Article 28 - Independent audit

Article 27 - Mitigation of risks
Article 29 - Recommender systems
  1. Very large online platforms shall be subject, at their own expense and at least once a year, to audits to assess compliance with the following:
    1. the obligations set out in Chapter III;
    2. any commitments undertaken pursuant to the codes of conduct referred to in Articles 35 and 36 and the crisis protocols referred to in Article 37.
  2. Audits performed pursuant to paragraph 1 shall be performed by organisations which:
    1. are independent from the very large online platform concerned;
    2. have proven expertise in the area of risk management, technical competence and capabilities;
    3. have proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
  3. The organisations that perform the audits shall establish an audit report for each audit. The report shall be in writing and include at least the following:
    1. the name, address and the point of contact of the very large online platform subject to the audit and the period covered;
    2. the name and address of the organisation performing the audit;
    3. a description of the specific elements audited, and the methodology applied;
    4. a description of the main findings drawn from the audit;
    5. an audit opinion on whether the very large online platform subject to the audit complied with the obligations and with the commitments referred to in paragraph 1, either positive, positive with comments or negative;
    6. where the audit opinion is not positive, operational recommendations on specific measures to achieve compliance.
  4. Very large online platforms receiving an audit report that is not positive shall take due account of any operational recommendations addressed to them with a view to take the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures they may have taken to address any instances of non-compliance identified.