CnaM Guidance Comparison

This overview is based on Guidance for Vetted Researcher Data Access provided by Coimisiún na Meán (the Irish Digital Service Coordinator).

This view compares guidance v1 (20 February 2026; Guidance for Applicants) with guidance v2 (25 May 2026; Guidance on Article 40(4-11) DSA).
HTML versions of the individual documents can be found by clicking the headers above.

In the text:

  • Light green background — wholly new in v2
  • Pink background — removed in v2
  • Red — v1 text changed or removed within a paired block
  • Green — v2 text added or changed within a paired block

In the headings: Yellow — section or paragraph reference changed.

Citation: If you wish to cite this comparison, please use the following format:

LK Seiling (2026). Comparison of Coimisiún na Meán Article 40 Data Access Guidance (v1 vs v2). DSA 40 Data Access Collaboratory. Available at: https://dsa40collaboratory.eu/cnam-guidance/.

Table of Contents

Title and publication details, 1. Introduction, 2. Overview of Guidance, 3. Overview of VR status application process, 4. How to apply, 5. Application Requirements, 6. Information to be provided (Article 40(8)), 7. Further guidance in respect of applications, 8. Access Modalities, 9. After an application for VR status is approved

Title and publication details

Title and publication details, Title (v1) → Title and publication details, Title (v2)

Guidance on Article 40 (4 - 11) DSA: Guidance for Applicants

Coimisiún na Meán

Publication date: 20 February 25th May 2026

Title and publication details, Contents (v1) → Title and publication details, Contents (v2)

1. Introduction

2. Overview of Guidance

3. Overview of VR status application process

4. How to apply

5. Application Requirements

6. Information to be provided in respect of each of the conditions in Article 40 (8) and related requirements in the Delegated Act in order for an application to be considered complete

7. Further guidance in respect of applications

8. Access Modalities

9. After an application for VR status is approved

1. Introduction

1. Introduction, Title (v1) → 1. Introduction, Title (v2)

1. Introduction

1. Introduction, 1.1, ¶1 (v1) → 1. Introduction, 1.1, ¶1 (v2)

Article 40 of the Digital Services Act ("DSA ") makes provision for certain researchers to access data from Very Large Online Platforms ("VLOPS ") or Very Large Online Search Engines ("VLOSES ") for the purposes of studying systemic risks in the EU stemming from the design, functioning or use of a VLOP /VLOSE and assessing mitigation measures implemented by the VLOP /VLOSE. Article 40 (8) of the DSA sets out the process whereby a researcher, who has been vetted or assessed by a Digital Services Coordinator ("DSC ") to have met the criteria as set out under this provision, can have a request for access to data held by a VLOP /VLOSE submitted on their behalf by the DSC. The data must be limited in scope in accordance with Article 34 and 35 of the Digital Services Act ("DSA ") and deemed necessary and proportionate to the purpose of the research.

1. Introduction, 1.2, ¶1 (v1) → 1. Introduction, 1.2, ¶1 (v2)

A Vetted Researcher ("VR ") is a researcher who:

1. Introduction, 1.2(a) (v1) → 1. Introduction, 1.2(a) (v2)
  • (a) applies to a DSC for VR status for specified research; and
1. Introduction, 1.2(b) (v1) → 1. Introduction, 1.2(b) (v2)
  • (b) is formally designated as a VR by a DSC, having met the conditions that are set out in Article 40 (8) of the DSA, and Commission Delegated Regulation (EU) 2025 /2050 of 1 July 2025 (the "Delegated Act "). for the purposes of accessing specified data for the purposes of the research outlined in their application.
1. Introduction, 1.3, ¶1 (v1) → 1. Introduction, 1.3, ¶1 (v2)

It is important to note that VR status is only awarded in respect of specific research as identified in an application. Where a person who has previously been granted VR status wishes to seek access to specified data held by a VLOP/VLOSE for the purposes of other research, a new application for VR status will need to be submitted for the purposes of that other research.

