Procedures for approving researchers to access platform data

DSA Data Access Portal

    Translations are provided as a service to Arcom users and are supplied “as is”, throught the DeepL tool. Consequently, only the text of the original version is authentic. Please note that not all the files have been translated.

    Find out more about translation

    Section 40 of the Digital Services Act (DSA) introduces an approval procedure for access to data held by very large online platforms (VLP) and very large online search engines (VLOS), giving approved researchers unprecedented access to data - including non-public data - held by these platforms.

    The aim of this procedure is to help reduce information disparities with the major platforms, by enabling the identification, inventory and understanding of systemic risks linked to TGPLs and TGMRs, as well as the evaluation of mitigation measures put in place by these platforms.

    Arcom has been involved in the issue of access to data from online platforms for several years. In its capacity as coordinator for digital services (CSN), it will participate in the researcher approval proceedings, making an initial assessment of the demand's compliance with the criteria set out in article 40 of the RSN.

    Where can I request approval?

    Requests for accreditation are made via the DSA Data Access Portal, a single, centralized point for making requests. Researchers interested in accreditation must register on the portal and complete a form.

    Each request must identify a principal investigator, who ensures the validity of the information provided and acts as a point of contact with the coordinators for digital services in processing the request for approval.

    Approval proceedings

    A request for approval can be sent to :

    • To the coordinator for digital services of the member state in which the research organization to which the principal investigator of the demand is affiliated is located. For researchers affiliated to a research organization located in France, this is Arcom;
    • The coordinator for institutional digital services (CSN d'établissement) of the platform provider concerned by the request.

    In all cases, the text defines a single maximum processing time for applications, equivalent to 80 working days.

    In view of the potentially large number of requests that ultimately reach the CSN d'établissement, we recommend that researchers based in France contact Arcom first, to ensure that the proceedings run smoothly and smoothly.

    Once the request has been sent by the principal investigator via the dedicated portal, Arcom carries out an initial assessment of compliance with the criteria set out in article 40 of the RSN for each researcher mentioned in the request. Arcom then forwards the file and the initial assessment to the CSN d'établissement.

    If approval is granted, the CSN d'établissement sends a reasoned demand to the TGPL/TGMR provider, containing :

    • The start and end dates of access;
    • Terms and conditions of access;
    • A summary of the demand;
    • The name and contact details of approved researchers, where necessary to allow access to the data, in accordance with the terms and conditions described in the reasoned demand.

    The platform provider may, within 15 days and under certain conditions, propose modifications to the demand. These modifications are assessed by the establishment's CSN, which may then draft a new reasoned demand if necessary. In the event of persistent disagreement with the reasoned demand following a request for modifications, the platform provider may initiate mediation.

    Apply to Arcom

    To submit your request to Arcom, fill in your request in the DSA Data Access Portal as described above and select"Digital Services Coordinator from the country of the research organisation" in the "Additional Information" tab.

    Arcom accepts requests in both French and English. Documents accompanying the request can also be supplied in both languages.

    If you have any questions or require further information, please contact Arcom at acces-aux-donnes@arcom.fr.

    We recommend that you contact us before submitting your requests via the dedicated portal, so that Arcom can assist you in the early stages of your application.

    The European Commission has also set up a Frequently Asked Questions (FAQ) section and a set of resources to help researchers navigate the portal and draft their demands.

    Conditions for approval

    Article 40.8 of the RSN defines all the criteria to be met:

    • Membership of a research organization (see frequently asked questions below for details);
    • Independence from commercial interests;
    • Mention of project funding sources (funding obtained or in the process of being obtained);
    • Description of the appropriate technical and organizational measures in place to meet data security and confidentiality requirements for each demand, in order to protect any personal data;
    • Demonstration that access to the data and the periods of access requested are necessary and proportionate for the purposes pursued by the research, and that the research project contributes to the identification, inventory or understanding of systemic risks, or to the assessment of mitigation measures taken by TGPL/TGMR in response to these risks (see frequently asked questions below for more details);
    • Demonstration that the planned research activities are being carried out for the purposes stated above;
    • A commitment to make the results of the research freely available to the public within a reasonable timeframe, subject to the rights and interests of the recipients of the service concerned.

    Calendar

    The Delegated Act on access to data under digital services legislation was adopted by the European Commission on Wednesday July 2, 2025. The proceedings came into force on October 29, 2025. This page will then be updated to inform interested researchers that it is now possible to make requests.

    Researchers can already access the portal and register. They can also send questions or requests for further information to Arcom at acces-aux-donnes@arcom.fr.

    Frequently asked questions

    Article 8 of the delegated act on access to data under the legislation on digital services, adopted on July 2, 2025, mentions a number of prerequisites necessary for drafting a reasoned demand:

    • For each researcher: evidence of affiliation to a research organization, a declaration of independence from commercial interests and a commitment to publish research results free of charge;
    • Information on project funding;
    • A description of the data required (format, scope, any metadata and documentation);
    • Information on the necessity and proportionality of access to the data, in relation to the aims of the proposed research;
    • Information on the risks identified in terms of data security and personal data protection, and the technical, legal and organizational measures put in place to counter these risks;
    • A description of the research activities planned as part of the demand;
    • A summary of the demand.

