keyboard_tab Digital Service Act 2022/2065 EN

1.   Providers of very large online_platforms and of very large online_search_engines shall be subject, at their own expense and at least once a year, to independent audits to assess compliance with the following:

(a)	the obligations set out in Chapter III;

(b)	any commitments undertaken pursuant to the codes of conduct referred to in Articles 45 and 46 and the crisis protocols referred to in Article 48.

2.   Providers of very large online_platforms and of very large online_search_engines shall afford the organisations carrying out the audits pursuant to this Article the cooperation and assistance necessary to enable them to conduct those audits in an effective, efficient and timely manner, including by giving them access to all relevant data and premises and by answering oral or written questions. They shall refrain from hampering, unduly influencing or undermining the performance of the audit.

Such audits shall ensure an adequate level of confidentiality and professional secrecy in respect of the information obtained from the providers of very large online_platforms and of very large online_search_engines and third parties in the context of the audits, including after the termination of the audits. However, complying with that requirement shall not adversely affect the performance of the audits and other provisions of this Regulation, in particular those on transparency, supervision and enforcement. Where necessary for the purpose of the transparency reporting pursuant to Article 42(4), the audit report and the audit implementation report referred to in paragraphs 4 and 6 of this Article shall be accompanied with versions that do not contain any information that could reasonably be considered to be confidential.

3.   Audits performed pursuant to paragraph 1 shall be performed by organisations which:

(a)

are independent from, and do not have any conflicts of interest with, the provider of very large online_platforms or of very large online_search_engines concerned and any legal person connected to that provider; in particular: (i) have not provided non-audit services related to the matters audited to the provider of very large online_platform or of very large online_search_engine concerned and to any legal person connected to that provider in the 12 months’ period before the beginning of the audit and have committed to not providing them with such services in the 12 months’ period after the completion of the audit; (ii) have not provided auditing services pursuant to this Article to the provider of very large online_platform or of very large online_search_engine concerned and any legal person connected to that provider during a period longer than 10 consecutive years; (iii) are not performing the audit in return for fees which are contingent on the result of the audit;

(b)	have proven expertise in the area of risk management, technical competence and capabilities;

(c)	have proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.

4.   Providers of very large online_platforms and of very large online_search_engines shall ensure that the organisations that perform the audits establish an audit report for each audit. That report shall be substantiated, in writing, and shall include at least the following:

(a)	the name, address and the point of contact of the provider of the very large online_platform or of the very large online_search_engine subject to the audit and the period covered;

(b)	the name and address of the organisation or organisations performing the audit;

(c)	a declaration of interests;

(d)	a description of the specific elements audited, and the methodology applied;

(e)	a description and a summary of the main findings drawn from the audit;

(f)	a list of the third parties consulted as part of the audit;

(g)	an audit opinion on whether the provider of the very large online_platform or of the very large online_search_engine subject to the audit complied with the obligations and with the commitments referred to in paragraph 1, namely ‘positive’, ‘positive with comments’ or ‘negative’;

(h)	where the audit opinion is not ‘positive’, operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance.

5.   Where the organisation performing the audit was unable to audit certain specific elements or to express an audit opinion based on its investigations, the audit report shall include an explanation of the circumstances and the reasons why those elements could not be audited.

6.   Providers of very large online_platforms or of very large online_search_engines receiving an audit report that is not ‘positive’ shall take due account of the operational recommendations addressed to them with a view to take the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures that they have taken to address any instances of non-compliance identified.

7.   The Commission is empowered to adopt delegated acts in accordance with Article 87 to supplement this Regulation by laying down the necessary rules for the performance of the audits pursuant to this Article, in particular as regards the necessary rules on the procedural steps, auditing methodologies and reporting templates for the audits performed pursuant to this Article. Those delegated acts shall take into account any voluntary auditing standards referred to in Article 44(1), point (e).

1.   Providers of very large online_platforms or of very large online_search_engines shall publish the reports referred to in Article 15 at the latest by two months from the date of application referred to in Article 33(6), second subparagraph, and thereafter at least every six months.

2.   The reports referred to in paragraph 1 of this Article published by providers of very large online_platforms shall, in addition to the information referred to in Article 15 and Article 24(1), specify:

(a)

the human resources that the provider of very large online_platforms dedicates to content_moderation in respect of the service offered in the Union, broken down by each applicable official language of the Member States, including for compliance with the obligations set out in Articles 16 and 22, as well as for compliance with the obligations set out in Article 20;

(b)	the qualifications and linguistic expertise of the persons carrying out the activities referred to in point (a), as well as the training and support given to such staff;

(c)	the indicators of accuracy and related information referred to in Article 15(1), point (e), broken down by each official language of the Member States.

