---
title: "DSA crisis response for VLOPs and VLOSEs"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/crisis-response"
source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/crisis-response"
author: "Sorena AI"
description: "EU Digital Services Act crisis response guide for VLOPs and VLOSEs: Article 36 Commission decisions, Article 48 crisis protocols, mitigation, governance, requests for information, and records."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Digital Services Act crisis response"
  - "DSA Article 36"
  - "DSA Article 48"
  - "VLOP crisis protocol"
  - "VLOSE crisis response"
  - "systemic risk mitigation"
  - "Digital Services Act"
  - "DSA"
  - "crisis response"
  - "Article 36"
  - "Article 48"
  - "VLOP"
  - "VLOSE"
  - "systemic risk"
---

# DSA crisis response for VLOPs and VLOSEs

EU Digital Services Act crisis response guide for VLOPs and VLOSEs: Article 36 Commission decisions, Article 48 crisis protocols, mitigation, governance, requests for information, and records.

## DSA Crisis Response

A grounded guide to Digital Services Act crisis response duties for very large online platforms and very large online search engines.

Use it to separate Article 36 Commission crisis-response decisions from Article 48 voluntary crisis protocols, and to prepare the records, governance, and mitigation evidence those mechanisms depend on.

The Digital Services Act treats crisis response as an enhanced VLOP/VLOSE topic, not a generic incident clock. Article 36 allows the Commission, acting on a recommendation from the European Board for Digital Services, to require designated very large online platforms or very large online search engines to assess and limit their contribution to a serious public-security or public-health threat. Article 48 separately covers voluntary crisis protocols for extraordinary circumstances affecting public security or public health.

## When the DSA crisis response mechanism applies

Article 36 applies only where a crisis has occurred. The DSA defines that as extraordinary circumstances leading to a serious threat to public security or public health in the Union or in significant parts of it.

The mechanism is addressed to one or more providers of very large online platforms or very large online search engines. The VLOP/VLOSE designation threshold is more than 45 million average monthly users in the EU, and the Commission publishes and updates the list of designated services.

- Do not treat every trust-and-safety incident as an Article 36 crisis; first identify the public-security or public-health threat and whether the Commission has adopted a decision.
- Confirm whether the service is designated as a VLOP or VLOSE, because Article 36 is written for those providers.
- Separate Article 36 obligations from ordinary Article 34 risk assessment, Article 35 risk mitigation, and general enforcement requests.
- Keep a crisis intake record with the Commission decision, Board recommendation context if available, affected service, threat description, scope, and responsible compliance officer.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Article 36 defines when a DSA crisis exists and when the Commission may require VLOPs or VLOSEs to assess and address contribution to the threat.
- [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview for the VLOP/VLOSE threshold and the enhanced DSA obligations that apply after designation.

## What an Article 36 Commission decision can require

An Article 36 decision can require the provider to assess whether and how the functioning or use of its service significantly contributes to the serious threat, identify and apply effective and proportionate measures, and report to the Commission by the date or intervals specified in the decision.

The decision does not prescribe a universal emergency deadline for every provider. The DSA says the Commission decision must specify a reasonable period for measures, account for urgency and implementation time, and limit required actions to a period not exceeding three months, with any extension also bounded by the Article 36 process.

- Create an Article 36 response file with the assessment question, affected product surfaces, data reviewed, risk hypothesis, and evidence used to decide whether the service contributes to the threat.
- Document the exact measures selected by the provider, because Article 36 leaves the choice of specific measures with the addressed provider.
- Show proportionality: gravity of the threat, urgency, impact on users and other affected parties, and fundamental-rights considerations.
- Track the Commission reporting date or interval exactly as written in the decision instead of applying an unsourced 24-hour, 72-hour, or internal incident-response timeline.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Article 36 lists the assessment, mitigation, reporting, proportionality, timing, monitoring, amendment, and reporting-to-Parliament/Council rules for Commission crisis-response decisions.
- [European Commission - Digital Services Act Questions and Answers](https://digital-strategy.ec.europa.eu/en/faqs/digital-services-act-questions-and-answers?ref=sorena.io) - Commission Q&A explains that crisis measures should be necessary, time-limited, and mindful of freedom of expression and information.

## Mitigation measures to prepare before a crisis

Crisis response depends on the provider's Article 34 and Article 35 risk machinery. VLOPs and VLOSEs must assess systemic risks from the design, functioning, and use of their services, including algorithmic systems, content moderation systems, advertising systems, terms enforcement, data practices, intentional manipulation, and rapid dissemination.

Article 35 mitigation measures can include changes to service design, terms enforcement, content moderation speed and quality, recommender systems, advertising systems, internal resources, cooperation with trusted flaggers or other providers, user-facing information, child-protection measures, and markings for generated or manipulated media.

- Keep crisis-ready views of the systems most likely to contribute to rapid spread: recommender ranking, search, trends, ads delivery, live or short-form distribution, account creation, and content moderation queues.
- Predefine evidence owners for trust and safety, ranking/recommender systems, advertising integrity, policy, legal, data science, communications, compliance, and executive review.
- Prepare measure playbooks that can be activated proportionately: reduce amplification, adjust recommendations, add authoritative information panels, increase moderation resources, tune notice handling, or pause specific advertising or monetisation features where justified.
- Test whether each measure can be measured for implementation and impact, because Article 36 reporting can ask for qualitative and quantitative impact.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Articles 34 and 35 identify the systemic-risk assessment factors and the types of reasonable, proportionate, and effective mitigation measures relevant to crisis response.
- [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview confirms that VLOPs and VLOSEs must assess systemic risks, put mitigation measures in place, and maintain internal compliance functions.