1. Introduction, 1.4, ¶1 (v1) → 1. Introduction, 1.4, ¶1 (v2)

In order to be designated as a VR for the purposes of specific research, a researcher must submit a detailed application to a DSC (through the DSA Data Access portal (the "Portal ")) which demonstrates that they meet the criteria as set out in Article 40 (8) of the DSA and related requirements set out in Commission Delegated Regulation (EU) 2025 /2050 of 1 July 2025 (the "Delegated Act "). In summary, a researcher will need to demonstrate:

1. Introduction, 1.4(a)–(g) (v1) → 1. Introduction, 1.4(a)–(g) (v2)
  • (a) They are affiliated to a research organisation[1];
  • (b) They are independent from commercial interests;
  • (c) They have disclosed the funding of the research;
  • (d) They can fulfil the specific data security, data protection and confidentiality requirements that correspond to the requested data and have described the appropriate technical and organisational measures that they have put and will put in place;
  • (e) Their access to the data and the time frames requested are necessary for, and proportionate to, the purpose of their research;
  • (f) The planned research will be carried out for the sole purposes purpose of contributing to an understanding of systemic risk in the EU stemming from the design, functioning or use of the relevant VLOP /VLOSE and the assessment of risk mitigation measures implemented by that VLOP /VLOSE; and
  • (g) They are committed to making the research results publicly available free of charge, within a reasonable period after the completion of the research.
1. Introduction, Footnote 1 (v1) → 1. Introduction, Footnote 1 (v2)

1 The term 'research organisation' has a specific definition, which is detailed further below.

1. Introduction, 1.5, ¶1 (v1) → 1. Introduction, 1.5, ¶1 (v2)

Where a DSC decides to designate a person as a VR for the specified research, the DSC will then issue a reasoned request for access to the data described in the application to the relevant VLOP/VLOSE. The VLOP/VLOSE will then be required to provide the VR with access to the specified data by way of the access modalities specified in the request, within a reasonable period specified in the request.[2]

1. Introduction, Footnote 2 (v1) → 1. Introduction, Footnote 2 (v2)

2 This is subject to the entitlement of a VLOP/VLOSE to request an amendment to the reasoned request, which is detailed further below.

2. Overview of Guidance

2. Overview of Guidance, Title (v1) → 2. Overview of Guidance, Title (v2)

2. Overview of Guidance

2. Overview of Guidance, 2.1, ¶1 (v1) → 2. Overview of Guidance, 2.1, ¶1 (v2)

Coimisiún na Meán ("An Coimisiún ") has developed this Guidance to outline inform interested researchers of the following:

2. Overview of Guidance, 2.1(a)–(b) (v1) → 2. Overview of Guidance, 2.1(a)–(b) (v2)
  • (a) the The form and manner in which applications for VR status are to be made; and
  • (b) an An overview of the process for the assessment of applications for VR status.
2. Overview of Guidance, 2.1(c) (v1) → removed in v2
  • (c) The aim of the Guidance is to help applicant researchers (referred to as "you"/ "your") to understand what is required of you for the application process and what the process will involve.
2. Overview of Guidance, 2.2, ¶1 (v1) → 2. Overview of Guidance, 2.2, ¶1 (v2)

The Guidance is informed by Irish and European legislation, in particular the DSA, the Broadcasting Act 2009 (the "2009 Act") and the Delegated Act.

2. Overview of Guidance, 2.3, ¶1 (v1) → 2. Overview of Guidance, 2.3, ¶1 (v2)

This Guidance has been provided to assist applicants for VR status in understanding the process that will be undertaken by An Coimisiún. It is not legal advice, it is not binding on An Coimisiún and it is not intended to have any impact on how any statutory provision is interpreted or applied. You The Applicant (s) and VLOP /VLOSE are advised to obtain your their own independent legal advice on the relevant statutory provisions. This Guidance may be updated and amended by An Coimisiún as considered necessary and appropriate and, subject to its obligations under applicable law, An Coimisiún reserves the right to amend its process as it sees fit.

3. Overview of VR status application process

3. Overview of VR status application process, Title (v1) → 3. Overview of VR status application process, Title (v2)

3. Overview of VR status application process

3. Overview of VR status application process, 3.1, ¶1 (v1) → 3. Overview of VR status application process, 3.1, ¶1 (v2)

The VR status application process begins with your the Applicant's registration as a researcher on the Portal.

