaning one only pays for the resources one is using.
Within the liability exemptions of the ECD, it is not easy to locate all services offered in a cloud setting. Under Article 14 ECD, 98 the service provider is not liable for the information stored at the request of a recipient of the service. Storage of information is certainly relevant in cloud settings, but the stored information is often encrypted, which makes notice-andaction challenging. 99 In addition, the relatively complex cloud business models typically go far beyond the storage of information. Services involving the processing of data (thus going beyond storage) include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Cloud-based data processing can have a variety of use cases, including the Internet of Things (IoT) and robotics.
A first question, as mentioned above, is whether cloud processing services can be seen as separate from storage, in the sense that these would be separate actions for which the service provider could be liable. There is no clarity on whether the performance of processing services could be taken as an argument for constituting liability, separate from the argument for the storage of information. It may be argued that the processing is carried out in close relation to the storage function and constitutes some form of 'enhanced hosting' with some extra services. In contrast, Article 14 does not explicitly include wording that would include other (eg processing-related) functions in the safe harbour it provides. 100 Thus, one would have to identify a separate liability exemption for such function. This second question depends on an interpretation of Articles 12 and 13 ECD.
None of the specific liability exemptions of the ECD seem directly to encompass remote processing operations. Potentially, it could be envisaged that a protection may nevertheless be found by interpretation of the ECD's liability exemptions, eg based on a general analogy. Alternatively, a teleological interpretation of some of the aims of the ECD could lead to an expansive interpretation, encompassing services offered that are similar to those covered in Articles 12 to 14, or which are offered in conjunction with such services (in particular, Article 14). However, such general arguments for extending the scope of the liability exemptions, de lege lata, could be difficult because they are based on specific conditions that are closely related to the respective specified function. It would be unclear which conditions would apply to services not explicitly covered currently by the ECD. For example, the requirement that the information cannot be modified clearly appears to be of limited utility in the context of remote processing (including adaptation of the content). Furthermore, such processing is usually not visible to the service provider, particularly if encryption is used and when there are several layers of cloud computing. Concomitantly, we recommend that the European lawmaker address the exemption gap for remote processing operations, as well as the possibility that new business models offer functions that do not fit into the existing limitations.

Live-streaming
Live-streaming has recently become more topical than it was before, both in a commercial context and in the context of illegal or harmful content. The internet supports multicasting, that is, one-to-many communication by streaming content to a group of receivers in a single transmission. In principle, live-streaming without intermediaries storing the content is technically possible. However, in practice, live-streaming is a service that usually provides simultaneous storing and real-time streaming of an event, and live-streaming will use the same CDNs that are used for streaming stored content. There are many service providers offering a technical platform and hosting service for live-streaming.
Because live-streaming involves an event that is transmitted in real time, the party initiating the streaming will start transmitting when the event starts. This party may decide to publish the recorded event as an ordinary streamed video as soon as the real-time event terminates. Users obtain access to the live stream by requesting to receive the transmission. Live-streaming is also part of the content offered by social media services like Facebook and Twitter, and live-streaming content may be suggested to anyone using these services. Many-to-many live-streaming is also supported by many service providers, and this service is usually called video conferencing.
Live-streaming can be a type of linear audio-visual media service that is regulated in the revised AVMSD. This Directive addresses video-sharing platform services, including both non-linear (on demand) and linear services, which arguably include live-streaming. 101 The revised AVMSD (Article 28b) requires providers of video-sharing platforms to take appro-priate measures to address incitement to violence and some forms of hatred against individuals or groups. In addition, the providers need to protect the public from content that is illegal under Union law (related to terrorism, child abuse images, racism and xenophobia). The AVMSD explicitly states in Article 28a(5) that Articles 12 to 15 ECD apply to videosharing platform providers. 102 In the context of the ECD, live-streaming is difficult to locate, and relevant case law is scarce. Functionally, live-streaming is similar to hosting, but it likely does not qualify as such under Article 14 because the streamed content is not stored before the communication but streamed in a linear manner. Technically, live-streaming involves some element of transmission in a communications network ('mere conduit'), 103 but the nature of the service may be different from the one envisaged by Article 12 because of temporal and functional characteristics. 104 The default situation for mere conduit is the instantaneous communication of data in a network, which is over when the data are communicated. Thus, by the time a notice is issued, the communication is already over. In the case of live-streaming, content is continuously streamed for a limited time. This is somewhat comparable to hosting because the live-streaming service 'hosts' the live-stream. However, this is not necessarily using a stored file (like in hosting), but a continuous content stream. Thus, notice-and-action may be possible, and certain measures are obligatory under the AVMSD. Live-streaming may also involve a temporary storage of content (Article 13 ECD), but it is uncertain whether the provider does so 'for the sole purpose of making more efficient the information's onward transition'. 105 Moreover, an eventual liability might be based not (only) on the temporary storage but on the streaming (the provision of access to the streamed content), for which no dedicated exemption exists.
