Background to the complaint

1. The Digital Services Act[1] (DSA) requires providers of ‘very large online platforms’ annually to assess certain risks of their services related, for instance, to the dissemination of illegal content, or to negative effects on the exercise of fundamental rights or on the protection of minors.[2] In addition, an independent audit of those platforms’ compliance with the DSA is to be carried out.[3] Where risks are identified, the provider of the designated platform concerned has to put in place mitigating measures to address those risks.

2. The reports on these risk assessments and audits are to be shared with the European Commission, who monitors and enforces the compliance of very large online platforms with their obligations under the DSA. The reports must also be made public at the latest three months after the receipt of the audit report.[4] If a platform is found to be in breach of its obligations under the DSA, the Commission can impose fines to enforce compliance.[5]

3. On 14 September 2023, the Commission received the report on X’s first annual risk assessment following the entry into force of the DSA and the platform’s designation as a very large online platform.

4. Two weeks later, the complainant, a journalist, requested[6] public access to this report from the Commission.

5. In November 2023, the Commission refused to give public access, relying on the need to protect the commercial interests of the platform concerned.[7]

6. The complainant subsequently asked the Commission to review its decision to refuse to give public access (by making a ‘confirmatory application’).

7. In December 2023, based on its assessment of the platform’s risk assessment report (and other elements), the Commission opened a formal investigation[8] into the platform’s compliance with its obligations under the DSA. Specifically, the Commission considered that the platform had failed to diligently assess certain systemic risks in the EU, stemming from the design and functioning of its systems and the use of its services.

8. In June 2024, the Commission adopted a confirmatory decision on the complainant’s access request, maintaining that the risk assessment report could not be disclosed. In doing so, the Commission also invoked the need to protect its ongoing investigation under the DSA, arguing that a general presumption of non-disclosure applied and that the two exceptions for the protection of commercial interests[9] and for the protection of the purpose of investigations[10] were closely connected.

9. In July 2024, the Commission issued preliminary findings of non-compliance in the context of its DSA investigation, identifying three grievances.[11]

10. In September 2024, dissatisfied with the non-disclosure of the risk assessment report, the complainant turned to the Ombudsman.

11. The Ombudsman opened an inquiry into the Commission’s refusal to give public access in September 2024.

12. Following the inspection of the risk assessment report and the examination of the arguments presented, including in the Commission’s reply to the complaint, the Ombudsman shared her preliminary views[12] with the Commission in November 2024.

The Ombudsman's preliminary views

13. The Ombudsman took the preliminary view that it is unreasonable for the Commission to apply a general presumption of non-disclosure to a risk assessment report drawn up under the DSA.

14. Specifically, the Ombudsman considered that the rules that apply to risk assessment reports deviate significantly from the circumstances in which the EU courts have established the possibility to make use of a general presumption. Most notably, the DSA does not provide for privileged access rules to risk assessment reports but requires platforms to publish those reports, independently of whether there is an ongoing DSA investigation by the Commission.

15. In addition, the Ombudsman considered that, while the DSA allows[13] for certain information to be withheld when a platform eventually publishes its risk assessment report, it is unreasonable to conclude from this provision – and in light of the obligation to publish the report – that risk assessment reports contain sensitive commercial information throughout.

16. The Commission disagreed with the Ombudsman’s preliminary view.[14]

The Ombudsman's recommendation

17. The Ombudsman therefore continued her inquiry. Following further assessment, she noted that the DSA emphasises the importance of transparency and accountability of online services and that it acknowledges that there is a need for an increased level or transparency and public scrutiny as regards very large online platforms, due to their special role and reach.[15]

18. In addition, the Ombudsman noted that, while the DSA envisages a timeline for the publication of risk assessment reports, the publication is to take place irrespective of the state of play of the Commission’s assessment. This means that it is irrelevant whether the Commission has opened an investigation into the compliance of the platform concerned with its obligations under the DSA, whether such an investigation is ongoing or whether the Commission has yet to take a decision on the possible opening of an investigation.

19. The Ombudsman also considered it likely that the publication of the report (or a redacted version thereof) would normally take place before the Commission concludes its investigation and, thus, that the protection of its enforcement efforts is without prejudice to the transparency and public scrutiny of risk assessment reports.

20. The Ombudsman therefore maintained her view that it is unreasonable to apply a general presumption of non-disclosure to risk assessment reports drawn up under the DSA. She considered that, if the platform concerned has not yet published the risk assessment report proactively when a request for public access is made, the Commission should take this into account in its assessment of the document under Regulation 1049/2001. If it is not clear whether public access can be granted, the Commission should consult the platform concerned, as provided for in Regulation 1049/2001.[16]

21. The Ombudsman thus confirmed her preliminary view that the Commission’s use of a general presumption of non-disclosure constituted maladministration.

