--- title: "DSA researcher data access for VLOPs and VLOSEs" canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/researcher-data-access" source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/researcher-data-access" author: "Sorena AI" description: "Article 40 DSA guide to vetted researcher data access for VLOPs and VLOSEs: DSC requests, eligibility checks, amendment grounds, confidentiality, security, and evidence records." published_at: "2026-05-09" updated_at: "2026-05-26" keywords: - "Digital Services Act Article 40" - "DSA researcher data access" - "vetted researchers" - "VLOP data access" - "VLOSE data access" - "Digital Services Coordinator" - "Digital Services Act" - "DSA" - "Article 40" - "researcher data access" - "VLOP" - "VLOSE" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # DSA researcher data access for VLOPs and VLOSEs Article 40 DSA guide to vetted researcher data access for VLOPs and VLOSEs: DSC requests, eligibility checks, amendment grounds, confidentiality, security, and evidence records. *Artifact Guide* *EU* ## DSA Researcher Data Access A grounded Article 40 guide for VLOPs and VLOSEs handling data-access requests for vetted researchers studying systemic risks in the EU. Use it to separate DSC and Commission access, vetted researcher requests, public-data access, amendment grounds, confidentiality controls, and the records a platform should keep. Article 40 of the Digital Services Act creates data-access duties for providers of very large online platforms and very large online search engines. The operational task is not to publish a general-purpose research API. It is to respond to reasoned requests from the Digital Services Coordinator of establishment or the Commission, handle vetted researcher requests through the DSC process, protect personal data and confidential information, and keep a record showing why access was granted, amended, limited, or terminated. Timings in this page are source-linked; verify current legal source language before implementation decisions. ## When Article 40 researcher access applies Researcher data access under Article 40 is a VLOP and VLOSE duty. The Commission describes VLOPs and VLOSEs as platforms and search engines with over 45 million users in the EU, and designation triggers the DSA's stricter obligations for those services. For researcher access, the core trigger is a reasoned request from the Digital Services Coordinator of establishment for data access by vetted researchers. The research purpose must contribute to detecting, identifying, and understanding systemic risks in the Union, or to assessing the adequacy, efficiency, and impacts of mitigation measures. - Confirm the service is a designated VLOP or VLOSE before treating Article 40 researcher access as the controlling workflow. - Separate regulator access from researcher access: Article 40 also covers DSC and Commission requests needed to monitor and assess compliance. - Map the request to systemic-risk research, not general market research, product analytics, journalism, or ordinary user-data export. - Do not assume an always-open API obligation; Article 40 refers to access through appropriate interfaces specified in the request, including online databases or APIs. Sources for this answer: - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Primary legal text for Article 40 data access, vetted researcher access, amendment grounds, and delegated technical conditions. - [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission VLOP/VLOSE overview supporting the 45 million EU user threshold and the enhanced duties, including data sharing and vetted researcher access. ## Vetted researcher request governance The vetted researcher route runs through a Digital Services Coordinator, not directly through a platform self-certification form. Researchers must make a duly substantiated application, and the DSC of establishment grants vetted researcher status for the specific research and issues the reasoned request to the provider. Researchers may also apply through the DSC of the Member State of their research organisation. That DSC performs an initial assessment and sends the application and supporting documents to the DSC of establishment, which makes the final decision on vetted researcher status. - Require the DSC request, the specific research purpose, the provider/service covered, requested data categories, access timeframe, and any interface named in the request. - Check that the application record covers research-organisation affiliation, independence from commercial interests, funding disclosure, necessity and proportionality, and the planned public availability of results. - Keep a separate record of the security and confidentiality measures proposed by the researcher for the specific request. - Record