Independent audit of compliance with the Strengthened Code of Practice on Disinformation (the Code, or COPD) will soon be a reality for any signatory that is a provider of a very large online platform (VLOP) or very large online search engine (VLOSE). While several companies committed to be audited via Commitment 44, few if any have voluntarily carried this out so far.
Now, with some anticipating that the COPD may be adopted under the Digital Services Act (DSA) as early as Q2 of 2024, mature COPD-compliance is a possibility before the next DSA audit period commences (potentially in late June or early July depending on the audit period selected). A negative audit conclusion over any given COPD commitment will mean an overall negative result for the DSA audit in the crucial second year.
Establishing compliance with the COPD presents a major challenge. Nested across the 44 Commitments are hundreds of Measures, Qualitative Reporting Elements (QRE) and Service Level Indicators (SLI). Even the task of determining which of these establishes a compliance obligation is not straightforward.
A further challenge is deciding on appropriate company benchmarks against which compliance will be measured. Such benchmarks are critical to facilitate sustainable compliance, and in most cases auditors will rely on these to evaluate the effectiveness of internal processes and controls. The requirements set out in the COPD can be vague, and specific benchmarks are critical to resolve this issue. For example, Commitment 6, Measure 6.3:
“Relevant Signatories will invest and participate in research to improve users’ identification and comprehension of labels, discuss the findings of said research with the Task-force, and will endeavour to integrate the results of such research into their services where relevant.”
For regulatory requirements like this, each company will need to decide clearly what compliance requires, taking account of its specific operations and risks. When doing so, companies must be alert to the fact that their benchmarks will be publicly disclosed through the independent audit report and directly comparable to industry peers. Unjustifiably lax benchmarks will attract scrutiny. There is substantial reputational risk involved in setting an inappropriate benchmark compared to peers.
One of the biggest uplifts required for the DSA continues to be the effort of embedding the measures and processes necessary to meet regulatory requirements into an operational framework that can support ongoing compliance. The text of the DSA alone did not convey the importance of this, especially for facilitating the kinds of audits that most audit providers deem appropriate. In many cases, these ‘control frameworks’ are still being designed and implemented.
The COPD will require a similar lift. Obligations must be interpreted more closely than is typically the case and articulated as sufficiently precise control objectives. Controls must then be put in place to provide reasonable assurance that the objective will be achieved on a sustained basis. Such controls must have accountable owners within the business who understand their role and how it fits into the overall compliance puzzle – potentially across multiple regulations and multiple product areas. All of this takes time, effort, monitoring, and organisational maturity to achieve. Nevertheless, from the end of August 2024, the prevailing expectation is that auditors will need to refer to these control frameworks to scrutinise whether compliance measures are implemented and operationally effective.
With many competing priorities, including the DSA, the Digital Markets Act (DMA), and increasingly the UK Online Safety Act, it will be all too easy for VLOP and VLOSE to leave themselves too little time to get audit ready for the COPD. Nonetheless, the European Commission is likely to expect maturity from the very first day of the 2024-2025 audit period – especially with the COPD pre-dating the DSA itself. We also note that the Commission has drawn a direct line to DSA compliance, reportedly stating that compliance with the COPD is a practical necessity for the management of some of the systemic risks in Article 34 of the DSA.
While addressing the long tail of DSA and DMA compliance challenges remains a priority, a negative audit conclusion in respect of any COPD Commitment will result in an overall negative audit opinion for the DSA independent audit.
Deloitte continues to support several providers of very large online platforms and search engines with getting ready for DSA audit and establishing sustainable compliance, while forming our approach to audits of COPD.