Brussels, 26 November 2024
Starting this week, the providers of the first 19 very large online platforms (VLOPs) and very large online search engines (VLOSEs) designated in April 2023 must publish their annual risk assessment and audit reports for the first time, under the Digital Services Act (DSA).
These reports must include the assessments that providers of VLOPs and VLOSEs carried out to identify and analyse the risks stemming from their services, such as the dissemination of illegal content, disinformation or the protection of minors. These reports also outline the measures VLOPs and VLOSEs have put in place to mitigate the identified risks.
With the publication of these reports, the DSA is set to bring a new era of transparency and accountability to the tech industry, helping to protect users and society from potential harm and promoting a safer, more responsible online environment.
More information about the reports and publication obligations is here.
The Commission will also organise workshops where the providers of these designated services are invited to present the published risk assessments to the national Digital Services Coordinators, civil society organisations and other stakeholders. These workshops are expected to take place at the beginning of 2025.
Q&A on audit reports under Digital Services Act
Questions & Answers on the publication of risk assessment reports, audit reports and audit implementation reports under Article 42 of the Digital Services Act (DSA).
Audit Reports under DSA
Do providers of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) have an obligation to publish the reports resulting from the risk assessments and audits of their services?
Yes. Starting in the second year in which the specific DSA obligations for VLOPs and VLOSEs apply to them, their providers have an obligation to publish each year reports on their risk assessments of the ongoing year, their risk mitigation measures, as well as their audit reports and audit implementation reports.
Where applicable, they also must publish information about consultations they conducted with external experts in support of the risk assessments and the design of risk mitigation measures.
For context: Providers of VLOPs and VLOSEs must assess systemic risks stemming from their services at least once a year, and in any event always prior to deploying new functionalities that are likely to have an impact on the risks they are obliged to identify under the DSA, and they must put in place mitigation measures tailored to the risks they identified as part of that risk assessment. The DSA also requires providers of VLOPs and VLOSEs to ensure that their services undergo a compliance audit at least once a year, leading to an audit report by an independent auditing organisation. The providers must transmit it to the Commission and the Digital Services Coordinator of establishment without undue delay upon completion. Where auditors make recommendations concerning compliance with the DSA, providers must present their reactions to those recommendations in an audit implementation report.
Relevant Articles: 34, 35, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”). The specific DSA obligations for VLOPs and VLOSEs are those contained in Section 5, Chapter III of the DSA.
When do providers of VLOPs and VLOSEs have to publish the reports?
The publication should take place at the latest three months after the receipt of the report on the yearly compliance audit that each VLOP and VLOSE must undergo. This means that for each service, the publication date depends on when the independent auditing organisation is required to send its audit report to the provider.
The DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo an independent audit at least once a year, leading to an audit report by the auditing organisation. For the first 19 VLOPs and VLOSEs designated by the Commission in April 2023, the DSA became applicable in August 2023 and the audit reports were due between 28 August and 04 September 2024 at the latest, depending on the date the provider acknowledged receipt of the designation decision.
In any event, providers of VLOPs and VLOSEs must transmit the reports concerning their risk assessments (including the ad hoc risk assessment reports prior to deploying new functionalities), risk mitigation measures and compliance audits to their Digital Services Coordinator of establishment and to the Commission without undue delay upon completion.
Relevant Articles: Arts. 34, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”)
How should providers of VLOPs and VLOSEs approach confidentiality needs and redactions under Article 42(5) DSA?
The DSA pursues broad transparency and public scrutiny goals, as confirmed by the Vice-President of the Court of Justice of the European Union in its orders in Cases C-639/23 P(R), C-511/24 P(R), and C-620/24 P(R) concerning interim relief requested in relation to the obligation laid down in Article 39 DSA. Moreover, recital 100 DSA states that providers of VLOPs and VLOSEs should report “comprehensively” on their risk assessment.
The publication of reports concerning the risk assessments and risk mitigation measures by providers of VLOPs and VLOSEs and their yearly DSA compliance audits is crucial for informing the public (including civil society organisations, media representatives, researchers) and for fostering a societal debate about the systemic risks stemming from VLOPs and VLOSEs and the risk mitigation measures adopted by their providers.
Therefore, the reports that the providers publish must be as complete as possible. At the same time, providers of VLOPs and VLOSEs may remove information from the reports that they must publish when such information might:
- result in the disclosure of confidential information of the provider or of recipients of the service;
- cause significant vulnerabilities for the security of the service;
- undermine public security; or
- harm recipients of the service.