communications with the DSC of establishment, the Commission, and the Board where Article 40 requires notice or coordination. Sources for this answer: - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Supports the vetted researcher conditions, the role of the DSC of establishment, the alternate application route through the research organisation's Member State DSC, and Board communication. - [European Commission - Digital Services Coordinators](https://digital-strategy.ec.europa.eu/en/policies/dsa-dscs?ref=sorena.io) - Commission explanation of DSC supervision and cooperation with the Board, the Commission, and other national authorities. ## Platform response, amendment grounds, and access methods A platform should treat the DSC's reasoned request as the controlling specification for what data must be provided, when, and through which interface. Article 40 says providers must give access within the reasonable period specified in the request. The DSA gives providers a narrow amendment route. Within 15 days after receiving a researcher-access request, the provider may ask the DSC of establishment to amend it if the provider does not have access to the data, or if giving access would create significant vulnerabilities for service security or protection of confidential information, especially trade secrets. - Run a data-availability check before accepting the request as written. - If amendment is needed, propose alternative access to the requested data or other data that is appropriate and sufficient for the research purpose. - Do not create invented API fields or undocumented datasets; tie each access method to data the platform actually holds and to the interface specified or accepted by the DSC. - Track the DSC's decision on any amendment request, the amended scope if any, and the new compliance period. Sources for this answer: - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Supports the reasonable-period response rule, 15-day amendment request window, amendment grounds, alternative access proposals, and interface language. - [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview listing VLOP/VLOSE duties to share data with the Commission and national authorities and allow vetted researcher access for systemic-risk research. ## Confidentiality, personal data, and service-security constraints Article 40 does not override every confidentiality or security concern. DSCs and the Commission must use data accessed under Article 40 only for monitoring and assessing DSA compliance, while taking account of personal data protection, confidential information including trade secrets, and service security. For vetted researchers, the application must show that the researchers can meet request-specific data security and confidentiality requirements, protect personal data, and describe the technical and organisational measures they have in place. Those controls should be evaluated against the actual data, access channel, retention expectations, and publication plan. - Classify requested data by personal data, confidential information, trade-secret sensitivity, security impact, and public-interface availability. - Require request-specific access controls, authentication, logging, least-privilege permissions, secure transfer, and revocation procedures before provisioning access. - Review whether planned publication of results can be free of charge while still respecting recipients' rights and interests under data-protection law. - Escalate any security or trade-secret objection through the Article 40 amendment process instead of silently narrowing the data. Sources for this answer: - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Supports limits on use by regulators, confidentiality/security considerations, personal-data safeguards, and researcher security and confidentiality criteria. - [Register of delegated acts](https://webgate.ec.europa.eu/regdel/?ref=sorena.io) - Explains the EU delegated-act process relevant to Article 40(13), where the Commission is empowered to supplement technical data-sharing conditions after consultation. ## Evidence records to keep for researcher access A useful evidence file should let a reviewer reconstruct the Article 40 path without asking product, security, or legal teams to recreate the decision from memory. The file should show the request, the research purpose, the DSC route, the dataset decision, the security review, and the final access state. Keep public-data access separate from vetted researcher access. Article 40 also requires access without undue delay to publicly accessible interface data, including real-time data where technically possible, for researchers who meet specified independence, funding, security, proportionality, and research-purpose conditions. - DSC request pack: requesting authority, provider