Technology, Media and Telecommunications (TMT)

CJEU Grand Chamber clarifies the 'coordinated field' and hosting liability under the E-Commerce Directive

Published on 13th July 2026

Landmark rulings on country-of-origin protection and hosting safe harbours are significant for digital service operators

Hand pointing at blue touchscreen with swirl of dots

At a glance

  • The Grand Chamber has indicated when member states may override the country-of-origin principle under the E-Commerce Directive.

  • Algorithms that go beyond categorisation and indexation may disqualify operators from the hosting-provider safe harbour.

  • Procedural notification failures render national content restrictions unenforceable against cross-border service providers.

The Court of Justice of the European Union (CJEU) Grand Chamber has issued a significant ruling on the scope and limits of the country-of-origin principle and the hosting-provider exemption under the E-Commerce Directive (Directive 2000/31), with important implications for digital service operators across the EU

In the joined cases C-188/24 and C-190/24, decided on 16 June, the CJEU ruled on two references from the French Conseil d'État concerning the compatibility of French national measures with the E-Commerce Directive. The first involved Czech-based operators of pornographic websites challenging age-verification obligations imposed by the French audiovisual regulator Arcom. The second concerned a French driving-assistance service operator contesting a prohibition on rebroadcasting user messages revealing the location of certain roadside checks.

The court held that both sets of measures fall within the "coordinated field" of the directive and constitute restrictions on the free movement of "information society services" under article 3(2). France may nonetheless derogate from the country-of-origin principle under article 3(4)(a), provided the measures are necessary, individualised and proportionate, conditions that were met in both cases, subject to compliance with the procedural notification requirements, failing which the measures are unenforceable against individuals.

As regards the hosting-provider qualification under articles 14 and 15 of the E-Commerce Directive, the Court clarified that an operator cannot benefit from the hosting-provider exemption where it exercises control over the stored information, even absent actual knowledge. The control may be exercised through algorithms that determine the conditions under which information is or is not broadcast, going beyond mere categorisation or indexation. 

The CJEU held that the rebroadcasting prohibition at issue does not constitute a general monitoring obligation prohibited by the E-Commerce Directive, as the targeted information is sufficiently circumscribed to be automatically identified without an independent assessment of all stored content. A member state is not precluded from prohibiting, on public-policy, safety or security grounds, even a hosting provider from rebroadcasting such sufficiently circumscribed information.

Joined proceedings

Two proceedings were joined before the court. In Case C-188/24, WebGroup Czech Republic and NKL Associates, Czech Republic-based operators of pornographic websites, challenged formal notices issued by Arcom and the underlying Decree No 2021-1306 implementing article 227-24 of the Criminal Code and Law No. 2020-936, which prohibits broadcasting pornographic content accessible to minors.

In Case C-190/24, Coyote System, a French operator of an electronic-driving assistance and geolocation navigation service, challenged Decree No 2021-468 implementing article L. 130-11 of the Road Traffic Code, which allows the authorities to prohibit such operators from rebroadcasting user messages revealing the location of certain roadside checks, including alcohol and drug testing, counter-terrorism operations and similar. 

Both cases were referred by the Conseil d'État, which asked the CJEU whether these national measures were compatible with the E-Commerce Directive. The court structured its analysis in two parts.

The coordinated field

Part one asked if the French legislative measures at issue fell within the coordinated field and restrict the free movement of information society services? If so, could France nevertheless impose such measures on providers established in other member states, by way of derogation from the “country of origin” principle of article 3(2) of the E-Commerce Directive?

The court held that national provisions pursuing criminal law, public policy, security or safety objectives are not excluded from the “coordinated field” within the meaning of article 2(h)(i) of the E-Commerce Directive. The coordinated field covers all legal requirements of member states relating to the taking up or pursuit of the activity of an information society service, with the exception of requirements applicable to goods, the supply of goods and services not provided by electronic means.

Accordingly, both age-verification requirements and rebroadcasting prohibitions constitute requirements relating to the “pursuit of information society service activities”, as they set the conditions for user access to the service and limit its functionalities. They therefore engage article 3(2) of the E-Commerce Directive, which prohibits member states, for reasons falling within the coordinated field, from restricting the free movement of information society services from another member state.

Derogation conditions

Article 3(4)(a) allows a member state to derogate from article 3(2) for a given service, provided the measures are: necessary in the interests of public policy, the protection of public health, public security or the protection of consumers; targeted at a service that actually prejudices or seriously risks prejudicing the protected objectives such as individualised measures; and proportionate.

Such derogation is also subject to procedural rules: a prior, unsuccessful invitation to the member state of establishment of the providers concerned to take sufficient measures; and notification to the member state of establishment and to the European Commission of the intention to take such measures.

The court found that the measures at issue were necessary in the interests of public policy and public security, which encompasses the protection of minors, as well as public security and national security.

Individualisation and proportionality

The general legislative prohibitions do not, in themselves, constitute individualised measures within the meaning of article 3(4)(a). However, the formal notice that the president of Arcom, as France's digital services coordinator, has the power to issue individually to an operator of an online public communication service broadcasting pornographic content, requiring it to take all measures necessary to prevent access by minors to that content, satisfies such a requirement. 

