The Digital Services Act (Regulation 2022/2065) imposes specific obligations on online platforms using AI systems, including recommender system transparency (Article 27), the right to opt out of profiling-based recommendations (Article 38), prohibition of dark patterns (Article 25), systemic risk assessments for very large platforms (Article 34), independent algorithmic audits (Article 37), and advertising transparency for AI-targeted ads (Article 26).
Digital Services Act (DSA) and AI: Platform Obligations for Algorithmic Systems
DSA's Approach to AI on Platforms
The Digital Services Act does not regulate AI systems generally (that is the AI Act's role) but imposes obligations on intermediary services, hosting services, online platforms, and very large online platforms (VLOPs) and search engines (VLOSEs) that use algorithmic systems. The DSA's AI-relevant provisions focus on transparency, user autonomy, and systemic risk management. VLOPs (platforms with 45+ million monthly active users in the EU) and VLOSEs face the most stringent obligations. The DSA became fully applicable on February 17, 2024.
Recommender System Transparency
Article 27 requires online platforms to set out in their terms of service the main parameters used in recommender systems and any options for recipients to modify or influence those parameters. This includes the criteria for ranking, relevance scoring, and personalization. Where multiple options are available, the platform must provide an easily accessible functionality to select and modify the parameters. For AI-powered recommendation engines, this means disclosing the general logic (not source code) of the recommendation algorithm, the types of input data used, and the available user controls.
Non-Profiling Recommendation Option
Article 38 requires VLOPs and VLOSEs that use recommender systems to provide at least one option that is not based on profiling (as defined in GDPR Article 4(4)). This means users must be able to access a recommendation feed that does not use their personal data for personalization. For AI systems, this requires maintaining a non-personalized recommendation pathway alongside the personalized default, which has significant architectural implications for platforms whose engagement models depend on personalized AI recommendations.
| DSA Obligation | Article | Applies To | AI Relevance |
|---|---|---|---|
| Recommender transparency | Art. 27 | All online platforms | Disclose AI recommendation parameters |
| Non-profiling option | Art. 38 | VLOPs/VLOSEs | Provide non-personalized AI recommendation |
| Dark pattern prohibition | Art. 25 | All online platforms | Prohibit AI-driven manipulative interfaces |
| Ad transparency | Art. 26 | All online platforms | Disclose AI targeting parameters for ads |
| Systemic risk assessment | Art. 34 | VLOPs/VLOSEs | Assess risks from AI systems including recommenders |
| Independent audit | Art. 37 | VLOPs/VLOSEs | Annual audit of compliance including algorithmic systems |
| Data access for researchers | Art. 40 | VLOPs/VLOSEs | Provide data access to study systemic risks of AI |
Systemic Risk Assessment and Mitigation
Article 34 requires VLOPs and VLOSEs to identify, analyze, and assess systemic risks stemming from the design, functioning, and use of their services, including: dissemination of illegal content; negative effects on fundamental rights (privacy, non-discrimination, child protection); negative effects on civic discourse and electoral processes; negative effects on public health and gender-based violence; and actual or foreseeable negative effects on minors. AI-powered content recommendation, moderation, and amplification systems are central to this assessment. Article 35 requires reasonable, proportionate, and effective mitigation measures.
Independent Algorithmic Audits
Article 37 requires VLOPs and VLOSEs to undergo independent audits at least annually. Audits assess compliance with the DSA including algorithmic system obligations. The Commission Delegated Regulation on auditing (2023) specifies audit procedures, methodology, and report templates. Auditors must have expertise in algorithmic systems and data analysis. Audit reports are transmitted to the Digital Services Coordinator and the Commission, and a public audit implementation report is published by the platform. This creates an unprecedented external oversight mechanism for AI systems operated by major platforms.
Advertising Transparency and AI Targeting
Article 26 requires platforms to ensure that advertisements are clearly identifiable and that users can identify: who paid for the ad, who the ad is presented on behalf of, and the main parameters used to determine the recipient. For AI-powered ad targeting systems, this requires disclosing the targeting criteria (demographics, interests, behaviors) used by the algorithm to select the ad recipient. Article 26(3) prohibits presenting advertisements based on profiling using special categories of personal data (Article 9(1) GDPR: racial origin, political opinions, health, sexual orientation). This directly constrains AI ad targeting models.
Enforcement and Penalties
The DSA establishes a dual enforcement structure: national Digital Services Coordinators (DSCs) supervise platforms established in their member state, while the European Commission directly supervises VLOPs and VLOSEs. Penalties for VLOPs and VLOSEs can reach up to 6% of global annual turnover. The Commission has initiated formal proceedings under the DSA against several major platforms, examining compliance with algorithmic transparency and systemic risk obligations. Periodic penalty payments of up to 5% of average daily turnover can be imposed for non-compliance with interim measures.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.