and service, research title, systemic-risk purpose, data categories, timeframe, interface, and response deadline. - Eligibility pack: researcher affiliation, independence statement, funding disclosure, necessity and proportionality analysis, security measures, confidentiality measures, and publication commitment. - Data pack: data inventory, availability check, excluded data rationale, amendment request if any, alternative access proposal, and DSC decision. - Access pack: provisioning approval, access method, authentication and logging evidence, incident/escalation owner, access termination criteria, and revocation record. - Public-data pack: record of publicly accessible data made available to qualifying researchers, technical feasibility notes for real-time access, and limits needed to preserve security and rights. Sources for this answer: - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Supports the access file structure: reasoned requests, researcher eligibility, amendment handling, access interfaces, public-interface data, and termination of access. - [European Centre for Algorithmic Transparency](https://algorithmic-transparency.ec.europa.eu/index_en?ref=sorena.io) - Commission ECAT page connecting Article 40 researcher access to VLOP/VLOSE systemic-risk research and Commission technical expertise on algorithmic transparency. *Recommended next step* *Placement: before sources* ## Use this Article 40 guide to structure request intake and access evidence Use the cited sources listed here to verify obligations and the supporting evidence requirements. - [Open Research Copilot for DSA](/solutions/research-copilot.md): Verify the following areas from the cited sources: Article 40 researcher access, DSC workflows, amendment grounds, and evidence records using the cited sources on this page. - [Review a DSA researcher-access workflow](/contact.md): Walk through your VLOP or VLOSE researcher-access intake, data-security review, and access evidence with Sorena. ## Primary sources - [Regulation (EU) 2022/2065, Article 40](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Primary legal source for DSA data access and scrutiny, including DSC and Commission access, vetted researcher requests, researcher eligibility, amendment grounds, public-interface data, and delegated technical conditions. - Quote: "Data access and scrutiny" - [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview for VLOP/VLOSE threshold, designation effects, systemic-risk duties, regulator data sharing, and vetted researcher access. - Quote: "allow vetted researchers to access platform data" - [European Commission - Digital Services Coordinators](https://digital-strategy.ec.europa.eu/en/policies/dsa-dscs?ref=sorena.io) - Commission explanation of DSC roles, cooperation with the Commission and Board, and the Commission's exclusive competence for VLOP/VLOSE enhanced due-diligence obligations. - Quote: "The Commission and the national Digital Service Coordinators (DSCs) are responsible for supervising, enforcing and monitoring the DSA." - [European Centre for Algorithmic Transparency](https://algorithmic-transparency.ec.europa.eu/index_en?ref=sorena.io) - Commission ECAT page linking Article 40 data access for researchers to systemic-risk research on VLOPs and VLOSEs. - Quote: "Under Article 40 of the Digital Services Act (DSA), vetted researchers will be able to request data" - [Register of delegated acts](https://webgate.ec.europa.eu/regdel/?ref=sorena.io) - EU register explaining the delegated-act process relevant to Article 40(13)'s technical data-sharing conditions. - Quote: "Delegated acts supplement or amend existing legislation" ## Related Topic Guides - [DSA Ads and Recommender Systems: transparency duties, user choice, and evidence](/artifacts/eu/digital-services-act/ads-and-recommender-systems.md): A grounded DSA guide to ad labels, targeting restrictions, recommender parameter disclosure, non-profiling options for VLOPs and VLOSEs, ad repositories, and compliance evidence. - [DSA Applicability Test: classify intermediary services, platforms, marketplaces, VLOPs and VLOSEs](/artifacts/eu/digital-services-act/applicability-test.md): A source-grounded EU Digital Services Act applicability test for classifying intermediary services, hosting services, online platforms, marketplaces, VLOPs and VLOSEs. - [DSA Article 28 minors protection guide for online platforms](/artifacts/eu/digital-services-act/minors-protection.md): EU Digital Services Act guide to Article 28 minors protection: platform scope, child-safety measures, targeted ads limits, recommender controls, and grounded evidence. - [DSA average monthly active recipients: what platforms must publish](/artifacts/eu/digital-services-act/faq/average-monthly-active-recipients.md): A grounded FAQ on average