On 20 October 2023, the European Commission published its final version of the Delegated Regulation on conducting Independent Audits.
Pursuant to Article 37 (1) of the Digital Services Act (DSA), these rules seek to provide guidance to designated Very large Online Platforms (VLOPs) and Search Engines (VLOSEs) (Audited Providers) and external auditors (Auditing Organisations) on how such audits will be conducted.
In doing so, the Commission provides clarity on the relationship between the two entities, the reporting templates that should be used to conduct these audits (Contained in Annex I), and procedural details on the Final Audit Report, Audit Conclusions, Opinions, Risks Analysis and Quality of Evidence.
The DSA audit process: Rules for assessing algorithmic systems
With the institutionalisation of independent auditing requirements under the DSA, the Commission seeks to bring about a “step change in the transparency and accountability” of online platforms and “offer a comparative basis for public scrutiny”.
The rules also acknowledge the diversity of methodologies that need to be deployed by auditing organisations, and to that end, allow for audits to be adapted “specifically to the nature of the specific service audited, and the risks inherent to it”.
That said, the Commission is firm on the level of substantiveness and precision that it envisages to maintain for these audits, and mandates Auditing Organisations to ensure the highest level of rigour and depth of analysis, i.e., a reasonable level of assurance.
The rules also emphasise the need to holistically assess and audit algorithmic systems (such as recommender systems, adtech algorithms and generative models) and directs Auditing Organisations to develop necessary tools and expertise for assessing not only the technical specification of these systems, but also the broader societal impacts associated with their deployment.
Stakeholder concerns addressed in the final draft
The Commission notes that the initial iteration of the Delegated Regulation received over 40 public comments from a variety of actors – ranging from VLOPs/VLOSEs, potential auditors and civil society entities – that primarily focused on the level of assurance, need for standards and compliance benchmarks involved with conducting these audits. Particularly, further clarity on the auditing criteria was unanimous across stakeholders, with most concerns about comparability of results and possible compromises on the independence of auditors. The rules largely address these concerns, with notable changes highlighted in the table below:
DSA Audits with Holistic AI
As leaders in the fields of AI Assurance and Algorithm Auditing, Holistic AI provides comprehensive and tailored solutions to support your business with compliance obligations under the Digital Services Act.
How do we achieve this? By considering several factors, such as the complexity and novelty of conducting such audits, the need to deploy socio-technical methods to audit certain provisions, and the timeline for the application of obligations, among others.
Pursuant to the Delegated Regulation on Independent Audits under the DSA, Holistic AI provides the following services to covered entities:
Authored by Siddhant Chatterjee, Policy & Governance Strategist at Holistic AI.