Transparencia Algorítmica del DSA de la UE

Why DSA is the operational frontier of algorithmic accountability The most common framing of EU AI regulation places the EU AI Act at the centre and treats the DSA as a parallel regime addressing platform content moderation. The framing captures…

Resumen ejecutivo

Why DSA is the operational frontier of algorithmic accountability

The most common framing of EU AI regulation places the EU AI Act at the centre and treats the DSA as a parallel regime addressing platform content moderation. The framing captures the formal structure and misses the operational reality entirely. The DSA is the only fully operational regime in the world for systemic algorithmic risk assessment, independent algorithmic auditing, and researcher data access, and its enforcement intensity — fines up to 6% of global annual turnover, preliminary findings against the largest digital platforms, an established Centre for Algorithmic Transparency — makes the DSA the European AI regulation with the most enforcement teeth already operational today, even before EU AI Act enforcement reaches its full intensity.

The dominant narrative reads the DSA as a content moderation regulation that happens to include some algorithmic provisions. The reading is structurally backwards. The DSA is comprehensive algorithmic accountability legislation built on top of content moderation foundations: it imposes annual systemic risk assessments specifically targeting algorithmic systems (Article 34), mandatory independent audits of compliance with all DSA obligations including algorithmic transparency (Article 37), recommender system transparency obligations across all online platforms (Article 27), opt-out from profiling-based recommendations for VLOPs (Article 38), and structured researcher data access for systemic risk research (Article 40). No other regulatory regime globally combines these elements operationally.

This matters in three concrete ways. First, the DSA enforcement architecture is operational and intensifying. The European Commission has direct enforcement authority over VLOPs and VLOSEs, with the European Centre for Algorithmic Transparency providing technical capability that no other regulatory enforcement architecture possesses. Preliminary findings against X (July 2024), Meta and TikTok (October 2025), and active investigations against multiple other VLOPs demonstrate that DSA enforcement is real and substantively engaged. Second, the DSA’s 6% fine ceiling structurally exceeds GDPR’s 4%, making it the most financially consequential AI-relevant regulation in Europe. Confirmed breach decisions against Meta could reach approximately USD 9.87 billion; against TikTok, approximately USD 1.38 billion. The financial stakes are higher than EU AI Act penalties for most provisions and create operational pressure that compounds with parallel GDPR exposure. Third, the DSA created institutional capacity that the EU AI Act inherits and extends: ECAT’s algorithmic auditing methodology, Article 40 researcher data access infrastructure, and the European Board for Digital Services coordination architecture all provide operational templates and shared expertise that EU AI Act enforcement will leverage as it ramps up through 2026-2028.

What makes the 2024-2026 enforcement cycle particularly significant is the combination of preliminary findings, secondary regulation, and institutional consolidation. The October 2025 preliminary findings against Meta and TikTok concern transparency and researcher data access — the algorithmic accountability core of the DSA. The 29 October 2025 entry into force of the delegated act on researcher access to non-public data signalled the Commission’s institutional commitment to making Article 40 operationally meaningful. EDPB Guidelines 3/2025 on DSA-GDPR interplay (September 2025) consolidated the relationship between data protection and algorithmic transparency. Code of Practice on Disinformation integration into DSA enforcement in February 2025 brought voluntary commitments under binding regulatory architecture. The trajectory is clear: the DSA is moving from regulatory framework to operational enforcement intensity faster than any other AI-adjacent regulation in Europe.

What the DSA represents in the global AI regulatory landscape, then, is the most institutionally mature algorithmic accountability regime operational today, with established enforcement architecture, dedicated technical expertise, real fines, and substantive jurisprudence consolidating across 2024-2026. The rest of this reference treats the DSA’s algorithmic provisions explicitly rather than describing the DSA as a general content moderation framework.

Article 27: recommender system transparency for online platforms

Article 27 imposes transparency obligations on all online platforms (not just VLOPs) regarding their recommender systems — the algorithmic systems that determine which content is suggested or prioritised for users.

Three core obligations.