22. Noting that a redacted version of the risk assessment report at issue had in the meantime been disclosed by the platform concerned[17], in line with its obligations under the DSA, and that the complainant was dissatisfied with the redactions made by the platform, the Ombudsman made the following recommendation to the Commission: The Commission should conduct a concrete and individual assessment of the risk assessment report at issue with a view to granting the widest public access possible, including to those parts of the report that have been redacted in the version that was published by the platform concerned. If the Commission concludes that no access can be granted to certain parts of the report, it should explain, why, specifically and actually, their disclosure is prevented in light of the exceptions laid down in Article 4 of Regulation 1049/2001.[18]

23. In reply[19], the Commission maintained that it had been justified in applying a general presumption of non-disclosure to the report.

24. In particular, the Commission reiterated that, upon receipt, risk assessment reports become part of its case file concerning the respective platform’s compliance with the DSA. These reports are thus not only protected by the obligation of professional secrecy but become also subject to the specific access regime that applies to the Commission’s administrative file.[20]

25. In addition, the Commission argued that (partial) disclosure of a risk assessment report, which has not yet been made public by the platform concerned under the DSA, would deprive the platform of its right to redact confidential information. In addition, even if the Commission were to consult the platform concerned, in the absence of a reply, the Commission would be obliged to assess highly sensitive information to decide whether disclosure might cause “significant vulnerabilities” of protected interests. This, in turn, would risk legal challenges by the platform concerned and would undermine the very purpose of the risk assessment reporting and dialogue with the platform. The Commission also contended that disclosure would undermine its monitoring and supervisory role and the platform’s right to be heard.

26. As regards a possible overriding public interest in disclosure, the Commission considered that an interest in scrutinising the compliance of very large online platforms with their obligations under the DSA and understanding the risks related to the use of a platform’s services constitute private interests, similar to an individual’s interest in exercising their right of defence in judicial proceedings against them.

27. The Commission also stated that a right to access cannot be derived from its practice of making public information related to its findings and the progress made in a DSA investigation.

28. Finally, the Commission said that it had not contested the confidential information that was withheld by the platform when it published a redacted version of the risk assessment report at issue.

29. In his comments on the Commission’s reply, the complainant reiterated that he considers the Commission’s application of a general presumption of non-disclosure to virtually all documents related to ongoing DSA investigations excessive.

30. The complainant also contended that the Commission “seemed dismissive” of any possibility of an overriding public interest in disclosure.

31. Further, the complainant considered that, if the Commission generally were to refuse public access to risk assessment reports under Regulation 1049/2001, it would prevent the public from scrutinising and challenging any redactions that the platforms themselves make.

The Ombudsman's assessment after the recommendation

32. The Ombudsman remains unconvinced that a general presumption of non-disclosure can be applied to risk assessment reports drawn up under the DSA.

33. While the DSA requires professional secrecy, designated platforms cannot legitimately expect that all information they provide in a risk assessment report (that is meant to be made public) would remain confidential.

34. Rather, only information that can reasonably be regarded as sensitive may legitimately be withheld. Nor does it seem reasonable that disclosure under Regulation 1049/2001 would deprive the platform concerned from its right to redact confidential information or its right to be heard. Regulation 1049/2001 provides for the very possibility to consult a third-party author, where it is not obvious whether a document or certain parts of it can or cannot be disclosed.

35. Further, the Ombudsman is concerned about the Commission’s refusal to carry out an individual assessment of the risk assessment report on the basis that the potential absence of a reply by the third party would require it to decide itself which parts to disclose.

36. If this line of argumentation were to be followed, no document authored by a third party could ever be disclosed because of the potential lack of a reply to a third-party consultation.

37. In addition, EU institutions can never solely rely on a third party’s assessment, even if they reply to a consultation. They must always conduct their own assessment, taking into account the third party’s views. The Commission’s position seems to be at odds with the obligation under Regulation 1049/2001 to conduct a concrete and individual assessment, including where access is sought to a document containing possible commercially sensitive information.

38. The Ombudsman also disagrees with the Commission’s position that scrutinising the compliance of a very large online platform with its obligations under the DSA – with a view to understanding the potential serious risks that the use of its services entails and whether and how such risks are being addressed by the platform – constitutes a private interest. As the Commission’s own actions illustrate[21], the services offered by very large online platforms can enable serious fundamental rights violations such as identity theft, sexual violence and infringements of the rights of the child. Such serious breaches of the law, which in some jurisdictions are, moreover, very difficult to prosecute and against which victims find it very difficult to defend themselves, can hardly be considered a domestic or private issue of individual victims. On the contrary, they can generate very serious societal problem and, consequently, a threat to democracy and the society at large. In light also of the fast pace in which new artificial intelligence tools are being developed and the new technical possibilities they offer, there is a growing and important public interest in receiving, in a timely manner, access to information related to the risks that the services offered by very large online platforms (might) entail. Such form of transparency allows users to take informed decisions on whether using a platform’s services is safe and informs the ongoing public debate in many EU Member States on whether and what kind of regulatory changes might be required to address such risks.

