Commitments Framework under DSA
The content specifically addresses 'Commitments' as a distinct DSA mechanism that warrants its own dedicated topic, separate from general codes of conduct, as it represents a specific framework for voluntary undertakings by service providers with particular procedural and compliance characteristics.
Overview
Legal Framework
The Digital Services Act (DSA) establishes a specific "Commitments" framework, distinct from general codes of conduct, primarily referenced in Recitals 98 and 99. While the core legal obligations for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) are set out in the operative articles, the recitals frame the context for voluntary, structured undertakings. Recital 98 emphasizes that providers must not prevent vetted researchers from using publicly accessible data to detect systemic risks, facilitating real-time access where technically feasible. Recital 99 mandates that VLOPs and VLOSEs establish an independent compliance function, reporting directly to management, which is a foundational structure for overseeing any formal commitments made.
Practical Application
This framework allows providers to proactively offer commitments to the European Commission to address systemic risks, potentially as part of a dialogue preceding formal proceedings. The commitments, once accepted by the Commission, become binding and are monitored for compliance. The independent compliance function required by Recital 99 is critical for ensuring these commitments are integrated into governance and adhered to operationally. While specific DSA case law on commitments is still developing, the principle from cases like Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems—that commitments and oversight must ensure a level of protection "essentially equivalent" to EU standards—informs the expectation that any voluntary DSA undertakings must be substantively robust and effectively enforced.
Key Considerations
- The compliance function must be structurally independent, with its head reporting directly to top management, to credibly oversee and report on adherence to any formalized commitments.
- Commitments offered to the Commission should be specific, measurable, and coupled with clear implementation plans, as they become enforceable obligations subject to monitoring and potential penalties for non-compliance.
- Providers should ensure their data access policies for vetted researchers (per Recital 98) are aligned with this framework, as facilitating independent research is a key mechanism for identifying risks that commitments may aim to mitigate.
Laws (10)
Case Law (2)
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term ‘adequate level of protection’ must […] be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter.”
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain s
Guidance (9)
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Version history
guidelines on transfers of personal data between public authorities and bodies within and outside the EEA
Guidelines 07/2022 on certification as a tool for transfers
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and ...
Guidelines 04/2021 on codes of conduct as tools for transfers
Under Article 46 of the GDPR, controllers/processors must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that organisations may use under Article 46 for transfers to third countries, including by introducing codes of conduct as a new transfer mechanism (Article 40(3) and Article 46(2), point ...
Guidelines 04/2021 on Codes of Conduct as tools for transfers
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
Guidelines 07/2022 on certification as a tool for transfers
guidelines on certification
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and ...
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
News (3)
Making GDPR compliance easier through new initiatives: a key focus of the EDPB work programme 2026-2027
Brussels, 13 February - The EDPB has recently adopted its work programme for 2026-2027, which is grounded in the four pillars of the EDPB strategy 2024-2027. The work programme is based on the priorities set out in the EDPB strategy and it also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation. Easing compliance is at the top of
EDPB work programme 2026-2027: easing compliance and strengthening cooperation across the evolving digital landscape
Brussels, 12 February - During its latest plenary, the EDPB adopted its work programme for 2026-2027. This is the second work programme to support the implementation of the EDPB strategy 2024-2027*. The work programme is based on the priorities set out in the EDPB strategy and the needs identified as most critical for stakeholders. It also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strength
TikTok makes ad transparency commitments to comply with EU DSA
The European Commission says that TikTok has agreed to provide advertising repositories in which data is stored and managed to ensure full transparency around ads on its services, as required by the Digital Services Act