Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Digital Services Act
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 3
CHAPTER II
LIABILITY OF PROVIDERS OF INTERMEDIARY SERVICESArticles 4 — 10
CHAPTER III
DUE DILIGENCE OBLIGATIONS FOR A TRANSPARENT AND SAFE ONLINE ENVIRONMENTArticles 11 — 48
CHAPTER IV
IMPLEMENTATION, COOPERATION, PENALTIES AND ENFORCEMENTArticles 49 — 88
CHAPTER V
FINAL PROVISIONSArticles 89 — 93
DSA Article 37. Independent audit
- 1.Providers of very large online platforms and of very large online search engines shall be subject, at their own expense and at least once a year, to independent audits to assess compliance with the following:
- (a)the obligations set out in Chapter III;
- (b)any commitments undertaken pursuant to the codes of conduct referred to in Articles 45 and 46 and the crisis protocols referred to in Article 48.
- 2.Providers of very large online platforms and of very large online search engines shall afford the organisations carrying out the audits pursuant to this Article the cooperation and assistance necessary to enable them to conduct those audits in an effective, efficient and timely manner, including by giving them access to all relevant data and premises and by answering oral or written questions. They shall refrain from hampering, unduly influencing or undermining the performance of the audit. Such audits shall ensure an adequate level of confidentiality and professional secrecy in respect of the information obtained from the providers of very large online platforms and of very large online search engines and third parties in the context of the audits, including after the termination of the audits. However, complying with that requirement shall not adversely affect the performance of the audits and other provisions of this Regulation, in particular those on transparency, supervision and enforcement. Where necessary for the purpose of the transparency reporting pursuant to Article 42(4), the audit report and the audit implementation report referred to in paragraphs 4 and 6 of this Article shall be accompanied with versions that do not contain any information that could reasonably be considered to be confidential.
- 3.Audits performed pursuant to paragraph 1 shall be performed by organisations which:
- (a)are independent from, and do not have any conflicts of interest with, the provider of very large online platforms or of very large online search engines concerned and any legal person connected to that provider; in particular:
(i)
have not provided non-audit services related to the matters audited to the provider of very large online platform or of very large online search engine concerned and to any legal person connected to that provider in the 12 months’ period before the beginning of the audit and have committed to not providing them with such services in the 12 months’ period after the completion of the audit;(ii)
have not provided auditing services pursuant to this Article to the provider of very large online platform or of very large online search engine concerned and any legal person connected to that provider during a period longer than 10 consecutive years;(iii)
are not performing the audit in return for fees which are contingent on the result of the audit;
- (b)have proven expertise in the area of risk management, technical competence and capabilities;
- (c)have proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
- 4.Providers of very large online platforms and of very large online search engines shall ensure that the organisations that perform the audits establish an audit report for each audit. That report shall be substantiated, in writing, and shall include at least the following:
- (a)the name, address and the point of contact of the provider of the very large online platform or of the very large online search engine subject to the audit and the period covered;
- (b)the name and address of the organisation or organisations performing the audit;
- (c)a declaration of interests;
- (d)a description of the specific elements audited, and the methodology applied;
- (e)a description and a summary of the main findings drawn from the audit;
- (f)a list of the third parties consulted as part of the audit;
- (g)an audit opinion on whether the provider of the very large online platform or of the very large online search engine subject to the audit complied with the obligations and with the commitments referred to in paragraph 1, namely ‘positive’, ‘positive with comments’ or ‘negative’;
- (h)where the audit opinion is not ‘positive’, operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance.
- 5.Where the organisation performing the audit was unable to audit certain specific elements or to express an audit opinion based on its investigations, the audit report shall include an explanation of the circumstances and the reasons why those elements could not be audited.
- 6.Providers of very large online platforms or of very large online search engines receiving an audit report that is not ‘positive’ shall take due account of the operational recommendations addressed to them with a view to take the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures that they have taken to address any instances of non-compliance identified.
- 7.The Commission is empowered to adopt delegated acts in accordance with Article 87 to supplement this Regulation by laying down the necessary rules for the performance of the audits pursuant to this Article, in particular as regards the necessary rules on the procedural steps, auditing methodologies and reporting templates for the audits performed pursuant to this Article. Those delegated acts shall take into account any voluntary auditing standards referred to in Article 44(1), point (e).
Relevant Recitals for this Article
Given the need to ensure verification by independent experts, providers of very large online platforms and of very large online search engines should be accountable, through independent auditing, for their compliance with the obligations laid down by this Regulation and, where relevant, any complementary commitments undertaken pursuant to codes of conduct and crises protocols. In order to ensure that audits are carried out in an effective, efficient and timely manner, providers of very large online platforms and of very large online search engines should provide the necessary cooperation and assistance to the organisations carrying out the audits, including by giving the auditor access to all relevant data and premises necessary to perform the audit properly, including, where appropriate, to data related to algorithmic systems, and by answering oral or written questions. Auditors should also be able to make use of other sources of objective information, including studies by vetted researchers. Providers of very large online platforms and of very large online search engines should not undermine the performance of the audit. Audits should be performed according to best industry practices and high professional ethics and objectivity, with due regard, as appropriate, to auditing standards and codes of practice. Auditors should guarantee the confidentiality, security and integrity of the information, such as trade secrets, that they obtain when performing their tasks. This guarantee should not be a means to circumvent the applicability of audit obligations in this Regulation. Auditors should have the necessary expertise in the area of risk management and technical competence to audit algorithms. They should be independent, in order to be able to perform their tasks in an adequate and trustworthy manner. They should comply with core independence requirements for prohibited non-auditing services, firm rotation and non-contingent fees. If their independence and technical competence is not beyond doubt, they should resign or abstain from the audit engagement.
The audit report should be substantiated, in order to give a meaningful account of the activities undertaken and the conclusions reached. It should help inform, and where appropriate suggest improvements to the measures taken by the providers of the very large online platform and of the very large online search engine to comply with their obligations under this Regulation. The audit report should be transmitted to the Digital Services Coordinator of establishment, the Commission and the Board following the receipt of the audit report. Providers should also transmit upon completion without undue delay each of the reports on the risk assessment and the mitigation measures, as well as the audit implementation report of the provider of the very large online platform or of the very large online search engine showing how they have addressed the audit’s recommendations. The audit report should include an audit opinion based on the conclusions drawn from the audit evidence obtained. A ‘positive opinion’ should be given where all evidence shows that the provider of the very large online platform or of the very large online search engine complies with the obligations laid down by this Regulation or, where applicable, any commitments it has undertaken pursuant to a code of conduct or crisis protocol, in particular by identifying, evaluating and mitigating the systemic risks posed by its system and services. A ‘positive opinion’ should be accompanied by comments where the auditor wishes to include remarks that do not have a substantial effect on the outcome of the audit. A ‘negative opinion’ should be given where the auditor considers that the provider of the very large online platform or of the very large online search engine does not comply with this Regulation or the commitments undertaken. Where the audit opinion could not reach a conclusion for specific elements that fall within the scope of the audit, an explanation of reasons for the failure to reach such a conclusion should be included in the audit opinion. Where applicable, the report should include a description of specific elements that could not be audited, and an explanation of why these could not be audited.