Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLยทEN
Explainer

DSA: extra obligations for very large online platforms (VLOPs)

Adopted 2026-06-29 ยท ≈ 2 min read ยท Dirk Baaijen

The Digital Services Act imposes the heaviest obligations on platforms with more than 45 million monthly EU users, including annual independent audits, systemic risk assessments, and direct supervision by the European Commission.

Short answer: Platforms with more than 45 million monthly active users in the EU are designated by the European Commission as Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs). They are subject to the heaviest obligations under the DSA (Articles 33โ€“43) and are supervised directly by the Commission rather than a national authority. The current Commission list (updated 28 May 2026) counts 23 designated VLOPs and 2 VLOSEs, including WhatsApp (designated 26 January 2026) and excluding Stripchat (designation terminated 27 May 2025).

Threshold and designation (Article 33 DSA)

A platform is designated as a VLOP once it reaches more than 45 million monthly active users in the EU over the course of a year. Designation is carried out by the European Commission through a formal decision. Designated platforms have four months to achieve full compliance with all VLOP obligations. Well-known designated VLOPs include Facebook, Instagram, YouTube, TikTok, X, LinkedIn, Amazon Store, AliExpress, Booking.com and Zalando; the two VLOSEs are Google Search and Bing.

Systemic risk assessment and mitigation (Articles 34 and 35 DSA)

VLOPs must conduct a thorough assessment of systemic risks arising from their service at least once a year. Risks covered include the spread of illegal content, harm to fundamental rights (freedom of expression, media freedom, non-discrimination), threats to public health, negative effects on electoral processes, and harm to minors. On the basis of that assessment, platforms must implement reasonable mitigation measures and report on them.

Independent annual audit (Article 37 DSA)

VLOPs and VLOSEs are required to have their compliance assessed at least once a year by an independent auditor. Platforms must implement recommendations from the audit report and produce an audit implementation report. Both the risk assessment report and the audit report must be transmitted without undue delay to the Commission and the competent national Digital Services Coordinator (DSC).

Algorithmic transparency and advertising repository (Articles 38 and 39 DSA)

VLOPs must offer users at least one option in recommender systems that is not based on profiling (Article 38). They are also required to maintain a publicly accessible repository of all advertisements displayed, including targeting parameters โ€” for the duration of the display period plus at least one year thereafter (Article 39).

Researcher data access and crisis protocol (Articles 40 and 36 DSA)

Vetted researchers and the Commission may request access to platform data to analyse systemic risks (Article 40). In the event of serious societal crises, the Commission may impose additional emergency measures (Article 36).

Supervision and enforcement

The European Commission is the exclusive supervisor for VLOPs and VLOSEs. In the event of an infringement, it may impose a fine of up to 6% of global annual turnover (Article 74 DSA). In the case of repeated infringements, temporary restriction of access to the EU market may be imposed.

Sources

  1. https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses
    Official Commission list of designated VLOPs and VLOSEs (updated 28 May 2026)
  2. https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng
    Regulation (EU) 2022/2065 โ€“ full DSA text on EUR-Lex
  3. https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops
    Commission overview of VLOP obligations
  4. https://digital-strategy.ec.europa.eu/en/faqs/digital-services-act-questions-and-answers
    Commission Q&A on enforcement and fines

Share on LinkedIn

Read next

W

DSA guide: does the Digital Services Act apply to your service?

The Digital Services Act (Regulation (EU) 2022/2065) has applied since 17 February 2024 to all intermediary services in the EU, with heavier duties the larger and more visible you are. This guide places you in the right tier.

A

California's CCPA rules on automated decisionmaking technology: the privacy route to AI accountability

California's privacy regulator finalised binding CCPA rules on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits. In force since 1 January 2026, they reach AI-driven decisions through privacy law, not an AI act, with phased duties from 2027.

U

DSA: notice-and-action for illegal content

The DSA obliges hosting service providers to operate an accessible reporting mechanism for illegal content and to respond to received notices within a reasonable time.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.