3. Overview of VR status application process, 3.2, ¶1 (v1) → 3. Overview of VR status application process, 3.2, ¶1 (v2)

Once you have the Applicant has registered as a principal or applicant researcher on the Portal, you the Applicant will be able to access the private researcher - only area of the site. Here is where you will the Applicant submit applications for VR status for specific research.

3. Overview of VR status application process, 3.3, ¶1 (v1) → 3. Overview of VR status application process, 3.3, ¶1 (v2)

In line with the 3 2009 Act3, An Coimisiún has specified the form and manner in which an application must be made. The elements that an application is required to contain in order to be deemed complete and to proceed to the substantive assessment stage (the "Application Requirements ") are described in section 5 below. You The Applicant (s) should consult the Application Requirements before submitting any application, as failure to comply with the Application Requirements may lead to your application being rejected as incomplete (meaning that it will not proceed to the substantive assessment stage).

3. Overview of VR status application process, Footnote 3 (v1) → 3. Overview of VR status application process, Footnote 3 (v2)

3 S. 187 S187 (1) Broadcasting Act 2009

3. Overview of VR status application process, 3.4, ¶1 (v1) → 3. Overview of VR status application process, 3.4, ¶1 (v2)

When you are submitting an application via the Portal, you the Applicant (s) will have the option to submit your an application to:

3. Overview of VR status application process, 3.4(a) (v1) → 3. Overview of VR status application process, 3.5, ¶1 (v2)

The DSC of the EU Member State in which the main establishment of the provider of the VLOP or VLOSE is located or, where the provider has no establishment in the EU, where its legal representative resides or is established (referred to as the DSC of Establishment ("DSCoE ")); or

3. Overview of VR status application process, 3.4(b) (v1) → 3. Overview of VR status application process, 3.6, ¶1 (v2)

or The DSC of the EU Member State where your the Applicant (s) affiliated research organisation is based (and, where this Member State is different from the EU Member State of the DSCoE of the VLOP or VLOSE, this DSC shall be referred to as the DSC of Origin ("DSCoO ")).

3. Overview of VR status application process, 3.5, ¶1 (v1) → 3. Overview of VR status application process, 3.7, ¶1 (v2)

Where you the Applicant (s) submit submits your an application to your their DSCoO, it the DSCoO will carry out an initial assessment of your the application before transmitting it to the DSCoE. The DSCoE will then assess the application and will make a final decision on the application. If the DSCOO DSCoO deems the application is incomplete, the DSCOO DSCoO will transmit it the initial assessment to the DSCoE and, notify notifying the DSCoE of this initial view. Upon receipt of the initial assessment, and the DSCoE will proceed with its consideration of the application, first deciding whether the application should proceed.

3. Overview of VR status application process, 3.6, ¶1 (v1) → 3. Overview of VR status application process, 3.8, ¶1 (v2)

All applications must, at a minimum, be consistent with the Application Requirements. On receipt of an application, An Coimisiún will carry out what is referred to as a "Completeness Check "to ensure that the application complies with the Application Requirements. Where an application does not comply with the Application Requirements, the application will be deemed incomplete and will be rejected on that basis, without An Coimisiún proceeding to assess the substance of the application.

→ 3. Overview of VR status application process, 3.9, ¶1 (v2) (new in v2)

Applicants are responsible for ensuring that all information in their application is accurate, this includes details regarding the research organisation with which they are affiliated, and, in particular contact details for that organisation.

3. Overview of VR status application process, 3.7, ¶1 (v1) → Se3, 3.11, ¶1 (v2)

Where an application is rejected by An Coimisiún on the basis that it is incomplete, you are the Applicant (s) is encouraged to resubmit a new application which, that complies in full with the Application Requirements. For the avoidance of doubt, in these circumstances you the Applicant (s) must submit a new application via the Portal. It is not possible to seek to supplement or update your an initial application where that has been rejected, and An Coimisiún will not be in a position to consider any information or documentation submitted to it in connection with an application which that has been rejected.

