FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage

24of24items

Across 6 modules • Updated May 9, 2026

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Back to sub-FAQs

DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits

What does a DSA VLOP risk assessment have to cover?

Article 34 requires designated VLOPs and VLOSEs to assess systemic risks that are specific to their services and proportionate to the severity and probability of those risks. The risk categories include dissemination of illegal content, negative effects on fundamental rights, negative effects on civic discourse, electoral processes and public security, and negative effects involving gender-based violence, public health, minors, and physical or mental well-being.

The assessment also has to examine how the design and operation of the service influence those risks. For a practical record, map each risk to the affected surface, such as search ranking, recommender systems, ads delivery, content moderation, notice handling, marketplace listings, user reporting, account creation, age assurance, or high-reach sharing features.

Record the designated service, VLOP or VLOSE status, and the service surfaces covered by the assessment.
Create one line per Article 34 risk category and explain whether the risk is present, foreseeable, not applicable, or still under investigation.
For each present or foreseeable risk, capture the triggering product feature, user group, geography or language market, data source, severity, probability, and uncertainty.
Include intentional manipulation, inauthentic use, automated exploitation, and rapid amplification where they can influence the risk profile.

Citations

Regulation (EU) 2022/2065 (Digital Services Act)

Article 34 is the source for the annual risk-assessment duty, the systemic risk categories, critical-functionality reassessment trigger, and three-year supporting-document retention rule.

European Commission - VLOPs and VLOSEs under the DSA

Commission overview confirming the 45 million monthly EU user threshold, designation effect, and the enhanced systemic-risk duties for VLOPs and VLOSEs.

Jump to answer Open module

DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits

How should the risk assessment connect to Article 35 mitigation?

The assessment should not stop at a risk register. Article 35 requires reasonable, proportionate, and effective mitigation measures tailored to the specific Article 34 risks, with particular consideration for fundamental-rights impacts.

Useful mitigation records show why a control was selected or rejected. Examples supported by the DSA include adapting service design or functioning, recommender systems, terms enforcement, content moderation processes, notice-processing resources, advertising systems, crisis response, and child-protection tools such as age verification, parental controls, abuse-signalling tools, or support tools where appropriate.

Link each material Article 34 risk to one or more Article 35 mitigation measures and a control owner.
State whether the mitigation changes the product interface, ranking or recommendation logic, ads process, moderation workflow, staffing model, policy enforcement, user support, or child-safety control.
Document residual risk after mitigation and explain why the measure is proportionate to the risk and to affected fundamental rights.
For election-related risks, align the assessment with Commission Article 35 guidance on electoral-process mitigation where the service can affect civic discourse or elections.

Citations

Regulation (EU) 2022/2065 (Digital Services Act)

Article 35 is the binding source for reasonable, proportionate, and effective mitigation measures tailored to Article 34 systemic risks.

European Commission - Electoral risk mitigation guidelines for VLOPs and VLOSEs

Commission guidance source for applying Article 35 mitigation to systemic risks that may affect electoral processes.

European Commission - Guidelines on the protection of minors

Commission guidance source for child-safety measures that may inform minor-risk mitigation, including recommender changes, private defaults, abuse reporting, and excessive-use controls.

Jump to answer Open module

DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits

What evidence should the VLOP or VLOSE keep?

Keep evidence that lets the provider, auditor, Commission, and Digital Services Coordinator understand how the assessment was performed and why the mitigation response fits the risk. Article 34 requires supporting documents to be preserved for at least three years and communicated to the Commission and the Digital Services Coordinator of establishment on request.

A practical evidence pack should include the risk-assessment report, risk register, source data, internal controls, product and policy change logs, governance approvals, consultations used to design mitigations, and links to audit workpapers or audit implementation actions where available.

Assessment inputs: incident trends, notice and action data, statement-of-reasons data, user complaints, moderation quality results, recommender or ranking metrics, ad repository checks, integrity investigations, and relevant researcher findings.
Methodology records: risk definitions, severity and probability scoring, impacted groups, regional or linguistic factors, assumptions tested, and uncertainty notes.
Mitigation records: selected controls, rejected alternatives, deployment dates, owner, control tests, residual-risk rationale, and management-body or compliance-function approvals.
Audit records: auditor information requests, internal-control evidence, algorithmic-system tests where relevant, audit conclusions, operational recommendations, and implementation-report actions.

Citations

Regulation (EU) 2022/2065 (Digital Services Act)

Article 34 supports the three-year preservation duty for risk-assessment documents; Article 40 supports researcher access for systemic-risk research and mitigation assessment.

Commission Delegated Regulation (EU) 2024/436 on DSA independent audits

Audit regulation source for the evidence auditors should analyse when assessing Article 34 risk assessments and Article 35 mitigation measures.

European Commission - How the DSA enhances transparency

Commission transparency page explaining public risk-assessment, mitigation, audit, and audit-implementation reporting by VLOPs and VLOSEs.

Jump to answer Open module

DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits

How do audits, supervision, and publication fit into the assessment cycle?

The risk assessment feeds a public accountability cycle. VLOPs and VLOSEs are subject to independent audits at least once a year. After receiving an audit report, they must make public the risk-assessment report, mitigation measures, audit report, audit implementation report, and information about consultations no later than three months after receipt, subject to the DSA rules on confidential information.

Supervision is not limited to public reports. The DSA also links the assessment to the compliance function, management-body oversight, Commission and Digital Services Coordinator access to supporting documents, data access for vetted researchers, and independent audit testing of internal controls and mitigation effectiveness.

Plan the Article 34 assessment, Article 35 mitigation record, audit evidence, and Article 42 public-reporting package as one annual control cycle.
Keep a versioned non-confidential report path separate from confidential evidence used by auditors and regulators.
Track audit recommendations by obligation, owner, due date, implementation status, evidence link, and whether the recommendation changes the next risk assessment.
Use Commission guidance, European Board material, public reports from comparable services, and vetted-research outputs as external signals when updating audit-risk and systemic-risk assumptions.

Citations

Regulation (EU) 2022/2065 (Digital Services Act)

Articles 37, 41, 42, and 40 support the annual independent audit, compliance-function, public-reporting, and researcher-access links.

Commission Delegated Regulation (EU) 2024/436 on DSA independent audits

Audit regulation source for methodology, audit evidence, audit-risk analysis, and specific audit checks for Article 34 and Article 35.

European Commission - How the DSA enhances transparency

Commission page supporting the three-month publication link between audit reports, risk-assessment reports, mitigation measures, audit implementation reports, and consultation information.

Jump to answer Open module

Page 2 of 2

Previous12Next