The Digital Services Act (DSA) sets clear rules for online platforms to tackle illegal content, increase transparency and protect users’ fundamental rights online. One of the key tools in the law is the requirement for platforms to carry out risk assessments to provide much-needed transparency on how they make decisions that affect millions of users, and explain what they are doing to prevent or reduce systemic risks to people's fundamental rights. If done properly, such risk assessments would allow civil society to conduct independent analyses, inform the European Commission’s oversight mandate, and enhance accountability. In our new policy brief, ECNL reviews the first three years of platform risk assessments (2023–2025) and sets out practical recommendations to help the Commission strengthen the DSA’s implementation in practice.
How should risk assessments be improved?
The policy brief focuses on 5 platforms that, in our view, are most likely to affect civic space, civic freedoms and online discourse, given their size, influence and the nature of their products: Facebook, Instagram, TikTok, X and YouTube. Unfortunately, our research has found that in their current form, risk assessments are unlikely to provide external organisations with meaningful insights into platforms’ risk mitigation measures. In the document, we highlight the following key lessons:
- The assessment must be specific to individual risks, not composed of vague declarations.
- Platforms must apply the same level of diligence when assessing negative effects on fundamental rights as they do when evaluating other systemic risks.
- For meaningful scrutiny, we need relevant information that substantiates platforms’ claims.
- Risk assessments should explain how platforms engaged external stakeholders, what feedback platforms received during consultations, and how it shaped their response
- Platforms should more consistently account for the different languages and geographic contexts across EU Member States
How these issues are addressed will determine whether risk assessments become meaningful and impactful tools - or remain little more than superficial compliance exercises.
ECNL is a long-standing member of the DSA Civil Society Coordination Group as well as European Digital Rights. In 2023, in collaboration with Access Now, we developed recommendations for conducting meaningful risk assessments under the DSA. Our review of the first round of risk assessments informed the initial analysis published in March 2025 by the DSA Civil Society Coordination Group. In 2025, we published an updated version of the Framework for Meaningful Engagement in AI, which outlines recommendations for AI developers and deployers on engaging with civil society and affected communities.