Rules for Independent Audits under the EU’s Digital Services Act (DSA)

October 18, 2023
Authored by
Siddhant Chatterjee
Public Policy Strategist at Holistic AI
Rules for Independent Audits under the EU’s Digital Services Act (DSA)

Seeking to ensure safe online environments for users, the Digital Services Act (DSA) sets out a comprehensive accountability and transparency regime for a variety of digital services and platforms operating in the European Union (EU). Covering a spectrum of digital platforms, the DSA harmonises the diverging national rules of European Member States that had emerged under the E-Commerce Directive of 2000. This legislation, with the Digital Markets Act and upcoming EU AI Act – seeks to usher in a new regulatory paradigm for the effective governance of digital technologies in the European Single Market.

This blog focuses on the Independent Auditing provision for Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs), and how affected entities can ensure compliance with this regulation.

Key Takeaways:

  • The DSA imposes cumulative obligations on intermediary services, with different provisions for Hosting Services, Online Platforms, VLOPs, and VLOSEs.
  • VLOPs and VLOSEs with over 45 million Monthly Active Users in the EU face the most stringent requirements.
  • Special obligations for VLOPs and VLOSEs under Articles 34 to 48 came into effect from late August 2023. The DSA introduces novel tools for complying with these provisions, including risk assessments, opt-outs from personalized recommendations, algorithm transparency, data access to researchers, and independent audits.
  • Article 37 of the DSA mandates VLOPs and VLOSEs to commission external auditors to test and validate their compliance efforts annually. To this end, the European Commission released a Delegated Regulation in May 2023 to largely provide procedural guidance on conducting these audits.
  • The Delegated Regulation clarifies the relationship between Audited Platforms and External Auditors and establishes important provisions and templates on submitting the Final Audit Report, Audit Conclusions, Audit Opinions and Risks Analysis, among others.

Digital Services Act Obligations: An Overview

Taking a staggered approach, the DSA imposes cumulative obligations (Articles 11 through 48, housed in Chapter III) on intermediary services that fall under the definition of Hosting Services, Online Platforms and Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs). The provisions apply differently depending on the nature of the intermediary service, with VLOPs and VLOSEs – platforms with more than 45 million Monthly Active Users in the EU -- subject to the most stringent requirements. The following diagram illustrates the many obligations for covered entities under the DSA.

In addition to complying with general Due Diligence requirements applicable to all intermediary services, the 19 VLOPs and VLOSEs – including the likes of YouTube, TikTok, Instagram, Amazon and Zalando, are subjected to a set of special obligations outlined in Articles 34 to 48 of the DSA. These came into effect from late August 2023, in line with the European Commission’s mandate for these to be enforced six months from the Date of VLOP/VLOSE designation, i.e from April 2023.

To fulfil these obligations, the DSA introduces a set of novel tools -- ranging from comprehensive risk assessments, allowing users to opt-out from personalised recommendations, mandatory algorithmic explainability and transparency, to even providing vetted researchers access to platform data through API access. Most notable among these requirements, however, is the provision for subjecting platforms to independent audits of their safety and integrity efforts, under Article 37.

Independent Audits under the EU’s Digital Services Act

Independent Auditing for VLOPs and VLOSEs under the DSA (Article 37)

A global-first, Article 37(1) of the DSA mandates VLOPs and VLOSEs (Audited Providers) to commission external auditors (Auditing Organisations) to test and validate their compliance efforts with Due Diligence Commitments under Chapter III of the legislation on an annual basis. These need to be aligned with the yearly cycle of Risk Assessments that need to be performed by VLOPs and VLOSEs under Article 34 of the DSA and be conducted for relevant Codes of Conduct and Crisis Protocols. Further, they need to be performed with a Reasonable Level of Assurance, wherein the auditing organisation should have a “high, but not absolute, level of confidence that there have been no misstatements such as omissions, misrepresentations, or errors, which were not detected in the audit”, and be submitted in the form of an Audit Report to the European Commission.

Given the novelty of this regulatory tool, the European Commission has sought to provide clarity to affected entities by releasing a Delegated Regulation on Conducting Independent Audits in May 2023.  These draft delegated rules seek to provide guidance on the procedural modalities involved, and to that end clarify the methodologies, steps and reporting templates that must be implemented for these audits. In particular, the draft rules mention the need to systematically audit algorithmic systems, which have been defined to include advertising systems, recommendation engines, content moderation technologies and other features that may use novel technologies like generative AI and foundation models.

