DSA VLOP and VLOSE Audit Pack Workflow

A workflow for assembling the records a designated VLOP or VLOSE needs before, during, and after an independent DSA audit.

Use it to connect systemic-risk assessments, mitigation controls, transparency reports, data-access handling, compliance-function governance, and audit implementation records.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

This workflow is for a provider preparing an audit pack for a designated very large online platform or very large online search engine under the Digital Services Act. The pack should let an independent auditor trace each audited obligation from legal trigger to owner, control, evidence, finding, recommendation, and implementation response.

1. Confirm the designated service and audit perimeter

Start the pack at service level, not company level. Record the Commission designation, the service name, whether the service is treated as a VLOP or VLOSE, and the EU user-number basis used for designation or continued monitoring.

The audit perimeter should then list the DSA obligations and commitments to be tested for that service: Chapter III obligations, VLOP/VLOSE systemic-risk duties, and any commitments under codes of conduct or crisis protocols that the provider has undertaken.

  • Trigger record: Commission designation status, service name, VLOP or VLOSE classification, and the latest EU average-monthly-active-recipient publication.
  • Coverage record: obligations in scope for the audited service, including risk assessment, mitigation, independent audit, data access, compliance function, and transparency reporting.
  • Exclusion record: obligations or commitments not applicable to the audited service, with the source-linked reason and approver.
  • Confidentiality record: identify evidence that needs a public version and a confidential supervisory or auditor version.

2. Build the Article 34 risk-assessment evidence file

The risk-assessment file should show how the provider identified, analysed, and assessed systemic risks for the audited service. It should not be a summary memo alone; it needs the underlying data, assumptions, tests, consultations, and sign-offs that explain how the assessment was reached.

Create one evidence row per risk category and per relevant system factor. The row should name the affected service feature, risk hypothesis, data used, regional or linguistic consideration, severity and probability assessment, control owner, and preserved supporting documents.

  • Risk categories: illegal content; fundamental-rights effects; civic discourse, electoral processes, and public security; gender-based violence, public health, minors, and physical or mental wellbeing.
  • System factors: recommender systems, other algorithmic systems, content moderation systems, terms enforcement, advertising selection and presentation, and data-related practices.
  • Critical-change trigger: before deploying a functionality likely to have a critical impact on identified risks, add a pre-deployment risk-assessment record.
  • Retention control: preserve supporting documents for risk assessments for at least three years and keep them ready for Commission or Digital Services Coordinator requests.

3. Connect Article 35 mitigation measures to testable controls

For each systemic risk, the audit pack should show which mitigation measures were considered, which were adopted, which were rejected, and why. The record should be specific enough for an auditor to test whether the measures are reasonable, proportionate, effective, and actually operating.

Use a mitigation-control matrix rather than a narrative-only policy. Each row should identify the risk, selected mitigation, control owner, system or process touched, implementation date, testing method, evidence location, residual risk, and management review outcome.

  • Possible mitigation records include interface or feature changes, terms-enforcement changes, content-moderation resourcing and quality controls, recommender-system tests, advertising-system adjustments, cooperation with trusted flaggers or other providers, awareness measures, and child-protection measures.
  • Keep before-and-after evidence where available, especially for algorithmic systems, content-moderation processes, advertising systems, and measures targeted at minors or vulnerable groups.
  • Log measures not applied and the reason, because the delegated audit regulation expects auditors to assess whether Article 35 mitigation options were considered and whether conclusions were appropriate.
  • Tie each mitigation row to compliance-function monitoring and management-body review so governance evidence is not separated from technical evidence.

4. Prepare the independent-audit dossier

The independent-audit dossier should let the audit organisation verify scope, independence, methodology, evidence quality, sampling, findings, and the provider's response to recommendations. Keep a single index that links each audited obligation to the evidence set supplied to the auditor.

The dossier should also anticipate the public and confidential versions of the audit report and audit implementation report. Where information is confidential, record the reason for redaction and the evidence available to the auditor, Commission, or Digital Services Coordinator.

  • Auditor selection file: independence and conflict checks, technical competence, risk-management expertise, professional-ethics basis, and any subcontracted expertise.
  • Audit evidence index: risk assessments, mitigation reports, transparency reports, test results, algorithmic-system evidence, written and oral responses, premises observations where applicable, and Commission or Board guidance considered.
  • Methodology file: audit criteria, materiality threshold, tests, substantive analytical procedures, sampling rationale, and changes to methodology during the audit.
  • Outcome file: audit opinion, findings, elements that could not be audited, operational recommendations, recommended timeframe, and provider response.
  • Implementation file: if the audit is not positive, adopt an audit implementation report within one month from receiving recommendations, setting out measures or justified alternatives.

5. Add transparency, data-access, and governance records

A VLOP/VLOSE audit pack should include the public accountability records that regulators, researchers, users, and auditors can compare against the provider's internal evidence. Keep the transparency-report, data-access, and compliance-governance records linked to the same service and reporting period as the audit.

For data access, maintain a request log that distinguishes Commission or Digital Services Coordinator access from vetted-researcher access. For governance, keep proof that the compliance function is independent from operational functions and can escalate risk or non-compliance to the management body.

  • Transparency-report file: published reports, reporting period, VLOP/VLOSE six-month cadence, human resources for content moderation by EU language where applicable, linguistic expertise, automated-moderation accuracy indicators, and Member-State active-recipient figures.
  • Template compliance file: CSV or XLSX template used, publication date, version history, corrections, and evidence that reports remain publicly available for the required retention period.
  • Data-access file: requests from the Commission, Digital Services Coordinator, or vetted researchers; requested data; algorithmic-system explanations; security or confidentiality concerns; amendment requests; interface or API access method; response deadline and completion record.
  • Compliance-function file: head of compliance contact notice to the Commission and Digital Services Coordinator, independence safeguards, management-body review, risk-management resources, and audit-supervision responsibility.
  • Publication file: risk-assessment result report, mitigation-measures report, audit report, audit implementation report, and consultation information made public or transmitted as required after audit completion.

Primary sources

digital-strategy.ec.europa.eu
Referenced section: "Risk assessment and audit reports"
  • Commission transparency overview linking VLOP/VLOSE transparency reports, user-number publication, statement-of-reasons transparency, data access, and risk assessment and audit reports.

eur-lex.europa.eu
Referenced section: "Data access and scrutiny"
  • Articles 40, 41, and 42 support the data-access log, compliance-function governance file, and VLOP/VLOSE transparency and audit-publication records.