→ 3. Overview of VR status application process, 3.10, ¶1 (v2) (new in v2)

It should be noted that Coimisiún na Meán, as a DSCoE will assess applications and supporting documents submitted in the English or Irish languages only.

3. Overview of VR status application process, 3.8, ¶1 (v1) → 3. Overview of VR status application process, 3.12, ¶2 (v2)

Where your an application is deemed complete, it will proceed to the assessment phase ("Assessment "). Where a DSCoO has carried out an initial assessment, this initial assessment will be considered by An Coimisiún as DSCoE in its assessment of the application. The Assessment will involve An Coimisiún considering the application and supporting documentation provided with a view to deciding whether you have the Applicant (s) has demonstrated that you they have meet met the conditions set out in Article 40 (8) of the DSA, and the related requirements set out in Article 8 of the Delegated Act.

3. Overview of VR status application process, 3.9, ¶1 (v1) → 3. Overview of VR status application process, 3.13, ¶1 (v2)

In the course of the Assessment, An Coimisiún may request further information from you the Applicant (s) regarding your an application. As detailed below, An Coimisiún may also provide the relevant VLOP /VLOSE with the opportunity to submit comments on an application. When requesting information and /or providing the opportunity to submit comments, An Coimisiún will specify a time period in which the information requested is to and /or comments should be provided. Failure to provide the information requested within the time period set out may impact the ability of An Coimisiún to proceed with the Assessment of your application. Failure to provide the information requested may lead to a decision that you have not demonstrated that you meet the designation conditions and related requirements.

3. Overview of VR status application process, 3.10, ¶1 (v1) → 3. Overview of VR status application process, 3.16, ¶1 (v2)

An Coimisiún may consult with subject matter experts in the course of the Assessment, which may require the sharing of documents in the Application.

3. Overview of VR status application process, 3.11, ¶1 (v1) → 3. Overview of VR status application process, 3.17, ¶1 (v2)

It may be necessary for An Coimisiún to share information contained in your application, the application and supporting documents with the relevant VLOP /VLOSE in order to provide give them an opportunity to submit comments on the application prior to a decision being made. Similarly, in certain circumstances, it may be necessary for An Coimisiún to share information contained in the submissions made by a VLOP /VLOSE with an Applicant in advance of a decision being made. In addition, An Coimisiún is also obliged to publish an overview of a reasoned request in the DSA data access portal once it is formulated.

3. Overview of VR status application process, 3.12, ¶1 (v1) → 3. Overview of VR status application process, 3.21, ¶1 (v2)

An Coimisiún is required to determine your an application within 80 working days of the date on which it is submitted. This 80 working day period can be extended where this is justified. Where An Coimisiún requires additional time to make its decision, it will notify you the Applicant (s) of same, explaining the basis on which additional time is required and notifying you the Applicant (s) of a new date by which the application will be determined.

→ 3. Overview of VR status application process, 3.14, ¶1 (v2) (new in v2)

In circumstances where strict timelines are provided for the conduct of an assessment and delivery of a decision by An Coimisiún as DSCoE, the delivery of additional information requested and/or comments by the Applicant(s) or a VLOP/VLOSE, as appropriate, will be time sensitive.

3. Overview of VR status application process, 3.13, ¶1 (v1) → 3. Overview of VR status application process, 3.22, ¶1 (v2)

You The Applicant (s) will be notified of An Coimisiún's decision regarding your the application via the Portal (the "Application Decision "). Where An Coimisiún decides to designate you the Applicant (s) as a VR for the specified research, An Coimisiún will proceed to issue a reasoned request for access to data to the relevant VLOP /VLOSE concerned (the "Reasoned Request ").

→ 3. Overview of VR status application process, 3.15, ¶1 (v2) (new in v2)

In light of this time sensitivity, it should be noted that failure by an Applicant(s) to provide the information requested by An Coimisiún within the time period set out may impact the ability of An Coimisiún to proceed with the Assessment of the application. In addition, a failure of the Applicant(s) to provide the information requested by An Coimisiún may lead to a decision that the Applicant(s) has not demonstrated that they meet the designation conditions and related requirements.

