---
title: "DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/faq/vlop-risk-assessment"
source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/faq/vlop-risk-assessment"
author: "Sorena AI"
description: "What VLOPs and VLOSEs must assess under the EU Digital Services Act, when to reassess, how Article 35 mitigation and annual audit evidence fit together, and what records to keep."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU Digital Services Act"
  - "DSA"
  - "VLOP"
  - "VLOSE"
  - "Article 34"
  - "Article 35"
  - "systemic risk assessment"
  - "independent audit"
  - "risk mitigation"
---
# DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits

What VLOPs and VLOSEs must assess under the EU Digital Services Act, when to reassess, how Article 35 mitigation and annual audit evidence fit together, and what records to keep.

## DSA VLOP Risk Assessment Article 34 FAQ

A VLOP or VLOSE risk assessment is not a generic compliance memo. Article 34 requires a service-specific assessment of systemic risks, repeated at least annually and before deploying functionality likely to critically affect those risks.

Use this FAQ to connect risk categories, mitigation choices, audit preparation, public reporting, researcher access, and evidence records without inventing unsupported deadlines or penalties.

Under the EU Digital Services Act, designated very large online platforms and very large online search engines must identify, analyse, and assess systemic risks linked to their services. The assessment should feed Article 35 mitigation measures, the internal compliance function, independent audits, public transparency reporting, and records preserved for regulator review.

## What does a DSA VLOP risk assessment have to cover?

Article 34 requires designated VLOPs and VLOSEs to assess systemic risks that are specific to their services and proportionate to the severity and probability of those risks. The risk categories include dissemination of illegal content, negative effects on fundamental rights, negative effects on civic discourse, electoral processes and public security, and negative effects involving gender-based violence, public health, minors, and physical or mental well-being.

The assessment also has to examine how the design and operation of the service influence those risks. For a practical record, map each risk to the affected surface, such as search ranking, recommender systems, ads delivery, content moderation, notice handling, marketplace listings, user reporting, account creation, age assurance, or high-reach sharing features.

- Record the designated service, VLOP or VLOSE status, and the service surfaces covered by the assessment.
- Create one line per Article 34 risk category and explain whether the risk is present, foreseeable, not applicable, or still under investigation.
- For each present or foreseeable risk, capture the triggering product feature, user group, geography or language market, data source, severity, probability, and uncertainty.
- Include intentional manipulation, inauthentic use, automated exploitation, and rapid amplification where they can influence the risk profile.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 34 is the source for the annual risk-assessment duty, the systemic risk categories, critical-functionality reassessment trigger, and three-year supporting-document retention rule.
- [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview confirming the 45 million monthly EU user threshold, designation effect, and the enhanced systemic-risk duties for VLOPs and VLOSEs.

## How should the risk assessment connect to Article 35 mitigation?

The assessment should not stop at a risk register. Article 35 requires reasonable, proportionate, and effective mitigation measures tailored to the specific Article 34 risks, with particular consideration for fundamental-rights impacts.

Useful mitigation records show why a control was selected or rejected. Examples supported by the DSA include adapting service design or functioning, recommender systems, terms enforcement, content moderation processes, notice-processing resources, advertising systems, crisis response, and child-protection tools such as age verification, parental controls, abuse-signalling tools, or support tools where appropriate.

- Link each material Article 34 risk to one or more Article 35 mitigation measures and a control owner.
- State whether the mitigation changes the product interface, ranking or recommendation logic, ads process, moderation workflow, staffing model, policy enforcement, user support, or child-safety control.
- Document residual risk after mitigation and explain why the measure is proportionate to the risk and to affected fundamental rights.
- For election-related risks, align the assessment with Commission Article 35 guidance on electoral-process mitigation where the service can affect civic discourse or elections.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 35 is the binding source for reasonable, proportionate, and effective mitigation measures tailored to Article 34 systemic risks.
- [European Commission - Electoral risk mitigation guidelines for VLOPs and VLOSEs](https://digital-strategy.ec.europa.eu/en/library/guidelines-providers-vlops-and-vloses-mitigation-systemic-risks-electoral-processes?ref=sorena.io) - Commission guidance source for applying Article 35 mitigation to systemic risks that may affect electoral processes.
- [European Commission - Guidelines on the protection of minors](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-protection-minors?ref=sorena.io) - Commission guidance source for child-safety measures that may inform minor-risk mitigation, including recommender changes, private defaults, abuse reporting, and excessive-use controls.

## What evidence should the VLOP or VLOSE keep?

Keep evidence that lets the provider, auditor, Commission, and Digital Services Coordinator understand how the assessment was performed and why the mitigation response fits the risk. Article 34 requires supporting documents to be preserved for at least three years and communicated to the Commission and the Digital Services Coordinator of establishment on request.