Underlying this is also the question whether live-streaming falls under the ECD regime in the first place. The ISS definition requires that such a service is 'at the individual request of a recipient of services' . 106 It could be argued that this criterion is not fulfilled in the case of live-streaming, which resembles broadcasting. 107 At the same time, the criterion could be fulfilled if the streamer (the person initiating the streaming) were seen as the recipient of the service, but this makes it difficult to distinguish between streaming and broadcasting. Moreover, the live-streaming provider can select the viewer of the live stream-that is, the receiver of the communications-for example, based on algorithms that evaluate the users' interests. This can be the case with respect to existing live-streaming services, such as Facebook and YouTube, but it would arguably void the protection afforded by Article 12(1)(b) ECD. Therefore, under a narrow reading of the ECD, at least some instances of live-streaming may be protected neither under Article 12 or Article 14 ECD.
A future regulation could address the gap, taking into account the control the service provider reasonably has over the content-related risks. A live-streaming services provider has a relatively close proximity to the content compared with typical mere conduit providers. Technically, the live-streaming provider is directly or indirectly connected to the live stream because the streamer is most likely its customer. Moreover, as foreseen in the AVMSD, these providers of video services are in a position to manage some aspects of the live-streaming they organise. At the same time, a service provider cannot be expected to have knowledge of everything happening on its service in real time.
Live-streaming providers might be able to take certain measures. Providers can be notified of an infringing live stream and react to such a live stream (eg take it down), at least while it is still continuing. Providers' failures to react to notices were among the criticisms voiced after the terrorist attack in Christchurch, New Zealand, in 2019. There is limited systematic information on the self-regulation of live-streaming, although this has substantially increased in importance following the Christchurch attack. 108 It is unclear whether providers might technically be able to engage in ex ante monitoring, which would be problematic from a fundamental rights perspective. If mandated, it would have to comply with the prohibition of 'general' monitoring obligations in Article 15 ECD. This temporal aspect is challenging from a regulatory perspective because the service provider needs to act in a timely fashion, and it may be difficult to ascertain whether a certain live-stream contains illegal material. Therefore, a regulation would need to provide possibilities for the service provider to act expeditiously, while at the same time, respecting fundamental rights. It is not clear how this challenge can be resolved going forward.