3. Overview of VR status application process, 3.14, ¶1 (v1) → 3. Overview of VR status application process, 3.23, ¶1 (v2)

On receipt of the Reasoned Request, the VLOP /VLOSE must either proceed to provide you the Applicant (s) with access to the requested data within the time period specified in the Reasoned Request, in accordance with the terms of the Reasoned Request or, within 15 days of receipt of the Reasoned Request, submit a proposal for an amendment to the Reasoned Request (an "Amendment Request ") on the basis that:

3. Overview of VR status application process, 3.14(a) (v1) → 3. Overview of VR status application process, 3.23(a)–(b) (v2)
  • (a) They do not have access to the data; or
  • (b) Giving access to the data would lead to significant vulnerabilities in the security of their service or the protection of confidential information, in particular trade secrets.
→ 3. Overview of VR status application process, 3.18, ¶1 (v2) (new in v2)

In light of this, if there is any information in an application and supporting documentation and/or submissions which the Applicants and/or VLOPS/VLOSES consider to be confidential, the Applicant(s) and VLOPS/VLOSES should clearly identify that information and explain why they believe it should not be shared or published. Confidential information may include commercially sensitive information (whether to the Applicant(s) or VLOP/VLOSE or to another party, such as the research organisation with which the Applicant(s) are affiliated).

3. Overview of VR status application process, 3.15, ¶1 (v1) → 3. Overview of VR status application process, 3.24, ¶1 (v2)

An Coimisiún will determine any Amendment Request submitted to it in accordance with the DSA and Delegated Act within a further 15 days. To enable An Coimisiún to make its determination, it may issue requests for information to you the Applicant (s) and /or the VLOP /VLOSE concerned and /or consult with subject matter experts. If the amendment proposal is accepted by An Coimisiún, a new Reasoned Request will be formulated by An Coimisiún and issued to the VLOP /VLOSE, who will then be required to comply with the revised terms of the Reasoned Request. You The Applicant (s) will be notified of the decision of An Coimisiún in relation to any Amendment Request and provided with the amended Reasoned Request, where applicable.

→ 3. Overview of VR status application process, 3.19, ¶1 (v2) (new in v2)

When claiming that information is confidential, Applicants and VLOPS/VLOSES should:

→ 3. Overview of VR status application process, 3.19(a)–(d) (v2) (new in v2)
  • (a) Identify those specific pieces of information in respect of which confidentiality is claimed;
  • (b) Explain the basis upon which confidentiality is claimed and, in doing so, clearly identify the harm that would result from the disclosure of the information claimed to be confidential;
  • (c) Provide i) a non-confidential version and ii) a confidential version of each of the relevant documents to An Coimisiún. The non-confidential version of relevant documents should redact the information in respect of which confidentiality is claimed; and
  • (d) provide a non-confidential summary of information in respect of which confidentiality is claimed.
→ 3. Overview of VR status application process, 3.20, ¶1 (v2) (new in v2)

Please note that, in general terms, Applicants and VLOPS/VLOSES may not claim confidentiality over an entire document or whole sections of a document. It should be possible to protect confidential information with limited redactions; entirely blank or blacked-out pages without justification will not be accepted. An Coimisiún retains the discretion to share or publish whatever information An Coimisiún considers necessary.

3. Overview of VR status application process, 3.16, ¶1 (v1) → 3. Overview of VR status application process, 3.25, ¶1 (v2)

You The Applicant (s) will also be notified through the Portal in the event An Coimisiún decides that your the application does not demonstrate that you the Applicant (s) meet the designation conditions and related requirements and, accordingly, refuses to designate you the Applicant (s) as a VR for the specified research. Where your an application has been refused, if you the Applicant (s) wish to challenge the refusal, you the Applicant (s) will have 14 days from the date of service of the notification of this decision to request a review by an independent reviewer (a "Review Request ") of the Application Decision.

4. How to apply

4. How to apply, Title (v1) → 4. How to apply, Title (v2)

4. How to apply

4. How to apply, 4.1, ¶1 (v1) → 4. How to apply, 4.1, ¶1 (v2)

Applications must be submitted via the Data Access Application Portal ("Portal ").

