Article 38

Recommendations issued by the Commission

The Commission may issue recommendations on the application of this Section, including recommendations on the application of the risk management framework. The recommendations may also aim at establishing best practices in complying with the obligations set out in this Section, including for the application and use of harmonised standards. When preparing recommendations, the Commission shall take into account in particular the audit reports referred to in Article 36 and, where applicable, the reports referred to in Article 34(3) and the implementation reports referred to in Article 37(1).

Understanding This Article

Article 38 grants the Commission the power to issue non-binding recommendations on how VLOPs/VLOSEs should apply Section 5 obligations. While recommendations lack formal legal force (platforms can't be penalized for non-compliance with recommendations per se), they carry significant practical authority: the Commission speaks with a regulatory voice, recommendations signal enforcement priorities, and platforms that ignore recommendations invite closer scrutiny. This creates a 'soft law' mechanism that enables flexible guidance without burdensome formal rulemaking.

The provision authorizes recommendations on the 'application of this Section', meaning any of the VLOP obligations in Articles 33-43: risk assessment methodology, mitigation measure design, audit procedures, crisis response, data access, compliance functions, advertising transparency, recommender systems. The specific mention of the 'risk management framework' (Articles 34-35) recognizes this as a core VLOP obligation where guidance is particularly valuable: risk assessment and mitigation are deliberately flexible, creating a need for interpretive guidance on what constitutes adequate compliance.

The reference to 'establishing best practices' positions the Commission as a facilitator of industry learning. Rather than prescribing a single mandatory approach, recommendations can showcase multiple effective approaches, enabling platforms to learn from each other. If several platforms have developed effective minor protection measures, the Commission can recommend these as best practices. The mention of 'harmonised standards' refers to technical standards (e.g., ISO standards, CEN/CENELEC European standards) that could support DSA compliance; the Commission can recommend specific standards for risk management, auditing, security, and accessibility.

The requirement that the Commission 'take into account' audit reports, risk assessments, and implementation reports creates an evidence-based recommendation process. The Commission reviews dozens of VLOP audit reports annually, identifying patterns: Do multiple platforms struggle with similar obligations? Do certain approaches prove more effective? Do audits reveal common deficiencies? This aggregated intelligence informs recommendations that address systemic challenges. If audits consistently find crisis protocols inadequate, the Commission issues recommendations on effective crisis response mechanisms. If risk assessments commonly underestimate certain risks, the Commission recommends enhanced assessment methodologies.

Article 38's strength lies in regulatory efficiency. Formal rulemaking through implementing acts or delegated regulations requires lengthy procedures, consultation, and legal certainty requirements. Recommendations can be issued faster, updated more frequently, and adjusted as understanding evolves. As DSA implementation reveals challenges, the Commission can rapidly issue guidance that helps platforms comply effectively. This iterative learning approach prevents ossification of a new regulatory regime.

The non-binding nature creates interesting compliance dynamics. Platforms could theoretically ignore recommendations, but practical pressures create a substantial compliance incentive: (1) Regulatory expectations - Commission recommendations signal enforcement priorities; platforms that deviate without good reason face enhanced scrutiny in audits and investigations; (2) Legal defensibility - if enforcement action occurs, a platform that followed Commission recommendations has a strong defense ('we complied with official guidance'), while a platform that ignored them must justify the deviation; (3) Reputational value - Commission endorsement through 'recommended best practices' provides legitimacy; (4) Industry coordination - if all major platforms follow recommendations, outliers face a competitive disadvantage or user assumptions that they are non-compliant.

Article 38 also enables the Commission to address emerging issues without formal rule changes. If a new risk emerges (e.g., generative AI misinformation, a new manipulation technique), the Commission can quickly issue recommendations on assessing and mitigating it before platforms' next annual risk assessment cycle.

Key Points

  • Commission may issue recommendations on applying Section 5 VLOP obligations
  • Recommendations may cover: risk management framework application, best practices for compliance, harmonised standards use
  • Commission bases recommendations on: audit reports (Article 36), risk assessments (Article 34), implementation reports (Article 37)
  • Recommendations are non-binding but carry significant persuasive authority
  • Enables Commission to provide clarity without formal rulemaking
  • Creates 'soft law' guidance shaping platform behavior
  • Commission can identify cross-platform patterns from audit reports and recommend solutions
  • Platforms ignoring recommendations risk closer regulatory scrutiny