monthly active recipients under the EU Digital Services Act, including publication, EU recipient scope, the 45 million VLOP/VLOSE threshold, and evidence records. - [DSA Complaint and Dispute Workflows for Online Platforms](/artifacts/eu/digital-services-act/complaint-and-dispute-workflows.md): Build DSA complaint, appeal, statement-of-reasons, and out-of-court dispute workflows for online platform moderation decisions. - [DSA crisis response for VLOPs and VLOSEs](/artifacts/eu/digital-services-act/crisis-response.md): EU Digital Services Act crisis response guide for VLOPs and VLOSEs: Article 36 Commission decisions, Article 48 crisis protocols, mitigation, governance, requests for information, and records. - [DSA Dark Patterns: interface design checks for online platforms](/artifacts/eu/digital-services-act/dark-patterns.md): Article 25 DSA guidance for reviewing online platform interfaces for deceptive, manipulative, or choice-distorting design patterns. - [DSA Enforcement and Penalties in the EU](/artifacts/eu/digital-services-act/enforcement-penalties-and-investigations.md): How Digital Services Act enforcement works: Commission and Digital Services Coordinator roles, VLOP and VLOSE investigations, fines, periodic penalty payments, and evidence readiness. - [DSA illegal content notices: what must be included?](/artifacts/eu/digital-services-act/faq/illegal-content-notice.md): A grounded FAQ on EU Digital Services Act illegal-content notices: Article 16 notice elements, acknowledgement, decision notices, trusted flagger priority, statements of reasons, and records. - [DSA Marketplace Trader Traceability FAQ](/artifacts/eu/digital-services-act/faq/marketplace-trader-traceability.md): Answer to what EU Digital Services Act Article 30 requires online marketplaces to collect, verify, display, retain, and evidence for trader traceability. - [DSA Marketplace Trader Traceability Guide](/artifacts/eu/digital-services-act/marketplace-trader-traceability.md): EU Digital Services Act guide for online marketplaces collecting, checking, displaying, storing, and evidencing trader traceability information. - [DSA notice and action plus statements of reasons guide](/artifacts/eu/digital-services-act/notice-and-action-plus-statements-of-reasons.md): A grounded Digital Services Act guide for notice intake, moderation decisions, statements of reasons, DSA Transparency Database submission, complaints, appeals, trusted flaggers, and records. - [DSA Notice and Action Workflow for Hosting Services and Online Platforms](/artifacts/eu/digital-services-act/notice-and-action-workflow.md): A grounded DSA notice-and-action workflow covering notice intake, completeness checks, trusted flaggers, decisions, user communications, statements of reasons, appeals, and records. - [DSA recommender transparency FAQ: Article 27 and VLOP options](/artifacts/eu/digital-services-act/faq/recommender-transparency.md): What EU Digital Services Act recommender transparency requires: main parameters, user options, VLOP/VLOSE non-profiling choices, and evidence to keep. - [DSA service tier classifier for platforms, marketplaces, VLOPs and VLOSEs](/artifacts/eu/digital-services-act/service-tier-classifier-workflow.md): Classify a digital service under the EU Digital Services Act as intermediary, hosting, online platform, marketplace, VLOP or VLOSE, with EU recipient-count evidence and obligation outputs. - [DSA statement of reasons FAQ](/artifacts/eu/digital-services-act/faq/statement-of-reasons.md): When DSA statements of reasons are required, what they must contain, when online platforms submit them to the DSA Transparency Database, and what appeal records to keep. - [DSA statement of reasons log workflow for online platforms](/artifacts/eu/digital-services-act/statement-of-reasons-log-workflow.md): Build a DSA statement of reasons log for moderation decisions, Transparency Database submission, complaint links, retention, and QA controls. - [DSA transparency report template fields and cadence](/artifacts/eu/digital-services-act/dsa-transparency-report-template.md): A source-grounded template outline for Digital Services Act transparency reports, covering applicable service tiers, reporting periods, CSV/XLSX format, retention, statement-of-reasons links, and required evidence tables. - [DSA Transparency Reporting Obligations by Provider Tier](/artifacts/eu/digital-services-act/transparency-reporting.md): A grounded guide to EU Digital Services Act transparency reports, active-recipient publication, statements-of-reasons submissions, VLOP/VLOSE reports, templates, cadence, and evidence. - [DSA VLOP and VLOSE Risk Assessments and Mitigation Guide](/artifacts/eu/digital-services-act/risk-assessments-and-mitigation.md): Grounded guide to Digital Services Act systemic risk assessments, mitigation