  • Article 27(1): Online platforms must set out in their terms and conditions, in plain and intelligible language, the main parameters used in their recommender systems. The terms and conditions must include the criteria most significant in determining the information suggested to recipients of the service.
  • Article 27(2): Where multiple options are available for the recommender system, the platform must make available a way for the recipient of the service to select and modify the preferred option, including at least one option that is not based on profiling.
  • Article 27(3): Online platforms must explain why a particular recommender system functions in a particular way and which factors influence the relative importance of the parameters.

Operational consequence. Article 27 makes recommender system transparency a horizontal obligation across all online platforms, not just the largest. The required disclosure must be substantive: not generic statements that «engagement matters» but specific identification of the parameters that determine ranking and content selection. Vague disclosure can constitute non-compliance even where some transparency information is provided.

Interaction with GDPR Article 22. Many recommender systems also constitute Article 22 ADM where the recommendation effectively determines a downstream decision affecting the user (content shown, ads served, accounts suspended). EDPB Guidelines 3/2025 on DSA-GDPR interplay (September 2025) consolidate the relationship: DSA Article 27 transparency operates alongside GDPR Article 22 safeguards, and platforms must satisfy both regimes. Recommender systems often face concurrent obligations under DSA Article 27 (transparency about parameters), DSA Article 38 (non-profiling option for VLOPs), and GDPR Article 22 (safeguards for ADM with significant effects).

Article 34: systemic risk assessments for VLOPs and VLOSEs

Article 34 imposes the annual systemic risk assessment obligation on VLOPs and VLOSEs. The provision is the principal substantive vehicle for algorithmic accountability under the DSA.

Annual cadence. VLOPs and VLOSEs must, on an annual basis, diligently identify, analyse, and assess any systemic risks stemming from the design, functioning, or use of their services and related systems, including algorithmic systems.

Categories of systemic risk. The Commission’s First Annual Report on systemic risks (Article 35(2) DSA, published late 2025) consolidated the recurring systemic risk categories in four areas:

  • Dissemination of illegal content — illegal products, terrorist content, child sexual abuse material (CSAM), hate speech
  • Impacts on fundamental rights — freedom of expression, non-discrimination, privacy, consumer protection
  • Risks to civic discourse, elections, and public security — disinformation, foreign information manipulation, algorithmic amplification
  • Risks related to gender-based violence, public health, protection of minors, and mental well-being

Systemic risks concern platform design, functioning, and large-scale effects rather than individual pieces of content. The Commission emphasised this distinction: Article 34 risk assessments are about the systemic level (how the platform operates as a system), not the content moderation level (whether specific items should be removed).

Assessment factors. When carrying out risk assessments, platforms must factor in how their terms and conditions, advertising selection systems, and recommender or algorithmic systems can influence systemic risks. They must also consider the risk of intentional manipulation of their services, including through rapid spread of disinformation.

First annual risk assessments. VLOPs and VLOSEs were required to carry out and submit their first annual risk assessments to the European Commission by 25 August 2023. Subsequent annual assessments have followed each August.

Operational consequence. Article 34 has bore substantial enforcement fruit. As of early 2026, 27% of all DSA enforcement actions against VLOPs/VLOSEs concerned Article 34 (17 requests for information, 7 sets of formal proceedings opened in the name of Article 34 alone), focused on recommender systems, protection of minors, and illegal content systemic risks.

Article 35: risk mitigation measures

Article 35 requires VLOPs and VLOSEs to implement reasonable, proportionate, and effective mitigation measures in response to systemic risks identified under Article 34. Mitigation measures must address the specific systemic risks identified and must be tailored to the platform’s design and functioning.

Mitigation measure categories include:

  • Adapting design, functioning, or terms and conditions to reduce systemic risk exposure
  • Adapting content moderation processes including human resources allocation, automated tools, and processing time
  • Adapting recommender systems to limit amplification of systemic risk content
  • Adapting advertising systems to reduce risks (e.g., excluding certain advertisers from sensitive contexts)
  • Promoting visibility of authoritative information sources in critical contexts (elections, public health)
  • Adopting cooperative measures with researchers, civil society, and other stakeholders

The Article 35(2) annual report from the European Board for Digital Services (late 2025) consolidates emerging best practice on mitigation measures. The Code of Practice on Disinformation, integrated into DSA enforcement in February 2025, provides one operational framework for mitigation in the disinformation domain.

