← Back to all briefings
Policy 6 min read Published Updated Credibility 87/100

Platform governance alert — DSA 2025 systemic risk assessment cycle

VLOPs and VLOSEs face the 25 August 2025 DSA systemic risk assessment deadline, requiring board-governed methodologies, mitigation evidence, and regulator engagement packs.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: By 25 August 2025, Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) designated under the EU Digital Services Act (DSA) must complete their second annual systemic risk assessments and file the results with the European Commission and their Digital Services Coordinators (DSCs). Article 34 requires providers to map, quantify, and mitigate risks relating to illegal content dissemination, fundamental rights, electoral processes, gender-based violence, protection of minors, and public health. Boards need to demonstrate a controlled governance framework that integrates product, trust-and-safety, legal, compliance, and security teams, with audit-ready evidence showing that mitigation measures are implemented, tested, and reported to regulators.

Regulatory expectations

The Commission’s 2023 VLOP/VLOSE designation decisions, the April 2023 DSA enforcement guidelines, and subsequent delegated acts emphasise that risk assessments must be data-driven, cover all languages and Member States, and include impact analysis of recommender systems, advertising models, and algorithmic decision-making. Providers must document stakeholder engagement, including consultations with civil society, independent experts, and affected communities. They must align with the Code of Practice on Disinformation, the Code of Practice on Online Safety for Minors, and, where relevant, the European AI Act requirements for high-risk or general-purpose AI systems.

Failure to evidence a robust risk assessment can trigger investigations, interim measures, binding commitments, or fines up to 6% of global turnover under Article 74. Persistent non-compliance may result in service suspension within the EU. Providers should therefore maintain comprehensive evidence packs and implement control testing to withstand Commission or DSC audits.

Governance controls

Board oversight. Boards should approve the risk assessment methodology, risk appetite statements, and mitigation strategies. Meeting minutes must evidence challenge of risk tolerances, evaluation of societal impact, and alignment with corporate responsibility goals.

Designated compliance function. Article 41 requires a compliance officer. Document the officer’s mandate, reporting line to the board, and resources. Capture annual plans, escalation procedures, and coordination with internal audit.

Policy library. Maintain up-to-date policies covering content moderation, recommender systems, advertising transparency, data access, incident response, and stakeholder engagement. Each policy should reference DSA articles, responsible owners, and control objectives.

Risk taxonomy. Develop a DSA-specific risk taxonomy, mapping systemic risk categories to business units, product features, and mitigation controls. Include inherent and residual risk ratings, key risk indicators, and thresholds that require escalation.

Independent oversight. Establish an external advisory council or independent assurance reviews to validate methodology, fairness metrics, and mitigation effectiveness. Document terms of reference, meeting outputs, and management responses.

Evidence pack architecture

Create a structured repository to support regulatory inspections:

  • Methodology documentation. Detailed description of risk identification, data sources, modelling approaches, and scenario analysis techniques. Include validation of sampling, statistical robustness, and multilingual coverage.
  • Risk assessment reports. For each systemic risk category, provide narratives, quantitative indicators, geographic breakdowns, and severity ratings. Capture historical trends, emerging issues, and root-cause analyses.
  • Mitigation catalogue. Document implemented and planned measures—content moderation tools, algorithmic adjustments, human review capacity, transparency features—linked to risk categories and effectiveness metrics.
  • Stakeholder engagement records. Summaries of consultations with civil society, regulators, academic experts, and user councils. Include agendas, feedback themes, and change logs showing how insights shaped mitigations.
  • Testing and validation. Results of A/B tests, safety evaluations, adversarial testing, red-team exercises, and stress tests of recommender systems or ad targeting controls.
  • Governance artefacts. Board papers, compliance officer reports, internal audit findings, and risk committee minutes.
  • Regulatory correspondence. Submissions to the Commission and DSCs, responses to information requests, commitments under proceedings, and documentation of data access provided to vetted researchers.

