Article 41

Compliance function

Previous Article Next Article

Evaluation Scenarios (7 total)

Paragraph 1

Providers of very large online platforms or of very large online search engines shall establish a compliance function, which is independent from their operational functions and composed of one or more compliance officers, including the head of the compliance function. That compliance function shall have sufficient authority, stature and resources, as well as access to the management body of the provider of the very large online platform or of the very large online search engine to monitor the compliance of that provider with this Regulation.

Obligations (1)
Establish an independent, well-resourced compliance function with direct access to the management body Priority: 65
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Compliance function structure, resourcing, and reporting lines satisfy Article 41 requirements
dsa-41-1-compliance-function-setup-v1
Given
  • The provider is designated as a very large online platform or very large online search engine
  • Organisational charts and budgets document compliance function structure and reporting lines
When
  • Reviewing the compliance function's annual charter and resource plan
Then
  • The compliance function reports directly to the management body and remains separate from operational teams
  • Staffing, funding, and tooling levels are sufficient to oversee all DSA obligations for each covered service
  • The compliance function charter grants authority to access senior leadership and escalate compliance risks
Platform Types
all
Paragraph 2

The management body of the provider of the very large online platform or of the very large online search engine shall ensure that compliance officers have the professional qualifications, knowledge, experience and ability necessary to fulfil the tasks referred to in paragraph 3.

The management body of the provider of the very large online platform or of the very large online search engine shall ensure that the head of the compliance function is an independent senior manager with distinct responsibility for the compliance function.

The head of the compliance function shall report directly to the management body of the provider of the very large online platform or of the very large online search engine, and may raise concerns and warn that body where risks referred to in Article 34 or non-compliance with this Regulation affect or may affect the provider of the very large online platform or of the very large online search engine concerned, without prejudice to the responsibilities of the management body in its supervisory and managerial functions.

The head of the compliance function shall not be removed without prior approval of the management body of the provider of the very large online platform or of the very large online search engine.

Obligations (1)
Appoint qualified, independent compliance leadership with protected reporting lines Priority: 63
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Compliance officers and the head of compliance meet qualification and independence requirements
dsa-41-2-compliance-staffing-v1
Given

Role descriptions and CVs exist for compliance officers and the head of compliance

When
  • Validating staffing for the compliance function
Then
  • Compliance officers collectively demonstrate expertise in DSA risk management, audit coordination, and regulatory engagement
  • The head of compliance is an independent senior manager with a formal mandate and protected reporting line to the management body
  • Any removal or reassignment of the head of compliance includes documented approval from the management body
Platform Types
all
Paragraph 3

Compliance officers shall have the following tasks:

(a) cooperating with the Digital Services Coordinator of establishment and the Commission for the purpose of this Regulation;
(b) ensuring that all risks referred to in Article 34 are identified and properly reported on and that reasonable, proportionate and effective risk-mitigation measures are taken pursuant to Article 35;
(c) organising and supervising the activities of the provider of the very large online platform or of the very large online search engine relating to the independent audit pursuant to Article 37;
(d) informing and advising the management and employees of the provider of the very large online platform or of the very large online search engine about relevant obligations under this Regulation;
(e) monitoring the compliance of the provider of the very large online platform or of the very large online search engine with its obligations under this Regulation;
(f) where applicable, monitoring the compliance of the provider of the very large online platform or of the very large online search engine with commitments made under the codes of conduct pursuant to Articles 45 and 46 or the crisis protocols pursuant to Article 48.
Obligations (1)
Operate the compliance function to fulfil statutory coordination, risk, and audit responsibilities Priority: 64
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Compliance officers deliver required risk, audit, and advisory activities under Article 41(3)
dsa-41-3-compliance-operations-v1
Given

Compliance officers maintain activity logs for regulator engagement, risk assessments, and audits

When
  • Auditing the compliance function's operational outputs for the current cycle
Then
  • Cooperation with the Digital Services Coordinator and Commission is documented with timely responses and follow-up actions
  • Risk assessments, mitigation tracking, audit coordination, and advisory outputs are recorded and reviewed by management
  • Staff training and awareness sessions on DSA obligations are scheduled and evidenced
Platform Types
all
Paragraph 4

Providers of very large online platforms or of very large online search engines shall communicate the name and contact details of the head of the compliance function to the Digital Services Coordinator of establishment and to the Commission.

Obligations (1)
Keep regulator contact details for the head of compliance accurate and up to date Priority: 61
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Regulator contact information for the head of compliance is promptly submitted and maintained
dsa-41-4-compliance-contact-disclosure-v1
Given

Regulatory submission channels exist for communicating contact updates

When
  • A head of compliance is appointed or changes contact details
Then
  • The name and contact details are submitted to the Digital Services Coordinator of establishment and the Commission without undue delay
  • Submission receipts are archived and contact directories kept in sync with internal records
  • Any subsequent change triggers an updated notification within the provider's defined SLA
Platform Types
all
Paragraph 5

The management body of the provider of the very large online platform or of the very large online search engine shall define, oversee and be accountable for the implementation of the provider's governance arrangements that ensure the independence of the compliance function, including the division of responsibilities within the organisation of the provider of very large online platform or of very large online search engine, the prevention of conflicts of interest, and sound management of systemic risks identified pursuant to Article 34.

Obligations (1)
Implement governance arrangements that preserve compliance function independence and manage conflicts of interest Priority: 63
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Governance controls prevent conflicts and ensure compliance independence
dsa-41-5-compliance-governance-v1
Given

Governance policies detail responsibility allocation and conflict-of-interest safeguards

When
  • Evaluating governance documentation during annual review
Then
  • Clear segregation of duties exists between compliance and operational teams with conflict mitigation controls
  • Systemic risk management processes align with Article 34 outputs and escalate through defined governance forums
  • Management attestations confirm accountability for compliance function independence and resource allocation
Platform Types
all
Paragraph 6

The management body shall approve and review periodically, at least once a year, the strategies and policies for taking up, managing, monitoring and mitigating the risks identified pursuant to Article 34 to which the very large online platform or the very large online search engine is or might be exposed to.

Obligations (1)
Conduct annual management-body reviews of risk strategies and policies Priority: 62
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Annual review cadence for DSA risk strategies is documented and completed
dsa-41-6-risk-policy-review-v1
Given

Risk policies and Article 34 assessment outputs are available for management review

When
  • Performing the yearly risk strategy review
Then
  • Minutes show formal approval of risk strategies and policy updates by the management body at least once per year
  • Follow-up actions from the review are tracked to completion with assigned owners and timelines
  • Revisions reflect current systemic risk findings and mitigation performance
Platform Types
all
Paragraph 7

The management body shall devote sufficient time to the consideration of the measures related to risk management. It shall be actively involved in the decisions related to risk management, and shall ensure that adequate resources are allocated to the management of the risks identified in accordance with Article 34.

Obligations (1)
Demonstrate active management-body oversight of DSA risk management decisions and resourcing Priority: 63
1 evaluation scenario
Evaluation Scenarios (1)
1 scenario
Management body dedicates agenda time and resources to DSA risk management
dsa-41-7-risk-governance-oversight-v1
Given

Board and executive committee agendas include DSA risk topics

When
  • Reviewing governance evidence for risk oversight
Then
  • Meeting materials show substantive discussion and decisions on DSA risk management initiatives
  • Budget or staffing approvals reflect allocation of resources to mitigate Article 34 risks
  • Tracking mechanisms confirm execution of management directives on risk mitigation
Platform Types
all
Regulations List
Previous Article Next Article