Join the Digital Public Sphere Working Group for a discussion on the Digital Services Act (DSA) with John Albert (University of Amsterdam).
The Digital Services Act (DSA) establishes systemic risk assessment and mitigation as a central pillar of platform governance. Yet two years into implementation, the regulatory ecosystem needed to evaluate the quality of those processes (benchmarks, shared methodologies, and a robust evidence base) remains under construction. This paper illustrates that early DSA systemic risk enforcement has therefore taken on a distinctly procedural character. Rather than assessing whether platforms’ risk assessments and mitigations are substantively 'good enough', enforcement largely focuses on whether required processes exist, are documented, and can be externally demonstrated by companies tasked with compliance.
Building on analysis of first-round Article 37 audit reports, emerging second-round audits, and early Commission investigations (particularly those concerning X, including around the deployment of the Grok chatbot) the paper shows how procedural gaps are becoming primary enforcement hooks. Where platforms appear not to have carried out or updated risk assessments prior to deploying features with potentially critical impact, the Commission can plausibly move toward interim measures on a prima facie basis, without yet adjudicating the adequacy of underlying risk management choices.
What value do DSA audits under Article 37 add to this broader enforcement logic? Audits can (to the extent they function at all) help surface process failures, but do not yet operate with stable benchmarks for evaluating substantive performance and, in practice, rarely go much further than confirming whether required processes exist. This setup affords platforms substantial discretion in defining their own risk management practices; nonetheless, some companies portray even these procedural constraints as ideological censorship or overreach.
The paper concludes by reflecting on what this situation portends for the future trajectory of systemic risk governance under the DSA, and on the potential role of audits, researcher data access, and regulatory guidance in gradually hardening expectations.
Speaker
John Albert is an Associate Researcher at the Institute for Information Law (IViR) where he contributes to the Digital Services Act (DSA) Observatory —an independent hub for scholarly input and expert discussions around this landmark legislation. His research examines the practical application of the DSA’s risk-based approach to platform governance, and how this impacts fundamental rights and democratic discourse. Previously, he worked at AlgorithmWatch, a nonprofit watchdog based in Berlin and Zürich, where he advocated for civil society perspectives in public debates and supported the DSA’s framework for platform accountability and risk oversight. Prior to that, he was a Research Fellow at the Hertie School Centre for Digital Governance, where he earned a Master's degree in Public Policy in 2021.
Register