Risk assessment methodology

Adopt a repeatable methodology aligned with Article 34 guidance:

  1. Scoping. Define products, services, geographic markets, and user segments covered. Identify new features or policy changes since the previous assessment.
  2. Data collection. Gather platform telemetry, user reports, enforcement data, ad library statistics, and outcomes from trusted flagger programmes. Ensure multilingual, multimodal coverage.
  3. Risk identification. Use thematic analysis, machine learning classification, and expert workshops to detect emerging risks, including cross-platform coordination, inauthentic behaviour, or AI-generated content abuse.
  4. Impact analysis. Quantify user exposure, severity, and societal impact using metrics such as prevalence, engagement, vulnerable audience reach, and potential harm scenarios. Model worst-case events around elections, public health crises, or violent extremism.
  5. Mitigation effectiveness. Evaluate existing controls, assessing detection rates, enforcement timeliness, false positive/negative ratios, and user satisfaction. Integrate feedback from appeals processes and independent audits.
  6. Residual risk and prioritisation. Assign residual risk ratings and prioritise mitigation actions with timelines, budgets, and accountable owners.
  7. Reporting and attestation. Prepare a comprehensive report for board approval and regulatory submission. Include assurance statements from compliance, legal, and trust-and-safety leads.

Mitigation planning and controls

Risk mitigation should combine policy, technology, and human interventions:

  • Content moderation enhancements. Expand language coverage, integrate contextual AI models, and maintain human review capability for nuanced assessments. Document quality assurance sampling and reviewer training.
  • Recommender system governance. Implement explainability tools, user choice options, and safeguard parameters limiting amplification of harmful content. Record algorithmic impact assessments, fairness testing, and rollback procedures.
  • Advertising transparency. Maintain real-time ad libraries, label political advertising, and verify advertiser identity. Track compliance metrics and enforcement actions.
  • Protection of minors. Enforce age assurance measures, default privacy protections, and content filters. Capture parental control uptake, incident response logs, and collaboration with child safety organisations.
  • Fraud and consumer protection. Deploy identity verification, payment monitoring, and takedown workflows for scams. Measure detection rates, restitution processes, and coordination with law enforcement.
  • Crisis protocols. Maintain rapid-response playbooks for elections, public health emergencies, or terrorist incidents, including escalation thresholds and cross-functional communication channels.

Reporting workflow

Design a reporting workflow that ensures timely approvals and regulator submissions:

  1. Monthly risk committee. Review incident trends, enforcement metrics, and mitigation progress. Update risk register entries and escalate high-priority issues.
  2. Quarterly board updates. Present risk dashboard, mitigation investments, and assurance results. Document decisions and resource allocations.
  3. Draft assessment production (May–June). Trust-and-safety teams compile data, analytics teams validate metrics, and compliance drafts the narrative. Legal reviews for privilege and disclosure obligations.
  4. Assurance (June–July). Internal audit or independent assessors review methodology, data integrity, and control evidence. Capture findings and management responses.
  5. Board approval (July). Final report presented to the board, with attestation from the compliance officer. Minutes should note challenges, residual risks, and follow-up actions.
  6. Submission (August). File the risk assessment with the Commission and relevant DSCs, alongside mitigation implementation plans and key metrics. Archive submission receipts and supporting datasets.
  7. Post-submission monitoring. Track regulator feedback, commitments, and deadlines. Update the risk register and integrate actions into product roadmaps.

Data governance and transparency

Ensure data governance supports transparency obligations. Maintain data inventories showing sources, processing purposes, retention, and access controls. Implement privacy-by-design principles and conduct data protection impact assessments for data used in risk assessments. Provide secure portals for vetted researchers, fulfilling Article 40 obligations, with logging, consent management, and output reviews.

Transparency reporting should align with Article 42 requirements. Produce quarterly or semi-annual public reports summarising enforcement statistics, algorithmic changes, and risk mitigation outcomes. Ensure consistency between public disclosures and regulator submissions.

Stakeholder engagement

Develop engagement plans covering civil society, academic experts, and user communities. Document workshops, advisory panels, and feedback incorporation. For elections, coordinate with EU and national authorities via the Rapid Alert System and the European Cooperation Network on Elections. Track commitments made in Codes of Practice and align deliverables with risk mitigation timelines.

Pre-August 2025 checklist

  • Update systemic risk taxonomy and align it with current threat intelligence and societal trends.
  • Refresh data pipelines to cover new content formats (short-form video, generative AI outputs) and emerging languages or dialects.
  • Conduct independent validation of recommender system safeguards and advertising transparency controls.
  • Complete stakeholder consultations and capture documented feedback.
  • Run tabletop exercises simulating Commission inspections and DSC information requests.
  • Prepare consolidated regulator submission packs with executive summaries, dashboards, and annexed evidence.

Zeph Tech supports DSA-designated services with systemic risk governance, analytics validation, and regulator-ready documentation so the August 2025 assessment demonstrates credible mitigation of societal harms.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • EU Digital Services Act
  • Online platforms
  • Systemic risk assessments
  • Content governance
Back to curated briefings