A grounded guide to Digital Services Act crisis response duties for very large online platforms and very large online search engines.
Use it to separate Article 36 Commission crisis-response decisions from Article 48 voluntary crisis protocols, and to prepare the records, governance, and mitigation evidence those mechanisms depend on.
Structured answer sets in this page tree.
Cited legal and guidance references.
The Digital Services Act treats crisis response as an enhanced VLOP/VLOSE topic, not a generic incident clock. Article 36 allows the Commission, acting on a recommendation from the European Board for Digital Services, to require designated very large online platforms or very large online search engines to assess and limit their contribution to a serious public-security or public-health threat. Article 48 separately covers voluntary crisis protocols for extraordinary circumstances affecting public security or public health.
Article 36 applies only where a crisis has occurred. The DSA defines that as extraordinary circumstances leading to a serious threat to public security or public health in the Union or in significant parts of it.
The mechanism is addressed to one or more providers of very large online platforms or very large online search engines. The VLOP/VLOSE designation threshold is more than 45 million average monthly users in the EU, and the Commission publishes and updates the list of designated services.
An Article 36 decision can require the provider to assess whether and how the functioning or use of its service significantly contributes to the serious threat, identify and apply effective and proportionate measures, and report to the Commission by the date or intervals specified in the decision.
The decision does not prescribe a universal emergency deadline for every provider. The DSA says the Commission decision must specify a reasonable period for measures, account for urgency and implementation time, and limit required actions to a period not exceeding three months, with any extension also bounded by the Article 36 process.
Crisis response depends on the provider's Article 34 and Article 35 risk machinery. VLOPs and VLOSEs must assess systemic risks from the design, functioning, and use of their services, including algorithmic systems, content moderation systems, advertising systems, terms enforcement, data practices, intentional manipulation, and rapid dissemination.
Article 35 mitigation measures can include changes to service design, terms enforcement, content moderation speed and quality, recommender systems, advertising systems, internal resources, cooperation with trusted flaggers or other providers, user-facing information, child-protection measures, and markings for generated or manipulated media.
The crisis owner should be the VLOP/VLOSE compliance function, with direct escalation to management. Article 41 requires an independent compliance function with sufficient authority, resources, and access to the management body, and requires compliance officers to ensure Article 34 risks are reported and Article 35 mitigation measures are taken.
Commission requests can arrive outside the Article 36 decision itself. Article 67 allows the Commission to request information by simple request or decision; Article 72 allows monitoring actions, including access to databases and algorithms and retention of documents necessary to assess implementation and compliance.
Article 48 is about voluntary crisis protocols, not a standing order that every provider must follow in every emergency. The European Board for Digital Services may recommend that the Commission initiate protocols for extraordinary circumstances affecting public security or public health, and the Commission facilitates participation by VLOPs, VLOSEs, and where appropriate other online platforms or search engines.
A usable protocol should specify the extraordinary circumstance and objective, participant roles, activation procedure, period of measures, fundamental-rights safeguards, and public reporting after the crisis.
No. Article 36 uses a Commission decision for VLOPs and VLOSEs in a defined crisis and requires reporting by the date or intervals specified in that decision. Article 48 protocols must define the period for activated measures, limited to what is necessary for the extraordinary circumstances.
Keep the Article 36 decision or Article 48 protocol, threat assessment, affected service surfaces, selected and rejected measures, proportionality and rights-safeguard analysis, implementation evidence, impact metrics, Commission submissions, request-for-information responses, and public reporting after protocol termination.
Sorena can help structure DSA crisis-response records around Commission requests, systemic-risk measures, proportionality checks, public reporting, and evidence retrieval.
Ask source-linked questions about Article 36 decisions, Article 48 protocols, VLOP/VLOSE obligations, Commission RFIs, and evidence records.
Review your DSA crisis-response governance, mitigation evidence, reporting records, and source gaps with Sorena.
"measures cannot go beyond what is necessary"
"send a request for information"
"Articles 36 and 48 on Crisis Response Mechanisms and Protocols"
"publish their audit report together with the risk assessment reports"
"identify, analyse, and assess systemic risks"
"voluntary crisis protocols for addressing crisis situations"