The reports shall be published in at least one of the official languages of the Member States.

3.   In addition to the information referred to in Articles 24(2), the providers of very large online_platforms or of very large online_search_engines shall include in the reports referred to in paragraph 1 of this Article the information on the average monthly recipients of the service for each Member State.

4.   Providers of very large online_platforms or of very large online_search_engines shall transmit to the Digital_Services_Coordinator_of_establishment and the Commission, without undue delay upon completion, and make publicly available at the latest three months after the receipt of each audit report pursuant to Article 37(4):

(a)	a report setting out the results of the risk assessment pursuant to Article 34;

(b)	the specific mitigation measures put in place pursuant to Article 35(1);

(c)	the audit report provided for in Article 37(4);

(d)	the audit implementation report provided for in Article 37(6);

(e)	where applicable, information about the consultations conducted by the provider in support of the risk assessments and design of the risk mitigation measures.

5.   Where a provider of very large online_platform or of very large online_search_engine considers that the publication of information pursuant to paragraph 4 might result in the disclosure of confidential information of that provider or of the recipients of the service, cause significant vulnerabilities for the security of its service, undermine public security or harm recipients, the provider may remove such information from the publicly available reports. In that case, the provider shall transmit the complete reports to the Digital_Services_Coordinator_of_establishment and the Commission, accompanied by a statement of the reasons for removing the information from the publicly available reports.

1.   Member States shall ensure that their Digital Services Coordinators perform their tasks under this Regulation in an impartial, transparent and timely manner. Member States shall ensure that their Digital Services Coordinators have all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all providers of intermediary_services falling within their competence. Each Member State shall ensure that its Digital Services Coordinator has sufficient autonomy in managing its budget within the budget's overall limits, in order not to adversely affect the independence of the Digital Services Coordinator.

2.   When carrying out their tasks and exercising their powers in accordance with this Regulation, the Digital Services Coordinators shall act with complete independence. They shall remain free from any external influence, whether direct or indirect, and shall neither seek nor take instructions from any other public authority or any private party.

3.   Paragraph 2 of this Article is without prejudice to the tasks of Digital Services Coordinators within the system of supervision and enforcement provided for in this Regulation and the cooperation with other competent authorities in accordance with Article 49(2). Paragraph 2 of this Article shall not prevent the exercise of judicial review and shall also be without prejudice to proportionate accountability requirements regarding the general activities of the Digital Services Coordinators, such as financial expenditure or reporting to national parliaments, provided that those requirements do not undermine the achievement of the objectives of this Regulation.

1.   Where needed in order to carry out their tasks under this Regulation, Digital Services Coordinators shall have the following powers of investigation, in respect of conduct by providers of intermediary_services falling within the competence of their Member State:

(a)

the power to require those providers, as well as any other persons acting for purposes related to their trade, business, craft or profession that may reasonably be aware of information relating to a suspected infringement of this Regulation, including organisations performing the audits referred to in Article 37 and Article 75(2), to provide such information without undue delay;

(b)

the power to carry out, or to request a judicial authority in their Member State to order, inspections of any premises that those providers or those persons use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium;

(c)	the power to ask any member of staff or representative of those providers or those persons to give explanations in respect of any information relating to a suspected infringement and to record the answers with their consent by any technical means.

2.   Where needed for carrying out their tasks under this Regulation, Digital Services Coordinators shall have the following enforcement powers, in respect of providers of intermediary_services falling within the competence of their Member State:

(a)	the power to accept the commitments offered by those providers in relation to their compliance with this Regulation and to make those commitments binding;

(b)	the power to order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end, or to request a judicial authority in their Member State to do so;

(c)	the power to impose fines, or to request a judicial authority in their Member State to do so, in accordance with Article 52 for failure to comply with this Regulation, including with any of the investigative orders issued pursuant to paragraph 1 of this Article;

(d)

the power to impose a periodic penalty payment, or to request a judicial authority in their Member State to do so, in accordance with Article 52 to ensure that an infringement is terminated in compliance with an order issued pursuant to point (b) of this subparagraph or for failure to comply with any of the investigative orders issued pursuant to paragraph 1 of this Article;

(e)	the power to adopt interim measures or to request the competent national judicial authority in their Member State to do so, to avoid the risk of serious harm.

