(fra kommisjonsforordningen) 

(1) Article 40 of Regulation (EU) 2022/2065 lays down rules regarding access to data to be granted by providers of very large online platforms and of very large online search engines. In particular, it enables researchers who have completed a process to demonstrate that they fulfil the conditions laid down in paragraph 8 of that Article (‘vetted researchers’) to be provided with such access. 

(2) Under Article 40(4) of Regulation (EU) 2022/2065, vetted researchers are to be provided with access to data to help them study systemic risks in the Union and assess the effectiveness of measures to mitigate those risks. Their findings can constitute valuable input for the enforcement of Regulation (EU) 2022/2065 and foster accountability of providers of very large online platforms and of very large online search engines. The purpose of this Regulation is to lay down the technical conditions and the procedures necessary to enable such access, in a secure and efficient manner that is consistent across all Digital Services Coordinators, and in a way that ensures equality of treatment for researchers and data providers. 

(3) To ensure that the data access process is consistent across all Digital Services Coordinators and to make that process clear and transparent for everyone, it is necessary to create a dedicated digital infrastructure (‘the DSA data access portal’). The DSA data access portal should allow researchers, data providers, and Digital Services Coordinators to participate in the data access process, have access to and disseminate relevant information, such as the details of the dedicated points of contact, and communicate with one another. The DSA data access portal should not be considered as one of the access modalities to be used for the provision of access to the data pursuant to a reasoned request. 

(4) Data providers, and researchers wishing to participate in the data access process, should create an account on the DSA data access portal for that purpose. To ensure that Digital Services Coordinators can access information submitted via the DSA data access portal without needing to create a separate account on the portal, the DSA data access portal should be interoperable with the information sharing system AGORA established in Commission Implementing Regulation (EU) 2024/607. 

(5) To ensure transparency of the data access process for all the parties involved and to monitor the effectiveness and efficiency of the data access process and compliance with Article 40(4) of Regulation (EU) 2022/2065 and this Regulation, the DSA data access portal should generate automatic notifications in relation to different steps and updates of the process. 

(6) In order to provide researchers with consistent information about the data access process, Digital Services Coordinators should make available and easily accessible on their online interfaces information concerning the data access process, including links to the DSA data access portal. To avoid creating unnecessary administrative burden, increase efficiency and facilitate communication among all parties involved in the data access process, Digital Services Coordinators are encouraged to facilitate the management of information related to the data access process, also from a linguistic perspective.

(7) In order to allow researchers to identify the relevant data for the purposes set out in Article 40(4) of Regulation (EU) 2022/2065, data providers should make available DSA data catalogues for their services. Such catalogues should be easily findable and accessible on the online interfaces of data providers, and should describe the available data assets, their data structure and metadata, access to which may be requested pursuant to Article 40(4) of Regulation (EU) 2022/2065. When making available the DSA data catalogues, data providers should have regard to risks to confidentiality, data security or personal data protection potentially deriving from such information being made public. 

(8) To contribute to the development of relevant research projects for the purposes set out in Article 40(4) of Regulation (EU) 2022/2065, the DSA data catalogues should include in particular data related to the systemic risks in the Union that data providers have identified in their annual risk assessments pursuant to Article 34 of that Regulation, as well as data related to any risk mitigation measures referred to in Article 35 of that Regulation. To ensure the relevance and timeliness of the DSA data catalogues, those catalogues should be updated regularly with due consideration to newly identified systemic risks and the evolution of systemic risks. For example, they should reflect emerging risks identified following an ad hoc risk assessment pursuant to Article 34 of Regulation (EU) 2022/2065 or following an audit report pursuant to Article 37 of that Regulation. To minimise the procedural burden on the data providers, where appropriate, such catalogues may rely on existing data documentation resources used for other purposes and audiences, such as advertising, content creation, or third-party app development. The DSA data catalogues should not be required to be exhaustive and therefore should not bind or limit applicant researchers in their data access applications. 

(9) In order to facilitate the determination of the access modalities by the Digital Services Coordinator of establishment and reduce the overall burden of the data access process on all actors involved, data providers should publish their suggested access modalities for the data described in the DSA data catalogues. These suggested access modalities should be proportionate to the sensitivity of the data and include information on the possible technical, organisational and legal conditions considered by the data providers as appropriate to enable the provision of the data. The access modalities suggested by data providers should not bind Digital Services Coordinators of establishment, who should remain competent to determine the appropriate access modalities. 

(10) To ensure that data access applications are treated equally, independently of the Digital Services Coordinator to which the data access application is submitted or from which the reasoned request originates, the timeframe for the formulation of reasoned requests should be specified to ensure consistency across all Digital Services Coordinators. If the formulation of the reasoned request requires additional time, the Digital Services Coordinator of establishment should notify the principal researcher, giving reasons for the delay. Such reasons may include the need for additional verifications by the Digital Services Coordinator of the research organisation or of establishment, for example where data access applications imply international data transfers, or where the Digital Services Coordinator of establishment has identified potential risks to the security of the Union if the data were to be shared. With a view to aligning also the steps in the data access process preceding the formulation of reasoned requests, including the assessment of data access applications and granting of vetted researcher status, Digital Services Coordinators are encouraged to develop a consistent and coordinated way of working, including common operational criteria, within the framework of the European Board for Digital Services. 

