--- title: "EU DSA Checklist" canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/checklist" source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/checklist" author: "Sorena AI" description: "An audit-ready EU Digital Services Act (DSA) compliance checklist for Regulation (EU) 2022/2065: scope memo, terms transparency." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "EU DSA checklist" - "DSA compliance checklist" - "Digital Services Act checklist" - "DSA audit checklist" - "notice and action checklist" - "statement of reasons checklist" - "DSA transparency report checklist" - "VLOP compliance checklist" - "marketplace DSA checklist" - "DSA checklist" - "notice and action" - "statement of reasons" - "transparency reporting" - "marketplace compliance" - "VLOP audit" - "systemic risk" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU DSA Checklist An audit-ready EU Digital Services Act (DSA) compliance checklist for Regulation (EU) 2022/2065: scope memo, terms transparency. *Checklist* *EU* ## EU Digital Services Act (DSA) Checklist A checklist you can run per service and tier - and reuse for audits and enforcement questions. Structured as teams execute: scope -> workflows -> reporting -> tier upgrades (marketplace, VLOP/VLOSE). DSA compliance is a program, not a one-time policy update. Use this checklist per service (you may operate multiple services) and per tier (intermediary/hosting/platform/marketplace/VLOP). Each checklist item should have an owner, acceptance criteria, and evidence you can retrieve later. ## Checklist A - Scope memo and tiering (the "defensible baseline") Before you build controls, lock your classification and tier assumptions. This prevents scope drift and ensures you implement the right obligation set. - Inventory each service: features, recipients, and EU offering facts. - Classify per service: intermediary -> hosting -> online platform -> marketplace/search engine. - Document micro/small status analysis (if claimed) and exceptions/overrides. - Define tier trigger metrics: AMAR calculation approach (Article 24) and VLOP/VLOSE threshold monitoring (Article 33). - Produce a requirements matrix: Article -> obligation -> control -> owner -> evidence -> reporting cadence. *Recommended next step* *Placement: after the checklist block* ## Turn EU Digital Services Act (DSA) Checklist into an operational assessment Assessment Autopilot can take EU Digital Services Act (DSA) Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU Digital Services Act (DSA) Checklist](/solutions/assessment.md): Start from EU Digital Services Act (DSA) Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU Digital Services Act (DSA)](/contact.md): Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) Checklist. ## Checklist B - Terms, contact points, and operational readiness Baseline obligations are operational: recipients must be able to reach you and understand how moderation works. These are foundational because they appear in multiple reporting and redress pathways. - Single point of contact for recipients is user-friendly and not solely automated (Article 12). - If not established in the EU and offering services in the EU, designate a legal representative and publish contact details (Article 13). - Update terms and conditions to disclose content moderation policies, procedures, measures, and tools (including algorithmic decision-making + human review) in clear, plain, machine-readable format (Article 14). - Build change management: recipients are informed of significant terms changes (Article 14(2)); minors-friendly explanations where relevant (Article 14(3)). ## Checklist C - Hosting workflows: notice & action + statement of reasons If you host user-provided information, your first engineering deliverable is a notice & action system plus explainability for restrictions. Treat these as compliance workflows with SLAs, audit logs, and QA. - Notice intake mechanism is electronic, easy to access, user-friendly (Article 16(1)). - Notice form captures required elements (Article 16(2)): reasons, exact location (URLs), notifier identity (with narrow exception), and good-faith statement. - Processing is timely, diligent, non-arbitrary, objective; automation use is disclosed in notifications (Article 16(6)). - Notifiers receive receipt confirmation and decision notification with redress options (Article 16(4)-(5)). - Affected recipients receive a clear, specific statement of reasons for restrictions (Article 17) including grounds, facts, automation use, and redress options. - Criminal threat reporting process exists for serious suspected offences (Article 18). ## Checklist D - Platform layer: transparency reporting + interface integrity Online platforms carry additional transparency and integrity duties, often requiring data pipelines and UI changes. Make reporting a product: define data owners, validation, and sign-off. - Annual transparency report (Article 15) is produced and published; covers orders, notices, complaints, automated moderation, and error/accuracy indicators. - If you are an online platform: include Article 24 additions (out-of-court dispute settlement metrics, suspensions) and publish AMAR every 6 months (Article 24(2)). - Submit Article 17 statements of reasons for inclusion in the Commission database (Article 24(5)), ensuring no personal data is included. - Interface is designed to avoid manipulative patterns (Article 25): termination not harder than subscription, no repeated coercive popups, etc. - Ads transparency (Article 26) and recommender transparency (Article 27) controls are implemented if applicable. ## Checklist E - Marketplace layer (distance contracts with traders) If consumers can conclude distance contracts with traders, trader traceability and compliance-by-design become core controls. Plan for KYC-like onboarding, verification, suspension, retention and deletion. - Trader onboarding collects Article 30 information (identity/contact, register IDs, payment account details, self-certification). - Best-effort reliability checks are implemented using official databases and supporting documents (Article 30(2)). - Suspension workflow for missing/inaccurate trader info exists (Article 30(2)-(3)) and complaint path is documented (Article 30(4)). - Consumer-facing trader info is displayed on listings (Article 30(7)). - Interface enables traders to provide required product safety/compliance information (Article 31) and supports random illegality checks (Article 31(3)). - Consumer notification/redress workflow exists when illegal