Enhanced access to platform data under new rules in the Digital Services Act

The question

How will new rules under the EU’s Digital Services Act (DSA) expand researchers’ access to platform data, and what are the implications for platforms, researchers and wider society?

The key takeaway

From 29 October 2025, qualified, vetted researchers can request access to data held by very large online platforms (VLOPs) and very large online search engines (VLOSEs) for the purpose of investigating systemic risks - including the dissemination of illegal content, impacts on mental health, risks to minors and other societal harms. This expanded access is enabled by a new Delegated Act on Data Access, which sets out detailed procedures, safeguards and technical conditions. It represents a major shift in transparency expectations for the largest online services operating in the EU.

The background

The DSA establishes a framework to increase accountability and transparency for online intermediaries, including platforms outside the EU that serve a substantial number of EU users - meaning UK-based organisations may be in scope.

Until now, independent researchers have faced significant barriers when seeking access to platform data, resulting in partial or inconsistent datasets and limiting scrutiny of platform systems.
The Delegated Act now in force addresses this by:

• obliging VLOPs/VLOSEs to provide data access where legally required;
• defining who qualifies as a vetted researcher;
• establishing the criteria, procedures and technical conditions for data sharing; and
• setting parameters to safeguard platform integrity, trade secrets and user privacy.

This is the first EU framework that creates a structured and enforceable mechanism for independent research into systemic risks in online environments.

The development

Under the new rules:

• vetted researchers may apply for access to platform data when their research directly relates to the systemic risks defined in the DSA (e.g., illegal content, public health misinformation, effects on minors, democratic harms);
• applications are reviewed by Digital Services Coordinators (DSCs) - the national authorities responsible for supervising DSA compliance;
• if a researcher satisfies the legal criteria, DSCs can require platforms to grant access to the requested data;
• DSCs must collaborate to ensure consistent and timely decisions across Member States;
• platforms must comply with approved requests and establish processes to manage data access securely and lawfully.

The Delegated Act also sets out technical standards for access environments, including secure processing spaces, privacy protection measures, and obligations to prevent data misuse.

Why is this important?

These rules dramatically expand the ability of independent researchers to analyse how platform systems shape online behaviour and societal outcomes. Enhanced data access may:

• improve public understanding of how recommendation systems, ranking, and advertising models influence user experience;
• reveal whether certain platform designs contribute to harms such as self-harm content exposure, polarisation, or discrimination;
• strengthen evidence-based policymaking and regulatory oversight; and
• increase pressure on platforms to demonstrate that their systems are safe by design and compliant with DSA risk-mitigation duties.

For platforms, this marks a shift from voluntary data-sharing to a mandatory, regulator-controlled regime with potential reputational, operational and compliance consequences.

Any practical tips?

For researchers:

• prepare detailed applications showing clear relevance to systemic risks, methodological robustness and capacity to handle data securely;
• engage early with DSC guidance to understand national expectations and timelines.

For platforms:

• review internal processes for receiving, assessing and fulfilling data-access requests;
• map where relevant data sits, including logs, recommender-system outputs, ad library data, ranking signals and safety-related metrics;
• implement or upgrade secure research environments and data-minimisation tooling;
• ensure governance teams are ready to liaise with DSCs and maintain audit-ready documentation.

For all organisations:

• monitor emerging guidance to understand how the rules will be applied in practice;
• expect increased scrutiny and potentially greater transparency demands as systemic-risk research expands.

Winter 2025