(11) In order to streamline the procedures for the formulation of reasoned requests, all Digital Services Coordinators of establishment should be required to verify that certain common elements of the data access process were duly covered in the data access applications. To that end, the Digital Services Coordinators of establishment should verify that all applicant researchers who are mentioned in the data access application demonstrated their affiliation to a research organisation, for example by providing documentary evidence of employment contracts or any other form of legal association with the research organisation. The Digital Services Coordinators of establishment should also verify that the applicant researchers demonstrated their independence from commercial interests, for example, by means of a declaration to that effect. 

(12) The Digital Services Coordinator of establishment should verify that the funding of the research project for which the data are requested is disclosed in the data access application. The information provided by the applicant researchers should include details of the contributions, such as the funding entity, the amount, the nature and duration of the contribution, including whether the funding has already been awarded or whether an application for funding is still under evaluation, as well as, where applicable, relevant references to Union funded projects. Where available, the data access application should also include the outcomes of evaluations conducted by the entity or entities providing the funding. 

(13) The Digital Services Coordinator of establishment should verify that the data access application describes how the data and data format are selected, with reference to the requirements of necessity for, and proportionality to, the purpose of the envisaged research. Where the requested data are also available through other sources, the Digital Services Coordinator of establishment should assess whether the request for such data in the data access application is duly justified, having regard to the information in the data access application. Possible justifications may include evidence of poor quality or unreliability of such data deriving from other sources or the unsuitability of the format in which such data may be retrieved from other sources for the purposes of the research project, which would hinder the performance of the research project. Data that can be requested in order to study systemic risks or their mitigation in the Union may evolve in the future. Current examples of such data include data related to users of the services, such as profile information, relationship networks, individual-level content exposure and engagement histories; interaction data such as comments or other engagements; data related to content recommendations, including data used to personalise recommendations; data related to the targeting of advertisements and profiling, including cost per click data and other measures of advertising prices; data related to the testing of new features prior to their deployment, including the results of A/B tests; data related to content moderation and governance, such as data on algorithmic or other content moderation systems and processes, including changelogs, archives or repositories documenting moderated content, including accounts as well as data related to prices, quantities and characteristics of goods or services provided or intermediated by the data provider. 

(14) The Digital Services Coordinator of establishment should verify whether the data access application provides for sufficient information that demonstrate that the researcher is capable of fulfilling the specific requirements of confidentiality, security and protection of personal data with respect to the requested data, identifies possible risks deriving from accessing and processing of such data for the purposes of the research, and documents any access modalities proposed, including the legal, organisational and technical conditions that will be put in place to minimise identified risks, for instance by means of a commitment letter from the research organisation confirming access to means that can constitute relevant safeguards, or other supporting documents. 

(15) Where personal data are requested, the Digital Services Coordinator of establishment should verify that the data access application includes information on the legal basis for the processing of personal data, including special categories of personal data, where applicable, and whether such legal basis is in line with Article 6(1), point (e) or (f), and where applicable Article 9(2), point (g) or (j), of Regulation (EU) 2016/679. In addition, the Digital Services Coordinator of establishment should verify that the data access application contains sufficient indication that the researchers have assessed risks to personal data protection. For example, this could be demonstrated by a data protection impact assessment within the meaning of Article 35 of that Regulation. To ensure that personal data can be accessed in compliance with Regulation (EU) 2016/679, Digital Services Coordinators should be allowed to consult the relevant supervisory authorities established pursuant to Article 51 of that Regulation, which remain competent to assess compliance with Regulation (EU) 2016/679. 

(16) To facilitate the formulation of the reasoned request and preserve the integrity of the information included in the data access application the Digital Services Coordinator of establishment should verify whether the data access application includes a summary. Such summary should contain an overview of the information that will be part of the reasoned request, published in the DSA data access portal, in cases where the assessment of the data access application leads to the formulation of a reasoned request. 

(17) In order to ensure that the access modalities the Digital Services Coordinator of establishment determines are adequate to address the sensitivity of the specific data requested in a data access application, the Digital Services Coordinator of establishment should perform a case-by-case assessment, based on the information provided in the data access application. The access modalities established in the reasoned request should be appropriate to fulfil the requirements of data security, data confidentiality and protection of personal data and, at the same time, enable the attainment of the research objectives of the research project. Access to data may take place for example through data transmission to the vetted researchers via an appropriate interface and appropriate data storage; transmission of the data to, and storage in, a secure processing environment operated by the data provider or by a third party provider to which vetted researchers have access but where no data transmission to the vetted researchers takes place, or other access modalities to be set up or facilitated by the data provider. When specifying the access modalities, the Digital Services Coordinator of establishment should also list any legal, technical or organisational conditions to which access is to be subject. In cases where providing access involves a transfer of personal data to third countries or international organisations within the meaning of Chapter V of Regulation (EU) 2016/679, the access modalities should also include information on the need to put in place an appropriate transfer mechanism, to ensure that the data provider takes the necessary action to comply with that Regulation. 

