Digital Services Act – auditing very large online platforms and search engines

KEY POINTS

Independent audits are an important tool for supervising the compliance of VLOPs and VLOSEs with the rules laid down in the DSA. Under the DSA, providers of VLOPs and VLOSEs must submit to independent audits at their own expense at least once a year.

VLOPs and VLOSEs are defined as those having more than 45 million users in the European Union (EU) based on average monthly active recipients of the service. They must undergo regular audits to ensure adherence to their responsibilities under the DSA. The regulation specifies the scope, procedures and methodologies for these audits, ensuring that the results are consistent, transparent and comparable across the industry.

The audit process involves several phases, including the preparation phase, where the audit plan is drawn, the reporting phase, where the auditor provides a detailed audit report, and an implementation phase, in which the audited provider reports on steps it is taking or has taken following the recommendations of the auditor. These reports are shared with the European Commission and relevant regulatory bodies.

Audit scope and selection of auditors

• The audit must be conducted to evaluate the provider’s compliance with obligations, with a reasonable level of assurance.
• Audits must be conducted at least once a year.
• Audits should cover the period since the previous audit and end at a date that allows timely completion of the audit to ensure that there is at least one audit report per year.
• If there has been no previous audit, the audit obligation starts four months after a service was designated as a VLOP or VLOSE and an audit must be completed within a year from that date.
• The provider must select an auditing organisation that meets DSA requirements, in particular the independence, expertise and ethics requirements.
• If the auditing organisation includes multiple entities or subcontractors, they must individually meet legal requirements and jointly meet collective requirements.

Cooperation

• Before the audit, the provider must give the auditor relevant information on internal controls, risk analysis and IT systems.
• The provider must grant full access to data, personnel and systems for auditing purposes.
• The provider must assist the auditing organisation in analysing and testing the provided information.
• The provider and auditor must agree in writing on the audit scope, responsibilities and timeline, and this agreement is to be annexed to the audit report.
• Any changes made to the agreement during the audit must be noted in the report.

Methodologies

The delegated regulation outlines comprehensive audit procedures to ensure robust and consistent assessments. Auditing organisations must adhere to strict independence requirements and demonstrate that they have no conflicts of interest. Auditing organisations must assess the risks that they reach wrong audit conclusions and minimise this audit risk when they develop their audit methodologies. For some DSA provisions, the rules on audit methodologies and procedures include specific requirements, such as the following.

• Risk assessment. Auditors must assess the platforms’ compliance with risk management obligations regarding systemic risks such as the risk of disseminating illegal content.
• Mitigation of risks. Auditors evaluate how providers address risks through effective mitigation measures, which may rely, for example, on content moderation practices and algorithm transparency.
• Crisis response mechanisms. Auditors examine the provider's ability to respond to crises, such as peaks in the prevalence of disinformation during elections or public health emergencies.

The text also specifies requirements around auditor independence, access to information, sampling methods and templates for the audit report and audit implementation report.

Conclusions and recommendations

• The audit report must be detailed and include justifications for findings following a specific template.
• The regulation provides templates for audit reports, ensuring that all platforms and auditors follow a consistent reporting format, making it easier to compare results across different audits and organisations.
• The auditing organisation must issue overall audit opinions on compliance with the DSA obligations and any voluntary commitments under codes of conduct or crisis protocols.
• Audit conclusions on compliance with each audited obligation or commitment are categorised as:
  • positive: compliance is met;
  • positive with comments: compliance is met, but with remarks or suggestions for improvement;
  • negative: compliance is not met, with advice on how to improve.
• Recommendations must address specific issues identified during the audit, explaining their impact.

Three months after the audit is completed, providers of VLOPs and VLOSEs must publish the audit report, contributing to increased transparency. The Commission and other supervisory authorities can take the audit results into account in supervising compliance with the DSA.