FAQEU DSA

DSA VLOP Risk Assessment Article 34 FAQ

A VLOP or VLOSE risk assessment is not a generic compliance memo. Article 34 requires a service-specific assessment of systemic risks, repeated at least annually and before deploying functionality likely to critically affect those risks.

Use this FAQ to connect risk categories, mitigation choices, audit preparation, public reporting, researcher access, and evidence records without inventing unsupported deadlines or penalties.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under the EU Digital Services Act, designated very large online platforms and very large online search engines must identify, analyse, and assess systemic risks linked to their services. The assessment should feed Article 35 mitigation measures, the internal compliance function, independent audits, public transparency reporting, and records preserved for regulator review.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

What does a DSA VLOP risk assessment have to cover?

Article 34 requires designated VLOPs and VLOSEs to assess systemic risks that are specific to their services and proportionate to the severity and probability of those risks. The risk categories include dissemination of illegal content, negative effects on fundamental rights, negative effects on civic discourse, electoral processes and public security, and negative effects involving gender-based violence, public health, minors, and physical or mental well-being.

The assessment also has to examine how the design and operation of the service influence those risks. For a practical record, map each risk to the affected surface, such as search ranking, recommender systems, ads delivery, content moderation, notice handling, marketplace listings, user reporting, account creation, age assurance, or high-reach sharing features.

  • Record the designated service, VLOP or VLOSE status, and the service surfaces covered by the assessment.
  • Create one line per Article 34 risk category and explain whether the risk is present, foreseeable, not applicable, or still under investigation.
  • For each present or foreseeable risk, capture the triggering product feature, user group, geography or language market, data source, severity, probability, and uncertainty.
  • Include intentional manipulation, inauthentic use, automated exploitation, and rapid amplification where they can influence the risk profile.
Citations
Question 2

How should the risk assessment connect to Article 35 mitigation?

The assessment should not stop at a risk register. Article 35 requires reasonable, proportionate, and effective mitigation measures tailored to the specific Article 34 risks, with particular consideration for fundamental-rights impacts.

Useful mitigation records show why a control was selected or rejected. Examples supported by the DSA include adapting service design or functioning, recommender systems, terms enforcement, content moderation processes, notice-processing resources, advertising systems, crisis response, and child-protection tools such as age verification, parental controls, abuse-signalling tools, or support tools where appropriate.

  • Link each material Article 34 risk to one or more Article 35 mitigation measures and a control owner.
  • State whether the mitigation changes the product interface, ranking or recommendation logic, ads process, moderation workflow, staffing model, policy enforcement, user support, or child-safety control.
  • Document residual risk after mitigation and explain why the measure is proportionate to the risk and to affected fundamental rights.
  • For election-related risks, align the assessment with Commission Article 35 guidance on electoral-process mitigation where the service can affect civic discourse or elections.
Citations
Question 3

What evidence should the VLOP or VLOSE keep?

Keep evidence that lets the provider, auditor, Commission, and Digital Services Coordinator understand how the assessment was performed and why the mitigation response fits the risk. Article 34 requires supporting documents to be preserved for at least three years and communicated to the Commission and the Digital Services Coordinator of establishment on request.

A practical evidence pack should include the risk-assessment report, risk register, source data, internal controls, product and policy change logs, governance approvals, consultations used to design mitigations, and links to audit workpapers or audit implementation actions where available.

  • Assessment inputs: incident trends, notice and action data, statement-of-reasons data, user complaints, moderation quality results, recommender or ranking metrics, ad repository checks, integrity investigations, and relevant researcher findings.
  • Methodology records: risk definitions, severity and probability scoring, impacted groups, regional or linguistic factors, assumptions tested, and uncertainty notes.
  • Mitigation records: selected controls, rejected alternatives, deployment dates, owner, control tests, residual-risk rationale, and management-body or compliance-function approvals.
  • Audit records: auditor information requests, internal-control evidence, algorithmic-system tests where relevant, audit conclusions, operational recommendations, and implementation-report actions.
Citations
Question 4

How do audits, supervision, and publication fit into the assessment cycle?

The risk assessment feeds a public accountability cycle. VLOPs and VLOSEs are subject to independent audits at least once a year. After receiving an audit report, they must make public the risk-assessment report, mitigation measures, audit report, audit implementation report, and information about consultations no later than three months after receipt, subject to the DSA rules on confidential information.

Supervision is not limited to public reports. The DSA also links the assessment to the compliance function, management-body oversight, Commission and Digital Services Coordinator access to supporting documents, data access for vetted researchers, and independent audit testing of internal controls and mitigation effectiveness.