Article 37: independent audits

Article 37 imposes the annual independent audit obligation on VLOPs and VLOSEs. This is the most operationally distinctive feature of the DSA’s algorithmic accountability architecture: VLOPs and VLOSEs must commission, at their own expense, annual audits of compliance with all DSA obligations, including algorithmic transparency, systemic risk assessment, and mitigation measures.

Audit timing. First audits had to be completed within one year of designation, by 25 August 2024. Subsequent annual audits have followed each year.

Public reporting. VLOPs and VLOSEs have 3 months from receipt of the audit report to prepare and publish a public report on the outcome of the risk assessment, mitigation measures, audit findings, and audit implementation actions taken. This creates an operational transparency layer that is publicly accessible.

Auditor independence. Auditors must be independent organisations, with technical capability sufficient for DSA audit work. The Commission has progressively published guidance on auditor independence and audit methodology, with ECAT providing technical input on what constitutes substantive auditing of algorithmic systems versus formalistic process review.

Article 37 audit and ISO/IEC 42001. The substantive overlap between Article 37 audit scope (algorithmic transparency, risk assessment, mitigation measures) and ISO/IEC 42001 AI management system requirements (governance, risk management, lifecycle controls) means that organisations with mature ISO/IEC 42001 implementations are operationally better positioned for DSA audits. Accredited ISO/IEC 42001 certification is increasingly referenced in DSA audit methodology discussions as the international assurance standard most directly relevant.

Article 38: recommender system non-profiling option

Article 38 imposes a specific obligation on VLOPs and VLOSEs that goes beyond the horizontal Article 27 transparency requirement: VLOPs and VLOSEs must provide at least one option for their recommender systems that is not based on profiling (within the meaning of Article 4(4) GDPR).

Operational implications.

  • The non-profiling option must be a genuine alternative, not a degraded version of the profiling-based system
  • Users must be able to easily access and select the non-profiling option
  • Default settings can lawfully be the profiling-based system, but the non-profiling option must remain available and accessible
  • The non-profiling alternative must be substantively functional — e.g., chronological feeds, popularity-based feeds, or other algorithmic alternatives that do not rely on individual user profiling

Article 38 represents the most direct algorithmic obligation in the DSA: it constrains what VLOPs and VLOSEs can offer users, requiring at least one technological choice that respects user autonomy from individualised profiling.

Article 40: researcher data access

Article 40 establishes structured researcher access to platform data for systemic risk research. The provision creates the institutional infrastructure for empirical AI accountability research outside the platform itself.

Two access tiers.

  • Article 40(4): Vetted researchers can request access to non-public platform data necessary for research contributing to detection, identification, and understanding of systemic risks in the EU. The implementing delegated act on data access entered into force on 29 October 2025.
  • Article 40(12): All researchers can access publicly available platform data through reasonable mechanisms provided by VLOPs and VLOSEs.

Vetted researcher status. Article 40 requires Member States’ Digital Services Coordinators to vet researchers before granting non-public data access. Vetting criteria include institutional affiliation, research methodology, data security capability, and absence of commercial conflict of interest.

Operational consequence. The October 2025 preliminary findings against Meta and TikTok focused substantially on Article 40 implementation: the Commission found that both platforms had implemented overly burdensome and restrictive procedures that effectively limited researcher access to public data, contrary to the Article 40(12) obligation. The findings demonstrated that procedural friction can constitute substantive non-compliance.

VLOP/VLOSE designations and the Irish DSC role

The DSA’s enforcement architecture concentrates the largest digital platforms under direct European Commission enforcement, with national Digital Services Coordinators handling smaller services and supporting Commission enforcement.

Initial designations (April 2023). 17 VLOPs and 2 VLOSEs were designated based on the Article 33 threshold of 45 million average monthly active users in the EU. The initial VLOPs included Facebook, Instagram, TikTok, X, YouTube, Snapchat, LinkedIn, Pinterest, Amazon Store, Booking.com, Zalando, Google Play, Google Maps, Google Shopping, AliExpress, and additional platforms. The initial VLOSEs were Google Search and Bing.

