CHAPTER III - Due Diligence Obligations for a transparent and safe online environment (Art. 11 - 48)
- Section 1 – Provisions applicable to all providers of intermediary services
- Article 11 – Points of contact for Member States’ authorities, the Commission and the Board
- Article 12 – Points of contact for recipients of the service
- Article 13 – Legal representatives
- Article 14 – Terms and conditions
- Article 15 – Transparency reporting obligations for providers of intermediary services
- Section 2 – Additional provisions applicable to providers of hosting services, including online platforms
- Article 16 – Notice and action mechanisms
- Article 17 – Statement of reasons
- Article 18 – Notification of suspicions of criminal offences
- Section 3 – Additional provisions applicable to providers of online platforms
- Article 19 – Exclusion for micro and small enterprises
- Article 20 – Internal complaint-handling system
- Article 21 – Out-of-court dispute settlement
- Article 22 – Trusted flaggers
- Article 23 – Measures and protection against misuse
- Article 24 – Transparency reporting obligations for providers of online platforms
- Article 25 – Online interface design and organisation
- Article 26 – Advertising on online platforms
- Article 27 – Recommender system transparency
- Article 28 – Online protection of minors
- Section 4 – Additional provisions applicable to providers of online platforms allowing consumers to conclude distance contracts with traders
- Article 29 – Exclusion for micro and small enterprises
- Article 30 – Traceability of traders
- Article 31 – Compliance by design
- Article 32 – Right to information
- Section 5 – Additional obligations for providers of very large online platforms and of very large online search engines to manage systemic risks
- Article 33 – Very large online platforms and very large online search engines
- Article 34 – Risk assessment
- Article 35 – Mitigation of risks
- Article 36 – Crisis response mechanism
- Article 37 – Independent audit
- Article 38 – Recommender systems
- Article 39 – Additional online advertising transparency
- Article 40 – Data access and scrutiny
- Article 41 – Compliance function
- Article 42 – Transparency reporting obligations
- Article 43 – Supervisory fee
- Section 6 – Other provisions concerning due diligence obligations
- Article 44 – Standards
- Article 45 – Codes of conduct
- Article 46 – Codes of conduct for online advertising
- Article 47 – Codes of conduct for accessibility
- Article 48 – Crisis protocols
- Section 1 – Competent authorities and national Digital Services Coordinators
- Article 49 – Competent authorities and Digital Services Coordinators
- Article 50 – Requirements for Digital Services Coordinators
- Article 51 – Powers of Digital Services Coordinators
- Article 52 – Penalties
- Article 53 – Right to lodge a complaint
- Article 54 – Compensation
- Article 55 – Activity reports
- Section 2 – Competences, coordinated investigation and consistency mechanisms
- Article 56 – Competences
- Article 57 – Mutual assistance
- Article 58 – Cross-border cooperation among Digital Services Coordinators
- Article 59 – Referral to the Commission
- Article 60 – Joint investigations
- Section 3 – European Board for Digital Services
- Article 61 – European Board for Digital Services
- Article 62 – Structure of the Board
- Article 63 – Tasks of the Board
- Section 4 – Supervision, investigation, enforcement and monitoring in respect of providers of very large online platforms and of very large online search engines
- Article 64 – Development of expertise and capabilities
- Article 65 – Enforcement of obligations of providers of very large online platforms and of very large online search engines
- Article 66 – Initiation of proceedings by the Commission and cooperation in investigation
- Article 67 – Requests for information
- Article 68 – Power to take interviews and statements
- Article 69 – Power to conduct inspections
- Article 70 – Interim measures
- Article 71 – Commitments
- Article 72 – Monitoring actions
- Article 73 – Non-compliance
- Article 74 – Fines
- Article 75 – Enhanced supervision of remedies to address infringements of obligations laid down in Section 5 of Chapter III
- Article 76 – Periodic penalty payments
- Article 77 – Limitation period for the imposition of penalties
- Article 78 – Limitation period for the enforcement of penalties
- Article 79 – Right to be heard and access to the file
- Article 80 – Publication of decisions
- Article 81 – Review by the Court of Justice of the European Union
- Article 82 – Requests for access restrictions and cooperation with national courts
- Article 83 – Implementing acts relating to Commission intervention
- Section 5 – Common provisions on enforcement
- Article 84 – Professional secrecy
- Article 85 – Information sharing system
- Article 86 – Representation
- Section 6 – Delegated and implementing acts
- Article 87 – Exercise of the delegation
- Article 88 – Committee procedure
Art. 37 DSA
Independent audit
- Providers of very large online platforms and of very large online search engines shall be subject, at their own expense and at least once a year, to independent audits to assess compliance with the following:
(a) the obligations set out in Chapter III;
(b) any commitments undertaken pursuant to the codes of conduct referred to in Articles 45 and 46 and the crisis protocols referred to in Article 48. - Providers of very large online platforms and of very large online search engines shall afford the organisations carrying out the audits pursuant to this Article the cooperation and assistance necessary to enable them to conduct those audits in an effective, efficient and timely manner, including by giving them access to all relevant data and premises and by answering oral or written questions. They shall refrain from hampering, unduly influencing or undermining the performance of the audit.