  • Plan the Article 34 assessment, Article 35 mitigation record, audit evidence, and Article 42 public-reporting package as one annual control cycle.
  • Keep a versioned non-confidential report path separate from confidential evidence used by auditors and regulators.
  • Track audit recommendations by obligation, owner, due date, implementation status, evidence link, and whether the recommendation changes the next risk assessment.
  • Use Commission guidance, European Board material, public reports from comparable services, and vetted-research outputs as external signals when updating audit-risk and systemic-risk assumptions.
Citations
Recommended next step

Prepare DSA risk assessment records before the audit cycle closes

Sorena can help structure Article 34 risk lines, Article 35 mitigation owners, audit evidence requests, public-reporting links, and source-linked review prompts for VLOP and VLOSE compliance work.

Research workflow
Open Research Copilot for the EU DSA

Ask source-linked questions about VLOP and VLOSE risk categories, mitigation records, audit evidence, public reports, and researcher-access links.

Explore next step
Talk to Sorena
Talk through DSA implementation

Review your Article 34 assessment structure, Article 35 mitigation backlog, and audit evidence gaps with Sorena.

Explore next step
Primary sources

References and citations

European Commission - Guidelines on the protection of minors
digital-strategy.ec.europa.eu
Referenced sections
  • Commission guidance source for child-safety measures that may inform minor-risk mitigation, including recommender changes, private defaults, abuse reporting, and excessive-use controls.
"proportionate and appropriate measures to protect children"
European Commission - How the DSA enhances transparency
digital-strategy.ec.europa.eu
Referenced sections
  • Commission page supporting the three-month publication link between audit reports, risk-assessment reports, mitigation measures, audit implementation reports, and consultation information.
"at the latest three months after"
European Commission - VLOPs and VLOSEs under the DSA
digital-strategy.ec.europa.eu
Referenced sections
  • Commission overview confirming the 45 million monthly EU user threshold, designation effect, and the enhanced systemic-risk duties for VLOPs and VLOSEs.
"over 45 million users in the EU"
Related guides