measures, audits, transparency reports, data access, and governance evidence for VLOPs and VLOSEs. - [DSA VLOP Audit Pack Workflow: Risk, Mitigation, Audit, and Transparency Records](/artifacts/eu/digital-services-act/vlop-audit-pack-workflow.md): Build a DSA VLOP or VLOSE audit pack covering Article 34 risk assessments, Article 35 mitigations, independent-audit evidence, transparency reports, data access, and compliance governance. - [DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits](/artifacts/eu/digital-services-act/faq/vlop-risk-assessment.md): What VLOPs and VLOSEs must assess under the EU Digital Services Act, when to reassess, how Article 35 mitigation and annual audit evidence fit together, and what records to keep. - [DSA vs DMA Platform Rules](/artifacts/eu/digital-services-act/dsa-vs-dma.md): Compare the EU Digital Services Act and Digital Markets Act by scope, designation thresholds, obligations, enforcement, evidence, and practical team ownership. - [DSA vs GDPR: online-platform governance and personal-data obligations](/artifacts/eu/digital-services-act/dsa-vs-gdpr.md): Compare the EU Digital Services Act and EU GDPR by scope, ads, recommenders, minors, transparency, complaints, enforcement, and evidence. - [DSA vs P2B Regulation: EU platform obligations compared](/artifacts/eu/digital-services-act/dsa-vs-p2b.md): Compare the EU Digital Services Act with the Platform-to-Business Regulation for platform scope, business-user terms, content moderation, ranking transparency, complaints, enforcement, and evidence. - [DSA vs Terrorist Content Online Regulation: notice-and-action vs removal orders](/artifacts/eu/digital-services-act/dsa-vs-terrorist-content-online-regulation.md): Compare DSA content-governance duties with the EU Terrorist Content Online Regulation removal-order workflow for scope, timing, evidence, authorities, and team ownership. - [EU Digital Services Act checklist for platforms and hosting services](/artifacts/eu/digital-services-act/checklist.md): A grounded DSA checklist for classifying service tiers, notice-and-action, statements of reasons, complaints, transparency reports, ads, recommenders, trader traceability, VLOP/VLOSE duties, and evidence records. - [EU Digital Services Act Compliance Guide](/artifacts/eu/digital-services-act/compliance.md): DSA compliance guide for intermediary services, hosting providers, online platforms, marketplaces, and VLOP/VLOSE teams: obligations, controls, and evidence to keep. - [EU Digital Services Act FAQ: DSA scope, platform duties, VLOPs, reports, and penalties](/artifacts/eu/digital-services-act/faq.md): Concise EU Digital Services Act FAQ covering intermediary-service scope, active-recipient thresholds, illegal-content notices, statements of reasons, trader traceability, recommender transparency, systemic-risk duties, reporting, penalties, and complaints. - [EU Digital Services Act penalties and fines: caps and enforcement roles](/artifacts/eu/digital-services-act/penalties-and-fines.md): DSA penalty caps and enforcement roles: Member State fines, Commission fines for VLOPs and VLOSEs, 1% procedural fines, and 5% periodic penalty payments. - [EU Digital Services Act requirements by service tier](/artifacts/eu/digital-services-act/requirements.md): Overview of DSA obligations for intermediary services, hosting providers, online platforms, marketplaces, VLOPs and VLOSEs, including notices, complaints, ads, transparency reports, audits, data access and enforcement. - [EU Digital Services Act service types and scope](/artifacts/eu/digital-services-act/service-types-and-scope.md): Classify DSA service scope across mere conduit, caching, hosting, online platforms, marketplaces, online search engines, and VLOP/VLOSE threshold duties. - [EU DSA deadlines and compliance calendar: application dates, reporting cycles, and VLOP clocks](/artifacts/eu/digital-services-act/deadlines-and-compliance-calendar.md): Calendar view of grounded EU Digital Services Act dates: full application, user-number publication, VLOP/VLOSE designation clocks, statements of reasons, and transparency reporting cycles. - [EU DSA Transparency Calendar: reporting, SoR database, AMAR updates](/artifacts/eu/digital-services-act/transparency-calendar.md): Build a DSA transparency calendar for annual reports, statement-of-reasons database submissions, active-recipient updates, and VLOP/VLOSE audit touchpoints. - [EU DSA vs UK Online Safety Act: scope, duties, regulator, and evidence](/artifacts/eu/digital-services-act/dsa-vs-uk-online-safety-act.md): Compare the EU Digital Services Act and UK Online Safety Act for platform scope, risk assessments, child protection, transparency, regulators, enforcement, and owners. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/digital-services-act/researcher-data-access