A practical guide to the Digital Services Act duties for designated very large online platforms and very large online search engines: risk categories, mitigation measures, audit evidence, transparency publication, data access, and compliance governance.
Use it to shape evidence records for legal, trust and safety, product, recommender, advertising, data science, audit, public policy, and compliance teams without mixing VLOP/VLOSE systemic-risk duties with baseline platform obligations.
Structured answer sets in this page tree.
Cited legal and guidance references.
Under the Digital Services Act, systemic risk assessment and mitigation duties sit in the enhanced VLOP/VLOSE regime. They apply to online platforms and online search engines designated by the Commission after meeting the Article 33 scale threshold, not to every intermediary service. The core evidence file should show how the provider identified Article 34 systemic risks, selected Article 35 mitigation measures, tested and documented them, prepared for Article 37 independent audit, supported Article 40 data access, and kept Article 41 governance accountable.
Article 33 applies the enhanced VLOP/VLOSE section to online platforms and online search engines with average monthly active recipients in the Union equal to or higher than 45 million, once designated by the Commission. The Commission VLOP/VLOSE overview also describes very large platforms and search engines as services with over 45 million users in the EU.
After designation, the service has four months before the enhanced duties in that section apply. A scope record should therefore identify the designated service, provider, EU main establishment, recipient-count basis, designation status, service features covered by the risk assessment, and the Digital Services Coordinator of establishment where relevant.
The assessment must identify, analyse, and assess systemic risks in the Union stemming from the design or functioning of the service and related systems, including algorithmic systems, and from the use made of the service. It must be service-specific and proportionate to severity and probability.
The Article 34 categories are not a generic enterprise risk list. They cover dissemination of illegal content; actual or foreseeable negative effects on fundamental rights; actual or foreseeable negative effects on civic discourse, electoral processes, and public security; and actual or foreseeable negative effects linked to gender-based violence, public health, protection of minors, and serious consequences for physical and mental well-being.
Article 34 requires assessments by the applicable date for the designated service, at least annually thereafter, and before deploying functionalities likely to have a critical impact on the identified risks. It also requires supporting documents to be preserved for at least three years after each assessment.
A useful evidence file should let an auditor trace each conclusion from risk signal to mitigation choice: service map, feature inventory, algorithmic-system descriptions, content moderation metrics, advertising-system review, recommender testing, complaint and notice data, consultation inputs, data-governance records, severity and probability rationale, and management approval.
Mitigation must be reasonable, proportionate, effective, tailored to the specific Article 34 risks, and assessed with particular consideration for fundamental-rights impacts. The evidence should explain why the measure fits the risk and why a less intrusive or more targeted measure would not achieve the same result.
Article 35 examples include adapting service design and interfaces, terms and enforcement, content moderation processes and resources, algorithmic and recommender systems, advertising systems, internal processes and supervision, cooperation with trusted flaggers and dispute-settlement decisions, codes of conduct or crisis protocols, user awareness and interface information, child-protection measures, and markings or reporting functions for generated or manipulated media.
Article 37 requires VLOPs and VLOSEs to undergo independent audits at their own expense at least once a year. Audit reports must include the period covered, auditor identity, interests declaration, elements audited, methodology, findings, consulted third parties, an audit opinion, and operational recommendations where the opinion is not positive.
Article 42 connects the risk program to public transparency. VLOPs and VLOSEs must transmit completed risk assessment results, mitigation measures, audit reports, audit implementation reports, and consultation information to the Digital Services Coordinator of establishment and the Commission, and make them public no later than three months after receiving each audit report, subject to permitted confidentiality redactions with reasons sent to authorities.
No. Article 34 is in the DSA section for designated very large online platforms and very large online search engines. Other DSA obligations may still apply to intermediary services, hosting services, online platforms, or marketplaces, but they are not a substitute for VLOP/VLOSE systemic-risk duties.
It should be able to show the Article 34 risk categories assessed, the service and system evidence used, the severity and probability rationale, the Article 35 mitigation measures chosen, management and compliance-function oversight, supporting documents retained for at least three years, and the audit and publication package required by Articles 37 and 42.
Article 41 requires an independent compliance function with authority, resources, and access to the management body. The head of compliance reports directly to the management body and may warn it about Article 34 risks or non-compliance. The management body remains accountable for governance arrangements, risk-management policies, periodic review, and adequate resources.
A mature DSA risk program therefore needs governance evidence as much as product evidence: named compliance officers, reporting lines, management-body minutes, risk-policy approval, conflicts controls, resource decisions, audit supervision, and documented follow-up on risk, audit, and regulator findings.
Sorena can help map Article 34 risks, Article 35 mitigations, audit evidence, transparency publication, data-access readiness, and compliance governance into one cited DSA workflow.
Ask source-linked questions about VLOP/VLOSE risk categories, mitigation measures, audit evidence, reporting, governance, and data access using the cited sources on this page.
Review your DSA systemic-risk assessment, mitigation evidence, audit readiness, and publication workflow with Sorena.
"internal controls"
"Algorithmic transparency and accountability"
"enhanced due diligence obligations"
"illegal content"
"risks linked to electoral processes"
"Risk assessment and audit reports"
"designated Very Large Online Platforms"
"independent from their operational functions"