4. How to apply, 4.2, ¶1 (v1) → 4. How to apply, 4.3, ¶1 (v2)

To access the features available on the private area of the Portal, which is necessary in order to make an application, each researcher needs to have EU login credentials and a profile created on the Portal.

4. How to apply, 4.3, ¶1 (v1) → 4. How to apply, 4.3, ¶2 (v2)

Each researcher participating in a VR status application should have a dedicated profile created on the Portal for submitting VR status applications as principal researcher or as applicant researcher on the VR status application.

5. Application Requirements

5. Application Requirements, Title (v1) → 5. Application Requirements, Title (v2)

5. Application Requirements

5. Application Requirements, 5.1, ¶1 (v1) → 5. Application Requirements, 5.1, ¶1 (v2)

An application shall be made in the form and manner specified by An Coimisiún4 and this section of the Guidance sets out what an application must contain in order for it to be considered by An Coimisiún to be a complete application. Failure to comply with the Application Requirements may lead to your an application being rejected as incomplete meaning that it will not proceed to the Assessment stage.

5. Application Requirements, 5.2, ¶1 (v1) → 5. Application Requirements, 5.2, ¶1 (v2)

You are The Applicant (s) is responsible for demonstrating that you they satisfy the conditions set out in Article 40 (8) of the DSA and related requirements set out in the Delegated Act and you the Applicant (s) must submit all of the information and the documentary evidence specified in this Guidance and /or as may be requested at a later stage by An Coimisiún. It is important that you the Applicant (s) ensure full and accurate information is provided to avoid any delays to the application process and to avoid your an application being closed on the basis that it is incomplete.

5. Application Requirements, 5.3, ¶1 (v1) → 5. Application Requirements, 5.3, ¶1 (v2)

In assessing an application, An Coimisiún will have regard to the information submitted by you the Applicant (s) and also to information available to it from its own independent information - gathering and research that may be relevant to its verification of the information submitted by you the Applicant (s). An Coimisiún may also take into account information provided to it by the VLOP /VLOSE in connection with your an application.

5. Application Requirements, 5.3, ¶2 (v1) → 5. Application Requirements, Footnote 4 (v2)

4 Section 187(1) of the 2009 Act.

6. Information to be provided (Article 40(8))

6. Information to be provided (Article 40(8)), Title (v1) → 6. Information to be provided (Article 40(8)), Title (v2)

6. Information to be provided in respect of each of the conditions in Article 40(8) and related requirements in the Delegated Act in order for an application to be considered complete

6. Information to be provided (Article 40(8)), Heading (6.1) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.1) (v2)

Article 40(8)(a) - Demonstrating Affiliation to Research Organisation

6. Information to be provided (Article 40(8)), 6.1, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.1, ¶1 (v2)

For each applicant researcher, the application must demonstrate (i) affiliation to a research organisation. For these purposes 'research organisation' has the definition given to it in Article 2, point (1), of Directive (EU) 2019/790 of the European Parliament and of the Council and includes civil society organisations that are conducting scientific research with the primary goal of supporting their public interest mission (a "Research Organisation"). In order to be deemed complete, the application must contain information and documentation which will allow An Coimisiún to assess, in respect of each applicant researcher, their affiliation to a Research Organisation.

6. Information to be provided (Article 40(8)), 6.1, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.1, ¶2 (v2)

This may include, but is not limited to, providing at least one and, in some situations, more than one, of the items listed below. Applicants should consider, having regard to their particular circumstances, what information and documentation should be provided in order for their application to demonstrate affiliation to a Research Organisation:

6. Information to be provided (Article 40(8)), Subheading (6.1) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.1) (v2)

Affiliation

6. Information to be provided (Article 40(8)), 6.1(a)–(d) (v1) → 6. Information to be provided (Article 40(8)), 6.1(a)–(d) (v2)
  • (a) Proof of legal association with a Research Organisation;
  • (b) Contract of employment for the researcher in question;
  • (c) Funding award letter;
  • (d) Ethical approval letter;
6. Information to be provided (Article 40(8)), 6.1(e) (v1) → removed in v2
  • (e) Formal letter signed by Research Organisation stating that the researcher is affiliated with the organisation;
6. Information to be provided (Article 40(8)), 6.1(f) (v1) → 6. Information to be provided (Article 40(8)), 6.1(e) (v2)
  • (e) Confirmation researcher may rely on Research Organisation's technical and organisational information security measures to address conditions set out in Article 40 (8) (d).
6. Information to be provided (Article 40(8)), Subheading (6.1) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.1) (v2)

