Digital Services Act

On 13 February 2024 the European Commission adopted the Digital Services Act (DSA) implementing regulation on data access, defining how vetted researchers may request and use data from Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The act operationalizes Article 40 of the DSA, which obliges platforms to provide access to data necessary to monitor and assess systemic risks such as disinformation, illegal content, or threats to public health. The implementing regulation sets out request formats, timelines, verification steps, safeguards for trade secrets and personal data, and enforcement mechanisms. VLOPs and VLOSEs must update governance programs immediately to ensure that by the DSA’s full applicability date of 17 February 2024 they can receive, process, and fulfil research requests lawfully and securely.

The regulation requires platforms to establish clear points of contact, publish technical documentation describing available datasets, and respond to researcher requests within 15 days (extendable to 30) with either access or a reasoned refusal. Platforms must assess whether requested data is necessary and proportionate for the stated research objective, balancing it against protections for personal data, trade secrets, and security.

If access is granted, the regulation mandates secure processing environments, audit trails, and obligations for researchers to delete or anonymise data after use. National Digital Services Coordinators (DSCs) will supervise compliance, supported by the European Board for Digital Services. Non-compliance can trigger fines up to 6% of global turnover under the DSA.

Why it matters for governance teams

Article 40 is a new regulatory vector that goes beyond traditional transparency reporting. Platforms must stand up quasi-legal discovery processes for external researchers, ensuring that data sharing follows the General Data Protection Regulation (GDPR), trade secret law, and cybersecurity obligations.

Boards should recognize that data access requests could expose sensitive algorithms, content moderation logs, or advertising performance data. Failure to handle requests properly risks enforcement actions, civil litigation, and reputational damage. The implementing regulation clarifies that unjustified denials or delays will be scrutinised, and it allows researchers to complain to DSCs, who can compel access.

The rules also require advance preparation. Platforms must publish catalogs describing the types of data they hold, including metadata, metrics, and algorithmic signals relevant to systemic risk assessments. They must maintain documentation on data schema, quality, and retention. Security teams must design controlled environments (for example, secure sandboxes or virtual data rooms) where researchers can access data without exfiltrating raw records. Legal and privacy teams must create consent assessments and anonymization procedures that satisfy both GDPR and trade secret protections.

Governance checkpoints

• Data inventory and classification: Conduct an exhaustive mapping of datasets covered by Article 40, categorising them by sensitivity (personal data, trade secrets, security-critical) and aligning each category with access conditions (for example, remote access with logging, on-premises secure room, aggregated output only). Document legal bases for sharing and residual risk mitigation.
• Access request workflow: Design a standard operating procedure (SOP) that covers intake, verification of researcher credentials, necessity assessment, approval chains, secure delivery, and closure reporting. Implement case management tooling with timelines, alerts, and audit logs to show compliance with the 15-day response requirement.
• GDPR and trade secret safeguards: Develop templated data protection impact assessments (DPIAs) for frequent request categories. Establish pseudonymization/anonymization playbooks, contract clauses prohibiting re-identification, and monitoring to detect misuse. Coordinate with intellectual property counsel to define thresholds where disclosure would undermine trade secrets and legitimate refusal is justified.
• Security architecture: Build or improve secure research environments featuring multi-factor authentication, role-based access controls, restricted data export, and continuous monitoring. Ensure logging captures all researcher activity and that logs are retained for at least five years as required by the regulation.
• Transparency and reporting: Update public transparency portals with data catalogs, contact points, and statistics on requests received and fulfilled. Prepare periodic reports for DSCs summarizing processing times, refusal grounds, and remedial actions.

Each checkpoint must align with the DSA’s broader systemic risk management framework. Boards should receive quarterly dashboards showing request volumes, approval rates, data categories accessed, and any incidents. The compliance function should rehearse escalation to DSCs, including legal arguments for refusal and supporting evidence.

Rollout plan

Immediate (February 2024): Form a cross-functional task force involving legal, privacy, security, engineering, and public policy teams. Publish or update the platform’s research data catalog. Set up dedicated contact channels and intake forms that capture required information (research objective, methodology, funding source, institutional affiliation). Draft template contracts and confidentiality agreements aligned with the implementing regulation.

