---
title: "DSA VLOP Audit Pack Workflow: Risk, Mitigation, Audit, and Transparency Records"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/vlop-audit-pack-workflow"
source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/vlop-audit-pack-workflow"
author: "Sorena AI"
description: "Build a DSA VLOP or VLOSE audit pack covering Article 34 risk assessments, Article 35 mitigations, independent-audit evidence, transparency reports, data access, and compliance governance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Digital Services Act"
  - "DSA"
  - "VLOP audit"
  - "VLOSE audit"
  - "Article 34 risk assessment"
  - "Article 35 mitigation"
  - "Article 37 audit"
  - "Article 40 data access"
  - "Article 42 transparency report"
  - "VLOP"
  - "VLOSE"
  - "independent audit"
  - "risk assessment"
  - "transparency report"
---
# DSA VLOP Audit Pack Workflow: Risk, Mitigation, Audit, and Transparency Records

Build a DSA VLOP or VLOSE audit pack covering Article 34 risk assessments, Article 35 mitigations, independent-audit evidence, transparency reports, data access, and compliance governance.

## DSA VLOP and VLOSE Audit Pack Workflow

A workflow for assembling the records a designated VLOP or VLOSE needs before, during, and after an independent DSA audit.

Use it to connect systemic-risk assessments, mitigation controls, transparency reports, data-access handling, compliance-function governance, and audit implementation records.

This workflow is for a provider preparing an audit pack for a designated very large online platform or very large online search engine under the Digital Services Act. The pack should let an independent auditor trace each audited obligation from legal trigger to owner, control, evidence, finding, recommendation, and implementation response.

## 1. Confirm the designated service and audit perimeter

Start the pack at service level, not company level. Record the Commission designation, the service name, whether the service is treated as a VLOP or VLOSE, and the EU user-number basis used for designation or continued monitoring.

The audit perimeter should then list the DSA obligations and commitments to be tested for that service: Chapter III obligations, VLOP/VLOSE systemic-risk duties, and any commitments under codes of conduct or crisis protocols that the provider has undertaken.

- Trigger record: Commission designation status, service name, VLOP or VLOSE classification, and the latest EU average-monthly-active-recipient publication.
- Coverage record: obligations in scope for the audited service, including risk assessment, mitigation, independent audit, data access, compliance function, and transparency reporting.
- Exclusion record: obligations or commitments not applicable to the audited service, with the source-linked reason and approver.
- Confidentiality record: identify evidence that needs a public version and a confidential supervisory or auditor version.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 33 sets the VLOP/VLOSE designation threshold and Articles 34 to 42 define the risk, audit, data-access, compliance-function, and transparency records covered by this workflow.
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview describing the VLOP/VLOSE threshold, designation effects, and enhanced obligations after designation.

## 2. Build the Article 34 risk-assessment evidence file

The risk-assessment file should show how the provider identified, analysed, and assessed systemic risks for the audited service. It should not be a summary memo alone; it needs the underlying data, assumptions, tests, consultations, and sign-offs that explain how the assessment was reached.

Create one evidence row per risk category and per relevant system factor. The row should name the affected service feature, risk hypothesis, data used, regional or linguistic consideration, severity and probability assessment, control owner, and preserved supporting documents.

- Risk categories: illegal content; fundamental-rights effects; civic discourse, electoral processes, and public security; gender-based violence, public health, minors, and physical or mental wellbeing.
- System factors: recommender systems, other algorithmic systems, content moderation systems, terms enforcement, advertising selection and presentation, and data-related practices.
- Critical-change trigger: before deploying a functionality likely to have a critical impact on identified risks, add a pre-deployment risk-assessment record.
- Retention control: preserve supporting documents for risk assessments for at least three years and keep them ready for Commission or Digital Services Coordinator requests.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 34 specifies the systemic-risk categories, annual and critical-change risk-assessment triggers, and supporting-document preservation requirement.
- [Commission Delegated Regulation (EU) 2024/436 on DSA audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Article 13 of the delegated audit regulation describes how auditors assess Article 34 risk-assessment diligence, sources, impacted groups, timing, controls, and preserved documentation.

## 3. Connect Article 35 mitigation measures to testable controls

For each systemic risk, the audit pack should show which mitigation measures were considered, which were adopted, which were rejected, and why. The record should be specific enough for an auditor to test whether the measures are reasonable, proportionate, effective, and actually operating.

Use a mitigation-control matrix rather than a narrative-only policy. Each row should identify the risk, selected mitigation, control owner, system or process touched, implementation date, testing method, evidence location, residual risk, and management review outcome.

- Possible mitigation records include interface or feature changes, terms-enforcement changes, content-moderation resourcing and quality controls, recommender-system tests, advertising-system adjustments, cooperation with trusted flaggers or other providers, awareness measures, and child-protection measures.
- Keep before-and-after evidence where available, especially for algorithmic systems, content-moderation processes, advertising systems, and measures targeted at minors or vulnerable groups.
- Log measures not applied and the reason, because the delegated audit regulation expects auditors to assess whether Article 35 mitigation options were considered and whether conclusions were appropriate.
- Tie each mitigation row to compliance-function monitoring and management-body review so governance evidence is not separated from technical evidence.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 35 lists examples of risk-mitigation measures and requires reasonable, proportionate, and effective mitigation tailored to Article 34 risks.
- [Commission Delegated Regulation (EU) 2024/436 on DSA audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Article 14 of the delegated audit regulation requires audit analysis of mitigation identification, applicability assessment, design, execution, and control testing.

