DSA & AI Act

DSA Article 27 requires online platforms that use recommender systems to explain in their terms of service the parameters the system uses, the possibility for users to adjust those parameters, and at least one option not based on profiling. These are broad transparency requirements aimed at comprehensibility for ordinary users — the emphasis is on what the system does and how users can exercise control over it.

The AI Act adds a different layer. Article 13 requires providers of high-risk AI systems to give those who deploy the system (deployers) sufficient information to interpret and assess the output. Article 14 sets requirements for human oversight: deployers must be able to intervene, stop the system and correct decisions. Recommender systems that can have significant effects on users — think news recommendations with impact on political opinion formation — may qualify as high-risk AI. Then both transparency regimes apply simultaneously: the DSA explanation to users and the AI Act documentation for deployers. The challenge is that the two regimes serve different audiences: users versus deployers.

DSA Articles 14 and 15 require hosting providers and online platforms to establish mechanisms by which users can report illegal content (notice-and-action) and to report on measures taken in response to such notifications in transparency reports. Platforms using automated systems for content moderation must explain how those systems work, how often they make mistakes, and what safeguards exist for human review.

AI Act Article 50 introduces a specific transparency obligation for AI systems that interact with people or generate content: users must be informed that they are communicating with an AI system or that content is AI-generated, unless this is obvious from the context. For content moderation AI that makes decisions about removing, hiding or demoting user contributions, the person whose content is affected additionally has a right to an explanation — an obligation fed by both the DSA (through the complaint procedure) and the AI Act (through transparency requirements). Automated content decisions without a human review option are problematic under both regulatory frameworks.

DSA Articles 34 and 35 require VLOPs and VLOSEs to conduct annual systemic risk assessments. Those assessments must identify the risks the platform poses for societal themes such as democracy, public health, safety and fundamental rights — and must demonstrate what risk mitigation measures the platform takes. External auditors then verify whether those measures are adequate. This is a broad, systems-level assessment that goes beyond individual cases.

The AI Act works with a different risk framework: for each AI system it is determined whether it is high-risk, limited-risk or minimal-risk, and on that basis specific obligations apply (technical file, conformity assessment, registration in the EU database). For platforms this means that the same algorithmic infrastructure — the recommender system, the moderation tool, the advertising platform — is simultaneously subject to the DSA systemic risk assessment and the AI Act risk classification per system. The two assessments overlap but are not identical: the DSA looks at societal systemic effects, the AI Act at risks for individual users per system.

DSA Article 25 prohibits online platforms from using so-called "dark patterns": design and interaction techniques that deceive, manipulate or nudge users into making choices that are not in their interest. Think of misleading button placement, hidden unsubscribe options, false urgency messages or the automatic reset to an algorithmic timeline after choosing chronological — a practice recently characterised as a DSA violation by a Dutch court in the case against Meta.

AI Act Article 5 prohibits AI systems that exploit subliminal techniques, exploitation of vulnerabilities or other manipulative methods to significantly influence people's behaviour in a way that harms their interests. These are prohibited practices — the most severe category in the AI Act, with fines up to €35 million or 7% of global annual turnover. The overlap is precisely at the point where AI systems are used to implement or amplify dark patterns: an algorithm that deliberately identifies vulnerable users to expose them more often to engagement-driving content falls under both prohibitions simultaneously. This is not a theoretical risk — it is precisely what regulators such as the European Commission are investigating at TikTok and Meta.

DSA Article 26 requires online platforms to make clear for every advertisement shown to a user that it is an advertisement, on whose behalf it is shown, and on the basis of which parameters the user was selected as a target. For VLOPs additional requirements apply: they must maintain a searchable register of all advertisements they display — the so-called advertising repository. And targeted advertising based on special categories of personal data (religion, political views, health) is explicitly prohibited for VLOPs.

AI-driven advertising selection touches three regulatory frameworks simultaneously here. The DSA sets transparency requirements and prohibits certain forms of targeting. GDPR requires a valid legal basis for the profiling underlying that targeting — and for special categories explicit consent is required. The AI Act adds that AI systems for advertising selection that have significant effects on individuals may be classified as high-risk, with all the documentation and transparency obligations that entails. Platforms combining AI recommendations with advertising targeting must address all these layers simultaneously in their compliance architecture.