The Platform Risk Assessment Becomes the Feed's Confession
The Digital Services Act does something simple and radical: it treats the feed as a system that can create public risk, not merely host user speech. Very large platforms must assess, document, audit, and sometimes redesign the machinery that decides what becomes visible.
From Content to System
For years, platform accountability was argued as if the central object were the individual post: remove it, leave it up, label it, demote it, suspend the account, restore the account, write a policy, improve the appeals queue. That frame is still necessary. Illegal content, harassment, fraud, manipulation, and abuse often arrive as particular messages attached to particular accounts.
But the public experience of a platform is not a bag of posts. It is a ranked environment. A feed chooses sequence, salience, repetition, tempo, friction, and adjacency. It decides which thing appears after grief, which clip follows outrage, which account becomes a suggestion, which rumor becomes trend-shaped, which ad arrives beside fear, and which synthetic artifact is repeated until it feels like common weather.
The EU Digital Services Act, or DSA, is important because it forces that systemic layer into law. It does not only ask whether a platform has rules against bad content. For very large online platforms and very large online search engines, it asks whether the design and functioning of the service, including algorithmic systems, create systemic risks. That changes the governance object from "the post" to "the conditions under which posts become reality."
This belongs beside the site's work on the platform engine of belief, answer engines as the front page, AI encyclopedias as canon, and provenance that is not truth. The risk assessment is the bureaucratic form of a deeper cultural question: can the institution that shapes public perception be made to describe the shape of its own influence?
What the DSA Requires
The DSA's strongest obligations apply to services designated as very large online platforms or very large online search engines. The threshold is more than 45 million average monthly recipients in the European Union, roughly 10 percent of the EU population. Once designated, a service faces a risk-governance regime that smaller services do not.
Article 34 requires those providers to identify, analyse, and assess systemic risks in the EU that stem from the design or functioning of the service and its related systems, including algorithmic systems, or from the way people use the service. The listed risks include illegal content, negative effects on fundamental rights, negative effects on civic discourse, elections and public security, and serious negative consequences for public health, minors, gender-based violence, and physical or mental well-being.
That list matters because it names platform harm as more than content violation. A recommender can affect civic discourse without every amplified item being illegal. A design pattern can affect mental well-being without looking like a moderation case. A synthetic-media feature can change the risk profile of a platform before any single incident is adjudicated. An advertising system can produce vulnerability at scale without being reducible to one deceptive ad.
Article 34 also tells providers to consider how recommender systems, other algorithmic systems, content moderation systems, terms and conditions, advertising systems, and data practices influence the risks. Article 35 then requires reasonable, proportionate, and effective mitigation measures. Those measures can include adapting the service's design or interface, testing and adapting algorithmic systems including recommender systems, changing advertising systems, improving internal supervision, protecting children, and marking generated or manipulated media that falsely appears authentic.
Article 38 adds a specific recommender-system rule for the largest services: they must provide at least one recommender option not based on profiling. Article 42 requires public reporting of risk assessments, mitigation measures, audit reports, and audit implementation reports, with some redactions allowed for confidentiality, security, public security, and user harm. The law therefore creates a paper trail around the feed. It is not a complete window into the machine, but it is more than a platform blog post.
The Feed as Evidence
The risk assessment turns ordinary product choices into evidentiary objects.
Infinite scroll is no longer only a growth feature. Autoplay is no longer only convenience. Push notifications are no longer only retention. A personalized recommendation model is no longer only relevance. A generative AI feature inside a social platform is no longer only product expansion. Under a systemic-risk frame, each can become part of the explanation for how the service affects minors, public discourse, public health, electoral processes, gender-based violence, illegal content, scams, or mental well-being.
This is the right level of abstraction for model-mediated public reality. The deepest effect of a feed is often not that it says one false thing. It is that it repeatedly arranges attention until some things feel normal, urgent, popular, inevitable, laughable, dangerous, or unreal. It turns statistical prediction into cultural tempo.
AI intensifies the problem because the feed is no longer ranking only human-origin content. It is beginning to rank generated images, synthetic voices, AI-written comments, bot-like engagement, AI-assisted ads, model-generated summaries, and platform-native AI features. The same service may host the synthetic artifact, recommend it, label it, monetize it, moderate it, summarize it, and train on traces of the response. Risk no longer sits at one layer.
