EU Digital Services Act: Are you ready for audit? | Deloitte UK has been saved
Limited functionality available
The EU Digital Services Act will come into force in January 2024 and will be directly applicable across all Member States to intermediary service providers, established in or outside the EU, who provide services to recipients with establishment or residence in the Union. The Act imposes new transparency and accountability requirements on the providers of intermediary services, with additional specific annual audit requirements for very large platforms.
The Digital Services Act was agreed on 23rd April 2022 by the European Council and the European Parliament. The Act builds on the existing E-commerce Directive, adding further requirements on content moderation, algorithm reviews, reporting, complaint handling and policing of goods and services. Whilst most rules under the Act will apply to all intermediary services providers, some further obligations will apply specifically to very large platforms; those catering to 45 million active monthly users or more.
This article will mainly focus on summarising the aspects of the Act which are subject to annual independent audit requirements for very large online platforms, as set forth in Article 28. The annual audit requirement is divided into two sections:
Auditors are required to provide their findings in the form of an “opinion” which has to be provided as “positive”, “positive with comments” or “negative”.
The Act further mandates that where an audit opinion is not positive, operational recommendations on specific measures to achieve compliance should be included. The very large online platforms shall, within one month from receiving those recommendations, adopt an audit implementation report that sets out those measures.
Chapter III of the Digital Services Act is split into 5 sections, each addressing different aspects of transparency and accountability requirements.
Sections 1 to 3 apply uniformly to all intermediary service providers, regardless of size, whilst section 4 requirements are specific to very large platforms. Section 5 addresses the future standards, codes of conduct and crisis protocols in this area, which platforms may have to regularly report on once established.
More specifically, Section 1 mandates a number of detailed requirements for intermediary service providers, with limited scope for interpretation. These requirements include, amongst others, establishment of a single point of contact and legal representatives in the Member States. Additionally, intermediaries will have to publish their Terms and Conditions for use including information on policies, procedures, measures and tools used for content moderation, algorithmic decision-making and human review. Section 1 further requires organisations to publish annual reports detailing the number of complaints received, and the decisions taken to remediate identified issues.
Section 2 handles the tracking and addressing of notices flagged to hosting services providers and online plaforms, warning of illegal content being shared on their platform. Unlike the more specific terms of Section 1, Section 2 requirements provide more scope for ambiguity and interpretation. Section 2 requires the hosting service providers to have in place “user-friendly” and “easy-to-access” mechanisms to notify them of illegal activities. Subsequently, the hosting service providers and online plaforms are required to process the notices in “timely and objective” manner. The Act does not clarify what “timely” would mean, opening up scope for inconsistent interpretation across the industry.
Section 3 delves into additional provisions for internal complaint-handling systems and the use of out-of-court resolution bodies (certified by the Digital Services Coordinators) for online plaforms. The regulator requires the online platforms to deal with complaints in a “timely, diligent and objective manner” and to inform the complainants of their decision without “undue delay.” Comparable provisions had been previously instigated within the financial services industry through MiFID II, where “timely” was interpreted as being 8 weeks by the FCA in the UK. It remains to be seen, however, whether financial services legislation can be used as a guidance for the terms used in Digital Services Act or whether regulators will tailor specific rules to the Digital Services industry.
Measures against “misuse” are further mandated under Section 3, requiring online platforms to suspend access to services for a “reasonable time period” for those recipients who “frequently” provide illegal content. Firms will be expected to define what these terms mean for their operations, and to implement their approach consistently.
Section 4 is relevant to the very large platforms, as defined by average active monthly users amounting to about 10% of the EU population, most of which mandate heightened transparency and accountability requirements. They will be further required to perform annual risk assessments, implement effective risk mitigation plans, and to appoint one or more compliance officers with appropriate qualifications, knowledge, and experience in the field.
Finally, Section 5 of Chapter III introduces standards, codes of conduct, and crisis protocols that firms may be required to commit to in the future. The European Commission and the European Board for Digital Services will facilitate the drafting of these, their implementation and promotion within online platforms. There will be an expectation for external auditors to review firms’ commitments to these standards, codes of conduct and crisis protocols. It is also expected that independent opinions on hosting services providers’ compliance with these standards will become part of their broader annual reports.
Firms will be required to be compliant with the Digital Services Act requirements when they come into force in 2024. The specific parameters and audit methodology required to produce the required independent audit opinion have not been laid out in the Act and so firms and their chosen auditors will need to consider the format, approach and detailed methodology required to meet these requirements ahead of the audit execution.
Deloitte has been tracking the development of Digital Services regulation for a number of years. We have extensive experience in algorithms and AI system assurance, including supporting firms enhance their existing controls frameworks and assess conformance with regulatory requirements.
You will find our previous blogs and our insights packs on algorithmic and AI assurance here. If you would like to discuss this topic further with us, don’t hesitate to get in touch with any of the authors.
 DISP Handbook 1.6 Complaints time limit rules
Mark is a Partner in our Banking & Capital Markets Audit & Assurance Group in London. He is our Global Algorithm Assurance Leader with 20 years of experience across financial services audit and assurance, regulatory compliance, regulatory investigations and disputes. He has led the development of our assurance practice as it relates to our approach to assisting firms gain confidence over their algorithmic and AI systems and processes. He has a particular sub-sector specialism in the area of algorithmic trading with varied experience supporting firms enhance their governance and control environments, as well as investigate and validate such systems. More recently he has supported and led our work across a number of emerging AI assurance related engagements.
Barry is a Director in our Banking & Capital Markets Audit and Assurance Group in London and has over 15 years’ experience spread across industry and financial services. Barry has led several large projects specifically focused on enhancing our clients AI & Algorithm control frameworks and assessing their design and operating effectiveness to ensure full regulatory compliance.
Lenka is a Senior Manager in our Banking & Capital Markets Audit Group in London. Lenka is a US qualified lawyer with 9 years’ experience working across financial services regulatory compliance, regulatory investigations and audit and assurance. She has worked with various UK and US investment banks to enhance their control frameworks and 1LOD and 2LOD procedures. Currently, Lenka works as a part of the Deloitte’s Algorithm Assurance team assisting clients to comply with recent requirements under MiFiD II (RTS 6) and PRA SS 5/18.