The European Commission has adopted a Delegated Act under Article 40 of the DSA, creating a new framework for vetted researchers to access non-public data from Very Large Online Platforms and Very Large Search Engines. This move aims to enhance transparency and accountability by enabling independent research into systemic risks such as illegal content, threats to fundamental rights, and harms to public discourse. Through a centralized Data Access Portal and strict procedural safeguards, the Act seeks to balance research needs with data protection and platform security. While a major regulatory milestone, challenges around implementation, definitional clarity, and operational feasibility remain.
After months of anticipation, and following extensive public consultation that addressed critical concerns regarding data access needs, application procedures, data formats, and researcher involvement, the European Commission has adopted its Delegated Act on researcher access to non-public data from Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) under Article 40 of Regulation (EU) 2022/2065 (DSA).
While public data access under Article 40(12) remains outside the scope, the Delegated Act introduces key elements such as the creation of a DSA Data Access Portal, clear guidelines on eligible data types and formats, and procedures for mediation and independent oversight.
This marks a significant and unprecedented step in platform transparency, setting a regulatory benchmark for how vetted researchers may access data under the DSA.
Chapter 1 How did we get here?
The DSA has introduced new transparency obligations for VLOP/SEs including a particularly ambitious requirement: they must now grant vetted researchers access to their non-public data through a formal procedure outlined in Article 40 DSA and its accompanying (and newly adopted) Delegated Act.
The DSA is thus moving beyond the previous framework where platforms voluntarily collaborated with researchers on mutually beneficial terms. The stated objective is to facilitate independent research into systemic risks that VLOP/SEs may pose, including concerns around information integrity, fundamental rights considerations, and impacts on public discourse. Researchers are also tasked with evaluating the effectiveness of providers' existing risk mitigation measures.
According to the European Commission, the impact of Article 40 DSA is twofold. First, it empowers vetted researchers with access to previously undisclosed or under-disclosed data, unlocking new opportunities for independent research and public-interest knowledge. Second, the findings from such research are expected to directly support regulators and competent authorities in their supervisory and enforcement duties – particularly in evaluating how well VLOP/SEs comply with their obligations. The aim of this dual purpose is to strengthen both transparency and accountability across the digital ecosystem.
In this context, while the regulatory intent behind these provisions is understandable, the practical implementation has revealed significant challenges that industry stakeholders have been highlighting. Despite the well-intentioned goals of enhancing transparency and accountability, the mechanism faces substantial operational hurdles that could compromise both its effectiveness and providers' ability to comply efficiently – starting off with definitional clarity: what are systemic risks beyond the literal wording of Article 34 DSA?
Chapter 2 Systemic Risks?
Requests from vetted researchers cannot cover any data, but only those necessary to research that contributes to the detection, identification, and understanding of "systemic risks", or the evaluation of risk mitigation measures.
Under the DSA, systemic risks refer to serious and wide-reaching harms that may result from the operation of VLOP/SEs. Assessing and mitigating such risks is a core obligation for these providers. As set out in Article 34 and further elaborated in Recitals 80 to 83, systemic risks encompass four main categories – which are non-exhaustive examples: the dissemination of illegal content (such as hate speech or counterfeit goods); threats to fundamental rights (including freedom of expression and child protection); adverse effects on democratic discourse and electoral processes; and harms to public health and safety, such as those arising from addictive or manipulative platform design.
The Delegated Act does not provide for a definition of "systemic risk", so the DSA remains the reference framework for their identification. However, their broad and multifaceted scope can complicate data access requests. Industry stakeholders have raised concerns about the potential for “fishing expeditions”, requests that are overly broad or speculative in nature, lacking a clearly defined research objective. On the other hand, researchers warn that an overly restrictive application of these provisions could undermine the very purpose of Article 40, as requiring excessively precise data requests may prevent researchers from identifying risks that are not yet well understood or anticipated.
Chapter 3 Key obligations and procedures under the Delegated Act: roles and responsibilities of researchers, DSCs, and providers
Spanning 16 Articles, the Delegated Act lays out a detailed framework for regulating data access under Article 40(4) DSA – covering everything from (some) definitions and points of contact to mediation procedures, expert consultations, the content of reasoned requests and the requirements for data provisions.
The European Commission begins with general provisions (Articles 1–2), then establishes the DSA Data Access Portal and the related information and data protection obligations (Articles 3–6). It goes on to detail how reasoned requests must be formulated, assessed, and made public (Articles 7–11), alongside rules for amendment requests (Article 12), mediation (Article 13), and independent expert input (Article 14). Article 15 defines the requirements for data provision to vetted researchers, including documentation and data management obligations, while Article 16 sets out the entry into force.
The Delegated Act's stated objective is to enable access "in a secure and efficient manner that is consistent across all Digital Services Coordinators, and in a way that ensures equality of treatment for researchers and data providers." This standardized approach represents a reasonable attempt to ensure regulatory coherence across EU member states, avoiding the administrative complexity that would arise from divergent national implementations of the data access requirements.
