Digital Services Act: European Commission Publishes Final Delegated Regulation on Conducting Independent Audits

October 21, 2023
Authored by
Siddhant Chatterjee
Public Policy Strategist at Holistic AI

On 20 October 2023, the European Commission published its final version of the Delegated Regulation on conducting Independent Audits.

Pursuant to Article 37(1) of the Digital Services Act (DSA), these rules seek to provide guidance to designated Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs) (Audited Providers) and external auditors (Auditing Organisations) on how such audits will be conducted.

In doing so, the Commission provides clarity on the relationship between the two entities, the reporting templates that should be used to conduct these audits (contained in Annex I), and procedural details on the Final Audit Report, Audit Conclusions, Opinions, Risk Analysis and Quality of Evidence.

The DSA audit process: Rules for assessing algorithmic systems

With the institutionalisation of independent auditing requirements under the DSA, the Commission seeks to bring about a “step change in the transparency and accountability” of online platforms and “offer a comparative basis for public scrutiny”.

The rules also acknowledge the diversity of methodologies that need to be deployed by auditing organisations, and to that end, allow for audits to be adapted “specifically to the nature of the specific service audited, and the risks inherent to it”.

That said, the Commission is firm on the level of substance and precision it expects of these audits, and mandates Auditing Organisations to ensure the highest level of rigour and depth of analysis, i.e., a reasonable level of assurance.

The rules also emphasise the need to holistically assess and audit algorithmic systems (such as recommender systems, adtech algorithms and generative models) and direct Auditing Organisations to develop the necessary tools and expertise for assessing not only the technical specifications of these systems, but also the broader societal impacts associated with their deployment.

For a more in-depth understanding of conducting independent audits under the DSA, check out our recent blog on the topic.

Stakeholder concerns addressed in the final draft

The Commission notes that the initial iteration of the Delegated Regulation received over 40 public comments from a variety of actors, ranging from VLOPs/VLOSEs and potential auditors to civil society entities, that primarily focused on the level of assurance and the need for standards and compliance benchmarks when conducting these audits. In particular, calls for further clarity on the auditing criteria were unanimous across stakeholders, with most concerns centring on the comparability of results and possible compromises of auditor independence. The rules largely address these concerns, with notable changes highlighted below, provision by provision:

Provision: Article 3, Scope of Audit and Reasonable Level of Assurance
Draft version: The audit shall cover the period starting immediately after the period covered by the previous audit and ending on a date that allows the auditing organisation to assert its assessment pursuant to paragraph 1 based on the evidence collected and audit procedures conducted during that period.
Final version (modification to Article 3(2)): The audit shall cover the period starting immediately after the period covered by the previous audit and ending on a date that allows the auditing organisation to perform the audit within the time frame required by Article 37(1) of the DSA, including by asserting its assessment pursuant to paragraph 1 based on the evidence collected and audit procedures conducted during that period, and by completing and submitting the audit report pursuant to Article 37(4) of that regulation to the audited provider.

Provision: Article 5, Cooperation and assistance between the audited provider and the auditing organisation
Draft version: not present (new provision).
Final version (inclusion of Article 5(1c)): The audited provider will have to transmit information about any relevant decision-making structures, competences of departments of the provider, including the compliance function pursuant to Article 41 of the DSA, relevant IT systems, data sources, processing and storage, as well as explanations of relevant algorithmic systems and their interactions.

Provision: Article 8, Audit opinion, audit conclusions and recommendations
Draft version: Positive with comments, where the auditing organisation concludes with a reasonable level of assurance that the audited provider has complied with an audited obligation or commitment, but:
  • the auditing organisation recommends improvements that do not have a substantive effect on its conclusion;
  • the auditing organisation indicates that it has applied audit criteria pursuant to Article 10(2), point (a), which are different from the benchmarks for compliance communicated by the audited provider pursuant to Article 5(1), point (a).
Final version (modifications to Article 8(1b)(i, ii) [Positive with Comments]): Positive with comments, where the auditing organisation concludes with a reasonable level of assurance that the audited provider has complied with an audited obligation or commitment, but:
  • the auditing organisation includes remarks on the benchmarks provided by the audited provider pursuant to Article 5(1a); or
  • the auditing organisation recommends improvements that do not have a substantive effect on its conclusion.

Provision: Article 10, Appropriate audit methodologies
Draft version: not present (new provision).
Final version (inclusion of Article 10(6)): Where obligations or commitments referred to in Article 37(1) of the DSA require the audited provider to report certain information publicly, the auditing methodologies shall include an assessment of whether the reported information is free from material error or omission which might otherwise render them misleading.

Provision: Article 12, Sampling Methods
Draft version: not present (new provision).
Final version (inclusion of Article 12(2f)): The sample size and methodology for sampling … in consideration of the following:
  • the representation and appropriate analysis of concerns related to particular groups as appropriate, such as minors or vulnerable groups and minorities, in relation to the audited obligation or commitment.

Provision: Article 14, Specific methodologies for auditing compliance with Article 35 of the DSA on mitigation of risks
Draft version: The assessment of the audited provider’s compliance with Article 35 of Regulation (EU) 2022/2065 shall include, but not be limited to, an analysis of all of the following:
  • whether the mitigation measures put in place by the audited provider are reasonable, proportionate and effective for mitigating risks, including by assessing whether they respond collectively to all the risks, with particular consideration of the risks concerning the exercise of fundamental rights.
Final version (points added to Article 14(1c)): The assessment … of all the following:
  • whether the mitigation measures put in place by the audited provider are reasonable, proportionate and effective for mitigating the respective risks, including by:
    • assessing whether they respond collectively to all the risks, with particular consideration of the risks concerning the exercise of fundamental rights;
    • assessing comparatively how the risks were addressed before and after the specific risk mitigation measures were put in place;
    • assessing whether the risk mitigation measures were appropriately designed and executed.

DSA Audits with Holistic AI

As leaders in the fields of AI Assurance and Algorithm Auditing, Holistic AI provides comprehensive and tailored solutions to support your business with compliance obligations under the Digital Services Act.

How do we achieve this? By considering several factors, such as the complexity and novelty of conducting such audits, the need to deploy socio-technical methods to audit certain provisions, and the timeline for the application of obligations, among others.

Pursuant to the Delegated Regulation on Independent Audits under the DSA, Holistic AI provides the following services to covered entities:

• An independent annual audit of due diligence obligations set out in Chapter III (Articles 11 to 48) of the Digital Services Act (DSA)
• Compliance with any commitments undertaken pursuant to codes of conduct or crisis protocols, where applicable, and
• A Final Audit Report, in line with the guidance and template provided by the Draft Delegated Regulation at the end of the audit period, including:
  • Audit Conclusions and operational recommendations on measures (with timeframes to achieve compliance) for corresponding audited obligations.
  • Cumulative Audit Opinion for the report, assessing the entity’s compliance with all audited obligations, as mentioned in Article 37(1)(a) of the DSA.
  • An explanation of the circumstances and reasons why certain elements could not be audited, if applicable.
  • Audit Risk Analysis covering inherent risks, control risks and detection risks to ensure compliance with the regulation.
  • Methodologies, criteria and other technical and operational details of implementing these audits.
  • Any other information, as required by the Draft Delegated Regulation on Independent Audits.
  • A full version (for EU authorities and internal use) and a redacted/shortened version (for publication) of the Final Report, as required under Articles 37 and 42(5) of the DSA.

Take a closer look at our tailored DSA Audit solution for more details and schedule a call with one of our compliance specialists to find out more.


DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.