(18) To ensure that the data access modalities are appropriate to address specific sensitivities in terms of data protection, of data security or of confidentiality, the Digital Services Coordinator of establishment, on the basis of the information received in the data access application, should be able to require, that access to data be provided via secure processing environments. In such cases, the Digital Services Coordinator of establishment should ensure that the chosen environment operates in line with the most appropriate technology and it allows the vetted researchers to attain the objectives of their research. 

(19) In order to ensure consistency of the information transmitted by the Digital Services Coordinators of establishment to the data providers, it is necessary to specify the content of the reasoned requests. 

(20) In order to safeguard the interests of data providers and to reduce the frequency of amendment requests over time and facilitate the formulation of relevant data access applications by researchers, an overview of each reasoned request, including any amendments and updates to it, should be made publicly available in the DSA data access portal by the Digital Services Coordinator of establishment who issued the respective reasoned requests. 

(21) In order to ensure that the Digital Services Coordinator of establishment has the relevant information to evaluate an amendment request and to facilitate a uniform approach in the evaluation of amendment requests, the data provider should be required to specify the reasons for such request, as referred to in Article 40(5) of Regulation (EU) 2022/2065. More specifically, when assessing an amendment request submitted on the basis of a data provider’s lack of access to the data, the Digital Service Coordinator of establishment should be in a position to examine whether the alleged impossibility is duly justified, for example by the non-existence of the requested data, or by technical restrictions such as encryption and it should have the information necessary to consider whether the lack of access is permanent or temporary. It should be clear, in this respect, that commercial considerations should not be considered as a ground to automatically refuse access to requested data but rather as a ground to modify the means of providing access to the data, which may result in imposing additional data security and confidentiality requirements. 

(22) In order to ensure an efficient resolution of disputes and to encourage the identification of a mutually acceptable solution, following an amendment request, data providers should be able to ask the Digital Services Coordinators of establishment to participate in mediation. Such participation should be voluntary throughout the entire mediation process and should not result in any binding outcome for the Digital Services Coordinator of establishment, which remain competent to decide on the amendment requests. All parties involved in the mediation process should engage in good faith and strive to reach a fair and mutually acceptable agreement. 

(23) In order to prevent that mediation indefinitely prolong the data access process, the transmission of the written request for mediation, the selection of the mediator and the mediation process itself should take place within specified timeframes. The Digital Services Coordinators of establishment should set a time limit for the mediation process in relation to a given reasoned request and the mediator should have the authority to terminate the mediation process in specific circumstances. 

(24) In order to maintain mutual trust among the parties involved in the mediation, the Digital Services Coordinator of establishment should ensure that the proposed mediator meet the requirements of impartiality, independence and possess relevant expertise on the subject matter of the mediation. 

(25) For the purposes of facilitating informed and effective decision-making in relation to the data access process, Digital Services Coordinators should have the possibility to request expert opinions on specific elements of the data access process, such as the determination of the access modalities, including appropriate interfaces, the formulation of the reasoned request and any amendment requests by the data provider. The experts consulted should possess proven expertise in the matter on which their opinion is sought and should be independent. In particular, they should not have any conflict of interests, deriving for example from any ties with the applicant researchers or with the data provider. 

(26) In order to increase transparency and allow Digital Services Coordinators to build on their expertise acquired over time, each expert consultation request and the follow-up generated by it should be registered in AGORA. 

(27) In order to facilitate the effective supervision of compliance with the conditions set out in the reasoned request, the data provider should notify the Digital Services Coordinator of establishment within three working days of the date on which access has been provided to the vetted researchers and of the date of the access its termination. 

(28) In order to enable the vetted researchers to use the requested data for the purposes of the research and to provide relevant context information, data providers should provide vetted researchers with the relevant metadata and documentation describing the data made available, such as codebooks, changelogs and architectural documentation. 

(29) In order to facilitate meaningful research by the vetted researchers, also by enabling the combination of the data requested with data available through other sources, data providers should not impose any restrictions on the analytical tools employed by vetted researchers, including relevant software libraries, and should not impose archiving, storage, refresh and deletion requirements, unless they are explicitly mentioned in the access modalities identified in the reasoned request. 

(30) Where the data provided to the vetted researchers include personal data within the meaning of Article 4 of Regulation (EU) 2016/679, the data provider should observe the rules laid down in that Regulation. In particular, Article 40(4) of Regulation (EU) 2022/2065 creates a legal obligation within the meaning of Article 6(1), point (c) of Regulation (EU) 2016/679 for any processing of personal data necessary for the data provider to provide access to the data specified in the reasoned request. Where special categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679 are to be processed, this Regulation meets the requirement of Article 9(2), point (g) of Regulation (EU) 2016/679. 

(31) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council4 and delivered an opinion on 4 December 2024. 

(32) After consulting the European Board for Digital Services in accordance with Article 40(13) of Regulation (EU) 2022/2065 and following its endorsement,