--- title: "EU Digital Services Act FAQ: DSA scope, platform duties, VLOPs, reports, and penalties" canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/faq" source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/faq/items/page/2" author: "Sorena AI" description: "Concise EU Digital Services Act FAQ covering intermediary-service scope, active-recipient thresholds, illegal-content notices, statements of reasons, trader traceability, recommender transparency, systemic-risk duties, reporting, penalties, and complaints." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU Digital Services Act" - "DSA FAQ" - "online platform duties" - "VLOP threshold" - "statements of reasons" - "online platforms" - "VLOPs" - "content moderation" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Digital Services Act FAQ: DSA scope, platform duties, VLOPs, reports, and penalties Concise EU Digital Services Act FAQ covering intermediary-service scope, active-recipient thresholds, illegal-content notices, statements of reasons, trader traceability, recommender transparency, systemic-risk duties, reporting, penalties, and complaints. *Artifact Guide* *EU* ## EU Digital Services Act FAQ Direct answers to recurring DSA questions about service scope, online platform duties, VLOP and VLOSE designation, content moderation notices, statements of reasons, trader traceability, recommenders, risk assessments, transparency reports, penalties, and complaints. Use the cited EU sources to separate baseline intermediary duties from extra obligations for hosting services, online platforms, marketplaces, and designated very large services. This EU Digital Services Act FAQ explains the main DSA duties a website visitor is likely to search for: which services are covered, when platform-specific rules apply, what VLOP and VLOSE status changes, how illegal-content notices and statements of reasons work, what marketplaces must collect from traders, what recommender disclosures must say, what designated very large services must assess and report, how penalties are capped, and how users can complain. ## Browse sub-FAQ modules ### [DSA average monthly active recipients: what platforms must publish](/artifacts/eu/digital-services-act/faq/average-monthly-active-recipients.md) A grounded FAQ on average monthly active recipients under the EU Digital Services Act, including publication, EU recipient scope, the 45 million VLOP/VLOSE threshold, and evidence records. - 4 items ### [DSA illegal content notices: what must be included?](/artifacts/eu/digital-services-act/faq/illegal-content-notice.md) A grounded FAQ on EU Digital Services Act illegal-content notices: Article 16 notice elements, acknowledgement, decision notices, trusted flagger priority, statements of reasons, and records. - 3 items ### [DSA Marketplace Trader Traceability FAQ](/artifacts/eu/digital-services-act/faq/marketplace-trader-traceability.md) Answer to what EU Digital Services Act Article 30 requires online marketplaces to collect, verify, display, retain, and evidence for trader traceability. - 5 items ### [DSA recommender transparency FAQ: Article 27 and VLOP options](/artifacts/eu/digital-services-act/faq/recommender-transparency.md) What EU Digital Services Act recommender transparency requires: main parameters, user options, VLOP/VLOSE non-profiling choices, and evidence to keep. - 4 items ### [DSA statement of reasons FAQ](/artifacts/eu/digital-services-act/faq/statement-of-reasons.md) When DSA statements of reasons are required, what they must contain, when online platforms submit them to the DSA Transparency Database, and what appeal records to keep. - 4 items ### [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md) What VLOPs and VLOSEs must assess under the EU Digital Services Act, when to reassess, how Article 35 mitigation and annual audit evidence fit together, and what records to keep. - 4 items Browse all indexed questions: [/artifacts/eu/digital-services-act/faq/items](/artifacts/eu/digital-services-act/faq/items.md) ## All FAQ items *Page 2 of 2. Showing 4 of 24 items.* ### [What does a DSA VLOP risk assessment have to cover?](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md#what-does-a-dsa-vlop-risk-assessment-have-to-cover) *Module: [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md)* Article 34 requires designated VLOPs and VLOSEs to assess systemic risks that are specific to their services and proportionate to the severity and probability of those risks. The risk categories include dissemination of illegal content, negative effects on fundamental rights, negative effects on civic discourse, electoral processes and public security, and negative effects involving gender-based violence, public health, minors, and physical or mental well-being. - Record the designated service, VLOP or VLOSE status, and the service surfaces covered by the assessment. - Create one line per Article 34 risk category and explain whether the risk is present, foreseeable, not applicable, or still under investigation. - For each present or foreseeable risk, capture the triggering product feature, user group, geography or language market, data source, severity, probability, and uncertainty. - Include intentional manipulation, inauthentic use, automated exploitation, and rapid amplification where they can influence the risk profile. Sources for this answer: - [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 34 is the source for the annual risk-assessment duty, the systemic risk categories, critical-functionality reassessment trigger, and three-year supporting-document retention rule. - [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview confirming the 45 million monthly EU user threshold, designation effect, and the enhanced systemic-risk duties for VLOPs and VLOSEs. ### [How should the risk assessment connect to Article 35 mitigation?](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md#how-should-the-risk-assessment-connect-to-article-35-mitigation) *Module: [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md)* The assessment should not stop at a risk register. Article 35 requires reasonable, proportionate, and effective mitigation measures tailored to the specific Article 34 risks, with particular consideration for fundamental-rights impacts. - Link each material Article 34 risk to one or more Article 35 mitigation measures and a control owner. - State whether the mitigation changes the product interface, ranking or recommendation logic, ads process, moderation workflow, staffing model, policy enforcement, user support, or child-safety