39. As the Commission itself noted in its reply to the Ombudsman’s recommendation, one of the aims of the DSA is effectively to protect fundamental rights.[22] Timely information on how very large online platforms strive to prevent violations of fundamental rights on their services contributes to this objective. Moreover, transparency becomes even more important when a platform fails to comply with its obligation to provide researchers with access to information, thereby “effectively undermining research into several systemic risks in the European Union.”[23]

40. Therefore, the Ombudsman finds that the Commission should have assessed the arguments put forward by the complainant to determine whether they establish an overriding public interest in disclosure.

41. Finally, the Ombudsman considers it unlikely that (partial) disclosure of risk assessment reports under Regulation 1049/2001 would undermine the mutual trust on which the dialogue between the Commission and the designated platforms is based. Very large online platforms are legally obliged to cooperate with the Commission and to provide it with information relevant to an assessment of their compliance with the DSA. The Commission can impose fines, if a designated platform fails to comply with its obligations. In any case, as stated above, if the Commission had doubts about the disclosure of certain parts of the risk assessment report, it could have consulted the platform on the access request.

42. As regards the Ombudsman’s previous reference to information on the Commission’s DSA investigation concerning the platform at issue that it had published before the completion of the relevant audit, this only aimed to underline the Ombudsman’s view that disclosure was unlikely to undermine the audit. While the Ombudsman notes that the Commission no longer refers to the need to protect the purpose of the independent audit, she considers that the fact that certain information had already been disclosed by the Commission at the time of the confirmatory decision is an element that should have been taken into account in the context of the assessment of the complainant’s public access request, as the Commission itself noted in its reply to the Ombudsman’s recommendation.

43. In light of the above, the Ombudsman upholds her finding of maladministration.

Conclusions

Based on the inquiry, the Ombudsman closes this case with the following conclusions:

The use of a general presumption of non-disclosure and, thus, the refusal to conduct a concrete and individual assessment of the risk assessment report at issue, constituted maladministration by the European Commission.

The complainant and the Commission will be informed of this decision.

Teresa Anjinho
European Ombudsman

Strasbourg, 07/05/2026

 

[1] Regulation 2022/2065 on a Single Market For Digital Services (Digital Services Act): http://data.europa.eu/eli/reg/2022/2065/oj.

[2] Article 34 of the DSA.

[3] Article 37 of the DSA.

[4] Article 42(4) of the DSA.

[5] Articles 73f. of the DSA.

[6] Under Regulation 1049/2001 regarding public access to European Parliament, Commission and Council documents: http://data.europa.eu/eli/reg/2001/1049/oj.

[7] In accordance with Article 4(2), first indent of Regulation 1049/2001.

[8] In accordance with Article 66(1) of the DSA - file number of the investigation: DSA.100.100.

[9] Article 4(2), first indent of Regulation 1049/2001.

[10] Article 4(2), third indent of Regulation 1049/2001.

[11] See: https://digital-strategy.ec.europa.eu/en/news/commission-sends-preliminary-findings-x-breach-digital-services-act.

[12] The full text of the Ombudsman’s preliminary views is available at: https://www.ombudsman.europa.eu/en/doc/correspondence/en/199731.

[13] Article 42(5) of the DSA.

[14] The full text of the Commission’s reply to the Ombudsman’s preliminary view is available at:

https://www.ombudsman.europa.eu/doc/correspondence/214482.

[15] See, for example, recitals (65) and (100) of the DSA.

[16] In accordance with Article 4(4) of Regulation 1049/2001.

[17] The published version of the report is available at: https://digital-strategy.ec.europa.eu/en/policies/dsa-brings-transparency#ecl-inpage-lsets8qr.

[18] The full text of the Ombudsman’s recommendation is available at: https://www.ombudsman.europa.eu/en/recommendation/en/214486.

[19] The full text of the Commission’s reply to the Ombudsman’s recommendation is available at: https://www.ombudsman.europa.eu/doc/correspondence/223606

[20] In accordance with Articles 84 and 79(4) of the DSA.

[21] For example, the Commission has set up an Expert Group on Safer Internet for Children that is assessing how best to protect minors from harmful content online, including approaches such as a social media minimum age (https://digital-strategy.ec.europa.eu/en/policies/expert-group-safer-internet). In addition, the Commission has opened investigations into the compliance of several very large online platforms with the DSA, including concerning child protection, addictive design, illegal content and election risks (https://digital-strategy.ec.europa.eu/en/policies/list-designated-vlops-and-vloses).

[22] See, for example, recital (9) of the DSA.

[23] See: https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2934.