Search engines
Search engines, 109 or information location tool services, and hyperlinks 110 are other areas of interest related to the delimitation between Articles 12, 13 and 14 ECD. They are also explicitly mentioned in Article 21(2) ECD, a provision in relation to which the Commission was called upon to examine the 'need for proposals concerning the liability of providers of hyperlinks and location tool services' . A closer examination of this is outside the scope of this article, but it should be noted that several Member States have included specific liability exemptions for these services in their national legislation. 111 In Austria and Liechtenstein, for example, the liability exemption for search engine services and hyperlinks follows Article 12 ECD. Spain, Portugal and Romania have enacted such liability exemption for search engines and hyperlinks modelled after Article 14 ECD. 112 In Google France, the CJEU applied Article 14 ECD in the advertising context of search engines, Adwords. 113 In relation to data protection, the CJEU interpreted Data Protection Directive 95/46/EC to contain a ground for removal-that is, de-indexing-of search results in Google Spain, 114 now codified in Article 17 GDPR; however, it did not take a stance on search engines' position with respect to the ECD. A comprehensive overview of national case law on the matter is outside the scope of this article. Despite stark differences in consequences under Article 12-vis-àvis Article 14-akin national regimes, the Commission did not see a risk for fragmentation in the internal market in 2003. 115 Still, this grey area might be of interest when reviewing the ECD. 116

Filling in the missing parts of the liability exemption regime going forward
The ECD was adopted more than twenty years ago. The non-hosting examples analysed in this article have so far generally-but to varying degrees-given little rise to case law before the CJEU. At the same time, the landscape of non-hosting intermediaries has developed significantly since the adoption of the ECD, for example, with regard to the development from caching to CDNs and content adaptation, as well as developments related to cloud computing. We conclude that, despite rapid technological developments, the focus of and the rationale for the intermediary liability exemption regime in relation to non-hosting intermediaries have aged well. However, the above analysis of certain selected non-hosting functions related, for example, to the DNS, CDNs, processing in the cloud and live-streaming, has revealed that clarifications and upgrades are advisable or necessary to a varying extent. Certain non-hosting functions appear to fall through the cracks, for example, because they do not fit properly in the current regime. Notably, this relates both to relatively new intermediary functions and old established intermediary functions (eg related to the DNS), which may be uncertain under the current liability exemption regime.
The importance of the liability exemption framework is underlined by the fact that intermediaries' response to illegal content or information on the internet is influenced by, inter alia, the respective liability conditions, which vary greatly between 'mere conduit' and hosting. As shown, some non-hosting actors rely on notice-and-action mechanisms, which we know from the hosting/platform discussion. However, voluntary measures should also be subject to transparency obligations and procedural safeguards, and effective remedies should be available for users to safeguard fundamental rights. 117 The current European framework and its proposed upgrade in the form of the DSA are characterised by several properties that contribute to legal certainty, such as their horizontal nature and focus on illegal content rather than unclear notions, such as harmful or abusive content. It is also important to underline that the European framework is directed at certain specific intermediary functions, not actors. Notably, the existing liability exemptions are proposed to remain largely unchanged, which would further cement this classification. 118 From a legal certainty perspective, this is preferable to, for example, a 'sliding scale' without clear conditions. Intermediaries fulfil important societal functions that structurally limit their ability to take proportionate and effective measures to control all risks related to illegal content, without negative effects on an open and free internet. In this respect, Article 15 ECD is a cornerstone of ensuring a fair balance of interests and rights, including fundamental rights. Yet, today, the ECD lacks a foundation for intermediary liability exemptions that would open for a teleological interpretation, for example, based on a proportionality principle, meaning that more remote intermediaries should not be targeted or only be targeted as a last resort. 119 An upgraded liability exemption regime should be future proof and become even more technology neutral, thereby increasing its shelf life. A level playing field and uniform interpretation may be ensured by a Regulation (as opposed to a Directive) as proposed. Appropriate liability exemptions should be based on clear criteria. Addressed intermediary functions should be kept technology neutral and flexible while ensuring legal certainty. If possible, the focus ought to be on abstract criteria-that is, on 'what is done' rather than 'how it is done' . Furthermore, conditions of liability exemptions should be differentiated from obligations on service providers, as foreseen in the proposal for the DSA.
The current ECD liability exemption regime, as well as the proposed update in the form of the DSA, focus on transmission in, or access to, a communication network and storage. Significant grey areas arise in two dimensions. First, 'auxiliary network intermediary' functions do not transmit data in a communications network or provide access to these. 120 Thus, these functions do not easily fit into 'mere conduit' ('direct network intermediary' functions) or other categories. Second, the 'temporary provision and processing of information' is different from storage, so it may not qualify as hosting.
On the first point, the liability exemption regime for these more remote-that is, auxiliary-network intermediaries (eg related to provision of domain names and domain name-related services, IP addresses, client software, etc) 121 is currently unclear. This could be resolved either by introducing a general liability exemption principle (for all network intermediaries outside existing categories), introducing a specific exemption for 'auxiliary network intermediaries' , 122 or adopting a hybrid approach representing a combination of both.