Subsequent designations. The Commission has progressively designated additional VLOPs as platforms reach the user threshold. The list expands rather than contracting: VLOP designation is operationally permanent for active platforms.

Irish concentration. 13 of the 17 originally designated VLOPs are headquartered in Ireland, making Ireland’s Coimisiún na Meán the principal national Digital Services Coordinator for major US tech platforms. The Irish DSC works in close coordination with the European Commission for VLOP enforcement and serves as the lead DSC for cross-border issues affecting Ireland-headquartered platforms. The Irish DSC’s role in the October 2025 preliminary findings against Meta and TikTok was substantively significant.

The European Board for Digital Services. Coordinates the consistent application of the DSA across Member States. The Board is composed of all DSCs and chaired by the Commission. Article 35(2) annual reports on systemic risks are prepared by the Board.

The European Centre for Algorithmic Transparency (ECAT). Launched 2023 within the European Commission’s Joint Research Centre. ECAT provides scientific and technical expertise to support DSA enforcement, including algorithmic system testing, risk assessment methodology, and audit framework development. ECAT is the world’s first dedicated public-sector algorithmic auditing capability.

Enforcement: 6% fines and the 2024-2026 cycle

The DSA’s enforcement teeth are substantively higher than GDPR’s and have been progressively activated through 2024-2026.

Penalty structure. Article 74 establishes administrative fines up to 6% of total worldwide annual turnover for VLOPs and VLOSEs. This is structurally above GDPR’s 4% maximum and substantially above EU AI Act penalties for most provisions. Periodic penalty payments can be imposed to compel ongoing compliance.

X (Twitter) preliminary findings, July 2024. The first DSA preliminary findings against any platform. The Commission found preliminary breaches concerning transparency obligations and user protection. The X case was particularly notable for the contentious public exchange between the Commission and Elon Musk that followed.

Meta and TikTok preliminary findings, 24 October 2025. Landmark enforcement action covering:

  • Researcher data access (Article 40): both Meta (Facebook, Instagram) and TikTok preliminarily found to have implemented overly burdensome procedures restricting researcher access to public data
  • User notice and action mechanisms (Meta): Facebook and Instagram preliminarily found to lack user-friendly mechanisms for users to notify illegal content
  • Content moderation appeals (Meta): Facebook and Instagram preliminarily found to lack effective challenge mechanisms, including the inability for users to provide explanations or supporting evidence
  • Dark patterns (Meta): certain interface design choices preliminarily found to constitute manipulation of user choice

If confirmed, fines could reach approximately USD 9.87 billion for Meta and USD 1.38 billion for TikTok.

Code of Practice on Disinformation integration, February 2025. The voluntary 2022 Code of Practice on Disinformation, signed by VLOPs including TikTok, Meta, and YouTube, was formally integrated into DSA enforcement in February 2025, bringing voluntary commitments under binding regulatory architecture and creating substantive accountability for disinformation mitigation.

Article 43 supervisory fees. The Commission charges VLOPs and VLOSEs an annual supervisory fee to fund DSA enforcement infrastructure. Several VLOPs (Alphabet, ByteDance, Meta, Zalando) have brought legal challenges against the fee structure. The cases test the Commission’s authority to fund enforcement through supervisory fees.

Intersections with other regimes

Five intersections shape how the DSA operates within the broader European AI regulatory architecture.

EU AI Act. The DSA and EU AI Act apply concurrently. AI systems used by VLOPs or VLOSEs may be subject to EU AI Act high-risk obligations (e.g., AI used in recruiting, credit, or other Annex III sectors) plus DSA Article 27 transparency, Article 34 systemic risk assessment, and Article 38 non-profiling option simultaneously. The two regimes operate cumulatively. EU AI Act conformity assessment provides the technology-specific layer; DSA Article 34 risk assessment provides the systemic platform-level layer.

GDPR. Concurrent application across most DSA-regulated processing. EDPB Guidelines 3/2025 on DSA-GDPR interplay (September 2025) consolidate the relationship: DSA Article 27 transparency operates alongside GDPR Article 22 ADM safeguards; DSA Article 38 non-profiling option dovetails with GDPR Article 22(2)(b) requirements for safeguards on automated decisions; researcher data access under DSA Article 40 must comply with GDPR data protection principles for personal data involved. See Reference R15 for GDPR-specific analysis.