Such audits shall ensure an adequate level of confidentiality and professional secrecy in respect of the information obtained from the providers of very large online platforms and of very large online search engines and third parties in the context of the audits, including after the termination of the audits. However, complying with that requirement shall not adversely affect the performance of the audits and other provisions of this Regulation, in particular those on transparency, supervision and enforcement. Where necessary for the purpose of the transparency reporting pursuant to Article 42(4), the audit report and the audit implementation report referred to in paragraphs 4 and 6 of this Article shall be accompanied with versions that do not contain any information that could reasonably be considered to be confidential. - Audits performed pursuant to paragraph 1 shall be performed by organisations which:
(a) are independent from, and do not have any conflicts of interest with, the provider of very large online platforms or of very large online search engines concerned and any legal person connected to that provider; in particular:
(i) have not provided non-audit services related to the matters audited to the provider of very large online platform or of very large online search engine concerned and to any legal person connected to that provider in the 12 months’ period before the beginning of the audit and have committed to not providing them with such services in the 12 months’ period after the completion of the audit;
(ii) have not provided auditing services pursuant to this Article to the provider of very large online platform or of very large online search engine concerned and any legal person connected to that provider during a period longer than 10 consecutive years;
(iii) are not performing the audit in return for fees which are contingent on the result of the audit;
(b) have proven expertise in the area of risk management, technical competence and capabilities;
(c) have proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards. - Providers of very large online platforms and of very large online search engines shall ensure that the organisations that perform the audits establish an audit report for each audit.
That report shall be substantiated, in writing, and shall include at least the following:
(a) the name, address and the point of contact of the provider of the very large online platform or of the very large online search engine subject to the audit and the period covered;
(b) the name and address of the organisation or organisations performing the audit;
(c) a declaration of interests;
(d) a description of the specific elements audited, and the methodology applied;
(e) a description and a summary of the main findings drawn from the audit;
(f) a list of the third parties consulted as part of the audit;
(g) an audit opinion on whether the provider of the very large online platform or of the very large online search engine subject to the audit complied with the obligations and with the commitments referred to in paragraph 1, namely ‘positive’, ‘positive with comments’ or ‘negative’;
(h) where the audit opinion is not ‘positive’, operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance. - Where the organisation performing the audit was unable to audit certain specific elements or to express an audit opinion based on its investigations, the audit report shall include an explanation of the circumstances and the reasons why those elements could not be audited.
- Providers of very large online platforms or of very large online search engines receiving an audit report that is not ‘positive’ shall take due account of the operational recommendations addressed to them with a view to take the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures that they have taken to address any instances of non-compliance identified.
- The Commission is empowered to adopt delegated acts in accordance with Article 87 to supplement this Regulation by laying down the necessary rules for the performance of the audits pursuant to this Article, in particular as regards the necessary rules on the procedural steps, auditing methodologies and reporting templates for the audits performed pursuant to this Article. Those delegated acts shall take into account any voluntary auditing standards referred to in Article 44(1), point (e).