Government & Policy

Europe names 19 platforms that must report algorithmic risks under DSA


TikTok logo seen on an Android mobile device screen with the European Union (EU) flag in the background.
Image Credits: Chukrut Budrul/SOPA Images/LightRocket / Getty Images

The European Union has confirmed the names of over a dozen platforms that will face the strictest level of regulation under its recently rebooted and expanded e-commerce rules, aka the Digital Services Act (DSA).

The list is a mix of familiar digital services, from social media apps to search engines and app stores — with no real surprises. The lion’s share of regulated platforms are developed by U.S. based for-profit firms, with a few international (mostly European) players in the mix, and one non-profit (the online encyclopedia Wikipedia).

The full list of 19 platforms which are being designated in this first wave is as follows:

  • Alibaba AliExpress
  • Amazon Store
  • Apple AppStore
  • Bing
  • Facebook
  • Google Play
  • Google Maps
  • Google Search
  • Google Shopping
  • Instagram
  • LinkedIn
  • Pinterest
  • Snapchat
  • TikTok
  • Twitter
  • Wikipedia
  • YouTube
  • Zalando

The listed platforms that have been confirmed meet the criteria as either very large online platforms (VLOPs) or very large online search engines (VLOSEs), in the regulation’s jargon. (Actually, just two VLOSE are being designated at this point (Bing and Google Search); the other 17 are all VLOPs.)

A VLOP or VLOSE designation carries extra requirements to assess and mitigate systemic risks attached to the use of algorithms and AIs, meaning the platforms must be proactive about analyzing and reporting potential issues related to the operation of technologies like content ranking tools and recommender systems.

The EU’s idea is to use mandatory algorithmic transparency requirements to drive accountability — meaning regulated platforms won’t be able to turn a blind eye to AI-amplified harms as the law also requires they put in place “reasonable, proportionate and effective mitigation measures” for identified risks, with their reporting and mitigation plans subject to independent audit and oversight by the European Commission (with the support of a newly opened European Center for Algorithmic Transparency). While penalties for non-compliance can scale up to 6% of global annual turnover.

Europe spins up AI research hub to apply accountability rules on Big Tech

Risks regulated VLOPs/VLOSEs must consider include AI-driven or algorithmic harms to fundamental rights like freedom of expression; civic discourse and electoral processes; public security and public health; gender-based violence; child safety; and mental health.

The DSA also imposes some limits on microtargeted advertising — with a prohibition on processing sensitive data for ad targeting or the use of children’s information. While marketplaces have some requirements to check the identity of sellers.

Users of VLOPS/VLOSE must also be provided with clear information on why they are recommended certain content; and have the right to opt-out from recommendation systems based on profiling — applying pressure to ad-funded business models, such as Meta’s, which hinge on tracking and profiling web users.

Elsewhere, the regulation demands platforms have clear T&Cs — and enforce them diligently and non-arbitrarily.

The principle criteria for being regulated as a VLOP/VLOSE is to have more than 45 million monthly active users in the EU. Platforms were required to report their numbers to the EU back in February so the Commission could begin the process of designation.

To say that some of the named platforms may be rather unprepared for this special regime of DSA compliance is an understatement: The Commission already warned Twitter last November of the “huge work” it faces to comply with the bloc’s rules.

Since then Twitter’s erratic owner, Elon Musk, has only continued to channel abject chaos — such as, for example, dismantling the platform’s legacy verification system which had granted Blue Checks to notable accounts and replacing that long-standing authenticity signal with a scammers’ paradise since anyone willing to pay Twitter $8 a month can now buy a faux Blue Check which mimics the look of the old system but does not involve any meaningful verification check.

Musk has also demonstrated a penchant for making arbitrary and even spiteful decisions — banning users at whim and even removing some legacy verifications sooner than others (apparently just for the lols) while also paying for a handful of celebrities to retain their Blue Checks, creating the (false) impression that they have paid Musk for the badge — none of which seem likely to sit well with DSA requirements for plain and fair dealing.