Criteria for assigning conditions and obligations could be based on the degree of control. Relevant parameters include the service provider's proximity to the content risk and the 118. Compare Articles 3-5 DSA proposal. 119. See, however, Recital 26 DSA proposal, as discussed above. 120. As we suggested to the Commission, a definition of auxiliary network intermediary functions could be 'a service that does not fall into any of the remaining categories of intermediary functions. Such service supports the functions of other intermediaries, for example, by facilitating an underlying logical architecture and addressing system of networks, or offering software or services that enable or improve the functions of other intermediaries.' See Schwemer and others (n 47), along with considerations for drafting available at SSRN <http://ssrn.com/ abstract=3810963>. Recital 27 DSA proposal partly relies on this wording without introducing a designated liability exemption. 121. Search raises specific issues and should not be included here. 122. Such an exemption could be based on Article 12 ECD and take into account the low degree of control of these functions.
availability of proportional mechanisms for managing risk (see above). Actors with limited or no control over content risk should be exempted with few/no conditions. Actors with more control over content risk should be exempted only based on more extensive conditions, subject to specific obligations. 123 Furthermore, non-exhaustive lists of examples in clarifying recitals for each category may contribute to technological neutrality while maintaining legal certainty. 124 In the recent DSA proposal, the European lawmaker indeed appears to attempt this by acknowledging in Recital 27 that 'new technologies have emerged that improve the availability, efficiency, speed, reliability, capacity and security of systems for the transmission and storage of data online, leading to an increasingly complex online ecosystem'. The recital goes on to recall that 'providers of services establishing and facilitating the underlying logical architecture and proper functioning of the internet, including technical auxiliary functions, can also benefit from the exemptions from liability set out in this Regulation, to the extent that their services qualify as "mere conduits", "caching" or hosting services' . In this context, Recital 27 provides a non-exhaustive list of examples, including services related to Wi-Fi, the DNS, top-level domain name registries, certificate authorities, CDNs, Voice over IP, messaging and web-based e-mail. However, given that the existing liability exemptions for 'mere conduit' , 'caching' and hosting remain largely unchanged, the recital seems to add little legal certainty against the background of the challenges identified in this article.
On the second point, remote (cloud) processing does not currently appear to be covered by existing exemptions in the ECD. This also applies to 'content adaptation' , where the content as such is modified. Modifying the representation of content in the context of caching might be covered by Article 13 ECD. These services are desirable in the digital society and enable new innovations and business opportunities, including those with a focus on IoT. Furthermore, the liability exemption for the 'provision' of information (other than storage, ie hosting) is unclear. As a possible result, as argued above, certain CDN and live-streaming services appear to fall outside the scope of current and proposed liability exemptions, inter alia, because they might not store the information. If there are good reasons for exempting these non-hosting functions, these issues could be remedied by introducing a liability exemption for the 'temporary provision' and 'processing' of information. 125 In addition to the liability exemptions framework, the DSA proposal also introduces certain novel due diligence obligations, which are to be seen as separate from but related to the liability exemptions. These obligations increase gradually from 'intermediary services' via 'hosting services' and 'online platforms' to 'very large online platforms' . At first glance, it seems that services related to non-hosting could indeed fall under the broad notion of 'intermediary service' . However, a closer look at the proposed definition reveals that the definition of 'intermediary service' relies on the notions of 'mere conduit' , 'caching' and hosting. 126 Given our analysis of potential difficulties in fitting some non-hosting functions in these 'boxes', it may well be that providers of certain non-hosting services would not 123. This could also be part of a recital that helps solve future unclear cases. See too Recital 26 DSA proposal. 124. For example, Wi-Fi hotspots, IAPs, IXPs, etc in the context of direct network intermediaries. 125. This needs further scrutiny and could, for example, be done in two alternative ways. First, it could involve introducing a new liability exemption with appropriate conditions depending on the degree of control, for example, inspired by the current Article 14 ECD. This could be used for remote cloud processing and content adaptation in the form of modification of content as such, as well as the 'provision of information' , irrespective of whether that content is stored or provided in a linear fashion or otherwise. Second, inspired by Article 13 ECD, it could be expanded to 'temporary storage or processing' and the 'intermediate and temporary provision of content' . 126. See Article 2(f) DSA proposal.