What to Do with the Long-Awaited DSA Systemic Risk Assessments

Arguably the most innovative and potentially impactful part of the EU’s Digital Services Act (DSA) is the one that requires very large online platforms and search engines (VLOPSEs) to assess and mitigate systemic risk of an extensive list of potential harms to individuals and society. Though the 19 tech firms initially designated as VLOPSEs completed their first risk assessments by the end of summer 2023, so far, we have only had hints of what these showed in the form of requests for information or investigations instigated by the European Commission.

Any day now, the Commission should release the much-anticipated public versions of the first round of risk assessments along with their audit reports. This public disclosure should provide civil society groups, academics, and other key stakeholders (including the Digital Services Coordinators in EU Member States that don’t host VLOPSEs) with their first glimpse into how very large digital services understand and address systemic risks. Are we going to be disappointed? Probably. Hopes are high. Never before have we had such a chance to see how these pervasive services are conceptualizing and mitigating risk.

Drawing on the report we authored with Daniel Schnurr and Andrea Calef entitled “Cross-Cutting Issues for DSA Systemic Risk Management: An Agenda for Cooperation,” we set out the key things we argue should be considered when reading these reports and what should be done with the data they provide.

Acknowledgement that systemic risk is interconnected

All the VLOPSEs are operating in integrated platform ecosystems in which they are connected to a variety of other actors through relationships of shared value creation or value exchange and over which they have different levels or mechanisms of control. As reporting for the DSA is a compliance exercise, VLOPSE providers will have an incentive to focus narrowly and internally on areas where they have the most control, such as the enforcement of terms of use or internal content moderation systems. However, for systemic risk assessment to enable effective risk management in the broad areas of nearly everything we hold dear in democratic societies, they should consider the contribution of each VLOPSE to the propagation or mitigation of risk in the wider ecosystem.

When we finally see the reports, we will be looking to see whether they have assessed their contribution to risk in three interlinking layers:

1. The level of the service ecosystem – the very large online platform or search engine, its users, and its complementors;
2. The level of integrated ecosystems of VLOPSEs under common ownership (where applicable) – which may share common goals, leadership, shareholders, resources, infrastructure, and data; and
3. The wider interconnected digital services landscape – where VLOPSEs and other digital services are connected through shared resources, such as the use of common third-party services, and multi-homing users and complementors.

The third layer will look very different for different types of services, but the importance of identifying shared resources and vulnerabilities is the same. For example, if one service outsourced some content moderation to a third party, it may not be an issue, but if multiple social media or video-sharing platforms outsourced content moderation to the same third party, this becomes a common vulnerability and a possible source of heightened risk. It would matter if it were a commercial entity or a collaborative resource and what kind of accountability or quality controls were in place. Similarly, there may be heightened risk if multiple online retail platforms are exposed to several of the same large-scale sellers.

Enabling learning and improvements in mitigation

The DSA requires risk assessments to be conducted annually, and Article 40 contains provisions to enable unprecedented access to platform data for researchers doing work related to the DSA. There is a much-needed opportunity for continual incremental improvement in the mitigation of risk and adaptation to change. This will require meta-analysis across designated services, especially those of similar types, by independent researchers, Digital Services Coordinators, and civil society groups. The risk assessment reports will likely only be a point of departure in terms of providing data points for such analysis, but they can then be used to direct data access requests and combined with examination of data in the Transparency Database or even experimentation.

Our research identified several priority areas for meta-analysis:

• The effectiveness of extensions to engagement-based recommender systems and algorithmic curation systems, specifically user control, explicit preference elicitation, and bridging-based algorithms;
• The benefits and vulnerabilities from decentralization, especially of content moderation and governance of user behavior, and the outcome of various balances and mixes between decentralized and centralized governance mechanisms, as well as the use of outsourcing;
• The role of advertising business models, especially mitigations related to targeting and ad libraries;
• The mitigation of risks stemming from automated cross-posting, generative AI, and inauthentic use;
• The mitigation of risks from data sharing and agglomeration; and
• Overall aversion risk and user flight or changes in use in response to mitigations in the broader interconnected digital services landscape.

The publication of the risk assessments also provides the VLOPSE service providers with the chance to learn from each other. Several vehicles for exchange exist, especially among the industry's trust and safety professionals. The DSA’s risk assessment and mitigation cycle can serve to focus on those and even out access to information within them.

Filling in gaps and gaining momentum

The first set of risk assessment reports may not be revolutionary in terms of what they reveal, but we need to push for them to be better each year. If there is insufficient evidence of risk assessment across the three layers mentioned above this time or enough data to establish some good practices and areas for improvement in mitigation, then we must point out the gaps. We also need to ensure the risk assessments are a springboard for cooperation in addressing common vulnerabilities and sources of risk. Collaboration may be challenging when it is mainly a compliance exercise with heavy penalties at stake, but if the DSA’s risk management approach is to be effective overall, it will be necessary.

Related reading

• Assessing Systemic Risk Under the Digital Services Act
• Understanding Systemic Risks under the Digital Services Act
• Unpacking “Systemic Risk” Under the EU’s Digital Service Act
• The European Commission's Approach to DSA Systemic Risk is Concerning for Freedom of Expression
• Unpacking the Principles of the Digital Services Act with Martin Husovec