Another requirement that VLOPs have a mechanism for users to flag illegal content and act on notifications expeditiously similarly looks tricky for Twitter under Musk — given it’s already facing enforcement by the German government for failing to take down illegal hate speech under the country’s illegal hate speech regime.

Germany accuses Twitter of failing to remove illegal hate speech

The pan-EU DSA also requires VLOPs to support researchers by, in the first instance, providing access to publicly available data — and later on (via delegated act) establishing a special mechanism for vetted researchers so they can conduct research into systemic risks in the EU. And, yet again, Musk has raced in the opposite direction — drastically reducing third party researchers’ access to platform data by cranking up the cost of using Twitter’s APIs.

It’s almost as if the regulation was drafted with Musk in mind. But of course its drafting long predates the billionaire shit-poster’s tenure at Twitter.

While the DSA certainly has its critics, the prospect of a broader backlash against the EU’s approach to updating its digital rulebook seems rather less likely than it might have been had Musk not taken his accelerated wrecking ball to Twitter over the past half year or so.

In other words, suddenly the prospect of responsible, non-arbitrary management being a requirement that’s imposed on major platforms start to look kind of necessary/prescient.

There is still a grace period before these larger platforms are expected to be compliant with the DSA — but it’s now just a matter of months: Firms that have been designated VLOPs/VLOSEs have four months to comply with obligations under the DSA — which includes publishing their first risk assessments — so the 19 listed services (and dozen companies plus one non-profit) face a busy summer ahead if they’re to meet the August 25 compliance deadline without breaking a sweat.

Twitter certainly has its work cut out if it’s to avoid a world of regulatory pain falling on it in the EU — coupled with the existential risk, were Musk were to opt to keep flouting the rules, of a regional shutdown being imposed. (Albeit, no political body is going to want to be the one ordering a Twitter shutdown so there would likely be an extended showdown of financial enforcements prior to such a terminal step.)

VLOPs/VLOSEs must also comply with the general provisions of the DSA, which will apply more broadly to digital services and smaller platforms from early next year, placing obligations on how they must respond to reports of illegal content, as well as in areas like notice and action mechanisms and complaint handling, in addition to transparency obligations and plenty more.

More VLOPs incoming?

While the first wave of VLOPs/VLOSEs don’t yet number 20 more could be coming: The Commission has suggested (via Politico) there could be a second batch of VLOPs/VLOSE designations in the next few weeks as it said it will be conducting checks on some other platforms which told it they do not meet the criteria in order to confirm whether that’s the case.

One type of large digital service that’s currently missing from the list of designations is adult content.

Asked about this during a briefing with journalists, a Commission official confirmed it is engaging with a number of adult content services but declined to specify which platforms it’s seeking more information from at this stage as regards their self declared user numbers.

They added the idea is to better understand the methodologies being used for calculating regional usage — saying adult sites that have declared figures to the Commission are largely claiming usage is below the 45M monthly actives threshold.

The EU’s executive declined to provide details of any other platforms it’s looking at for possible designation. However, earlier today, Politico reported remarks by internal market commissioner Thierry Breton which suggests Pornhub is one adult platform that’s being looked at in Brussels as a possible addition to the VLOPs list, along with Airbnb, Spotify and Telegram.

While bounded messaging apps are not obviously in scope of the platform component of the regulation — hence (presumably) the lack of a designation for Meta-owned WhatsApp — a Commission official said the DSA recognizes that messenger services may be architected in such a way that they could be considered platforms, i.e. if content can reach a potentially unlimited number of users.

Telegram’s app, for instance, includes a social media-style channels feature which lets users broadcast content to large numbers of subscribers. However the company has so far reported a lower level of regional users to the EU than the VLOP threshold (~33 million). And a Commission official told TechCrunch it is in the process of following up to understand how the platform arrived at this figure.

While it remains to be seen how many extra VLOPs may be named in the coming weeks, where designations have been made the Commission said it will be engaging with all the platforms to assess their readiness for compliance in the coming months.

It added that it will be paying particular attention to child safety by asking companies to prioritize sharing information about how they are preparing to ensure they are taking steps to protection minors online.