The Delegated Rules clarify the relationship between Audited Providers and Auditing Organisations, and lay down provisions for selecting auditors, as well as mechanisms on data sharing and cooperation between the two. Due to the complex and specific nature of such audits, the draft permits Audited Providers to contract different Auditing Organisations or a consortium of auditors to conduct the same.

The table below describes the important aspects of the delegated regulation:

Elements of the Delegated Regulation Description
Pre-Audit Procedure
Before conducting an audit, the Audited Provider is required to supply the following information to the Auditing Organisation:

  • Description of internal controls for each audited obligation, including historical data and benchmark metrics to measure performance
  • Preliminary analysis of inherent and control risks
  • Access to all data necessary for the performance of the audit, which may include personal data and information on internal processes and testing environments, among others
  • Final Audit Report and Audit Implementation Report
  • The Auditing Organisation is required to send a Final Report of the audit conducted to the Audited Provider, a template for which was provided alongside the draft procedures.
  • The Audited Provider in turn, must submit this report to the European Commission and Digital Services Coordinator of its Member State within a month of receipt.
  • Additionally, the Audited Provider is required to publicly publish an Audit Implementation Report of the Final Report within three months from the date of receipt.
  • Audit Risks Analysis
    The Final Report shall also include a Risk Analysis conducted by the auditor for the assessment of the Audited Provider’s compliance with each obligation. These should be conducted before and during the audit, and should consider the following:

  • Inherent Risks: Risks of non-compliance arising from the nature and use of the audited service, and the context it used in
  • Control Risks: Misstatements that have not been prevented or detected by the provider’s internal controls, and
  • Detection risks: Misstatements that have not been detected by the auditor.
  • Audit Conclusions
    Auditing Organisations are directed to submit Audit Conclusions in the Final Report, which shall be either:

  • Positive, where the auditor has concluded that the provider has complied with an audited obligation or commitment
  • Positive with comments, where auditing obligations have been satisfied, but:
    • The auditor recommends improvements on meeting certain obligations, or
    • The auditor uses the Audit Criteria mentioned in Article 10(2) of the draft
  • Negative, where obligations have not been complied with
  • Cumulative Audit Opinion
    Auditing Organisations also need to provide Cumulative Audit Opinions, which can either be:

  • Positive, if the auditing organisation has reached a positive audit conclusion for all the audited obligations;
  • Positive with comments, if the auditing organisation has reached at least one audit conclusion that is positive with comments for an audited obligation, and has not reached a negative audit conclusion for any of the audited obligations or commitments;
  • Negative, if the auditing organisation reached a negative audit conclusion for at least one audited obligation or commitment
  • We’re a part of the Solution

    Pursuant to the Delegated Draft Regulation on Independent Audits under the DSA, Holistic AI provides the following services to covered entities:

    • Conduct an independent annual audit of due diligence obligations set out in Chapter III (Articles 11 to 48) of the Digital Services Act (DSA)
    • Cover compliance with any commitments undertaken pursuant to codes of conduct or crises protocols, where applicable, and
    • Provide a Final Audit Report, in line with the guidance and template provided by the Draft Delegated Regulation at the end of the audit period, which would include:

      • Audit Conclusions and operational recommendations on measures (with timeframes for to achieve compliance) for corresponding audited obligations,
      • Cumulative Audit Opinion for the report, assessing the entity’s compliance with all audited obligations, as mentioned in Article 37(1(a)) of the DSA
      • An explanation of the circumstances and reasons why certain elements could not be audited, if applicable
      • Audits Risks Analysis on inherent risks, control risks and detection risks to ensure compliance with the regulation
      • Methodologies, criteria and other technical and operational details of implementing these audits
      • Any other information, as required by the Draft Delegated Regulation on Independent Audits
      • A full version (for EU authorities and internal use) and a redacted/shortened version (for publication) of the Final Report, as required under Articles 37 and 42(5) of the DSA

    Schedule a demo with our experts to find out more.

    DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.

    Subscriber to our Newsletter
    Join our mailing list to receive the latest news and updates.
    We’re committed to your privacy. Holistic AI uses this information to contact you about relevant information, news, and services. You may unsubscribe at anytime. Privacy Policy.

    Discover how we can help your company

    Schedule a call with one of our experts

    Schedule a call