FAQs: DSA data access for researchers

What is the Digital Services Act (DSA)?

The Digital Services Act (DSA) is a set of rules that regulate the responsibilities of online intermediaries, including platforms such as social media networks and online marketplaces. The aim of the DSA is to create a safer digital space where the fundamental rights of all users are protected. It sets out clear due diligence obligations for platforms according to their roles, size and impact.  For example, the DSA establishes mechanisms for the removal of illegal content and the effective protection of users’ right to the freedom of expression.

The transparency and reporting obligations in the DSA create opportunities for stronger public oversight of online intermediaries, with a special set of obligations for those online platforms and search engines that reach an average of more than 45 million monthly users, which corresponds to around 10% of the EU’s population. These intermediaries are formally designated by the Commission as Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs).

Why is the DSA relevant to researchers?

The DSA includes a provision granting researchers unprecedented access to the data of VLOPs and VLOSEs under certain conditions. The aim is to enable a deeper understanding of the systemic risks which are posed to society through the online world, as well as support effective oversight of DSA compliance.

Before the DSA, this type of data allowing independent research on systemic risks was based on voluntary initiatives by the online platform providers. This resulted in limited research possibilities for third parties to analyse and monitor the impact of platform providers’ choices on the online ecosystem.

Article 40 of the DSA requires providers of VLOPs and VLOSEs to provide access to their data for the purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the EU. Research can also contribute to the assessment of the adequacy, efficiency and impacts of risk mitigation measures taken by providers of VLOPs and VLOSEs.

In addition to Article 40, the DSA has introduced a number of other transparency mechanisms that can be utilised by researchers. Notably this includes the DSA Transparency Database, which tracks content moderation actions by online platforms operating in the EU in almost real-time. To facilitate research, a number of tools, such as a dashboard, a research API and an open-source software package to support advanced data analysis, are available as part of the database.

Which platforms and search engines does Article 40 apply to?

Data access obligations apply to providers of designated VLOPs and VLOSEs. Therefore, it is possible to formulate applications to access data of VLOPs and VLOSEs only. 

What access is provided to researchers under Article 40 of the DSA?

For researchers who want to conduct research that contributes to the detection, identification and understanding of systemic risks in the European Union, Article 40 provides for different access possibilities:

• Pursuant to paragraph 12, researchers meeting all relevant conditions, including those affiliated to not-for-profit bodies, organisations and associations, meeting the relevant conditions, can get access to data that is publicly accessible in the VLOPs’ and VLOSEs’ online interfaces.
• Pursuant to paragraph 4, researchers meeting additional conditions, can apply for access to VLOPs’ and VLOSEs’ non-public data, by submitting a data access application to the relevant Digital Services Coordinator (DSC).

A delegated act specifying the procedures and technical conditions enabling the provision of data access pursuant to Article 40(4) was adopted in July 2025. 

What are the conditions to be fulfilled by researchers to get access to the data?

To access publicly available data, pursuant to Article 40 (12), researchers must:

• Be independent from commercial interests.
• Disclose the funding of their research.
• Be able to fulfil data security and confidentiality requirements and to protect personal data.
• Access only data that is proportionate and necessary to carry out their research for the purposes of the detection, identification and understanding of systemic risks as laid out in Article 34(1) of the DSA.

To become a “vetted researcher” and access data pursuant to Article 40(4), in addition to the conditions above, researchers also have to demonstrate that:

• They are affiliated with a research institution (as defined in Art. 2(1) of Directive 2019/790).
• The planned research activities will be carried out for the purposes of detection, identification and understanding of systemic risks as laid out in Article 34(1) and/or to assess risk mitigation measures as outlined in Article 35 of the DSA.
• They commit to making the research results publicly available, free of charge.

The assessment of the fulfilment of the conditions for obtaining the vetted status is done by the DSCs. 

What data can be requested in line with DSA Article 40?