As regards the first subparagraph, points (c) and (d), Digital Services Coordinators shall also have the enforcement powers set out in those points in respect of the other persons referred to in paragraph 1 for failure to comply with any of the orders issued to them pursuant to that paragraph. They shall only exercise those enforcement powers after providing those other persons in good time with all relevant information relating to such orders, including the applicable period, the fines or periodic payments that may be imposed for failure to comply and the possibilities for redress.

3.   Where needed for carrying out their tasks under this Regulation, Digital Services Coordinators shall, in respect of providers of intermediary_services falling within the competence of their Member State, where all other powers pursuant to this Article to bring about the cessation of an infringement have been exhausted and the infringement has not been remedied or is continuing and is causing serious harm which cannot be avoided through the exercise of other powers available under Union or national law, also have the power to take the following measures:

(a)	to require the management body of those providers, without undue delay, to examine the situation, adopt and submit an action plan setting out the necessary measures to terminate the infringement, ensure that the provider takes those measures, and report on the measures taken;

(b)

where the Digital Services Coordinator considers that a provider of intermediary_services has not sufficiently complied with the requirements referred to in point (a), that the infringement has not been remedied or is continuing and is causing serious harm, and that that infringement entails a criminal offence involving a threat to the life or safety of persons, to request that the competent judicial authority of its Member State order the temporary restriction of access of recipients to the service concerned by the infringement or, only where that is not technically feasible, to the online_interface of the provider of intermediary_services on which the infringement takes place.

The Digital Services Coordinator shall, except where it acts upon the Commission’s request referred to in Article 82, prior to submitting the request referred to in the first subparagraph, point (b), of this paragraph invite interested parties to submit written observations within a period that shall not be less than two weeks, describing the measures that it intends to request and identifying the intended addressee or addressees thereof. The provider of intermediary_services, the intended addressee or addressees and any other third party demonstrating a legitimate interest shall be entitled to participate in the proceedings before the competent judicial authority. Any measure ordered shall be proportionate to the nature, gravity, recurrence and duration of the infringement, without unduly restricting access to lawful information by recipients of the service concerned.

The restriction of access shall be for a period of four weeks, subject to the possibility for the competent judicial authority, in its order, to allow the Digital Services Coordinator to extend that period for further periods of the same lengths, subject to a maximum number of extensions set by that judicial authority. The Digital Services Coordinator shall only extend the period where, having regard to the rights and interests of all parties affected by that restriction and all relevant circumstances, including any information that the provider of intermediary_services, the addressee or addressees and any other third party that demonstrated a legitimate interest may provide to it, it considers that both of the following conditions have been met:

(a)	the provider of intermediary_services has failed to take the necessary measures to terminate the infringement;

(b)	the temporary restriction does not unduly restrict access to lawful information by recipients of the service, having regard to the number of recipients affected and whether any adequate and readily accessible alternatives exist.

Where the Digital Services Coordinator considers that the conditions set out in the third subparagraph, points (a) and (b), have been met but it cannot further extend the period pursuant to the third subparagraph, it shall submit a new request to the competent judicial authority, as referred to in the first subparagraph, point (b).

4.   The powers listed in paragraphs 1, 2 and 3 shall be without prejudice to Section 3.

5.   The measures taken by the Digital Services Coordinators in the exercise of their powers listed in paragraphs 1, 2 and 3 shall be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement or suspected infringement to which those measures relate, as well as the economic, technical and operational capacity of the provider of the intermediary_services concerned where relevant.

6.   Member States shall lay down specific rules and procedures for the exercise of the powers pursuant to paragraphs 1, 2 and 3 and shall ensure that any exercise of those powers is subject to adequate safeguards laid down in the applicable national law in compliance with the Charter and with the general principles of Union law. In particular, those measures shall only be taken in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and of access to the file, and subject to the right to an effective judicial remedy of all affected parties.

1.   The Digital_Services_Coordinator_of_establishment may launch and lead joint investigations with the participation of one or more other Digital Services Coordinators concerned:

(a)	at its own initiative, to investigate an alleged infringement of this Regulation by a given provider of intermediary_services in several Member States; or

(b)	upon recommendation of the Board, acting on the request of at least three Digital Services Coordinators alleging, based on a reasonable suspicion, an infringement by a given provider of intermediary_services affecting recipients of the service in their Member States.

2.   Any Digital Services Coordinator that proves that it has a legitimate interest in participating in a joint investigation pursuant to paragraph 1 may request to do so. The joint investigation shall be concluded within three months from its launch, unless otherwise agreed amongst the participants.