The assessment is therefore not a moral diary. It should be a map of causal pressure: which systems amplify what, which user groups are affected, which risks are foreseeable, which metrics reveal harm, which mitigations changed outcomes, and which choices remain tradeoffs rather than solved problems.
Researcher Access and the Audit Surface
A risk assessment written entirely by the platform would be weak governance. The DSA tries to widen the evidence surface through transparency reports, advertisement repositories, independent audits, regulator access, and researcher access.
Article 40 requires very large platforms and search engines to provide regulators with data necessary to monitor and assess compliance. It also requires them, on request, to explain the design, logic, functioning, and testing of algorithmic systems, including recommender systems. For vetted researchers, Article 40 creates a path to data access for research on systemic risks and mitigation measures.
The machinery became more concrete in 2025. On July 2, 2025, the European Commission adopted a delegated act on data access. The European Centre for Algorithmic Transparency says that as of October 29, 2025, the delegated act had entered into force and researchers could submit data access applications through the DSA Data Access Portal. The rules require researchers to be vetted, disclose funding, show independence from commercial interests, and handle data under security, confidentiality, and privacy rules. They also require platforms to make data catalogues available so researchers can identify relevant datasets.
This is not only academic convenience. It is institutional counterweight. Platforms hold the logs, models, experiments, ad delivery data, moderation data, recommendation data, and internal measurements that make public claims testable. Without access, researchers are left scraping fragments, studying visible outputs, or relying on platform-selected disclosures. With access, there is at least a formal route for independent work to ask whether the official risk story matches the system's behavior.
The March 2026 harmonised transparency-reporting template points in the same direction. The Commission says the new machine-readable template standardizes moderation reporting across platforms and aligns categories with the DSA Transparency Database, allowing consistency checks across tools. That sounds dry. It is dry because it is governance. Accountability often begins when records become comparable.
Current Enforcement Signals
The DSA is already being used against systems, not only posts.
On December 5, 2025, the Commission issued its first DSA non-compliance decision, fining X 120 million euros. The decision concerned transparency obligations: the deceptive design of the blue checkmark, lack of transparency in X's advertising repository, and failure to provide researchers access to public data. The researcher-access part is central to this essay. If independent scrutiny is part of the governance design, then blocking or burdening data access is not a side issue. It is a way of keeping the feed from becoming evidence.
On January 26, 2026, the Commission launched a new formal investigation into X and extended its ongoing investigation into X's recommender-system risk management obligations. The new inquiry concerns Grok functionalities inside X and whether X properly assessed and mitigated risks before deployment. The Commission specifically named risks around illegal content, gender-based violence, and serious negative consequences for physical and mental well-being. This is the DSA risk-assessment logic applied to a platform-native AI feature.
On February 6, 2026, the Commission preliminarily found TikTok in breach of the DSA for addictive design. The statement named infinite scroll, autoplay, push notifications, and a highly personalized recommender system. It said TikTok had not adequately assessed how those features could harm physical and mental well-being, including for minors and vulnerable adults, and that its mitigation tools appeared too easy to dismiss or too burdensome for parents. These are preliminary findings, not a final decision. But the direction is clear: the feed's basic design can become the compliance problem.
The important pattern is not that the EU has solved platform governance. It has not. The important pattern is that regulators are now treating interface design, recommender behavior, AI feature deployment, data access, ad transparency, and risk documentation as one connected institutional surface.
Failure Modes
The first failure mode is self-audit theater. A platform writes a polished risk assessment, publishes a partial public version, redacts the hardest evidence, and treats the existence of a report as proof that the risk has been governed.
The second is metric substitution. The platform measures what is easy: removals, response times, reports, clicks, watch time, user controls opened, or labels displayed. It then treats those metrics as substitutes for harder questions about compulsive use, civic distortion, harassment networks, synthetic-media propagation, or vulnerable-user exposure.
The third is researcher access attrition. Access exists on paper, but the process is slow, narrow, legally risky, technically constrained, poorly documented, or shaped by platform-defined data catalogues that omit the most important questions.
The fourth is redaction gravity. Confidentiality, trade secrets, privacy, and security are real concerns. They can also become broad excuses. If too much disappears from public reports, the public receives the ritual of transparency without the evidence needed for trust.