To gain access to VLOP and VLOSE data as a “vetted researcher”, the research project for which the data are requested under DSA Article 40 must contribute to the detection, identification and understanding of systemic risks in the EU and/or to the assessment of the adequacy, efficiency and impacts of risk mitigation measures. 

The systemic risks under consideration, as outlined Article 34(1), are:

• The dissemination of illegal content
• Negative effects for the exercise of fundamental rights, in particular the rights to:
  • Human dignity
  • Respect for private and family life
  • Protection of personal data
  • Freedom of expression and information
  • Non-discrimination
  • Respect for the rights of the child
  • A high level of consumer protection
• Negative effects on civic discourse and electoral processes, and public security
• Negative effects in relation to:
  • Gender-based violence
  • Protection of public health and minors
  • Serious negative consequences to personal physical and mental well-being.

If I am not a “vetted researcher” what data can I access?

Providers of VLOPs and VLOSEs have to give researchers access to publicly accessible data without undue delay. If it is technically possible, they should provide real-time data. 

For this type of access, the researcher must be independent from commercial interests, disclose the funding of their research, be able to fulfil data security and confidentiality requirements, and explain how access to the data and the indicated timeline is necessary and proportionate to the purposes of the research. The data must also be used solely for performing research that contributes to the detection, identification and understanding of systemic risks in the Union. 

What happens if a VLOP or VLOSE does not provide access to publicly accessible data? 

Providing access to data to researchers according to Article 40 DSA is a legal obligation for VLOPs and VLOSEs. The Commission is working to ensure VLOPs and VLOSEs fully comply with this obligation. 

If researchers consider they comply with the requirements set out in Article 40.12 of the DSA and have submitted a request to access data to a VLOP or VLOSE, they should reach out either to DSCs or to the Commission, explaining the situation. The Commission, as enforcer of the DSA for VLOPs and VLOSEs, will not express an opinion on the single cases, but it will assess whether there is a suspicion of systemic infringement and, in this case, may decide to take action in line with the provisions included in the DSA. In this sense, feedback from researchers is particularly useful to monitor compliance with the obligations under Article 40 of the DSA. 

Since the entry into force of the DSA for VLOPs and VLOSEs, formal proceedings have been opened against X, AliExpress, Meta and TikTok, all of which include suspected shortcomings in giving researchers access to publicly accessible data as mandated by Article 40.   

In July 2024, preliminary findings were released in proceedings against X, which included findings that X fails to provide access to its public data to researchers. In June 2025, the Commission accepted and made binding commitments from AliExpress to address concerns raised in formal proceedings against them. These commitments related, among others, to access to public data for researchers. 

What is a Digital Services Coordinator (DSC) and what is their role in helping researchers obtain access to data?

Digital Services Coordinators (DSCs) are independent authorities that have been appointed by each EU Member State. The DSCs are responsible for supervising DSA compliance of intermediary services established in their country. One of their responsibilities is to assess researchers’ applications to obtain the status of vetted researchers and access data, pursuant to Article 40(4). They will also act as intermediaries between the researchers, VLOPs and VLOSEs.

Researchers can submit their application for data access to one of the following DSCs:

• the DSC of the Member State where their affiliated research organisation is based,
• the DSC where the provider of the VLOP or VLOSE is established (also referred to as the “DSC of establishment”).

In either case, the DSC of establishment is responsible for the decision of whether to request data access on behalf of the researcher. When a researcher applies to the DSC of the Member State where they are based, that DSC will transmit the application, together with an initial assessment of that application, to the DSC of establishment. If approved, the DSC of establishment will formulate a reasoned request to access data and share this with the VLOP or VLOSE in question.

What type of data access is covered by the delegated act adopted in June 2025? 

The delegated act specifies the procedures and technical conditions enabling the provision of access to data for vetted researchers pursuant to Article 40(4) of the DSA.