Practical Application

For the Commission (Issuing Recommendations): The Commission analyzes audit reports from all VLOPs annually, identifying patterns and developing recommendations. Example process: (1) The Commission reviews 20+ VLOP audit reports covering 2023 compliance. (2) It identifies common themes: multiple audits note that crisis protocols are inadequately tested, risk assessments address recommender system risks inconsistently, and advertising transparency implementation varies widely. (3) It drafts recommendations: a 'Recommendation on Crisis Protocol Effectiveness' advising VLOPs to conduct quarterly simulation exercises testing election interference scenarios, coordinate cross-platform crisis response, and establish dedicated crisis teams with 24/7 availability; a 'Recommendation on Recommender System Risk Assessment' providing a methodology for evaluating algorithm amplification effects, filter bubble formation, and vulnerable population impacts; and a 'Recommendation on Advertising Transparency Implementation' suggesting user interface designs, data formats, and disclosure timing. (4) It publishes the recommendations officially, circulates them to all VLOPs, and makes them available to the public. (5) In subsequent audit cycles, auditors examine whether platforms adopted the recommended practices - adoption becomes a compliance indicator even though it is technically voluntary.

For Meta (Responding to Recommendations): When the Commission issues recommendations on crisis protocol effectiveness based on cross-platform audit findings, Meta must decide: adopt, adapt, or justify an alternative approach. Meta's analysis: (1) Review recommendation details: the Commission recommends quarterly crisis simulations, 24/7 crisis teams, and cross-platform coordination mechanisms. (2) Compare to current practices: Meta conducts semi-annual simulations, has an on-call crisis team that is not fully 24/7, and has limited cross-platform coordination. (3) Decision: adopt the recommendations as a baseline and exceed them where possible. (4) Implementation: establish a quarterly crisis simulation schedule, expand the crisis team to ensure 24/7 coverage globally, and reach out to YouTube/TikTok/Twitter for a cross-platform coordination framework. (5) Document adoption: in the next annual risk assessment and audit, demonstrate that Meta adopted Commission-recommended practices and cite the specific recommendations implemented. This demonstrates regulatory responsiveness, reduces compliance uncertainty, and builds a positive relationship with the Commission. If Meta chose not to adopt the recommendations, it would need a compelling justification and would risk auditors flagging the deviation as a potential compliance concern.

For YouTube (Using Recommendations as Safe Harbor): YouTube faces ongoing concerns about its recommendation algorithm amplifying extremism. The Commission issues a recommendation on assessing and mitigating recommendation algorithm risks, suggesting algorithm testing methodologies, diversity injection approaches, circuit breaker mechanisms, and transparency practices. YouTube adopts the recommended practices: it implements the suggested testing framework, adopts the recommended circuit breakers that prevent consecutive extreme content recommendations, and uses the recommended transparency disclosures. In a subsequent audit, YouTube demonstrates: 'YouTube implemented risk assessment methodology consistent with Commission Recommendation 2024/XX, adopted mitigation measures aligned with recommended best practices, exceeded recommendations by adding additional safeguards.' If enforcement action or criticism emerges, YouTube has a defense: 'We followed official Commission guidance on best practices.' Recommendations provide a legal safe harbor that reduces regulatory uncertainty.

For TikTok (Recommendations as Trust-Building): Given ongoing scrutiny, TikTok views Commission recommendations as an opportunity to demonstrate good-faith compliance. When the Commission issues recommendations on data localization and security for platforms with non-EU ownership, TikTok proactively adopts the recommended practices even where they exceed minimum legal requirements: it implements the recommended access controls, adopts the suggested audit procedures, and uses the recommended transparency measures. TikTok publicly announces: 'TikTok welcomes Commission recommendations on data security and has implemented all recommended practices for EU data protection.' This visible compliance with official guidance counters skepticism, demonstrates commitment to the EU regulatory framework, and makes restrictive enforcement actions less defensible for regulators.

For Emerging VLOPs (Recommendations as Roadmap): A platform approaching 45 million EU users and anticipating VLOP designation uses Commission recommendations as an implementation roadmap. It reviews all published recommendations on risk assessment methodology, mitigation best practices, audit preparation, crisis protocols, and compliance function structure. It adopts the recommended approaches before formal designation, demonstrating readiness for VLOP obligations. At designation, the platform presents to regulators: 'We have proactively implemented Commission-recommended best practices in anticipation of VLOP status, including X, Y, Z practices from Recommendations 2024/XX, 2024/YY.' This smooth transition reduces compliance friction and regulatory concerns about a newly designated VLOP struggling with its obligations.

For Small Platforms (Voluntary Adoption): While Article 38 recommendations target VLOPs, smaller platforms may voluntarily adopt the recommended practices. If the Commission recommends best practices for minor protection, crisis response, or content moderation that prove effective for VLOPs, smaller platforms can implement similar approaches proportionate to their scale. Voluntary adoption improves safety outcomes, demonstrates social responsibility, prepares the platform for potential future growth to VLOP status, and reduces liability risks by following recognized best practices. Commission recommendations thus influence the broader platform ecosystem, beyond just the VLOPs subject to mandatory obligations.