Yes. Providers of VLOPs and VLOSEs are required to publish, on an annual basis, the reports on their risk assessments, the mitigation measures put in place, the audit reports and the audit implementation reports. These were transmitted to the Commission and the Digital Services Coordinators (DSCs) of establishment during that risk assessment cycle.
Providers of VLOPs and VLOSEs must also publish, where applicable, information about consultations they conducted with external experts in support of the risk assessments and the design of risk mitigation measures.
For context: Providers of VLOPs and VLOSEs must assess systemic risks stemming from their services at least once a year, and in any event always prior to deploying new functionalities that are likely to have an impact on the risks. They are obliged to identify under the DSA, and they must put in place mitigation measures tailored to the risks they identified as part of that risk assessment. The DSA also requires providers of VLOPs and VLOSEs to ensure that their services undergo a compliance audit at least once a year, leading to an audit report by an independent auditing organisation.
Providers of VLOPs and VLOSEs must transmit the risk assessment report, the risk mitigation measures and the audit report to the Commission and the DSC of establishment without undue delay upon completion. Where auditors make recommendations concerning compliance with the DSA, providers must present their reactions to those recommendations in an audit implementation report which must also be transmitted, upon completion, to the Commission and the DSC of establishment.
Relevant Articles: 34, 35, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”). The specific DSA obligations for VLOPs and VLOSEs are those contained in Section 5, Chapter III of the DSA.
The publication should take place at the latest three months after the receipt of the report on the yearly compliance audit that each VLOP and VLOSE must undergo. This means that for each service, the publication date depends on the date on which the independent auditing organisation submits its audit report to the provider.
The DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo an independent audit at least once a year, leading to an audit report by the auditing organisation. For the first 19 VLOPs and VLOSEs designated by the Commission in April 2023, the DSA became applicable in August 2023 and the audit reports were due between 28 August and 04 September 2024 at the latest, depending on the date the provider acknowledged receipt of the designation decision.
In any event, providers of VLOPs and VLOSEs must transmit the reports concerning their risk assessments (including the ad hoc risk assessment reports prior to deploying new functionalities), risk mitigation measures and compliance audits to their Digital Services Coordinator of establishment and to the Commission without undue delay upon completion.
Providers have an obligation to publish reports on their risk assessments and their risk mitigation measures at least once a year. These reports should cover the corresponding risk assessment cycle, completed before the submission of the audit report. Any risk assessments and risk mitigation measures that have not yet been made publicly available along with their audit reports and audit implementation reports, should also be published. This also includes ad hoc risk assessment reports, (i.e. assessments performed prior to deploying new functionalities that are likely to have an impact on the risks) transmitted to the Commission and the DSC of establishment in that yearly cycle.
Relevant Articles: Arts. 34, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”)
The DSA pursues broad transparency and public scrutiny goals, as confirmed by the Vice-President of the Court of Justice of the European Union in its orders in Cases C‑639/23 P(R), C-511/24 P(R)), and C-620/24 P(R) concerning interim relief requested in relation to the obligation laid down in Article 39 DSA. Moreover, recital 100 DSA states that providers of VLOPs and VLOSEs should report “comprehensively” on their risk assessment.
The publication of reports concerning the risk assessments and risk mitigation measures by providers of VLOPs and VLOSEs and their yearly DSA compliance audits are crucial for informing the public (including civil society organisations, media representatives, researchers) and for fostering a societal debate about the systemic risks stemming from VLOPs and VLOSEs and the risk mitigation measures adopted by their providers.
Therefore, the reports that the providers publish must be as complete as possible. At the same time, providers of VLOPs and VLOSEs may remove information from the reports that they must publish when such information might:
- result in the disclosure of confidential information of the provider or of recipients of the service;
- cause significant vulnerabilities for the security of the service;
- undermine public security; or
- harm recipients of the service.
Providers of VLOPs and VLOSEs must provide a statement of the reasons to the Digital Services Coordinator of establishment and to the Commission for the removal of information from the public version of their risk assessment reports and the mitigation measures put in place, including the ad hoc risk assessment reports, the audit reports, and the audit implementation reports. The statement of reasons must thoroughly justify each redaction and specifically explain why, in the view of the provider of the VLOPs and VLOSEs, the redactions are justified under Article 42(5) DSA.
In view of the transparency goals of the DSA, redactions may only be made exceptionally and must be justified with clear reasoning explaining all relevant conditions as set out in Article 42(5) DSA. Where redactions have been made, they should be made clearly visible by marking the removed text (e.g. through blacked-out redaction) rather than simply deleting or omitting content. This ensures that the degree of redaction is evident to the public, while still protecting the underlying confidential or security-sensitive information. Silent redactions would undermine the DSA’s transparency objective, as they obscure to the public whether and where information has been removed.
Relevant Article: Art. 42(5) of Regulation (EU) 2022/2065 (“DSA”)
According to the case-law of the Court of Justice of the European Union (see, for example: Case T-198/03, Bank Austria Creditanstalt) information is to be considered confidential where it satisfies cumulatively the following three pre-requisites for protection:
- it must be known only to a limited number of persons;
- its disclosure must be liable to cause serious harm to the person who has provided it or to third parties;
- the interests liable to be harmed by the disclosure must be objectively worthy of protection, which is to be assessed when weighing the interests opposing publication against the public interest in the publication.