In particular, it sets out the procedures to be followed by DSCs for the formulation of reasoned requests for data access to VLOPs and VLOSEs. It also clarifies and harmonises the procedures for the management of the data access process, and establishes the DSA data access portal, to underpin the different steps in that process. Moreover, the delegated act sets out the legal, organisational and technical conditions to be taken into account by the DSC of establishment when determining the appropriate access modalities for the provision of access to data. To this end, the delegated act sets out rules for the interactions between the DSC of establishment and the providers of VLOPs or VLOSEs in the processing of the reasoned request for data access.

The delegated act aims at establishing a consistent and uniform process for data access for vetted researchers, which will protect the rights and interests of those involved, with safeguards against any form of abuse.  

Data access for vetted researchers under article 40(4) of the DSA 

What is the DSA data access portal? 

The DSA data access portal is the main tool to support this new data access process provided for in the DSA. It allows researchers to access relevant information and to send their application for data access to the relevant DSCs. The DSA data access portal also allows VLOPs, VLOSEs and DSCs to participate in the data access process, have access to and disseminate relevant information, such as the details of the dedicated points of contact, and communicate with one another.  

Through the DSA data access portal, the data access process is consistent across all DSCs. 

Any researcher who would like to apply for vetted researcher data access can create an application here. 

When will researchers be able to gain data access? 

With its adoption on 2 July 2025, the delegated act entered the scrutiny period for the Parliament and Council, which will last for three months. The rules will enter into force at the end of this period, with the publication in the Official Journal. This is when the first researchers can be vetted.

How will vetted researchers know what data they can request?  

In order to allow researchers to identify relevant data, VLOPs and VLOSEs should make available DSA data catalogues.

DSA data catalogues are collections of available data assets, with data structure and metadata, to which researchers may request access. VLOPs and VLOSEs should ensure they are easily findable and accessible on their online interfaces. When making DSA data catalogues, VLOPs and VLOSEs should also assess and minimise potential risks to confidentiality, data security or personal data protection arising from the publication of these data.

The DSA data catalogues should include, in particular, data related to the systemic risks in the EU that the VLOP or VLOSE has identified in their annual risk assessments, as well as data related to any relevant risk mitigation measures. DSA data catalogues should be updated regularly with due consideration to newly identified systemic risks and the evolution of systemic risks. For example, they should reflect emerging risks identified following an ad-hoc risk assessment or following an audit report.

To minimise the procedural burden on VLOPs and VLOSEs, these catalogues can, when suitable, rely on existing data documentation resources used for other purposes and audiences, such as advertising, content creation, or third-party app development. The catalogues should not be required to be exhaustive and therefore should not bind or limit applicant researchers in their data access applications.

To enable vetted researchers to use the requested data for research purposes and to provide relevant context information, VLOPs and VLOSEs should provide vetted researchers with the relevant metadata and documentation describing the data made available, such as codebooks, changelogs, and architectural documentation.

How will researchers access the data once their request has been approved? 

The DSC of establishment will specify in the reasoned request sent to the VLOP or VLOSE the so-called “access modalities,” that are the specific conditions under which vetted researchers will access the data.

To ensure the access modalities are adequate to address the sensitivity of the specific data requested in a data access application, DSCs perform a case-by-case assessment, based on the information provided in the data access application. The access modalities established in the reasoned request should be appropriate to fulfil the requirements of data security, data confidentiality and protection of personal data while also enabling the research objectives of the research project.

Access to data may take place, for example:

• Through data transmission to the vetted researchers via an interface or data storage.
• Via a secure processing environment operated by the data provider or by a third-party provider. In this case, while vetted researchers are given access to data, no data would be transmitted to them.

When specifying the access modalities, the DSC should also list any legal, technical, or organisational access conditions. If the data access involves a transfer of personal data to third countries or international organisations within the meaning of Chapter V of the EU’s General Data Protection Regulation (GDPR), the access modalities should also inform about appropriate transfer mechanism, to ensure GDPR compliance.