## Governance, requests for information, and records

The crisis owner should be the VLOP/VLOSE compliance function, with direct escalation to management. Article 41 requires an independent compliance function with sufficient authority, resources, and access to the management body, and requires compliance officers to ensure Article 34 risks are reported and Article 35 mitigation measures are taken.

Commission requests can arrive outside the Article 36 decision itself. Article 67 allows the Commission to request information by simple request or decision; Article 72 allows monitoring actions, including access to databases and algorithms and retention of documents necessary to assess implementation and compliance.

- Maintain a Commission-request log with legal basis, purpose, requested information, deadline, responder, source systems, privilege/confidentiality review, and completeness checks.
- Keep supporting documents for Article 34 risk assessments for at least three years after the assessment, and be ready to provide them to the Commission or the Digital Services Coordinator of establishment on request.
- Preserve crisis evidence in a reviewable package: decision received, measures considered, measures rejected, proportionality analysis, user-rights safeguards, implementation timestamps, metrics, communications, and Commission submissions.
- Align crisis records with audit and transparency reporting, because VLOPs/VLOSEs must publish risk assessment results, specific Article 35 mitigation measures, audit reports, audit implementation reports, and consultation information after audit reporting events.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Articles 34, 41, 42, 67, and 72 support the page's recordkeeping, compliance-function, transparency, request-for-information, and monitoring guidance.
- [European Commission - DSA enforcement framework](https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement?ref=sorena.io) - Commission enforcement overview describes RFIs, algorithm and data access orders, inspections, and possible fines for incorrect, misleading, incomplete, or late responses.
- [European Commission - How the DSA enhances transparency online](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission transparency overview explains public risk assessment, mitigation, audit, implementation, and consultation reporting for VLOPs and VLOSEs.

## How Article 48 crisis protocols differ

Article 48 is about voluntary crisis protocols, not a standing order that every provider must follow in every emergency. The European Board for Digital Services may recommend that the Commission initiate protocols for extraordinary circumstances affecting public security or public health, and the Commission facilitates participation by VLOPs, VLOSEs, and where appropriate other online platforms or search engines.

A usable protocol should specify the extraordinary circumstance and objective, participant roles, activation procedure, period of measures, fundamental-rights safeguards, and public reporting after the crisis.

- Protocol measures may include prominent display of crisis information from Member State, Union-level, or other reliable bodies.
- The protocol should identify a crisis-management point of contact, which may be the Article 11 electronic point of contact or, for VLOPs/VLOSEs, the Article 41 compliance officer.
- Resource adjustments should be tied to DSA workflows affected by the crisis, including notice handling, complaints, trusted-flagger processing, repeat misuse, and Article 35 mitigation.
- After termination, retain the public report on measures taken, duration, and outcomes with the internal activation and deactivation record.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Article 48 defines voluntary crisis protocols, their public-security/public-health boundary, participant roles, activation and duration procedures, safeguards, and post-crisis public reporting.
- [European Commission - Electoral systemic-risk guidelines for VLOPs and VLOSEs](https://digital-strategy.ec.europa.eu/en/library/guidelines-providers-vlops-and-vloses-mitigation-systemic-risks-electoral-processes?ref=sorena.io) - Commission guidelines identify Articles 36 and 48 as relevant crisis-response mechanisms alongside Article 35 systemic-risk mitigation for election-related risks.

## Primary sources

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Primary legal source for DSA Articles 34, 35, 36, 41, 42, 48, 67, and 72 covering systemic-risk assessment, mitigation, crisis response, crisis protocols, compliance governance, reporting, RFIs, monitoring, and records.
  - Quote: "Crisis response mechanism"
- [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission source for the VLOP/VLOSE threshold and enhanced obligations that make crisis response operational for designated services.
  - Quote: "over 45 million users in the EU"
- [European Commission - Digital Services Act Questions and Answers](https://digital-strategy.ec.europa.eu/en/faqs/digital-services-act-questions-and-answers?ref=sorena.io) - Commission Q&A support for VLOP/VLOSE crisis response, disinformation-risk context, investigatory powers, and time-limited rights-sensitive crisis measures.
  - Quote: "putting in place a crisis response mechanism"
- [European Commission - DSA enforcement framework](https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement?ref=sorena.io) - Commission source for RFIs, access orders, interviews, inspections, sanctions for defective replies, and the point that investigatory steps do not themselves establish infringement.
  - Quote: "send a request for information"
- [European Commission - How the DSA enhances transparency online](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission source for VLOP/VLOSE public risk assessment, mitigation, audit, audit implementation, and consultation reporting.
  - Quote: "Risk assessment and audit reports"
- [European Commission - Electoral systemic-risk guidelines for VLOPs and VLOSEs](https://digital-strategy.ec.europa.eu/en/library/guidelines-providers-vlops-and-vloses-mitigation-systemic-risks-electoral-processes?ref=sorena.io) - Commission guidance confirming that crisis-response mechanisms and protocols can be relevant alongside Article 35 systemic-risk mitigation for election-related risks.
  - Quote: "Articles 36 and 48 on Crisis Response Mechanisms and Protocols"