Exceptions to the obligation of publication are to be interpreted restrictively. Justifications for redactions must be clear and well-explained. Each redaction has to be assessed on a case-by-case basis and an explanation of the reasons for that redaction, in view of the conditions outlined in Article 42(5) DSA, has to be provided. Where providers of VLOPs and VLOSEs redact information on the basis of confidentiality claims, they must substantiate their claims that the information qualifies as confidential (i.e. that it fulfils all three conditions enumerated above) in the statements of reasons that they submit to the Digital Services Coordinator of establishment and to the Commission. Incomplete, unsubstantiated, generic or only partially substantiated claims cannot be deemed to justify redactions. Providers of VLOPs and VLOSEs must justify confidentiality claims concerning specific parts of text in their reports. For example, confidentiality cannot be claimed on the risk assessment reports as a whole.
Where absolutely necessary to protect information which has been deemed to constitute confidential information, providers can paraphrase the text at issue in the public versions of the reports.
Relevant Article: Art. 42(5) of Regulation (EU) 2022/2065 (“DSA”)
Where the Commission considers that redactions are unjustified and thus that the provider of a VLOP or VLOSE has not fully complied with its transparency obligations, it may consider such action to constitute an infringement of the regulation.
Relevant Article: Art. 42 of Regulation (EU) 2022/2065 (“DSA”)
Article 42(4) DSA establishes a yearly publishing cycle of reports, with the aim of ensuring transparency. The purpose of that publishing cycle is to enable the public to compare the risk assessment reports of VLOPs and VLOSEs referred to in Article 34 DSA with the independent audit reports of VLOPs and VLOSEs referred to in Article 37(4) DSA.
Moreover, Article 37 DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo audits at least once a year, resulting in mandatory audit reports. The first yearly audit report is due one year after the rules for VLOPs and VLOSEs began to apply to the service in question. Article 42(4) DSA requires providers of VLOPs and VLOSEs to publish their audit reports at the latest three months after their receipt from the auditing organisation. Three months after the date of receipt of the audit report, the provider of VLOPs and VLOSEs must also publish the other reports listed in Article 42(4) DSA, including “a report setting out the risk assessment pursuant to Article 34”. Both the audit report and the other reports mentioned in Article 42(4) DSA that providers of VLOPs and VLOSEs must publish, including the risk assessment report, are those of the ongoing year.
Given that an audit report only needs to be compiled and published one full year following the entry into application of the rules for VLOPs and VLOSEs to a designated service, the obligation to publish the risk assessment report in Article 42(4) DSA also only applies as of one year after that date. Consequently, while providers of services designated as VLOPs and VLOSEs in April 2023 were obliged to compile their first risk assessment reports in August/September 2023, Article 42(4) DSA only requires those providers to publish their risk assessment reports for 2024 alongside their audit reports for 2024. The Commission nevertheless encourages providers of VLOPs and VLOSEs to also publish their risk assessment reports of the first year in which the rules for VLOPs and VLOSEs apply to their services even if their annual audit report was not yet due.
Relevant Articles: Arts. 37(4) and 42(4) of Regulation (EU) 2022/2065 (“DSA”). The specific DSA obligations for VLOPs and VLOSEs are those contained in Section 5, Chapter III of the DSA.
To fulfil the transparency objectives of the DSA, providers of VLOPs and VLOSEs should make their reports publicly available. Once published, recipients should be able to access those reports. For instance, this takes the form of a dedicated DSA compliance or transparency page on the VLOP’s or VLOSE’s online interface. Such page ensures that civil society representatives, researchers, media representatives, and users can easily locate and access relevant reports. Under Article 42(4) DSA, providers of VLOPs and VLOSEs should not prevent recipients from accessing the risk assessment, mitigation, audit and audit implementation reports.
Providers may also inform the Commission and the Digital Services Coordinator of establishment once publication has taken place.
Relevant Articles: Arts. 34, 35, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”).
Providers of VLOPs and VLOSEs must make publicly available the results of the latest risk assessment performed when publication is due, even if the period covered by it does not coincide with the independently audited period. As clarified in Recital 100 DSA, the goal of the reporting obligations listed in Article 42(4) DSA is to ensure transparency. Specially, in respect to the systemic risks identified by the providers of VLOPs and VLOSEs and the mitigation measures adopted to counter those. Publishing the most recent and up-to-date information is the most suitable action to meet the transparency reporting obligations contained in that provision, by ensuring that users have access to all the available information at that time, even if, for purely factual reasons, it has not yet been independently audited.
The different risk assessment and auditing cycles do not impede the possibility to compare the results of the risk assessment performed by the providers themselves and the independent audit reports, as they will all be eventually published.
Relevant Articles: Arts. 34, 35, 37 and 42(4) of Regulation (EU) 2022/2065 (“DSA”).
Related content
The Digital Services Act (DSA) details a range of actions to promote transparency and accountability of online services, without hindering innovation and competitiveness.