A grounded Article 40 guide for VLOPs and VLOSEs handling data-access requests for vetted researchers studying systemic risks in the EU.
Use it to separate DSC and Commission access, vetted researcher requests, public-data access, amendment grounds, confidentiality controls, and the records a platform should keep.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 40 of the Digital Services Act creates data-access duties for providers of very large online platforms and very large online search engines. The operational task is not to publish a general-purpose research API. It is to respond to reasoned requests from the Digital Services Coordinator of establishment or the Commission, handle vetted researcher requests through the DSC process, protect personal data and confidential information, and keep a record showing why access was granted, amended, limited, or terminated. Timings in this page are source-linked; verify current legal source language before implementation decisions.
Researcher data access under Article 40 is a VLOP and VLOSE duty. The Commission describes VLOPs and VLOSEs as platforms and search engines with over 45 million users in the EU, and designation triggers the DSA's stricter obligations for those services.
For researcher access, the core trigger is a reasoned request from the Digital Services Coordinator of establishment for data access by vetted researchers. The research purpose must contribute to detecting, identifying, and understanding systemic risks in the Union, or to assessing the adequacy, efficiency, and impacts of mitigation measures.
The vetted researcher route runs through a Digital Services Coordinator, not directly through a platform self-certification form. Researchers must make a duly substantiated application, and the DSC of establishment grants vetted researcher status for the specific research and issues the reasoned request to the provider.
Researchers may also apply through the DSC of the Member State of their research organisation. That DSC performs an initial assessment and sends the application and supporting documents to the DSC of establishment, which makes the final decision on vetted researcher status.
A platform should treat the DSC's reasoned request as the controlling specification for what data must be provided, when, and through which interface. Article 40 says providers must give access within the reasonable period specified in the request.
The DSA gives providers a narrow amendment route. Within 15 days after receiving a researcher-access request, the provider may ask the DSC of establishment to amend it if the provider does not have access to the data, or if giving access would create significant vulnerabilities for service security or protection of confidential information, especially trade secrets.
Article 40 does not override every confidentiality or security concern. DSCs and the Commission must use data accessed under Article 40 only for monitoring and assessing DSA compliance, while taking account of personal data protection, confidential information including trade secrets, and service security.
For vetted researchers, the application must show that the researchers can meet request-specific data security and confidentiality requirements, protect personal data, and describe the technical and organisational measures they have in place. Those controls should be evaluated against the actual data, access channel, retention expectations, and publication plan.
A useful evidence file should let a reviewer reconstruct the Article 40 path without asking product, security, or legal teams to recreate the decision from memory. The file should show the request, the research purpose, the DSC route, the dataset decision, the security review, and the final access state.
Keep public-data access separate from vetted researcher access. Article 40 also requires access without undue delay to publicly accessible interface data, including real-time data where technically possible, for researchers who meet specified independence, funding, security, proportionality, and research-purpose conditions.
No. Article 40 provides a specific amendment route, not a broad preference-based refusal. Within 15 days, the provider may ask the DSC of establishment to amend the request if it does not have access to the data or if access would create significant service-security or confidentiality vulnerabilities, and it must propose alternative means or sufficient alternative data.
No. Article 40 refers to access through appropriate interfaces specified in the request, including online databases or APIs. The evidence record should show which interface was specified or approved, which data it exposes, and why the access method fits the DSC request and security constraints.
The Digital Services Coordinator of establishment grants vetted researcher status for the specific research and issues the reasoned request to the VLOP or VLOSE. If the researcher applies through the DSC in the Member State of their research organisation, that DSC conducts an initial assessment, but the DSC of establishment makes the final decision.
Use the cited sources listed here to verify obligations and the supporting evidence requirements.
Verify the following areas from the cited sources: Article 40 researcher access, DSC workflows, amendment grounds, and evidence records using the cited sources on this page.
Walk through your VLOP or VLOSE researcher-access intake, data-security review, and access evidence with Sorena.
"vetted researchers will be able to request data"
"Together, the Digital Services Coordinators ensure that the DSA is properly enforced throughout the EU."
"allow vetted researchers to access platform data"
"Delegated acts supplement or amend existing legislation"
"Researchers may also submit their application to the Digital Services Coordinator of the Member State of the research organisation to which they are affiliated."