
The path to audit for very large online platforms and search engines

The Digital Services Act (DSA), a landmark EU online safety regulation, came into force on 16th November 2022.¹ Very large online platforms (“VLOPs”) and search engines (“VLSEs”), defined as platforms and search engines servicing more than 45 million active recipients monthly, will have to perform their first risk assessment, assessing the risk of their products and services to society, within four months of their designation as such an entity. One year following the first risk assessment, VLOPs and VLSEs will be subject to their first independent audit, which will assess their compliance with the requirements of Chapter III of the DSA and the related Codes of Conduct and Crisis Protocols to which they committed.²

Today, 17th February 2022, companies must publish the number of average monthly EU-based active recipients across their products and services. The European Commission will then assess these numbers to determine which companies meet the VLOP and VLSE definitions. Those that do will be designated as VLOPs and VLSEs in the Official Journal of the European Union and will be subject to the entirety of the DSA Chapter III requirements.³

In this article, we introduce key considerations for VLOPs and VLSEs as they prepare for the DSA and the scrutiny of an audit.

Key considerations for DSA audit readiness

1. Consider the audit evidence and audit trail

Although the audit methodology has not been communicated by the Commission yet, VLOPs and VLSEs can expect that an auditor may require an explanation and evidence of how the firm has met any given DSA requirement. Consequently, firms should consider the type of documentation and evidence needed to demonstrate their compliance. In this respect, firms may create traceability documentation that links regulatory requirements to internal policies, processes and controls with further explanation on how each regulatory requirement is met. Firms may further link the repositories of systems against each regulatory requirement; this may cover the list of algorithms, AI systems or trusted flaggers’ alerts systems for the moderation of illegal content. Where elements of the policy or control framework do not currently exist, firms should consider an approach now to developing and putting them in place.

2. Invite challenge in good time

Implementing the DSA, especially preparing for independent audit, is a complex task requiring a multidisciplinary approach. Inviting challenge from internal stakeholders, such as Internal Audit functions, will be important. Other personnel across trust & safety, legal, technical, and policy functions may offer insights that could provide invaluable challenges about whether the firm’s approach to readiness efforts is fit-for-purpose.

As VLOPs/VLSEs’ DSA implementation and readiness efforts complete, they may consider performing a pre-assessment review to identify if there are any outstanding gaps within their policies, processes and controls. Such a review may also identify areas where an external auditor may find it difficult to understand and gain comfort over the compliance framework. Firms should consider how to bring an objective perspective to this process, which could help check and challenge their overall approach. Pre-assessment should be conducted before the DSA audit, allowing sufficient time for the firm to implement any recommendations.

3. Agile planning and governance

VLOPs and VLSEs know better than anyone the diversity and complexity of their businesses, products, services and systems. Eventually, compliance requirements for each individual offering will need to be thoroughly considered, since each may require tailored risk assessment and mitigation plans. For now, firms should start to assess which of their businesses, products, services and systems are in scope. The firms should subsequently regularly review their scoping approach and be ready to pivot effectively as the industry’s definition of what should or should not be in scope evolves.

As part of the preparation for external audit, firms should consolidate their governance structure and identify key stakeholders within and outside of the organisation that will play a role in demonstrating DSA compliance. The firms should ensure there are appropriate accountability structures as well as executive level sponsorship that can be evidenced. The auditors may request, for instance, evidence that the management body periodically reviews and approves the strategies and policies for the oversight, management and monitoring of the key systemic risks and is actively involved in risk management.

The path to audit is likely to be a challenging one, complicated by the fact that the European Commission plans to release a delegated regulation on the audit procedures, methodology and templates later this year.⁴ However, given the timelines, VLOPs and VLSEs should start their audit-readiness journey now, building towards effective evidencing of their compliance with the DSA provisions.

Our team has extensive experience helping firms gain comfort over complex regulation, algorithms and AI. If you would like to discuss any aspects of DSA audit-readiness, please feel free to get in touch with any of our contacts below:

___________________________________________________________________________

¹ DSA: landmark rules for online platforms enter into force (europa.eu)

² Art 37, Publications Office (europa.eu)

³ Art 24 and 33, Publications Office (europa.eu)

⁴ Initiative details (europa.eu)