A practical evidence pack should include the risk-assessment report, risk register, source data, internal controls, product and policy change logs, governance approvals, consultations used to design mitigations, and links to audit workpapers or audit implementation actions where available.

- Assessment inputs: incident trends, notice and action data, statement-of-reasons data, user complaints, moderation quality results, recommender or ranking metrics, ad repository checks, integrity investigations, and relevant researcher findings.
- Methodology records: risk definitions, severity and probability scoring, impacted groups, regional or linguistic factors, assumptions tested, and uncertainty notes.
- Mitigation records: selected controls, rejected alternatives, deployment dates, owner, control tests, residual-risk rationale, and management-body or compliance-function approvals.
- Audit records: auditor information requests, internal-control evidence, algorithmic-system tests where relevant, audit conclusions, operational recommendations, and implementation-report actions.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 34 supports the three-year preservation duty for risk-assessment documents; Article 40 supports researcher access for systemic-risk research and mitigation assessment.
- [Commission Delegated Regulation (EU) 2024/436 on DSA independent audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Audit regulation source for the evidence auditors should analyse when assessing Article 34 risk assessments and Article 35 mitigation measures.
- [European Commission - How the DSA enhances transparency](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission transparency page explaining public risk-assessment, mitigation, audit, and audit-implementation reporting by VLOPs and VLOSEs.

## How do audits, supervision, and publication fit into the assessment cycle?

The risk assessment feeds a public accountability cycle. VLOPs and VLOSEs are subject to independent audits at least once a year. After receiving an audit report, they must make public the risk-assessment report, mitigation measures, audit report, audit implementation report, and information about consultations no later than three months after receipt, subject to the DSA rules on confidential information.

Supervision is not limited to public reports. The DSA also links the assessment to the compliance function, management-body oversight, Commission and Digital Services Coordinator access to supporting documents, data access for vetted researchers, and independent audit testing of internal controls and mitigation effectiveness.

- Plan the Article 34 assessment, Article 35 mitigation record, audit evidence, and Article 42 public-reporting package as one annual control cycle.
- Keep a versioned non-confidential report path separate from confidential evidence used by auditors and regulators.
- Track audit recommendations by obligation, owner, due date, implementation status, evidence link, and whether the recommendation changes the next risk assessment.
- Use Commission guidance, European Board material, public reports from comparable services, and vetted-research outputs as external signals when updating audit-risk and systemic-risk assumptions.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Articles 37, 41, 42, and 40 support the annual independent audit, compliance-function, public-reporting, and researcher-access links.
- [Commission Delegated Regulation (EU) 2024/436 on DSA independent audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Audit regulation source for methodology, audit evidence, audit-risk analysis, and specific audit checks for Article 34 and Article 35.
- [European Commission - How the DSA enhances transparency](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission page supporting the three-month publication link between audit reports, risk-assessment reports, mitigation measures, audit implementation reports, and consultation information.

## Primary sources

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Primary legal source for Article 34 systemic risk assessment, Article 35 mitigation, Article 37 audits, Article 40 data access, Article 41 compliance function, and Article 42 public reporting.
  - Quote: "This risk assessment shall be specific to their services"
- [European Commission - VLOPs and VLOSEs under the DSA](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview for VLOP/VLOSE designation threshold, four-month compliance effect after designation, systemic risk duties, annual audit, data sharing, researcher access, recommender choice, and ad repository obligations.
  - Quote: "The designation triggers specific rules"
- [Commission Delegated Regulation (EU) 2024/436 on DSA independent audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Binding audit framework for how auditors assess VLOP/VLOSE compliance with Article 34 risk assessments and Article 35 mitigation measures.
  - Quote: "audits conducted in accordance with Article 37"
- [European Commission - How the DSA enhances transparency](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission transparency source for public risk-assessment, mitigation, audit, and audit-implementation report publication by VLOPs and VLOSEs.
  - Quote: "Risk assessment and audit reports"
- [European Commission - Electoral risk mitigation guidelines for VLOPs and VLOSEs](https://digital-strategy.ec.europa.eu/en/library/guidelines-providers-vlops-and-vloses-mitigation-systemic-risks-electoral-processes?ref=sorena.io) - Commission guidance source for Article 35 mitigation of systemic risks connected to electoral processes.
  - Quote: "mitigation of systemic risks for electoral processes"
- [European Commission - Guidelines on the protection of minors](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-protection-minors?ref=sorena.io) - Commission guidance source for child-safety measures relevant to assessing and mitigating risks to minors on online platforms.
  - Quote: "protect children from online risks"

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