## 4. Prepare the independent-audit dossier

The independent-audit dossier should let the audit organisation verify scope, independence, methodology, evidence quality, sampling, findings, and the provider's response to recommendations. Keep a single index that links each audited obligation to the evidence set supplied to the auditor.

The dossier should also anticipate the public and confidential versions of the audit report and audit implementation report. Where information is confidential, record the reason for redaction and the evidence available to the auditor, Commission, or Digital Services Coordinator.

- Auditor selection file: independence and conflict checks, technical competence, risk-management expertise, professional-ethics basis, and any subcontracted expertise.
- Audit evidence index: risk assessments, mitigation reports, transparency reports, test results, algorithmic-system evidence, written and oral responses, premises observations where applicable, and Commission or Board guidance considered.
- Methodology file: audit criteria, materiality threshold, tests, substantive analytical procedures, sampling rationale, and changes to methodology during the audit.
- Outcome file: audit opinion, findings, elements that could not be audited, operational recommendations, recommended timeframe, and provider response.
- Implementation file: if the audit is not positive, adopt an audit implementation report within one month from receiving recommendations, setting out measures or justified alternatives.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Article 37 requires annual independent audits at the provider's expense, auditor cooperation, written audit reports, audit opinions, recommendations, and audit implementation reports.
- [Commission Delegated Regulation (EU) 2024/436 on DSA audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - The delegated regulation supplies audit-performance rules, evidence-quality expectations, methodology requirements, and templates for audit and implementation reports.

## 5. Add transparency, data-access, and governance records

A VLOP/VLOSE audit pack should include the public accountability records that regulators, researchers, users, and auditors can compare against the provider's internal evidence. Keep the transparency-report, data-access, and compliance-governance records linked to the same service and reporting period as the audit.

For data access, maintain a request log that distinguishes Commission or Digital Services Coordinator access from vetted-researcher access. For governance, keep proof that the compliance function is independent from operational functions and can escalate risk or non-compliance to the management body.

- Transparency-report file: published reports, reporting period, VLOP/VLOSE six-month cadence, human resources for content moderation by EU language where applicable, linguistic expertise, automated-moderation accuracy indicators, and Member-State active-recipient figures.
- Template compliance file: CSV or XLSX template used, publication date, version history, corrections, and evidence that reports remain publicly available for the required retention period.
- Data-access file: requests from the Commission, Digital Services Coordinator, or vetted researchers; requested data; algorithmic-system explanations; security or confidentiality concerns; amendment requests; interface or API access method; response deadline and completion record.
- Compliance-function file: head of compliance contact notice to the Commission and Digital Services Coordinator, independence safeguards, management-body review, risk-management resources, and audit-supervision responsibility.
- Publication file: risk-assessment result report, mitigation-measures report, audit report, audit implementation report, and consultation information made public or transmitted as required after audit completion.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Articles 40, 41, and 42 support the data-access log, compliance-function governance file, and VLOP/VLOSE transparency and audit-publication records.
- [Commission Implementing Regulation (EU) 2024/2835 on DSA transparency reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2835/oj/eng?ref=sorena.io) - This implementing regulation sets transparency-report templates, publication format, reporting periods, publication timing, versioning, and five-year public availability for reports.
- [European Commission - How the DSA enhances transparency online](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission transparency overview linking VLOP/VLOSE transparency reports, user-number publication, statement-of-reasons transparency, data access, and risk assessment and audit reports.

## Primary sources

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng?ref=sorena.io) - Primary legal source for VLOP/VLOSE designation, Article 34 risk assessment, Article 35 mitigation, Article 37 audit, Article 40 data access, Article 41 compliance function, and Article 42 transparency obligations.
  - Quote: "very large online platforms"
- [Commission Delegated Regulation (EU) 2024/436 on DSA audits](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R0436&ref=sorena.io) - Audit-performance regulation used for the audit-pack methodology, evidence, sampling, audit-report, and audit-implementation-report records.
  - Quote: "performance of audits"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Commission overview used for VLOP/VLOSE threshold, designation consequences, and enhanced duties such as audits, data sharing, researcher access, recommender options, and ad repositories.
  - Quote: "Obligations for VLOPs and VLOSEs"
- [Commission Implementing Regulation (EU) 2024/2835 on DSA transparency reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2024/2835/oj/eng?ref=sorena.io) - Source for transparency-report templates, CSV/XLSX publication format, reporting periods, publication timing, versioning, and public availability requirements.
  - Quote: "transparency reporting obligations"
- [European Commission - How the DSA enhances transparency online](https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency?ref=sorena.io) - Commission overview used to connect transparency reports, user numbers, statement-of-reasons transparency, data access, and risk assessment and audit reports.
  - Quote: "enhances transparency online"