This section offers a practical and structured overview of the Delegated Act's most salient provisions from the perspective of each stakeholder group.
- Vetted Researchers
For researchers, the Delegated Act clarifies both the eligibility criteria and the procedural obligations required to obtain access to data. Vetted status is available only to researchers affiliated with a research organisation, and who can demonstrate independence from commercial interests in relation to the specific research project. Researchers must also commit to publishing their results free of charge. The responsibility of defining and justifying data access requests rests with the researchers themselves (Article 7, Delegated Act), who also have to demonstrate the necessity and proportionality of the access in relation to their research objectives and justify why the requested data cannot be obtained from alternative sources. Importantly, the request must also address how the researcher intends to safeguard data security, confidentiality, and personal data protection, particularly where the data includes sensitive or personal information. Where personal data is involved, the application must identify a lawful basis under the GDPR, and may require a data protection impact assessment.
- DSCs
DSCs play a central role in the functioning of the Article 40 data access mechanism. Their primary responsibility is to assess data access applications submitted by researchers and, where appropriate, to issue a formal reasoned request to the relevant data provider within 80 working days. Where necessary, DSCs may consult supervisory data protection authorities or independent experts on technical or legal matters, such as the adequacy of access modalities or the sensitivity of requested data. They may also engage in a mediation process if a provider submits an amendment request contesting the scope or feasibility of a reasoned request. Finally, the DSC is responsible for ensuring transparency by publishing an overview of each reasoned request, along with access modalities, in the DSA Data Access Portal. This portal serves as the central infrastructure for managing the data access process and ensuring coordination among all involved stakeholders.
- Data Providers
A key practical obstacle for researchers seeking data access under Article 40 might lie in the difficulty of knowing what data to request in the first place. Given the complexity of platform infrastructures, researchers often lack the insight necessary to identify relevant datasets that contribute to the study of systemic risks or the evaluation of mitigation measures. To address this asymmetry of information, the Delegated Regulation requires VLOP/SEs to make available data catalogues. These catalogues must be easily findable and accessible through the providers’ online interfaces and should describe the available data assets, their structure and metadata, including those linked to systemic risks and risk mitigation measures. To maintain relevance, data catalogues must be regularly updated to reflect evolving risks, such as those uncovered in risk assessments (Article 34 DSA) or audits (Article 37 DSA). While they support transparency and facilitate targeted applications, data catalogues do not limit the scope of researchers’ data requests. Nevertheless, data providers are entitled to limit disclosures in the catalogues where publication would compromise confidentiality, data security, or personal data protection.
In addition to publishing data catalogues, providers must suggest potential access modalities tailored to the sensitivity of the data. While these suggestions are non-binding, they may influence the DSC’s determination of appropriate safeguards. Once a reasoned request is issued, providers are obliged to provide the requested data under the modalities specified by the DSC. Providers may request an amendment to a reasoned request under Article 40(5) DSA if they can substantiate that they lack access to the requested data or that granting access would expose significant vulnerabilities, subject to assessment by the DSCs.
Chapter 4 Let's get critical
The adoption of the Delegated Act represents a significant milestone in the implementation of the DSA's data access provisions.
The European Commission's efforts to accommodate stakeholder feedback demonstrate a commitment to striking a balance between the different interests at stake. In this context, the establishment of a harmonized framework across all Member States, with detailed procedural specifications, is both commendable and essential for ensuring equitable access to research data and equal treatment of VLOP/SEs across the EU.
At the same time, the unprecedented nature of this transparency requirement and the fact that VLOP/SEs have never before disclosed such data means that practical implementation remains largely untested. The European Commission's prescient inclusion of a dedicated mediation provision suggests an awareness of potential conflicts ahead, and the early glimpse provided by German courts in the proceedings involving X offers telling into the resistance that may emerge. Although centered on Article 40(12) – which falls outside the scope of the Delegated Act and enables researchers who do not qualify as "vetted researchers" to directly access publicly available data – X's vigorous opposition to the requests of two civil society organisations and the decision issued by the Berlin regional court demonstrated a possible reluctance in the context of data access.
Moreover, while the inclusion of data catalogues and illustrative examples of relevant datasets in the Delegated Act represents a meaningful step towards transparency and usability, these tools fall short of fully resolving the uncertainties created by the inherently broad and evolving concept of “systemic risks” under the DSA. Although data catalogues are intended to guide researchers in identifying accessible data, they are explicitly non-exhaustive and do not limit the scope of data that may be requested. In parallel, the Delegated Act's examples of data categories – ranging from user profiles and engagement data to A/B testing results, content moderation records, and advertising pricing metrics – are undeniably helpful, but remain wide-ranging and non-binding. This breadth reinforces the regulatory tension between the need to support exploratory and flexible research on one hand, and the demand for legal certainty, data protection, and providers' operational security on the other.
One thing is certain: the Delegated Act is just the beginning, and the real test of Article 40 DSA lies ahead.
