
EU Digital Services Act (DSA) Notice & Action Workflow

How to implement Article 16 notice & action in a way that is fast, fair, and auditable.

Includes intake design, triage patterns, notification templates, and evidence logging expectations.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

For hosting services, DSA notice & action is the core compliance workflow. Article 16 requires easy, electronic notice submission mechanisms, specific notice elements, and timely, diligent, objective processing (with automation disclosures). This guide turns Article 16 into an implementation blueprint you can build and operate at scale.

Section 1

What Article 16 requires (minimum viable compliant workflow)

Article 16 requires hosting services to provide a mechanism that lets any individual or entity notify them of specific items of information that the notifier considers to be illegal content.

The mechanism must be easy to access, user-friendly, and allow notices to be submitted exclusively by electronic means.

  • Provide electronic notice submission (Article 16(1)) with a clear UI entry point.
  • Facilitate sufficiently precise and adequately substantiated notices by collecting required elements (Article 16(2)).
  • Confirm receipt (where contact info is provided) and notify decisions with redress information (Article 16(4)-(5)).
  • Process notices in a timely, diligent, non-arbitrary and objective manner; disclose automation use in the notification (Article 16(6)).
Section 2

Designing the notice form (Article 16(2) required elements)

Your notice form should be "structured enough to be actionable" and "simple enough to be used".

Article 16(2) specifies the minimum elements your mechanism must enable and facilitate.

  • Reasoned allegation: a sufficiently substantiated explanation of why the content is illegal.
  • Exact location: clear indication of electronic location (exact URL(s)); add fields for identifiers when URLs are not sufficient (e.g., post ID, listing ID).
  • Notifier identity: name and email address, with the narrow exception for certain child sexual abuse offences referenced by the DSA.
  • Good-faith statement: confirmation that allegations are accurate and complete to the best of the notifier's belief.
  • UX tip: show examples of "good notices" and clear validation errors to increase notice quality and reduce triage load.
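
One way to turn the elements above into server-side validation, as an added example that is not code from this guide or from any product it mentions. The field names, `SERVICE_HOSTS`, the `identity_exempt` flag, and the minimum allegation length are assumptions chosen for illustration; the function returns per-field errors that the form can show to the notifier.

```python
import re
from urllib.parse import urlsplit

SERVICE_HOSTS = {"example.com", "www.example.com"}  # assumed: hosts this service serves
MIN_REASON_CHARS = 40   # assumed local quality threshold, not a figure from the DSA
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_exact_location(url: str) -> bool:
    """Accept only http(s) URLs on our own hosts that point past the site root."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed input such as an unclosed IPv6 bracket
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme in ("http", "https") and host in SERVICE_HOSTS
            and (parts.path.strip("/") != "" or parts.query != ""))

def validate_notice(notice: dict) -> dict:
    """Return {field: message}; an empty dict means every required element was captured."""
    errors = {}
    if len((notice.get("reasoned_allegation") or "").strip()) < MIN_REASON_CHARS:
        errors["reasoned_allegation"] = "Explain why you consider this content illegal."
    urls = notice.get("urls") or []
    ids = notice.get("content_ids") or []       # post ID, listing ID, ...
    if not urls and not ids:
        errors["location"] = "Give the exact URL or a post/listing ID."
    elif any(not is_exact_location(u) for u in urls):
        errors["location"] = "Each URL must be an exact link to content on this service."
    # identity_exempt marks the narrow category where name and email are not required.
    if not notice.get("identity_exempt"):
        if not (notice.get("name") or "").strip():
            errors["name"] = "Name is required."
        if not EMAIL_RE.match((notice.get("email") or "").strip()):
            errors["email"] = "A valid email address is required."
    if notice.get("good_faith") is not True:    # must be an explicit confirmation
        errors["good_faith"] = "Confirm the notice is accurate and complete."
    return errors

# Constructed sample notice.
GOOD = {"reasoned_allegation": "Listing sells counterfeit goods under a registered trademark.",
        "urls": ["https://www.example.com/listing/12345"],
        "name": "A. Notifier", "email": "notifier@example.org", "good_faith": True}
```

Restricting URLs to the service's own hosts also keeps reviewer tooling from being pointed at arbitrary third-party links submitted through the form.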
Section 3

Triage and decisioning (timeliness + non-arbitrariness as controls)

Article 16(6) sets the standard: timely, diligent, non-arbitrary, objective processing and decision-making.

To meet that standard at scale, build triage as a control system with measurable outcomes.

  • Queueing: prioritize by severity, risk to life/safety, virality, and repeat patterns; document your prioritization policy.
  • Consistency checks: create decision guidelines and sampling reviews to detect drift between moderators/teams.
  • SLA metrics: time-to-receipt-confirmation, time-to-first-action, time-to-decision notification; segment by content type and market.
  • Training + support: ensure moderators understand legal vs terms grounds; track and reduce error drivers.
Section 4

Automation disclosures (when you use automated means)

If you use automated means for processing or decision-making, Article 16 requires you to include information on such use in the decision notification.

Treat automation disclosure as structured metadata, not vague language.

  • Record: whether automation was used in triage, detection, decision recommendation, or final decision.
  • Explain: which stage used automation and what the purpose was (e.g., spam filtering, similarity matching).
  • Safeguards: document human review triggers, overrides, and sampling QA; include these concepts in your transparency reporting metrics.
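
The SLA metrics from the triage section and the per-stage automation record described above can both be derived from one workflow log. The following is an added example, not code from this guide; the event names, log layout, and sample events are constructed assumptions.

```python
from datetime import datetime

# Stages named in the "Record" item above.
STAGES = ("triage", "detection", "decision_recommendation", "final_decision")

# Constructed workflow log for a single notice (event types are assumptions).
EVENTS = [
    {"ts": "2026-02-21T10:00:00+00:00", "type": "notice_received"},
    {"ts": "2026-02-21T10:00:05+00:00", "type": "receipt_confirmed"},
    {"ts": "2026-02-21T10:00:20+00:00", "type": "automation",
     "stage": "triage", "purpose": "spam filtering"},
    {"ts": "2026-02-21T11:30:00+00:00", "type": "first_action", "actor": "reviewer-17"},
    {"ts": "2026-02-21T11:31:00+00:00", "type": "automation",
     "stage": "decision_recommendation", "purpose": "similarity matching"},
    {"ts": "2026-02-21T12:00:00+00:00", "type": "decision_notified", "actor": "reviewer-17"},
]

def _first(events, kind):
    """Earliest timestamp of the given event type, or None if it never occurred."""
    hits = [datetime.fromisoformat(e["ts"]) for e in events if e["type"] == kind]
    return min(hits) if hits else None

def sla_metrics(events):
    """Seconds from notice receipt to each milestone; None marks a missing milestone."""
    start = _first(events, "notice_received")
    out = {}
    for name, kind in (("time_to_receipt_confirmation", "receipt_confirmed"),
                       ("time_to_first_action", "first_action"),
                       ("time_to_decision_notification", "decision_notified")):
        t = _first(events, kind)
        out[name] = (t - start).total_seconds() if start and t else None
    return out

def automation_disclosure(events):
    """Per-stage record of automation use, ready to render into the decision notification."""
    stages = {s: {"used": False, "purposes": []} for s in STAGES}
    for e in events:
        if e["type"] != "automation":
            continue
        if e["stage"] not in stages:    # reject free-text stages so reports stay comparable
            raise ValueError(f"unknown automation stage: {e['stage']}")
        stages[e["stage"]]["used"] = True
        stages[e["stage"]]["purposes"].append(e["purpose"])
    return {"stages": stages, "final_decision_automated": stages["final_decision"]["used"]}
```

A `None` metric is itself a finding: it means a milestone such as the receipt confirmation was never logged for that notice.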
Section 5

Notifications to the notifier (receipt + decision) (Article 16(4)-(5))

If the notice includes electronic contact information, you must confirm receipt without undue delay and later notify your decision with redress information.

These messages are part of your compliance evidence.

  • Receipt confirmation: include notice ID, timestamp, and a link to view status (without exposing personal data).
  • Decision notification: include outcome, action taken (if any), and how to appeal or seek redress.
  • Avoid over-disclosure: protect confidential information and personal data while still being clear and useful.
Section 6

Pairing notice & action with statement of reasons (Article 17)

Notice handling often results in restrictions: removal, demotion, disabling access, account actions, or payment restrictions.

Article 17 requires a clear and specific statement of reasons to affected recipients for those restrictions.

  • Create a shared decision object: notice -> assessment -> decision -> statement of reasons -> redress.
  • Include grounds: legal ground (illegal content) or contractual ground (terms) and explain why it applies.
  • Include facts and context: whether the decision followed an Article 16 notice or own-initiative investigation; disclose automation use.
  • Include redress options: internal complaints, out-of-court settlement and judicial redress where applicable.
Section 7

Criminal offence suspicions (Article 18) - escalation path

If you become aware of information giving rise to a suspicion of certain serious criminal offences involving threats to life or safety, Article 18 requires prompt notification to law enforcement/judicial authorities.

This requires a clear escalation and evidence handling path.

  • Define escalation triggers and who can invoke them (trust & safety, legal, security).
  • Record: what information created the suspicion, when it was discovered, and what was transmitted.
  • Privacy/security: maintain strict access control and logging for escalated cases.
Section 8

Evidence pack (what to retain for audits and enforcement)

The fastest way to reduce enforcement risk is to be able to prove your workflow works and is applied consistently.

Treat logs and templates as compliance artifacts.

  • Notice intake schema and validation rules (including Article 16(2) element capture).
  • Workflow logs: timestamps, queue states, reviewer assignments, decision outcomes, automation use flags.
  • Notification templates and samples; change history for templates.
  • Moderator guidance materials and QA sampling results.
  • Metrics used for transparency reporting (Article 15) and the definitions behind them.