§ Digital Services Act · Article 40

DSA Article 40: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2065, Article 40 · All obligations · Digital Services Act
At a glance
Article 40 of the DSA imposes 16 obligations on Digital Services Coordinator of establishment, Digital Services Coordinator of the Member State of the research organisation, Digital Services Coordinator that awarded the status and 4 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 40

Obligation 1
Provide the Digital Services Coordinator of establishment or the Commission access to data necessary to monitor and assess compliance with the Regulation, at their reasoned request and within a reasonable period. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
provide access
Deadline
within a reasonable period specified in the request
Penalty
Obligation 2
Use data accessed pursuant to paragraph 1 only for the purpose of monitoring and assessing compliance with the Regulation, taking due account of rights and interests including personal data protection and trade secrets. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinators and the Commission
Action required
use data
Deadline
Penalty
Obligation 3
Explain the design, logic, functioning, and testing of their algorithmic systems, including recommender systems, at the request of the Digital Services Coordinator of establishment or the Commission. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
explain
Deadline
Penalty
Obligation 4
Provide access to data to vetted researchers who meet the requirements in paragraph 8, for the sole purpose of conducting research on systemic risks and risk mitigation measures, within a reasonable period specified in the request. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
provide access
Deadline
within a reasonable period specified in the request
Penalty
Obligation 5
Request the Digital Services Coordinator of establishment to amend a data access request if unable to provide access due to lack of data or significant security/confidentiality vulnerabilities, within 15 days of receipt. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
request amendment
Deadline
within 15 days following receipt of the request
Penalty
Obligation 6
Decide on a request for amendment pursuant to paragraph 5 within 15 days and communicate the decision, including any amended request and new compliance period, to the provider. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator of establishment
Action required
decide
Deadline
within 15 days
Penalty
Obligation 7
Facilitate and provide access to data pursuant to paragraphs 1 and 4 through appropriate interfaces specified in the request, including online databases or application programming interfaces. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
facilitate and provide access
Deadline
Penalty
Obligation 8
Grant researchers the status of ‘vetted researchers’ and issue a reasoned request for data access if they demonstrate they meet all conditions listed in paragraph 8, including affiliation, independence, funding disclosure, security capabilities, and public availability of results. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator of establishment
Action required
grant status
Deadline
Penalty
Obligation 9
Inform the Commission and the Board upon receipt of an application for vetted researcher status pursuant to paragraph 8. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator of establishment
Action required
inform
Deadline
upon receipt of the application
Penalty
Obligation 10
Conduct an initial assessment of whether researchers meet the conditions in paragraph 8 upon receiving an application, and subsequently send the application, supporting documents, and initial assessment to the Digital Services Coordinator of establishment. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator of the Member State of the research organisation
Action required
conduct assessment
Deadline
Penalty
Obligation 11
Take a decision whether to award a researcher the status of ‘vetted researcher’ without undue delay, taking due account of the initial assessment provided by the other Digital Services Coordinator. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator of establishment
Action required
take decision
Deadline
without undue delay
Penalty
Obligation 12
Issue a decision terminating data access if it determines that a vetted researcher no longer meets the conditions in paragraph 8, after allowing the researcher to react to the findings and intention to terminate. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator that awarded the status
Action required
terminate access
Deadline
Penalty
Obligation 13
Inform the provider of the very large online platform or very large online search engine concerned of the decision to terminate data access. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinator that awarded the status
Action required
inform
Deadline
Penalty
Obligation 14
Communicate to the Board the names and contact information of vetted researchers and the purpose of their research, or communicate information regarding terminated access. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Digital Services Coordinators of establishment
Action required
communicate
Deadline
Penalty
Obligation 15
Give access without undue delay to publicly accessible data, including real-time data where technically possible, to researchers who comply with specific conditions and use data solely for research on systemic risks. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
Providers of very large online platforms or of very large online search engines
Size threshold
very large
Sector scope
online platforms or online search engines
Action required
give access
Deadline
without undue delay
Penalty
Obligation 16
Adopt delegated acts supplementing the Regulation by laying down technical conditions for data sharing pursuant to paragraphs 1 and 4, including conditions for compliance with GDPR and relevant objective indicators. Regulation (EU) 2022/2065, Article 40, Article 40
Obligated entity
The Commission
Action required
adopt delegated acts
Deadline
Penalty
§ Frequently asked

Questions about Article 40

Who must comply with Article 40 of the DSA? +
Digital Services Coordinator of establishment, Digital Services Coordinator of the Member State of the research organisation, Digital Services Coordinator that awarded the status, Digital Services Coordinators and the Commission, Digital Services Coordinators of establishment, Providers of very large online platforms or of very large online search engines, The Commission.
What does Article 40 of the DSA require? +
provide access use data explain
What is the compliance deadline for DSA Article 40? +
upon receipt of the application; within 15 days; within 15 days following receipt of the request; within a reasonable period specified in the request; without undue delay
Need a cross-border briefing on DSA Article 40?
Search Fontvera ↵
All EU obligation pages  ·  All Digital Services Act articles