Here it also remains to be seen what that might mean in practical terms. But it could, for example, encourage designated platforms to apply tougher age assurance measures — or even adopt hard-stop age verification technologies — in a bid to shrink their compliance risks in a stated priority area for EU regulators.

In additional remarks, the Commission confirmed that no platforms are falling into a non-responsive/non-cooperative category as yet — with official saying all have been engaging with its overtures so far. But it will be interesting to see whether early cooperation keeps up (or not). And, indeed, whether the Commission gets the level of required detail for it to be able to smoothly and effectively carry out the intended oversight of platform power.

There are some early signs that self reporting will throw curve balls for regulators: E-commerce marketplace Zalando, for instance, reported two sets of usage numbers to the Commission — one of which was below the threshold for being designated and which it apparently argued for (with the Commission taking the opposite view and confirming the e-commerce marketplace as a VLOP).

Commission officials also noted that Apple recently updated its self reported numbers in a way that breaks down usage for its App Store per device. Again, though, the EU’s executive is treating it a single platform for the purposes of the DSA — arguing that Apple’s content moderation policies are essentially the same regardless of where its App Store is being accessed.

During the briefing, the Commission reiterated another detail we reported on earlier: That OpenAI’s ChatGPT is not itself currently considered a platform, under the DSA definition — and will be more directly regulated under the bloc’s incoming AI Act (so not for likely a couple of years) — however the EU is stipulating that generative AI technologies could end up being regulated indirectly under the DSA. Such as if a regulated search engine (like Bing; which is now confirmed as a VLOSE) incorporates the tech into its service.

That would then trigger requirements on Bing’s owner, Microsoft, to ensure it is robustly assessing systemic risks of integrating generative AI — such as the embedded tendency for these chatbots to hallucinate when they lack information to provide a correct answer, with the risk they end up amplifying disinformation in search results say. So while the regulation was clearly not drafted with the latest AI hype in mind, it could apply some guardrails on major platforms’ use of the tech from as soon as this fall.

What about when we might seen the first DSA enforcements landing on rule-breaking VLOPs/VLOSEs? (And Twitter would be the obvious early bet for inviting a world of pain.)

There’s no official word form the Commission on when (or where) orders and/or penalties might start to land, beyond the technical compliance deadline of late August/September. Although officials point out that the designation step itself unlocks what they couch as wide-ranging investigatory powers — so EU regulators are sending an early warning shot that they already armed with tools to start digging into issues of particular concern for the 19 listed platforms.

The bloc is also keen to point out that certain algorithmic transparency requirements will, ultimately, apply to all digital services that get regulated under the DSA — not just the larger subset of VLOPs/VLOSE — from early next year. Although oversight on those smaller services will fall to Member State level bodies, rather than the Commission itself.

Asked if it’s getting much international inbound over the DSA, as regulators in other jurisdictions consider how to tackle platform power, a Commission official said there has already been plentiful interest — so much so they said a dedicated team has been set up to respond to international enquiries.

At the same time, the Commission said it’s keen to avoid what it referred to as “zombie DSAs” popping up elsewhere in countries that lack a foundational fundamental and/or human rights framework to build on.

This report was updated with additional detail following a Commission technical briefing on the VLOPs/VLOSE designations

We also updated with a correction after the Commission initially misstated Amazon Marketplace as designated; in fact it’s Amazon Store that’s been named a VLOP

Countdown to compliance as EU’s Digital Services Act published

EU lawmakers eye tiered approach to regulating generative AI

More TechCrunch

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

13 hours ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

15 hours ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares

Meta, the parent company of Facebook, launched an enterprise version of the prominent social network in 2015. It always seemed like a stretch for a company built on a consumer…

With the end of Workplace, it’s fair to wonder if Meta was ever serious about the enterprise

X, formerly Twitter, turned TweetDeck into X Pro and pushed it behind a paywall. But there is a new column-based social media tool in town, and it’s from Instagram Threads.…

Meta Threads is testing pinned columns on the web, similar to the old TweetDeck

As part of 2024’s Accessibility Awareness Day, Google is showing off some updates to Android that should be useful to folks with mobility or vision impairments. Project Gameface allows gamers…

Google expands hands-free and eyes-free interfaces on Android