Providers of VLOPs and VLOSEs must provide a statement of the reasons to the Digital Services Coordinator of establishment and to the Commission for the removal of information from the public version of their risk assessment reports. The statements of reasons must thoroughly justify each redaction and specifically explain why, in the view of the provider of the VLOPs and VLOSEs, the redactions are justified under Article 42(5) DSA.
In view of the transparency goals of the DSA, redactions may only be made exceptionally and must be justified with clear reasoning explaining all relevant conditions as set out in Article 42(5) DSA.
Relevant Article: Art. 42(5) of Regulation (EU) 2022/2065 (“DSA”)
What is considered as confidential information that may be redacted from reports that providers of VLOPs and VLOSEs must publish under the DSA?
According to the case-law of the Court of Justice of the European Union (see, for example: Case T-198/03, Bank Austria Creditanstalt), information is to be considered confidential where it cumulatively satisfies the following three pre-requisites for protection:
- it must be known only to a limited number of persons;
- its disclosure must be liable to cause serious harm to the person who has provided it or to third parties;
- the interests liable to be harmed by the disclosure must be objectively worthy of protection, which is to be assessed when weighing the interests opposing publication against the public interest in the publication.
Exceptions to the obligation of publication are to be interpreted restrictively. Justifications for redactions must be clear and well-explained. Each redaction has to be assessed on a case-by-case basis and an explanation of the reasons for that redaction, in view of the conditions outlined in Article 42(5) DSA, has to be provided. Where providers of VLOPs and VLOSEs redact information on the basis of confidentiality claims, they must substantiate their claims that the information qualifies as confidential (i.e. that it fulfils all three conditions enumerated above) in the statements of reasons that they submit to the Digital Services Coordinator of establishment and to the Commission. Incomplete, unsubstantiated, generic or only partially substantiated claims cannot be deemed to justify redactions. Providers of VLOPs and VLOSEs must justify confidentiality claims concerning specific parts of text in their reports. For example, confidentiality cannot be claimed on the risk assessment reports as a whole.
Where absolutely necessary to protect information which has been deemed to constitute confidential information, providers can paraphrase the text at issue in the public versions of the reports.
Relevant Article: Art. 42(5) of Regulation (EU) 2022/2065 (“DSA”)
What are the consequences if a VLOP or VLOSE provider redacts information which would not fulfil the conditions of Article 42(5) when publishing its risk assessment report pursuant to Article 42 DSA?
Where the Commission considers that redactions are unjustified and thus that the provider of a VLOP or VLOSE has not fully complied with its transparency obligations, it may consider such action to constitute an infringement of the regulation.
Relevant Article: Art. 42 of Regulation (EU) 2022/2065 (“DSA”)
Must providers of VLOPs and VLOSEs that carried out a risk assessment a year before their first audit report was due also publish that risk assessment?
Article 42(4) DSA establishes a yearly publishing cycle of reports, with the aim of ensuring transparency. The purpose of that publishing cycle is to enable the public to compare the risk assessment reports of VLOPs and VLOSEs referred to in Article 34 DSA with the independent audit reports of VLOPs and VLOSEs referred to in Article 37(4) DSA.
Moreover, Article 37 DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo audits at least once a year, resulting in mandatory audit reports. The first yearly audit report is due one year after the rules for VLOPs and VLOSEs began to apply to the service in question. Article 42(4) DSA requires providers of VLOPs and VLOSEs to publish their audit reports at the latest three months after their receipt from the auditing organisation. Three months after the date of receipt of the audit report, the provider of VLOPs and VLOSEs must also publish the other reports listed in Article 42(4) DSA, including “a report setting out the risk assessment pursuant to Article 34”. Both the audit report and the other reports mentioned in Article 42(4) DSA that providers of VLOPs and VLOSEs must publish, including the risk assessment report, are those of the ongoing year.
Given that an audit report only needs to be compiled and published one full year following the entry into application of the rules for VLOPs and VLOSEs to a designated service, the obligation to publish the risk assessment report in Article 42(4) DSA also only applies as of one year after that date. Consequently, while providers of services designated as VLOPs and VLOSEs in April 2023 were obliged to compile their first risk assessment reports in August/September 2023, Article 42(4) DSA only requires those providers to publish their risk assessment reports for 2024 alongside their audit reports for 2024. The Commission nevertheless encourages providers of VLOPs and VLOSEs to also publish their risk assessment reports of the first year in which the rules for VLOPs and VLOSEs apply to their services even if their annual audit report was not yet due.
Relevant Articles: Arts. 37(4) and 42(4) of Regulation (EU) 2022/2065 (“DSA”). The specific DSA obligations for VLOPs and VLOSEs are those contained in Section 5, Chapter III of the DSA.