    To obtain approval, each demand must therefore contain all the above-mentioned information and documents.

    European law defines a research organization as

    "a university, including its libraries, a research institute or any other entity, the primary purpose of which is to carry out scientific research, or to engage in educational activities that also include scientific research:

    • a) on a non-profit basis or by reinvesting all profits in its scientific research;
    • or b) as part of a public-interest task recognized by a Member State ;

    in such a way that it is not possible for a company exercising a decisive influence on this organization to benefit from privileged access to the results produced by this scientific research".

    Each researcher associated with the demand must therefore prove his or her affiliation with the research organization , and each organization must be a research organization as described in the above definition.

    Article 40 of the RSN defines two methods of accessing platform data for research:

    • A previously described approval procedure for access to TGPL/TGMR data, including non-public data (article 40.4 to 40.11 of the RSN);
    • Access to publicly accessible TGPL/TGMR data (article 40.12 of the RSN), where the conditions required for access are broader than those for the approval proceedings.

    It is within the framework of article 40.12 of the RSN that the platforms have set up application programming interfaces (APIs), theoretically enabling researchers to access publicly accessible TGPL/TGMR data, without needing to demand approval from the coordinators for digital services.

    If you would like more information about access to publicly accessible TGPL/TGMR data, please contact us at recherche@arcom.fr.

    A list of existing APIs from major public data platforms is available at this address.

    Article 34 of the RSN stipulates that TGPL/TGMR "shall diligently inventory, analyze and assess any systemic risk within the Union arising from the design or operation of their services and related schemes, including algorithmic schemes, or from the use made of their services".

    4 categories of systemic risk are mentioned:

    • Diffusion of unlawful content;
    • Any actual or foreseeable negative impact on the exercise of fundamental rights;
    • Any actual or foreseeable negative effect on civic discourse, electoral processes and public safety;
    • Any actual or foreseeable negative effects related to gender-based violence, the protection of public health and persons under 18, and serious negative consequences on the physical and mental well-being of individuals.

    Article 35 of the NSR, meanwhile, states that TGPL/TGMR "shall put in place reasonable, proportionate and effective mitigation measures, adapted to the specific systemic risks identified in accordance with Article 34, taking particular account of the impact of such measures on fundamental rights". This may involve, for example, adapting online interfaces or content moderation, taking targeted measures for persons under 18, etc.

    In most cases, public TGPL and TGMR data can be accessed by means of the solutions proposed under article 40.12 of the RSN (via APIs set up by platform providers in particular).

    However, the delegated act on data access specifies that access to data, including publicly accessible data, is possible by means of an approval demand, if duly justified. Such justifications may include, for example, the case where the quality of data accessible through other sources (such as APIs intended for researchers under article 40.12 of the RSN) is poor, or if the format of the data needed to study a systemic risk is not accessible through these other sources.

    The Delegated Act on Data Access under the Digital Services Legislation specifies that researchers can rely on the following legal bases of the General Data Protection Regulation (GDPR), with regard to the processing of personal data:

    • Processing is necessary for the performance of a task carried out in the public interest ("public interest" - Article 6.1.e of the RGPD);
    • The processing is necessary for the pursuit of legitimate interests of the controller, with due respect for the rights and interests of the persons whose data is processed ("legitimate interest of the controller" - Article 6.1.f of the RGPD).

    The RGPD makes provision for a ban on the processing of so-called "sensitive" data (political opinions, religious beliefs, alleged racial or ethnic origin, etc.). Exceptions to this prohibition are, however, provided for.

    The delegated act specifies the two exemptions that can be mobilized under Article 40 of the RSN:

    • "the processing is necessary for reasons of substantial public interest, on the basis of Union law or the law of a Member State [...]" (Article 9.2.g of the RGPD);
    • "processing is necessary [...] for scientific or historical research purposes or for statistical purposes, in accordance withArticle 89(1), on the basis of Union law or the law of a Member State [...]" (Article 9.2.j of the RGPD).

    Thus, obtaining approval under Article 40 of the RSN is sufficient to allow the processing of sensitive data. Under these conditions, a submission of a case before the court to the French national data protection agency on the basis of article 44.6° of the "informatique et libertés" law is not necessary.

    The delegated act on access to data under the legislation on digital services specifies that researchers may indicate, in the sources of funding, funding in the process of being obtained for which the researchers have applied. It is therefore possible to make an accreditation demand while awaiting funding.

    Where appropriate, researchers can also demonstrate that they will be able to meet the criteria of article 40, even if funding is not ultimately obtained.

    Article 40 of the RSN clearly states that the conditions for approval must be fulfilled for each researcher. Ideally, each researcher who is going to participate in the research project should be included in a demand.

    However, should additional researchers join an ongoing project, you can submit a demand for these researcher(s), mentioning (via their identifier) the previous successful demand and repeating the relevant elements of the first approval.

    Article 40.10 of the RSN stipulates that on the basis of information from third parties or on the basis of an investigation initiated on its own initiative, the coordinator for institutional digital services may carry out an investigation that may lead to the termination of access. Before terminating access, the CSN gives the researcher the opportunity to respond to the findings of the investigation and to the intention to terminate access.

    Additional resources