Individual decisions prohibiting the operators of a given service from rebroadcasting certain information meet this requirement.

The measures were also found to be proportionate to the objectives pursued.

Procedural requirements

The court confirmed that targeted measures are subject to these procedural obligations. Failure to comply with them justifies the unenforceability of non-notified measures restricting the free movement of information society services against individuals.

A member state may derogate from these procedural obligations in the case of urgency, in which case the measures are to be notified in the shortest possible time, indicating the reasons why the member state considers that there is urgency. It is for the referring court, the French Conseil d'État, to assess whether these conditions are met in the present case.

Hosting-provider status

Part two addressed the hosting-provider qualification of Coyote System and the role of algorithms exercising control over the stored information in articles 14 and 15 of the E-Commerce Directive.

To qualify as a hosting provider, an operator must be an intermediary service provider whose activity is limited to the technical process of operating and giving access to a communication network. The activity must be of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.

The two conditions of knowledge and control are alternative and independent of each other. An operator controlling the stored information can therefore not benefit from the hosting-provider qualification, even if it does not become aware of the information.

Algorithmic control

Such control can be exercised through algorithms, where these algorithms determine the information that may or may not be broadcast. Where an algorithm goes beyond a mere categorisation and indexation of information for the purpose of improving its accessibility, and instead determines, in the interest of the operator or its service, under what conditions, how and in which order of priority that information is or is not broadcast, the operator exercises control over that information and cannot benefit from the hosting-provider qualification.

Rebroadcasting prohibition

Even assuming hosting-provider status, the court found that the rebroadcasting prohibition does not amount to a general monitoring obligation prohibited by the E-Commerce Directive, as the targeted information is sufficiently circumscribed to be automatically identified without an independent assessment of all stored content (CJEU, 3 October 2019, C-18/18, Glawischnig-Piesczek, §§ 46–47).

A member state is not precluded from prohibiting, on public-policy, security or safety grounds, even a hosting provider from rebroadcasting sufficiently circumscribed information relating to certain roadside checks.

Implications for digital operators

This ruling confirms that the country-of-origin principle remains the cornerstone of the E-Commerce Directive framework, but is not absolute. Member states may impose content-related obligations, including age-verification mechanisms and rebroadcasting restrictions, on providers established in other member states, provided the substantive conditions of article 3(4)(a) are satisfied: necessity, individualisation and proportionality. 

Compliance with the procedural steps of article 3(4)(b) is also required: a prior request to the member state of establishment and notification to the Commission. Failure to comply with these procedural requirements renders the measures unenforceable against the targeted operators. How national authorities will implement these procedural requirements in practice remains to be seen.

The ruling also underscores that, in the context of the article 3(4) derogation mechanism, general legislative prohibitions alone do not satisfy the individualisation requirement of article 3(4)(a). Operators can only be bound by specific, individualised decisions, such as formal notices or injunctions, addressed to their particular service. Absent a targeted administrative or judicial decision, a general prohibition adopted by a non-establishment member state cannot, by itself, be enforced against a cross-border information society service provider.

This analysis retains direct relevance under the Digital Services Act (DSA). Article 2(3) of the DSA contains a non-affectation clause preserving the application of article 3 of the E-Commerce Directive. National legislation that restricts the cross-border provision of information society services remains in principle subject to the country-of-origin principle and the derogation mechanism of article 3(4) of the E-Commerce Directive, including its requirements of necessity, individualisation, proportionality and procedural notification obligations.

Critically for digital service operators, the Grand Chamber clarifies the scope of the hosting-provider exemption under the E-Commerce Directive. Where an algorithm determines, in the interest of the operator or its service, under what conditions, how and in which order of priority information is or is not broadcast (going beyond mere categorisation or indexation) the operator exercises control over that information and is disqualified from the liability safe harbour, irrespective of whether it has actual knowledge of the content.

Osborne Clarke comment

The implications of this ruling should not be overstated. The court expressly maintained that mere categorisation and indexation of content by means of algorithms do not, in themselves, deprive an operator of hosting-provider status. 

The judgment does not establish that any use of algorithms to process user-generated content automatically disqualifies an operator from the liability safe harbour. Rather, where algorithms are deployed in such a manner as to confer editorial control over the information by determining, in the interest of the operator or its service, the conditions, manner and order of priority in which content is or is not broadcast, then the loss of hosting-provider status may follow. 

Operators relying on recommendation algorithms, content-ranking systems or automated curation tools should reassess their liability exposure in light of this ruling and consider whether their algorithmic architecture may be characterised as exercising such control. The implications may extend to the DSA, whose liability exemption for hosting is structurally akin to the regime formerly established under the E-Commerce Directive. The DSA repealed articles 12 to 15 of the E-Commerce Directive. 

However, the extent to which the present ruling can be transposed to the definitions under the DSA remains open to debate in light of the General Court's judgment in Zalando SE v European Commission of 3 September 2025 (Case T-348/23), in which the court held that the interpretation of the concept of "intermediary service provider" was expressly limited to the meaning intended in the context of section 4 of chapter II of the E-Commerce Directive and cannot be relied upon for the purposes of applying the DSA, which establishes its own distinct liability regime.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?