The DSA’s risk mitigation regime is the heart of the DSA and its potentially most impactful regulatory angle. Unlike most other DSA obligations, it does not just ask for specific add-ons (Do this! Report that!). Instead, Art. 34 f. DSA requires platforms to continuously conduct a 360-degree evaluation of their functionalities and designs, and – if the risk assessment is negative – to ultimately alter or even discontinue functionalities as such.
However, Art. 34 f. DSA’s level of abstraction implies legal uncertainty. It is one thing to require platforms to assess and mitigate risks. It is another thing if, one day, the European Commission, with an ex post view, determines that a platform’s prior risk assessment (conducted ex ante) was insufficient. Apart from clear-cut cases, this might create tensions with the principle of legal certainty (see, e.g., the decisions in cases C-570/20, para 38, and C-194/14, para 39). Alternatively, the uncertainties inherent in Art. 34 f. DSA might stand in the way of a finding of negligence, which could then at least protect platforms against repressive sanctions.
Therefore, fact-finding and consensus-building are crucial for making Art. 34 f. DSA a success.
With that in mind, I come to the actual topic of this blog post: the first round of (public) DSA risk assessment and mitigation reports, by which I mean the specific reporting that, under Art. 42(4) DSA, only VLOPs (and VLOSEs) have to conduct and make publicly available:
- the results of the risk assessment pursuant to Art. 34,
- the specific mitigation measures put in place pursuant to Art. 35(1),
(see links here on the European Commission website for published reports).
By nature, these reports serve as a starting point for effective risk-mitigation, as they provide the platforms’ perspectives. Any risk assessed and any measure proposed in these reports should indicate (though not necessarily prove) a minimum standard under Art. 34 f. DSA. Furthermore, any gaps or evasiveness in the reports should raise suspicions about potential shortcomings in risk mitigation itself, indicating the need for further investigation.
There have been some very good publications on the first reports. For in-depth explanations of the framework, see, for example, the blog posts by John Albert as well as Magdalena Jóźwiak. A comprehensive initial analysis of the reports has been conducted by the DSA Civil Society Coordination Group (“Civil Society Responds to DSA Risk Assessment Reports: An Initial Feedback Brief”). For the related topic of the first DSA audits, see my blog post here.
In this blog post, I want to share three observations from reviewing some (though not all) of the risk assessment/mitigation reports:
1) Two in One – Risk Assessment & Mitigation in one Report
Art. 42(4) DSA requires VLOPs and VLOSEs to “make publicly available”
- a report setting out the results of the risk assessment pursuant to Art. 34 DSA;
- the specific mitigation measures put in place pursuant to Art. 35(1) DSA.
In theory, therefore, platforms could (and perhaps should) publish two distinct reports here. However, major platforms decided to combine both in one publication, e.g. Facebook’s “Systemic Risk Assessment and Mitigation Report”.
This ‘Two-in-One’ approach is likely no coincidence. Consolidating both reports into a single publication serves platforms’ interests, as it makes it easier to overshadow the limited substance of the risk assessment reporting:
- Increasing volume: Firstly, the ‘Two-in-One’ approach inflates the volume of the single report published.
- Blurring the lines: Secondly, the ‘Two-in-One’ approach blurs the lines between assessment and mitigation reporting, which, in turn, makes it more difficult for readers to grasp the substance of the assessment actually conducted.
- Flooding the report with measures: In their reports, platforms steer the discussion away from assessment and towards mitigation. As a result, the risk assessment is often only implied, reluctantly and without real explanation: if there is a measure, someone must have assessed an issue.
2) Limited Substance of reported Risk Assessment
Regarding the substance of the reports, my impression is one of a lack of ambition, concerning…
- Assessment: There is little truly serious risk assessment to be found in the reports. While Art. 34(1) DSA requires platforms to ‘diligently identify, analyse and assess’, the reported information often appears generic and lacks substantial detail.
- Metrics and methodology: Reported risk assessments often appear unverifiable, as platforms rarely explain their metrics or methodology thoroughly. Take Facebook as an example: in parts of its first report, the methodology seems limited to a series of interviews and workshops (“50+”) with “internal stakeholders”.
- Discussion of services / design: It is noteworthy how little platforms seem to question the fundamental existence of current functionalities. Instead, they take platform design as a given and discuss add-ons or external measures. Admittedly, it would be surprising for a company to question whether the risks of its own products remain acceptable. However, Art. 34 DSA requires precisely such ‘unusual’ self-reflection.
- Recommender systems: Art. 34 DSA makes it very clear that assessing risks stemming from recommender systems must be a primary focus of the assessment, especially concerning the risk of manipulation through inauthentic use resulting in the viral spread of harmful content (Art. 34(2), second sentence, DSA). The reports mostly seem to underestimate the significance of this specific requirement.
3) No Proof of weak Risk Assessment?
Observers might be tempted to conclude non-compliance with Art. 34 DSA (risk assessment) based on the weak substance of reported risk assessment.
However, it’s not that simple. First, the actual risk assessment might be better than the reports (perhaps we are only seeing poor reporting, while the assessment itself was robust). Second, the reports are indeed only required to contain the ‘results’ of the assessment (see Art. 42(4)(a) DSA). The reports do not need to include all the processes and findings that yielded these ‘results’.
Of course, notable weaknesses in the reports might still indicate insufficiencies in the underlying risk assessment. However, to definitively prove this, at a practical level, regulators might need to investigate further, for example, by requesting the supporting documents of the risk assessments (Art. 34(3) DSA).