Developing a scalable approach to DSA vetted researcher data access

A central goal of the Digital Services Act (DSA) is to create a safer online environment in the EU. A key way of achieving this is through leveraging civil society to assist regulators in identifying and monitoring online risks. Indeed, Renate Nikolay, Deputy Director-General at DG CONNECT, has described this element of the regime as “…a first of its kind comprehensive framework for researchers to access data from Very Large Operating Platforms’ and Search Engines, allowing the whole society for a better understanding of the systemic risks they may cause.” To that end, the DSA mandates that these regulated entities grant researchers access to data for specific research purposes related to systemic risks.

This year has seen the long-awaited finalisation of this researcher access regime. The DSA establishes two data access routes for researchers. The first enables access to publicly available data, which will be a familiar process for many services already. The second and more onerous route seeks to grant “vetted researchers” access to non-public data to support research into systemic risks and their mitigation. The Commission’s recently adopted Delegated Act, which comes into effect in October 2025, details the practical implementation of this second method. Given the clock is now ticking, it is important that affected companies have in place the processes needed to respond to future requests.

How does the process work?

This regulatory process involves several key steps (see Figure 1). Researchers begin by submitting an application to a Member State Digital Services Coordinator (DSC) – i.e. the relevant national regulatory body under the DSA – which will first ensure the researcher meets the required criteria before granting the status of vetted researcher. The first researchers can begin to be vetted from October.

Following successful vetting, and provided the data access application meets specific criteria, the DSC will submit a “reasoned request” to the relevant VLOP or VLOSE on the researcher’s behalf. This request will specify the required data and data access method. Having received the request, VLOPs and VLOSEs can only request amendments based on lack of access to the data or due to security or confidentiality issues. Ultimately, in order to comply with requirements under the DSA, the VLOP or VLOSE must provide the requested data, along with any necessary supporting documentation to ensure data accessibility and understandability.

Figure 1 – Simplified overview of the data access request process

How can affected companies prepare?

The Delegated Act places significant responsibilities on VLOPs and VLOSEs. To ensure readiness for incoming data access requests, these organisations should proactively:

• Develop robust data access processes: This includes establishing clear procedures for handling requests, assigning responsibilities, and maintaining records.
• Enhance data management and technological capabilities: Platforms must ensure they have the technical capacity to extract, transform, and deliver data in the requested format within the set timelines, alongside essential supporting documentation such as codebooks and changelogs.
• Foster cross-functional collaboration: Effective responses necessitate collaboration between data, privacy, security, compliance, and legal teams.
• Prioritise transparency and auditability: The entire process should be transparent and auditable to demonstrate compliance. This includes clear communication with researchers and DSCs, including through a new DSA Data Access Portal.

Successfully meeting these requirements demands careful planning and execution, whilst non-compliance risks enforcement action. This may include the Commission requiring that a company take measures to address any breach of these requirements, as well as fines up to 6% of worldwide turnover. Organisations may need to implement new processes and invest in technology to ensure compliance, requiring significant effort across multiple teams and departments. Given this, firms should begin developing their approach immediately.

Deloitte’s multi-disciplinary Digital Regulation team, comprised of regulatory and data transformation experts, offers unparalleled expertise to navigate the requirements of vetted researcher Data Access. For expert guidance and support in navigating these new requirements, please reach out to one of the contacts listed below.