Data Strategy Briefing — February 13, 2024
The European Commission adopted the Digital Services Act data-access implementing regulation on 13 February 2024, setting timelines and safeguards for researcher requests that VLOPs and VLOSEs must embed into governance, transparency, and security controls.
Executive briefing: The European Commission adopted the Digital Services Act (DSA) implementing regulation on data access, defining how vetted researchers may request and use data from Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The act operationalises Article 40 of the DSA, which obliges platforms to provide access to data necessary to monitor and assess systemic risks such as disinformation, illegal content, or threats to public health. The implementing regulation sets out request formats, timelines, verification steps, safeguards for trade secrets and personal data, and enforcement mechanisms. VLOPs and VLOSEs must update governance programmes immediately to ensure that by the DSA’s full applicability date they can receive, process, and fulfil research requests lawfully and securely.
The regulation requires platforms to establish clear points of contact, publish technical documentation describing available datasets, and respond to researcher requests within 15 days (extendable to 30) with either access or a reasoned refusal. Platforms must assess whether requested data is necessary and proportionate for the stated research objective, balancing it against protections for personal data, trade secrets, and security. If access is granted, the regulation mandates secure processing environments, audit trails, and obligations for researchers to delete or anonymise data after use. National Digital Services Coordinators (DSCs) will supervise compliance, supported by the European Board for Digital Services. Non-compliance can trigger fines up to 6% of global turnover under the DSA.
Why it matters for governance teams
Article 40 is a new regulatory vector that goes beyond traditional transparency reporting. Platforms must stand up quasi-legal discovery processes for external researchers, ensuring that data sharing aligns with the General Data Protection Regulation (GDPR), trade secret law, and cybersecurity obligations. Boards should recognise that data access requests could expose sensitive algorithms, content moderation logs, or advertising performance data. Failure to handle requests properly risks enforcement actions, civil litigation, and reputational damage. The implementing regulation clarifies that unjustified denials or delays will be scrutinised, and it allows researchers to complain to DSCs, who can compel access.
The rules also require proactive preparation. Platforms must publish catalogues describing the types of data they hold, including metadata, metrics, and algorithmic signals relevant to systemic risk assessments. They must maintain documentation on data schema, quality, and retention. Security teams must design controlled environments (e.g., secure sandboxes or virtual data rooms) where researchers can access data without exfiltrating raw records. Legal and privacy teams must create consent assessments and anonymisation procedures that satisfy both GDPR and trade secret protections.
Governance checkpoints
- Data inventory and classification: Conduct an exhaustive mapping of datasets covered by Article 40, categorising them by sensitivity (personal data, trade secrets, security-critical) and aligning each category with access conditions (e.g., remote access with logging, on-premises secure room, aggregated output only). Document legal bases for sharing and residual risk mitigation.
- Access request workflow: Design a standard operating procedure (SOP) that covers intake, verification of researcher credentials, necessity assessment, approval chains, secure delivery, and closure reporting. Implement case management tooling with timelines, alerts, and audit logs to demonstrate compliance with the 15-day response requirement.
- GDPR and trade secret safeguards: Develop templated data protection impact assessments (DPIAs) for frequent request categories. Establish pseudonymisation/anonymisation playbooks, contract clauses prohibiting re-identification, and monitoring to detect misuse. Coordinate with intellectual property counsel to define thresholds where disclosure would undermine trade secrets and legitimate refusal is justified.
- Security architecture: Build or enhance secure research environments featuring multi-factor authentication, role-based access controls, restricted data export, and continuous monitoring. Ensure logging captures all researcher activity and that logs are retained for at least five years as required by the regulation.
- Transparency and reporting: Update public transparency portals with data catalogues, contact points, and statistics on requests received and fulfilled. Prepare periodic reports for DSCs summarising processing times, refusal grounds, and remedial actions.
Each checkpoint must align with the DSA’s broader systemic risk management framework. Boards should receive quarterly dashboards showing request volumes, approval rates, data categories accessed, and any incidents. The compliance function should rehearse escalation to DSCs, including legal arguments for refusal and supporting evidence.
Implementation roadmap
Immediate (February 2024): Form a cross-functional task force involving legal, privacy, security, engineering, and public policy teams. Publish or update the platform’s research data catalogue. Set up dedicated contact channels and intake forms that capture required information (research objective, methodology, funding source, institutional affiliation). Draft template contracts and confidentiality agreements aligned with the implementing regulation.
Q2 2024: Deploy secure research environments and test them with internal teams or pilot researchers. Conduct DPIAs for high-risk datasets and integrate mitigations (e.g., synthetic data, aggregated outputs). Implement automated tracking of deadlines and reminders for request handling. Train staff on evaluation criteria and documentation standards.
Second half 2024: Perform internal audits to assess compliance with Article 40 processes. Evaluate whether refusal justifications withstand regulatory scrutiny. Update transparency reporting, including machine-readable disclosures on request statistics. Coordinate with DSCs to clarify expectations and participate in EU-level working groups shaping best practices.
2025 and beyond: Integrate lessons learned into platform governance strategies. Expand support for cross-border research collaborations, ensuring contractual terms address data transfers outside the EU. Continuously update catalogues and security measures as new systemic risks emerge (e.g., election interference, AI-generated content).
The regulation also clarifies cost recovery: platforms may only charge researchers for marginal costs necessary to generate or facilitate access, and must publish fee schedules in advance. Finance teams should align billing systems, document cost calculations, and ensure fee policies are non-discriminatory to avoid allegations of obstructing legitimate research.
Risk watch
Monitor guidance from the Commission and the European Board for Digital Services, which may publish templates, FAQs, or case law interpretations. Track enforcement actions against platforms that mishandle requests; early decisions will set precedents on acceptable safeguards. Keep an eye on interplay with the EU AI Act, which introduces transparency and risk management obligations for recommender systems that may overlap with Article 40 disclosures.
By building disciplined data access governance now, VLOPs and VLOSEs can demonstrate accountability, foster academic collaboration, and reduce the likelihood of coercive enforcement while contributing to healthier online ecosystems.