products/services are discovered (Article 32). ## Checklist F - VLOP/VLOSE layer (systemic risk, audits, and enhanced transparency) VLOP/VLOSE compliance is a governance and risk-management program with an annual audit cycle. If you could be designated, build the calendar and evidence model early. - AMAR methodology is defensible and published at least every 6 months (Article 24(2)); prepare for Commission requests (Article 24(3)). - Risk assessment is completed at designation application date and at least annually; repeated before major feature launches (Article 34). - Risk mitigation measures are defined, owned, and monitored (Article 35) with a clear measurement plan. - Independent audit is performed and an audit implementation report is produced (Article 37). - Enhanced transparency reporting cadence is established (Article 42): at least every 6 months plus publication of risk assessment, mitigation, audit and implementation reports (with confidentiality carve-outs). - Recommender non-profiling option exists for each recommender system (Article 38) and ad repository exists with search tool + APIs (Article 39). ## Checklist G - Enforcement readiness (the evidence pack) Enforcement risk drops when you can explain your decisions and produce evidence quickly. Build an evidence pack that maps to workflows and reporting outputs. - Policy evidence: terms transparency, moderation policies, redress policies, marketplace policies. - Workflow evidence: notice processing logs, decision timestamps, statement-of-reasons records, appeals outcomes. - Reporting evidence: dataset definitions, QA checks, sign-offs, and published reports. - Security and privacy: ensure DSA submissions (e.g., statement-of-reasons database) exclude personal data where required. - Governance: owners, RACI, review cadence, and change management for scope and control updates. ## Primary sources - [Regulation (EU) 2022/2065 (Digital Services Act) - Official Journal](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Primary legal text for obligations and evidence expectations referenced in this checklist (Articles 12-18, 15/24/42 reporting, 25-28 platform duties, 30-32 marketplace, 33-39 VLOP/VLOSE, 52 penalties). - [European Commission - The enforcement framework under the Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement?ref=sorena.io) - Commission overview of enforcement and supervision, including VLOP supervision, investigations, and transparency expectations. ## Related Topic Guides - [DSA Ads & Recommender Systems | Article 26, 27, 38 & 39 Compliance](/artifacts/eu/digital-services-act/ads-and-recommender-systems.md): A deep compliance guide for DSA advertising and recommender system obligations: ad transparency (Article 26), recommender system transparency (Article 27). - [DSA Applicability Test | Is the EU Digital Services Act Applicable to You?](/artifacts/eu/digital-services-act/applicability-test.md): A step-by-step applicability test for the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): EU offering triggers. - [DSA Enforcement & Investigations | DSCs, Commission Powers, Audits & Procedures](/artifacts/eu/digital-services-act/enforcement-penalties-and-investigations.md): A practical guide to DSA enforcement (Regulation (EU) 2022/2065): how Digital Services Coordinators (DSCs) supervise services. - [DSA Notice & Action Workflow | Article 16 Requirements + Templates](/artifacts/eu/digital-services-act/notice-and-action-workflow.md): A deep implementation guide for DSA notice & action (Regulation (EU) 2022/2065, Article 16): intake design, required notice elements. - [DSA Penalties & Fines | Digital Services Act Enforcement Exposure (6% / 1% / 5%)](/artifacts/eu/digital-services-act/penalties-and-fines.md): How DSA penalties work under Regulation (EU) 2022/2065. - [DSA Transparency Report Template | Article 15 + Article 24 + VLOP Article 42](/artifacts/eu/digital-services-act/dsa-transparency-report-template.md): Copy and paste ready DSA transparency report template aligned to Regulation (EU) 2022/2065 and Implementing Regulation (EU) 2024/2835. - [DSA Transparency Reporting | Articles 15, 24 & 42 Reporting Requirements](/artifacts/eu/digital-services-act/transparency-reporting.md): A practical guide to EU Digital Services Act transparency reporting: what to publish for Article 15, what to add for Article 24. - [DSA vs DMA | Digital Services Act vs Digital Markets Act (What's the Difference?)](/artifacts/eu/digital-services-act/dsa-vs-dma.md): A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the EU Digital Markets Act (DMA. - [DSA vs UK Online Safety Act | EU vs UK Online Safety Compliance](/artifacts/eu/digital-services-act/dsa-vs-uk-online-safety-act.md): A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the UK Online Safety Act: scope (EU recipients vs UK users). - [EU Digital Services Act (DSA) Requirements | Obligations by Service Type & Tier](/artifacts/eu/digital-services-act/requirements.md): A practical breakdown of DSA requirements (Regulation (EU) 2022/2065): obligations for intermediary services, hosting services, online platforms. - [EU DSA Compliance Guide | Digital Services Act Implementation Playbook](/artifacts/eu/digital-services-act/compliance.md): A practical EU Digital Services Act (DSA) compliance guide for Regulation (EU) 2022/2065: scope memo and tiering. - [EU DSA Deadlines & Compliance Calendar | Key Dates, Cadence and Milestones](/artifacts/eu/digital-services-act/deadlines-and-compliance-calendar.md): A DSA compliance calendar for Regulation (EU) 2022/2065: entry into force, general applicability, Digital Services Coordinator designation, Article 15, 24. - [EU DSA FAQ | Digital Services Act Questions & Answers (Practical)](/artifacts/eu/digital-services-act/faq.md): Practical answers to the most searched EU Digital Services Act (DSA) questions: who is in scope, what "hosting" and "online platform" mean. - [EU DSA Service Types & Scope | Hosting vs Platform vs Marketplace](/artifacts/eu/digital-services-act/service-types-and-scope.md): How to classify your service under the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): intermediary service types (mere conduit, caching, hosting). - [VLOP/VLOSE Systemic Risk Assessment (DSA) | Articles 34-36 + Mitigation](/artifacts/eu/digital-services-act/risk-assessments-and-mitigation.md): A deep guide to DSA systemic risk management for VLOPs/VLOSEs: how to run the Article 34 systemic risk assessment (risk categories, frequency. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/digital-services-act/checklist