DSA: VLOP Obligations

VLOP and VLOSE Obligations [Art 33-43]

Rule: Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) with 45M+ monthly EU users face enhanced obligations including risk assessments, independent audits, and additional transparency.

VLOP/VLOSE Threshold [Art 33]

A platform/search engine is designated VLOP/VLOSE when:

Average monthly active recipients in the EU ≥ 45 million

• Calculated over 6 months
• Commission publishes methodology
• Designated VLOPs/VLOSEs publicly listed

Currently Designated VLOPs/VLOSEs (as of 2024)

VLOPs	VLOSEs
Facebook, Instagram, TikTok, X/Twitter, LinkedIn, Pinterest, Snapchat	Google Search, Bing
YouTube, Amazon, AliExpress, Zalando, Booking.com
Google Play, App Store, Google Maps, Google Shopping
Wikipedia

Risk Assessment [Art 34]

VLOPs/VLOSEs must identify, analyze, and assess systemic risks stemming from:

Risk Category	Examples
Illegal content	Dissemination of child abuse material, terrorism, illegal hate speech
Fundamental rights	Impacts on dignity, privacy, expression, non-discrimination
Civic discourse & elections	Disinformation, manipulation of elections
Public health & minors	Health misinformation, harm to children’s wellbeing
Gender-based violence	Online harassment, intimate image abuse

Risk Assessment Scope [Art 34(2)]

Must consider:

• Design of recommender systems
• Content moderation systems
• Terms and conditions and enforcement
• Advertising systems
• Data-related practices

Risk Mitigation [Art 35]

Must put in place reasonable, proportionate, and effective mitigation measures:

Measure Type	Examples
Content moderation	Enhanced review, detection systems
Recommender adjustment	Reduce amplification of risky content
T&C changes	Clearer rules, better enforcement
Advertising	Restrict certain ad categories
User empowerment	Better controls, transparency tools
Cooperation	Work with trusted flaggers, authorities

Independent Audits [Art 37]

VLOPs/VLOSEs must undergo annual independent audits:

Requirement	Detail
Frequency	At least annually
Scope	Compliance with Chapter III obligations
Auditor	Independent, no conflicts of interest
Report	Written audit report + implementation report
Publication	Publish audit report within 1 month

Additional VLOP Transparency [Art 42]

Enhanced transparency reports including:

• Resources dedicated to content moderation
• Qualifications and training of moderators
• Accuracy metrics for automated systems
• Disaggregation by Member State and language

Crisis Response [Art 36]

Commission may require VLOPs/VLOSEs to:

• Assess contribution to serious threat
• Adopt specific mitigation measures
• Report on actions taken
• Applies during extraordinary circumstances (war, public health emergency)

Data Access for Researchers [Art 40]

Must provide access to data for:

• Vetted researchers studying systemic risks
• Via Digital Services Coordinator request
• Subject to data protection safeguards

Supervisory Fee [Art 43]

VLOPs/VLOSEs pay an annual fee to fund oversight:

• Capped at 0.05% of worldwide annual net income
• Funds Commission supervision activities

Compliance Timeline

Obligation	Deadline
Designation takes effect	4 months after notification
First risk assessment	Within 4 months of designation
First audit	Within 4 months of designation
All obligations apply	4 months after designation

Citation

Articles 33-43, Digital Services Act