The Digital_Services_Coordinator_of_establishment shall communicate its preliminary position on the alleged infringement no later than one month after the end of the deadline referred to in the first subparagraph to all Digital Services Coordinators, the Commission and the Board. The preliminary position shall take into account the views of all other Digital Services Coordinators participating in the joint investigation. Where applicable, this preliminary position shall also set out the enforcement measures envisaged.

3.   The Board may refer the matter to the Commission pursuant to Article 59, where:

(a)	the Digital_Services_Coordinator_of_establishment failed to communicate its preliminary position within the deadline set out in paragraph 2;

(b)	the Board substantially disagrees with the preliminary position communicated by the Digital_Services_Coordinator_of_establishment; or

(c)	the Digital_Services_Coordinator_of_establishment failed to initiate the joint investigation promptly following the recommendation by the Board pursuant to paragraph 1, point (b).

4.   In carrying out the joint investigation, the participating Digital Services Coordinators shall cooperate in good faith, taking into account, where applicable, the indications of the Digital_Services_Coordinator_of_establishment and the Board’s recommendation. The Digital Services Coordinators of destination participating in the joint investigation shall be entitled, at the request of or after having consulted the Digital_Services_Coordinator_of_establishment, to exercise their investigative powers referred to in Article 51(1) in respect of the providers of intermediary_services concerned by the alleged infringement, with regard to information and premises located within their territory.

1.   For the purposes of carrying out the tasks assigned to it under this Section, the Commission may take the necessary actions to monitor the effective implementation and compliance with this Regulation by providers of the very large online_platform and of the very large online_search_engines. The Commission may order them to provide access to, and explanations relating to, its databases and algorithms. Such actions may include, imposing an obligation on the provider of the very large online_platform or of the very large online_search_engine to retain all documents deemed to be necessary to assess the implementation of and compliance with the obligations under this Regulation.

2.   The actions pursuant to paragraph 1 may include the appointment of independent external experts and auditors, as well as experts and auditors from competent national authorities with the agreement of the authority concerned, to assist the Commission in monitoring the effective implementation and compliance with the relevant provisions of this Regulation and to provide specific expertise or knowledge to the Commission.

1.   By 18 February 2027, the Commission shall evaluate and report to the European Parliament, the Council and the European Economic and Social Committee on the potential effect of this Regulation on the development and economic growth of small and medium-sized enterprises.

By 17 November 2025, the Commission shall evaluate and report to the European Parliament, the Council and the European Economic and Social Committee on:

(a)	the application of Article 33, including the scope of providers of intermediary_services covered by the obligations set out in Section 5 of Chapter III of this Regulation;

(b)	the way that this Regulation interacts with other legal acts, in particular the acts referred to in Article 2(3) and (4).

2.   By 17 November 2027, and every five years thereafter, the Commission shall evaluate this Regulation, and report to the European Parliament, the Council and the European Economic and Social Committee.

This report shall address in particular:

(a)	the application of paragraph 1, second subparagraph, points (a) and (b);

(b)	the contribution of this Regulation to the deepening and efficient functioning of the internal market for intermediary_services, in particular as regards the cross-border provision of digital services;

(c)	the application of Articles 13, 16, 20, 21, 45 and 46;

(d)	the scope of the obligations on small and micro enterprises;

(e)	the effectiveness of the supervision and enforcement mechanisms;

(f)	the impact on the respect for the right to freedom of expression and information.

3.   Where appropriate, the report referred to in paragraphs 1 and 2 shall be accompanied by a proposal for amendment of this Regulation.

4.   The Commission shall, in the report referred to in paragraph 2 of this Article, also evaluate and report on the annual reports on their activities by the Digital Services Coordinators provided to the Commission and the Board pursuant to Article 55(1).

5.   For the purpose of paragraph 2, Member States and the Board shall send information on the request of the Commission.

6.   In carrying out the evaluations referred to in paragraph 2, the Commission shall take into account the positions and findings of the European Parliament, the Council, and other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors.

7.   By 18 February 2027, the Commission, after consulting the Board, shall carry out an assessment of the functioning of the Board and of the application of Article 43, and shall report it to the European Parliament, the Council and the European Economic and Social Committee, taking into account the first years of application of the Regulation. On the basis of the findings and taking utmost account of the opinion of the Board, that report shall, where appropriate, be accompanied by a proposal for amendment of this Regulation with regard to the structure of the Board.