Code of Practice on Disinformation. Voluntary 2022 instrument formally integrated into DSA enforcement February 2025. Signatories include VLOPs and major non-VLOP platforms. The Code provides operational frameworks for DSA Article 34 systemic risk mitigation in the disinformation domain.

Code of Conduct on Countering Illegal Hate Speech Online. 2016 voluntary instrument that operated as a precursor to DSA Article 34/35. Increasingly integrated with DSA-driven mitigation measures.

ISO/IEC 42001 and international standards. Substantively relevant for VLOP and VLOSE Article 37 audit preparation. The mapping between ISO/IEC 42001 AI management system requirements and DSA algorithmic accountability obligations is a developing operational area, with auditors increasingly referencing ISO/IEC 42001 maturity in DSA audit methodology.

## ⚖️ How Zertia operates within the EU DSA algorithmic accountability environment

Built for DSA algorithmic accountability from day one

Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory

Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and ANAB accreditation in the United States. Active accreditation processes are underway with UKAS (United Kingdom) and ENAC (Spain/EU). The DSA algorithmic accountability environment — mandatory annual systemic risk assessments under Article 34, mandatory annual independent audits under Article 37, recommender system transparency under Article 27, non-profiling options under Article 38, structured researcher data access under Article 40, and 6% fines on global annual turnover — makes accredited certification and standards-based assurance directly relevant for VLOPs, VLOSEs, and the broader ecosystem of digital platforms operating in the EU.

Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Accredited ISO/IEC 42001 certification maps substantively to DSA Article 34 systemic risk assessment processes, Article 35 mitigation measures, and Article 37 audit scope, providing the international AI management system foundation that DSA auditors increasingly recognise. AIUC-1 provides agent-level technical assurance directly relevant for VLOPs deploying autonomous AI in recommender systems, content moderation, and advertising. ISO/IEC 27701 complements ISO/IEC 42001 with privacy-specific controls aligned to GDPR obligations that operate alongside DSA Article 27 transparency and Article 38 non-profiling requirements.

Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments structured to satisfy DSA Article 34 annual systemic risk assessment requirements concurrently with EU AI Act fundamental rights impact assessment and GDPR Article 35 DPIA, producing unified high-risk AI documentation that supports parallel DSA, EU AI Act, and GDPR compliance review. EU AI Act Conformity Assessment integrates with DSA Article 34/35 processes for VLOPs deploying high-risk AI systems.

Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to support DSA Article 37 audit preparation, EU AI Act conformity, and GDPR enforcement contexts. Particularly relevant for VLOPs and VLOSEs preparing for or undergoing Article 37 audits, and for the broader ecosystem of online platforms approaching the 45 million EU monthly active user threshold.

Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the DSA algorithmic accountability framework explicitly, including the Article 34 systemic risk assessment methodology, Article 37 audit preparation, Article 27 recommender system transparency, Article 38 non-profiling architecture, Article 40 researcher data access, the European Centre for Algorithmic Transparency role, and integration with the EU AI Act and GDPR for organisations operating across multiple European regulatory regimes. Particularly relevant for legal, compliance, trust and safety, and AI governance teams in VLOPs, VLOSEs, and digital platforms approaching VLOP designation.

Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS and ENAC. Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.

🎯 Take action

🔍 Diagnose your VLOP exposure 📊 Build the audit-ready evidence
Pre-Certification Assessment → ISO/IEC 42001 + AIUC-1 →
Independent diagnosis of DSA Article 37 audit readiness, Article 34 systemic risk assessment, and the algorithmic transparency intersection between DSA and AI Act for VLOPs and VLOSEs. Integrated certification combining ISO/IEC 42001 (AI management) with AIUC-1 (agent certification) for organisations operating algorithmic systems at the scale where DSA and AI Act obligations apply simultaneously.

Discuss DSA algorithmic accountability and integrated EU regulatory positioning →

Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.

¿No estás seguro de si este marco aplica a tu organización? Hablemos.