Explore more topics

DSA Ads and Recommender Systems: transparency duties, user choice, and evidence
A grounded DSA guide to ad labels, targeting restrictions, recommender parameter disclosure, non-profiling options for VLOPs and VLOSEs, ad repositories, and compliance evidence.
DSA Applicability Test: classify intermediary services, platforms, marketplaces, VLOPs and VLOSEs
A source-grounded EU Digital Services Act applicability test for classifying intermediary services, hosting services, online platforms, marketplaces, VLOPs and VLOSEs.
DSA Article 28 minors protection guide for online platforms
EU Digital Services Act guide to Article 28 minors protection: platform scope, child-safety measures, targeted ads limits, recommender controls, and grounded evidence.
DSA average monthly active recipients: what platforms must publish
A grounded FAQ on average monthly active recipients under the EU Digital Services Act, including publication, EU recipient scope, the 45 million VLOP/VLOSE threshold, and evidence records.
DSA Complaint and Dispute Workflows for Online Platforms
Build DSA complaint, appeal, statement-of-reasons, and out-of-court dispute workflows for online platform moderation decisions.
DSA crisis response for VLOPs and VLOSEs
EU Digital Services Act crisis response guide for VLOPs and VLOSEs: Article 36 Commission decisions, Article 48 crisis protocols, mitigation, governance, requests for information, and records.
DSA Dark Patterns: interface design checks for online platforms
Article 25 DSA guidance for reviewing online platform interfaces for deceptive, manipulative, or choice-distorting design patterns.
DSA Enforcement and Penalties in the EU
How Digital Services Act enforcement works: Commission and Digital Services Coordinator roles, VLOP and VLOSE investigations, fines, periodic penalty payments, and evidence readiness.
DSA illegal content notices: what must be included?
A grounded FAQ on EU Digital Services Act illegal-content notices: Article 16 notice elements, acknowledgement, decision notices, trusted flagger priority, statements of reasons, and records.
DSA Marketplace Trader Traceability FAQ
Answer to what EU Digital Services Act Article 30 requires online marketplaces to collect, verify, display, retain, and evidence for trader traceability.
DSA Marketplace Trader Traceability Guide
EU Digital Services Act guide for online marketplaces collecting, checking, displaying, storing, and evidencing trader traceability information.
DSA notice and action plus statements of reasons guide
A grounded Digital Services Act guide for notice intake, moderation decisions, statements of reasons, DSA Transparency Database submission, complaints, appeals, trusted flaggers, and records.
DSA Notice and Action Workflow for Hosting Services and Online Platforms
A grounded DSA notice-and-action workflow covering notice intake, completeness checks, trusted flaggers, decisions, user communications, statements of reasons, appeals, and records.
DSA recommender transparency FAQ: Article 27 and VLOP options
What EU Digital Services Act recommender transparency requires: main parameters, user options, VLOP/VLOSE non-profiling choices, and evidence to keep.
DSA researcher data access for VLOPs and VLOSEs
Article 40 DSA guide to vetted researcher data access for VLOPs and VLOSEs: DSC requests, eligibility checks, amendment grounds, confidentiality, security, and evidence records.
DSA service tier classifier for platforms, marketplaces, VLOPs and VLOSEs
Classify a digital service under the EU Digital Services Act as intermediary, hosting, online platform, marketplace, VLOP or VLOSE, with EU recipient-count evidence and obligation outputs.
DSA statement of reasons FAQ
When DSA statements of reasons are required, what they must contain, when online platforms submit them to the DSA Transparency Database, and what appeal records to keep.
DSA statement of reasons log workflow for online platforms
Build a DSA statement of reasons log for moderation decisions, Transparency Database submission, complaint links, retention, and QA controls.
DSA transparency report template fields and cadence
A source-grounded template outline for Digital Services Act transparency reports, covering applicable service tiers, reporting periods, CSV/XLSX format, retention, statement-of-reasons links, and required evidence tables.
DSA Transparency Reporting Obligations by Provider Tier
A grounded guide to EU Digital Services Act transparency reports, active-recipient publication, statements-of-reasons submissions, VLOP/VLOSE reports, templates, cadence, and evidence.
DSA VLOP and VLOSE Risk Assessments and Mitigation Guide
Grounded guide to Digital Services Act systemic risk assessments, mitigation measures, audits, transparency reports, data access, and governance evidence for VLOPs and VLOSEs.
DSA VLOP Audit Pack Workflow: Risk, Mitigation, Audit, and Transparency Records
Build a DSA VLOP or VLOSE audit pack covering Article 34 risk assessments, Article 35 mitigations, independent-audit evidence, transparency reports, data access, and compliance governance.
DSA vs DMA Platform Rules
Compare the EU Digital Services Act and Digital Markets Act by scope, designation thresholds, obligations, enforcement, evidence, and practical team ownership.
DSA vs GDPR: online-platform governance and personal-data obligations
Compare the EU Digital Services Act and EU GDPR by scope, ads, recommenders, minors, transparency, complaints, enforcement, and evidence.
DSA vs P2B Regulation: EU platform obligations compared
Compare the EU Digital Services Act with the Platform-to-Business Regulation for platform scope, business-user terms, content moderation, ranking transparency, complaints, enforcement, and evidence.
DSA vs Terrorist Content Online Regulation: notice-and-action vs removal orders
Compare DSA content-governance duties with the EU Terrorist Content Online Regulation removal-order workflow for scope, timing, evidence, authorities, and team ownership.
EU Digital Services Act checklist for platforms and hosting services
A grounded DSA checklist for classifying service tiers, notice-and-action, statements of reasons, complaints, transparency reports, ads, recommenders, trader traceability, VLOP/VLOSE duties, and evidence records.
EU Digital Services Act Compliance Guide
DSA compliance guide for intermediary services, hosting providers, online platforms, marketplaces, and VLOP/VLOSE teams: obligations, controls, and evidence to keep.
EU Digital Services Act FAQ: DSA scope, platform duties, VLOPs, reports, and penalties
Concise EU Digital Services Act FAQ covering intermediary-service scope, active-recipient thresholds, illegal-content notices, statements of reasons, trader traceability, recommender transparency, systemic-risk duties, reporting, penalties, and complaints.
EU Digital Services Act penalties and fines: caps and enforcement roles
DSA penalty caps and enforcement roles: Member State fines, Commission fines for VLOPs and VLOSEs, 1% procedural fines, and 5% periodic penalty payments.
EU Digital Services Act requirements by service tier
Overview of DSA obligations for intermediary services, hosting providers, online platforms, marketplaces, VLOPs and VLOSEs, including notices, complaints, ads, transparency reports, audits, data access and enforcement.
EU Digital Services Act service types and scope
Classify DSA service scope across mere conduit, caching, hosting, online platforms, marketplaces, online search engines, and VLOP/VLOSE threshold duties.
EU DSA deadlines and compliance calendar: application dates, reporting cycles, and VLOP clocks
Calendar view of grounded EU Digital Services Act dates: full application, user-number publication, VLOP/VLOSE designation clocks, statements of reasons, and transparency reporting cycles.
EU DSA Transparency Calendar: reporting, SoR database, AMAR updates
Build a DSA transparency calendar for annual reports, statement-of-reasons database submissions, active-recipient updates, and VLOP/VLOSE audit touchpoints.
EU DSA vs UK Online Safety Act: scope, duties, regulator, and evidence
Compare the EU Digital Services Act and UK Online Safety Act for platform scope, risk assessments, child protection, transparency, regulators, enforcement, and owners.