Q2 2024: Deploy secure research environments and test them with internal teams or pilot researchers. Conduct DPIAs for high-risk datasets and integrate mitigations (for example, synthetic data, aggregated outputs). Implement automated tracking of deadlines and reminders for request handling. Train staff on evaluation criteria and documentation standards.

Second half 2024: Perform internal audits to assess compliance with Article 40 processes. Evaluate whether refusal justifications withstand regulatory scrutiny. Update transparency reporting, including machine-readable disclosures on request statistics. Coordinate with DSCs to clarify expectations and participate in EU-level working groups shaping good practices.

2025 and beyond: Integrate lessons learned into platform governance strategies. Expand support for cross-border research collaborations, ensuring contractual terms address data transfers outside the EU. Continuously update catalogs and security measures as new systemic risks emerge (for example, election interference, AI-generated content).

The regulation also clarifies cost recovery: platforms may only charge researchers for marginal costs necessary to generate or help access, and must publish fee schedules in advance. Finance teams should align billing systems, document cost calculations, and ensure fee policies are non-discriminatory to avoid allegations of obstructing legitimate research.

Risk watch

Monitor guidance from the Commission and the European Board for Digital Services, which may publish templates, FAQs, or case law interpretations. Track enforcement actions against platforms that mishandle requests; early decisions will set precedents on acceptable safeguards. Keep an eye on interplay with the EU AI Act, which introduces transparency and risk management obligations for recommender systems that may overlap with Article 40 disclosures.

By building disciplined data access governance now, VLOPs and VLOSEs can show accountability, foster academic collaboration, and reduce the likelihood of coercive enforcement while contributing to healthier online ecosystems.

Researcher Access Framework

The DSA implementing regulation establishes vetted researcher access procedures for platform data. Very large online platforms must enable systemic risk research through secure data access mechanisms. Technical specifications ensure consistent data formats and access protocols across platforms.

Compliance Architecture

Platforms implement secure data access infrastructure with researcher authentication and authorization controls. Audit logging tracks all data access for compliance demonstration. Data anonymization techniques protect user privacy while enabling research objectives.

Research Governance

Researchers must demonstrate affiliation with recognized institutions and propose research methodologies meeting ethical standards. Platform data access committees review requests and establish appropriate conditions. Output review procedures ensure research publications do not expose protected information.

You may also find useful

Hand-picked articles on adjacent topics.

Data Strategy · Credibility 73/100 · February 8, 2024

ANPD regulatory agenda

Brazil's ANPD published its regulatory agenda, signaling upcoming guidance on data transfers, AI, and sector-specific rules. Understanding regulatory priorities helps with compliance planning in the Brazilian market.

Data Strategy · Credibility 73/100 · February 23, 2024

International data transfers

Brazil’s ANPD adopted Resolution 15 to operationalize the LGPD’s international transfer regime, requiring modular SCCs, a centralized transfer registry, and new assurance obligations over third-country adequacy and…

Data Strategy · Credibility 87/100 · January 18, 2024

TEFCA interoperability — First QHINs cleared to exchange nationwide

ONC and The Sequoia Project designated six Qualified Health Information Networks under the Trusted Exchange Framework and Common Agreement, activating nationwide FHIR-based exchange obligations for participants…

Data Strategy · Credibility 73/100 · January 17, 2024

CMS prior authorization

CMS’s final prior authorization rule compels payers to deploy FHIR APIs, meet seven-day decisions, publish metrics, and reengineer utilization management ahead of 2026–2027 compliance deadlines.

Data Strategy · Credibility 73/100 · March 15, 2024

Data Strategy — EU regulation

EU institutions reached a provisional agreement on the European Health Data Space, setting governance for primary and secondary health-data use across Member States.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

February 13, 2024

Coverage pillar

Data Strategy

Source credibility

91/100 — high confidence

Topics

Digital Services Act · Article 40 data access · VLOP compliance · Researcher transparency · EU platform governance

Sources cited

3 sources (eur-lex.europa.eu, digital-strategy.ec.europa.eu)

Reading time

6 min

Documentation

1. Digital Services Act — eur-lex.europa.eu
2. DSA Implementation — ec.europa.eu
3. GDPR — eur-lex.europa.eu