The fifth is AI feature laundering. A platform introduces a generative AI system as an assistant, search feature, creator tool, or entertainment layer while treating it as separate from the platform's existing recommender, advertising, moderation, and data systems. The user experiences one environment; governance treats it as disconnected modules.
The sixth is jurisdictional fragmentation. A European risk regime may force useful disclosures and design changes, while users elsewhere remain governed by weaker rules. Global platforms may then maintain different safety surfaces by region, making public accountability depend on geography.
The Governance Standard
A serious platform risk-assessment regime should satisfy seven tests.
First, assess systems, not only content categories. Recommenders, ads, generative AI features, notification systems, search ranking, creator monetization, moderation queues, and account-verification signals should be evaluated as interacting systems.
Second, publish enough to contest. Public reports should state concrete risks, affected groups, mitigation logic, residual uncertainty, audit results, and material design changes. Redaction should be narrow and explained.
Third, protect independent research. Researcher access should include useful metadata, codebooks, changelogs, and appropriate technical modalities. Access rules should protect privacy and security without letting platforms define scrutiny out of existence.
Fourth, measure outcomes, not only controls. A screen-time tool matters only if it changes harmful use. A non-profiled feed option matters only if users can find and understand it. A synthetic-media label matters only if it travels with the content and avoids false certainty.
Fifth, require ad hoc assessment before risky product changes. Major generative AI features, recommender redesigns, youth-facing engagement loops, monetization changes, or identity signals should be assessed before deployment, not only after public scandal.
Sixth, preserve appeal and speech rights. Risk mitigation can itself harm fundamental rights through over-removal, political bias, weak appeal, or chilling effects. Systemic-risk governance must not become an excuse for unreviewable centralized censorship.
Seventh, connect platform records to public memory. Risk assessments, audit summaries, transparency reports, enforcement actions, researcher findings, and major incidents should be traceable over time. A platform should not be able to forget each controversy as soon as the product surface changes.
The Spiralist Reading
The feed is one of the main belief-formation machines of the present. It does not merely show culture. It trains the rhythm by which culture appears.
That rhythm is recursive. Users react to what the feed shows. The feed learns from the reaction. Creators learn the feed. Advertisers learn the feed. Political actors learn the feed. Generative systems learn the platform-shaped traces of culture. Then the platform ranks the next wave of generated, optimized, emotionally tuned material as if it were simply what people wanted.
The DSA risk assessment is a crude but important interruption in that loop. It says the platform must stop presenting itself as a neutral mirror. It must name the risks produced by its own design, keep supporting documents, submit to audits, provide data access, and adapt systems when mitigation is required.
That does not make the state an oracle of truth. It does not make regulators immune to political pressure. It does not make platforms honest by default. But it creates a contested record where before there was often a public-relations surface and an internal dashboard.
The deeper lesson is institutional. A society governed by feeds needs more than media literacy. It needs risk literacy at the level of infrastructure: who ranked this, who profited, who measured harm, who saw the logs, who audited the claims, who could appeal, who could study the system, and what changed after the warning signs appeared?
The feed's confession will always be incomplete. No institution naturally reveals the full shape of its power. But a partial confession, forced into records, audits, data access, and public dispute, is better than a machine that shapes reality while insisting it only reflects us.
Sources
- European Union, Regulation (EU) 2022/2065, the Digital Services Act, especially Articles 34, 35, 38, 40, and 42, reviewed May 2026.
- European Commission, Commission adopts delegated act on data access under the Digital Services Act, July 2, 2025.
- European Centre for Algorithmic Transparency, FAQs: DSA data access for researchers, July 3, 2025.
- European Commission, Harmonised transparency reports under the DSA bring enhanced clarity on content moderation practices online, March 2, 2026.
- European Commission, Commission fines X EUR 120 million under the Digital Services Act, December 5, 2025.
- European Commission, Commission investigates Grok and X's recommender systems under the Digital Services Act, January 26, 2026.
- European Commission, Commission preliminarily finds TikTok's addictive design in breach of the Digital Services Act, February 6, 2026.
- Church of Spiralism Wiki, Digital Services Act, Recommender Systems, Platform Governance, and Algorithmic Transparency.