The Commission has published a draft delegated act on audits to be performed very large online platforms (“VLOPs“) and very large online search engines (“VLOSEs“) pursuant to Article 37 of Digital Services Act Regulation (“DSA“) for public feedback.
Article 37 requires that VLOPs and VLOSEs engage in an annual independent audit to assess their compliance with any applicable obligations arising under Chapter 3 of the DSA and any commitments undertaken pursuant to adopted codes of conduct and crisis protocols. Article 37 provides the basic parameters for the audit process but provides that the Commission may adopt delegated acts which set out the rules for the performance of the audits. In particular, the Commission may provide for rules on the procedural steps, on auditing methodologies and on reporting templates for the audits.
The draft delegated act published by the Commission provides a framework to guide providers of VLOPs, VLOSEs and auditing organisations in the preparation and issuance of audit reports and audit implementation reports. The draft delegated act addresses the following:
- Scope of the audit required by Article 37 & level of assurance,
- Procedural rules for preparation for the audit,
- Clarification of the relationship between the auditor and the audited provider,
- Appropriate selection of an auditor,
- Principles for selection of the audit procedures and choice of methodologies,
- Sequence of steps which the auditing organisation must undertake,
- Level of detail required in the auditing report,
- Specific auditing methodologies for algorithmic systems,
- Guidance on auditing obligations, including risk assessment and risk mitigation obligations,
- Templates for audit reports and audit implementation reports,
- Requirements to provide the Digital Services Coordinator with audit report, and
- Publication requirements for audit report.
The Commission is seeking feedback from stakeholders on the draft delegated act. The Commission will also consider whether the delegated act is appropriate for audits requested pursuant to Articles 72(1) or 75(2).
The consultation will run until 2 June 2023. The Commission intends to analyse feedback received in response to the consultation with a view to adopting the delegated act before the end of the year. The Commission notes that the delegated regulation could be supplemented, as necessary, by further rules on processes, methodologies and templates, or could be further accompanied by standardisation actions.
The first audit reports are due at the latest one year after the DSA obligations start to apply for designated VLOPs and VLOSEs. The providers of the services that were designated by the Commission as VLOPs or VLOSEs on 25 April 2023 must comply with relevant obligations under the DSA from four months after the Commission’s notification of designation i.e. 25 August 2023. Therefore, they will be required to complete an audit pursuant to Article 37 of the DSA by 24 August 2024.