EU’s Digital Services Act Moves from Reports to Penalties as Platforms File Risk Disclosures 

Most Very Large Online Platforms (VLOPs) have now publicly released their 2025 reports on assessing and mitigating “systemic risk,” disclosures mandated by Articles 34 and 35 of the DSA. The law requires the largest platforms and search services to identify risks tied to how their products operate at scale, and to outline the controls they claim will reduce those risks.

As reviewed by TechPolicy Press, the disclosures repeatedly address risks to minors. The outlet also points to recurring attention to researcher access, user appeals (including out-of-court dispute resolution bodies), reporting channels for “trusted flaggers,” and privacy.

We’d love to be your preferred source for news.

Please add us to your preferred sources list so our news, data and interviews show up in your feed. Thanks!

Add as Preferred Source

Beyond those procedural obligations, the reports address information integrity, election-related threats, and crisis planning—topics where regulators are likely to ask whether mitigations are working in practice rather than merely described on paper.

The filings are also imperfect instruments. Comparisons across platforms and across years can be hard to make with confidence because the companies are still revising report structures, methodologies, categorizations, and data inputs. “None of the platforms appears to be fully transparent about their data and calculations,” TechPolicy notes, adding that some platforms continue to redact key content-moderation figures, making public auditing impossible.

Still, the documents matter because they force companies to put sensitive risk judgments in writing. Per TechPolicy, “the reports remain rare documents where tech companies publicly confront the societal risks their platforms may pose.” In a supervisory model built around investigations, audits, and sanctions, what platforms say in these filings can shape the questions regulators ask next and the evidence they demand when claims look thin.

TechPolicy Press’s review of the 2025 reports also highlights what is missing. Despite rapid advances in photorealistic synthetic media, the outlet found surprisingly little new discussion of generative-AI risks “as a whole,” with Google described as an exception. Where AI did appear, it tended to be attached to specific problems, such as “nudifier” apps, scams, or synthetic impersonation of public figures.

For the digital economy, the implications extend beyond a single enforcement action. The DSA is pushing the largest intermediaries toward supervised risk governance: documentation, mitigation testing, stakeholder engagement, and the prospect of fines if regulators conclude that harms are being under-managed.

That shift will increase compliance costs and accelerate product changes around youth protections, reporting and appeals systems, and transparency reporting. It may also deepen transatlantic divergence, as firms try to reconcile EU risk obligations with U.S. political and legal debates about platform speech. Either way, the DSA’s next phase will be judged less by what platforms publish and more by what regulators prove and enforce.