In order to facilitate meaningful research by the vetted researchers, also by enabling the combination of the data requested with data available through other sources, data providers should not impose any restrictions on the analytical tools employed by vetted researchers, including relevant software libraries, and should not impose archiving, storage, refresh and deletion requirements, unless they are explicitly mentioned in the DSC’s access modalities.

How long will it take between the submission of a request and a response? 

Within 80 working days from the submission of a data access application, the DSC will either;   

• formulate a reasoned request, submit it to the data provider and notify the principal researcher of the submission of the reasoned request. 
• inform the principal researcher of the reasons why the reasoned request could not be formulated.  

Where the DSC needs additional time to formulate a reasoned request, it should notify the principal researcher as soon as possible and indicate the reasons for the delay as well as a new date for the process to be completed.  

Will it be possible to see the outcomes of other researchers’ data access requests? 

Yes, an overview of each reasoned request, including any amendments and updates to it, will be made publicly available in the DSA data access portal by the DSC who issued the respective reasoned request. 

What happens if a VLOP or VLOSE does not want to provide the data as specified in a reasoned data access request from a DSC?  

A VLOP or VLOSE can submit amendment requests to the DSC who issued a reasoned data access request. Amendment requests need to be supported by specified reasons.

Specifically, when a VLOP or VLOSE submits an amendment request based on their alleged lack of data access,, the DSC should be in a position to examine whether the request is duly justified, for example, because the data does not exist or due to technical restrictions such as encryption. The DSC should also have the information necessary to consider whether the VLOP’s or VLOSE’s lack of access is permanent or temporary. It should be clear, in this respect, that commercial considerations should not be considered as a ground to automatically refuse access to requested data but rather as a ground to modify the means of providing access to the data, which may result in imposing additional data security and confidentiality requirements.

To ensure disputes are resolved with mutually acceptable solutions, VLOPs and VLOSEs can ask the DSC to participate in mediation. Such participation is voluntary and is not binding for the DSC, which remains competent to decide on the amendment requests. All parties involved in the mediation process should engage in good faith and strive to reach a fair and mutually acceptable agreement.

To prevent mediation from indefinitely prolonging the data access process, the transmission of the written request for mediation, the selection of the mediator and the mediation process itself should take place within specified timeframes. The DSC should set appropriate time limits has the authority to terminate the mediation process in specific circumstances.

The DSC should ensure that the proposed mediator meet the requirements of impartiality, independence and possess relevant expertise on the subject matter of the mediation.

Will DSCs be able to consult external experts?  

To help make informed and effective decisions in relation to the data access process, DSCs have the possibility to request expert opinions on specific elements of the data access process. This includes the determination of the access modalities, including appropriate interfaces, the formulation of the reasoned request, and any amendment requests by the data provider. The experts consulted should possess proven expertise in the matter on which their opinion is sought and should be independent. In particular, they should not have any conflict of interests, for example due to any ties with the applicant researchers or with the VLOP or VLOSE.

Who has informed the development of the delegated act? 

Over the two years preceding the adoption of this delegated act, the Commission has collected views from a wide range of different stakeholders, including providers of digital services, such as providers of VLOPs or VLOSEs, providers of other online platforms and other intermediary service providers, businesses, civil society organisations as well as an expert group of academics and researchers.   

A public call for evidence was conducted in spring 2023, followed by a feedback period on a draft of the delegated act in the autumn of 2024. All contributions can be accessed on the Commission’s Have your say portal.  

The Commission also had targeted consultations with specialised stakeholders in the field of research and access to data, including DSCs, to gather further technical views and identify areas that would benefit from further specification in this delegated act. Consultations took place with academics, civil society actors and intermediary service providers.   

This delegated act addresses the main points raised by stakeholders with a view to ensuring that an efficient and harmonised process is in place, balancing the rights and interests of all actors involved for the provision of access to data for vetted researchers as required by the DSA.