control. - Document residual risk after mitigation and explain why the measure is proportionate to the risk and to affected fundamental rights. - For election-related risks, align the assessment with Commission Article 35 guidance on electoral-process mitigation where the service can affect civic discourse or elections. Sources for this answer: - [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 35 is the binding source for reasonable, proportionate, and effective mitigation measures tailored to Article 34 systemic risks. - [European Commission - Electoral risk mitigation guidelines for VLOPs and VLOSEs](https://digital-strategy.ec.europa.eu/en/library/guidelines-providers-vlops-and-vloses-mitigation-systemic-risks-electoral-processes?ref=sorena.io) - Commission guidance source for applying Article 35 mitigation to systemic risks that may affect electoral processes. - [European Commission - Guidelines on the protection of minors](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-protection-minors?ref=sorena.io) - Commission guidance source for child-safety measures that may inform minor-risk mitigation, including recommender changes, private defaults, abuse reporting, and excessive-use controls. ### [What evidence should the VLOP or VLOSE keep?](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md#what-evidence-should-the-vlop-or-vlose-keep) *Module: [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md)* Keep evidence that lets the provider, auditor, Commission, and Digital Services Coordinator understand how the assessment was performed and why the mitigation response fits the risk. Article 34 requires supporting documents to be preserved for at least three years and communicated to the Commission and the Digital Services Coordinator of establishment on request. - Assessment inputs: incident trends, notice and action data, statement-of-reasons data, user complaints, moderation quality results, recommender or ranking metrics, ad repository checks, integrity investigations, and relevant researcher findings. - Methodology records: risk definitions, severity and probability scoring, impacted groups, regional or linguistic factors, assumptions tested, and uncertainty notes. - Mitigation records: selected controls, rejected alternatives, deployment dates, owner, control tests, residual-risk rationale, and management-body or compliance-function approvals. - Audit records: auditor information requests, internal-control evidence, algorithmic-system tests where relevant, audit conclusions, operational recommendations, and implementation-report actions. Sources for this answer: - [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 34 supports the three-year preservation duty for risk-assessment documents; Article 40 supports researcher access for systemic-risk research and mitigation assessment. - [Commission Delegated Regulation (EU) 2024/436 on DSA independent audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Audit regulation source for the evidence auditors should analyse when assessing Article 34 risk assessments and Article 35 mitigation measures. - [European Commission - How the DSA enhances transparency](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission transparency page explaining public risk-assessment, mitigation, audit, and audit-implementation reporting by VLOPs and VLOSEs. ### [How do audits, supervision, and publication fit into the assessment cycle?](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md#how-do-audits-supervision-and-publication-fit-into-the-assessment-cycle) *Module: [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md)* The risk assessment feeds a public accountability cycle. VLOPs and VLOSEs are subject to independent audits at least once a year. After receiving an audit report, they must make public the risk-assessment report, mitigation measures, audit report, audit implementation report, and information about consultations no later than three months after receipt, subject to the DSA rules on confidential information. - Plan the Article 34 assessment, Article 35 mitigation record, audit evidence, and Article 42 public-reporting package as one annual control cycle. - Keep a versioned non-confidential report path separate from confidential evidence used by auditors and regulators. - Track audit recommendations by obligation, owner, due date, implementation status, evidence link, and whether the recommendation changes the next risk assessment. - Use Commission guidance, European Board material, public reports from comparable services, and vetted-research outputs as external signals when updating audit-risk and systemic-risk assumptions. Sources for this answer: - [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Articles 37, 41, 42, and 40 support the annual independent audit, compliance-function, public-reporting, and researcher-access links. - [Commission Delegated Regulation (EU) 2024/436 on DSA independent audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Audit regulation source for methodology, audit evidence, audit-risk analysis, and specific audit checks for Article 34 and Article 35. - [European Commission - How the DSA enhances transparency](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission page supporting the three-month publication link between audit reports, risk-assessment reports, mitigation measures, audit implementation reports, and consultation information. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/digital-services-act/faq/items](/artifacts/eu/digital-services-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 2 of 2 Pages: [1](/artifacts/eu/digital-services-act/faq/items.md) | [2](/artifacts/eu/digital-services-act/faq/items/page/2.md) [Previous page](/artifacts/eu/digital-services-act/faq/items.md) *Recommended next step for the EU Digital Services Act* *Placement: before sources* ## Turn DSA FAQ answers into implementation evidence Sorena can help translate DSA scope, notice handling, statement-of-reasons, marketplace, recommender, VLOP/VLOSE, reporting, complaint, and penalty questions into cited controls and review records. - [Open Research Copilot for the DSA](/solutions/research-copilot.md): Ask source-linked questions about DSA scope, platform obligations, VLOP/VLOSE duties, reports, complaints, and enforcement. - [Talk through DSA implementation](/contact.md): Review your DSA service classification, notice flows, statements of reasons, marketplace controls, recommender disclosures, and reporting evidence. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/digital-services-act/faq/items/page/2