In the News
Authored By
Siddhant Chatterjee
,
Published on
October 21, 2023
Share this

ON this page

Heading 2
News
In the News
Digital Services Act: European Commission Publishes Final Delegated Regulation on Conducting Independent Audits

Digital Services Act: European Commission Publishes Final Delegated Regulation on Conducting Independent Audits

On 20 October 2023, the European Commission published its final version of the Delegated Regulation on conducting Independent Audits.

Pursuant to Article 37 (1) of the Digital Services Act (DSA), these rules seek to provide guidance to designated Very large Online Platforms (VLOPs) and Search Engines (VLOSEs) (Audited Providers) and external auditors (Auditing Organisations) on how such audits will be conducted.

In doing so, the Commission provides clarity on the relationship between the two entities, the reporting templates that should be used to conduct these audits (Contained in Annex I), and procedural details on the Final Audit Report, Audit Conclusions, Opinions, Risks Analysis and Quality of Evidence.

The DSA audit process: Rules for assessing algorithmic systems

With the institutionalisation of independent auditing requirements under the DSA, the Commission seeks to bring about a “step change in the transparency and accountability” of online platforms and “offer a comparative basis for public scrutiny”.

The rules also acknowledge the diversity of methodologies that need to be deployed by auditing organisations, and to that end, allow for audits to be adapted “specifically to the nature of the specific service audited, and the risks inherent to it”.

That said, the Commission is firm on the level of substantiveness and precision that it envisages to maintain for these audits, and mandates Auditing Organisations to ensure the highest level of rigour and depth of analysis, i.e., a reasonable level of assurance.

The rules also emphasise the need to holistically assess and audit algorithmic systems (such as recommender systems, adtech algorithms and generative models) and directs Auditing Organisations to develop necessary tools and expertise for assessing not only the technical specification of these systems, but also the broader societal impacts associated with their deployment.

For a more in-depth understanding of conducting independent audits under the DSA, check out our recent blog on the topic.

Stakeholder concerns addressed in the final draft

The Commission notes that the initial iteration of the Delegated Regulation received over 40 public comments from a variety of actors – ranging from VLOPs/VLOSEs, potential auditors and civil society entities – that primarily focused on the level of assurance, need for standards and compliance benchmarks involved with conducting these audits. Particularly, further clarity on the auditing criteria was unanimous across stakeholders, with most concerns about comparability of results and possible compromises on the independence of auditors. The rules largely address these concerns, with notable changes highlighted in the table below:

Provision Draft Version Final Version
Article 3, Scope of Audit and Reasonable Level of Assurance The audit shall cover the period starting immediately after the period covered by the previous audit and ending on a date that allows the auditing organisation to assert its assessment pursuant to paragraph 1 based on the evidence collected and audit procedures conducted during that period. Modification to Article 3 (2):

The Audit shall cover the period starting immediately after the period covered by the previous audit and ending on a date that allows the auditing organisation to perform the audit within the time frame required by Article 37(1) of the DSA, including by asserting its assessment pursuant to paragraph 1 based on the evidence collected and audit procedures conducted during that period, and by completing and submitting the audit report pursuant to Article 37(4) of that regulation to the audited provider.
Article 5, Cooperation and assistance between the audited provider and the auditing organisation Inclusion of Article 5 (1c):

The audited provider will have to transmit:

Information about any relevant decision-making structures, competences of departments of the provider, including the compliance function pursuant to Article 41 of the DSA, relevant IT Systems, data sources, processing and storage, as well as explanations of relevant algorithmic systems and their interactions
Article 8, Audit opinion, audit conclusions and recommendations Positive with comments, where the auditing organisation concludes with a reasonable level of assurance that the audited provider has complied with an audited obligation or commitment, but:

  • the auditing organisation recommends improvements that do not have a substantive effect on its conclusion;
  • the auditing organisation indicates that is has applied audit criteria pursuant to Article 10(2), point (a), which are different from the benchmarks for compliance communicated by the audited provider pursuant to Article 5(1), point (a).
    		•  Modifications to Article 8 (1b ( i, ii)) [Positive with Comments]

    Positive with comments, where the auditing organisation concludes with a reasonable level of assurance that the audited provider has complied with an audited obligation or commitment, but:

  • the auditing organisation includes remarks on the benchmarks provided by the audited provider pursuant to Article 5(1a); or
  • the auditing organisation recommends improvements that do not have a substantive effect on its conclusion.
    		•
    Article 10, Appropriate audit methodologies Inclusion of Article 10 (6):

    Where obligations or commitments referred to in Article 37(1) of the DSA require the audited provider to report certain information publicly, the auditing methodologies shall include an assessment of whether the reported information is free from material error or omission which might otherwise render them misleading.
    Article 12, Sampling Methods Inclusion of Article 12(2f):

    The Sample size and methodology for sampling.......in consideration of the following:

  • The representation and appropriate analysis of concerns related to particular groups as appropriate, such as minors or vulnerable groups and minorities, in relation to the audited obligation or commitment.
    		•
    Article 14, Specific methodologies for auditing compliance with Article 35 of the DSA on mitigation of risks The assessment of the audited provider’s compliance with Article 35 of Regulation (EU) 2022/2065 shall include, but not be limited to, an analysis of all of the following:
  • whether the mitigation measures put in place by the audited provider are reasonable, proportionate and effective for mitigating risks, including by assessing whether they respond collectively to all the risks, with particular consideration of the risks concerning the exercise of fundamental rights
    		•  Inclusions of points to Article 14(1c):

    The assessment..... of all the following:

  • Whether the mitigation measures put in place by the audited provider are reasonable, proportionate and effective for mitigating the respective risks, including by
    • Assessing whether they respond collectively to all the risks, with particular consideration of the risks concerning the exercise of fundamental rights;
    • Assessing comparatively how the risks were addressed before and after the specific risk mitigation measures were put in place;
    • Whether the risk mitigation measures were appropriately designed and executed.

    DSA Audits with Holistic AI

    As leaders in the fields of AI Assurance and Algorithm Auditing, Holistic AI provides comprehensive and tailored solutions to support your business with compliance obligations under the Digital Services Act.

    How do we achieve this? By considering several factors, such as the complexity and novelty of conducting such audits, the need to deploy socio-technical methods to audit certain provisions, and the timeline for the application of obligations, among others.

    Pursuant to the Delegated Regulation on Independent Audits under the DSA, Holistic AI provides the following services to covered entities:

    • An independent annual audit of due diligence obligations set out in Chapter III (Articles 11 to 48) of the Digital Services Act (DSA)
    • Compliance with any commitments undertaken pursuant to codes of conduct or crises protocols, where applicable, and
    • A Final Audit Report, in line with the guidance and template provided by the Draft Delegated Regulation at the end of the audit period, including:
      • Audit Conclusions and operational recommendations on measures (with timeframes to achieve compliance) for corresponding audited obligations.
      • Cumulative Audit Opinion for the report, assessing the entity’s compliance with all audited obligations, as mentioned in Article 37(1(a)) of the DSA.
      • An explanation of the circumstances and reasons why certain elements could not be audited, if applicable.
      • Audits Risks Analysis on inherent risks, control risks and detection risks to ensure compliance with the regulation.
      • Methodologies, criteria and other technical and operational details of implementing these audits.
      • Any other information, as required by the Draft Delegated Regulation on Independent Audits.
      • A full version (for EU authorities and internal use) and a redacted/shortened version (for publication) of the Final Report, as required under Articles 37 and 42(5) of the DSA.

    Take a closer look at our tailored DSA Audit solution for more details and schedule a call with one of our compliance specialists to find out more.

    Stay informed with the Latest News & Updates