Research Organisation

6. Information to be provided (Article 40(8)), 6.1(a)–(h) (v1) → 6. Information to be provided (Article 40(8)), 6.1(a)–(h) (v2)
  • (a) Annual Reports, Financial Statements, Returns etc. from the legal entity showing that a significant portion of funding is allocated to research activities and the organisation operates on a not - for - profit basis;
  • (b) For public institutions, links to the legal text creating the institution;
  • (c) Links to relevant sections of the website of the Research Organisation;
  • (d) Relevant, Articles of Association, or Constitution, a public interest mission recognised by an EU Member State;
  • (e) Governance relating to the board of the Research Organisation;
  • (f) If on a not-for-profit basis, documentation evidencing the not-for-profit or charity status of the Research Organisation;
  • (g) If on a 'for profit' basis, evidence that shows that all profits are reinvested in scientific research such as annual reports or financial statements; and/or
  • (h) Confirmation that the results generated by the organisation's research are not used on a preferential basis by any party that exercises decisive influence on the organisation, including special or exclusive access, early access to findings etc.
6. Information to be provided (Article 40(8)), Heading (6.2) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.2) (v2)

Article 40(8)(b) - Demonstrating Independence from Commercial Interests

6. Information to be provided (Article 40(8)), 6.2, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.2, ¶1 (v2)

For each applicant researcher, the application must demonstrate independence from commercial interests. A completed declaration of independence from commercial interests must be provided by each applicant researcher.

6. Information to be provided (Article 40(8)), 6.2, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.2, ¶2 (v2)

Other documentation which may be demonstrative of independence from commercial interests includes but is not limited to documents relating to:

6. Information to be provided (Article 40(8)), 6.2, ¶3 (v1) → 6. Information to be provided (Article 40(8)), 6.2(a) (v2)
  • (a) The Research Organisation's ownership structure and who makes strategic decisions;
6. Information to be provided (Article 40(8)), 6.2(a)–(e) (v1) → 6. Information to be provided (Article 40(8)), 6.2(b)–(f) (v2)
  • (b) The Research Organisation's financing model (and if the model includes multiple sources of financing, specifying same);
  • (c) The Th existence of financing agreements;
  • (d) The existence of any partnership agreements;
  • (e) Any codes of conduct and ethics of the researchers as well as the conflict - of - interest policy;
  • (f) Confirmation of the absence of, or if applicable an explanation of any:
6. Information to be provided (Article 40(8)), 6.2(e)(i) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(i) (v2)

(i) Conflict of interest that would result in the applicant researcher not being independent from commercial interests;

6. Information to be provided (Article 40(8)), 6.2(e)(ii) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(ii) (v2)

(ii) Funding from commercial / private / semi-private entities;

6. Information to be provided (Article 40(8)), 6.2(e)(iii) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(iii) (v2)

(iii) Financial interest in any VLOP/VLOSE or competitor of any VLOP/VLOSE;

6. Information to be provided (Article 40(8)), 6.2(e)(iv) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(iv) (v2)

(iv) Previous employment with any VLOP/VLOSE or competitor of any VLOP/VLOSE within the last three years;

6. Information to be provided (Article 40(8)), 6.2(e)(v) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(v) (v2)

(v) A material business relationship with a VLOP/VLOSE or competitor of any VLOP/VLOSE, either directly or through any other organisation in which the applicant researcher is a partner, shareholder, director, senior employee, etc.;

6. Information to be provided (Article 40(8)), 6.2(e)(vi) (v1) → 6. Information to be provided (Article 40(8)), 6.2(f)(vi) (v2)

(vi) Close familial ties with any shareholder, director, or senior employee of a VLOP /VLOSE.

6. Information to be provided (Article 40(8)), Heading (6.3) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.3) (v2)

Article 40 (8) (c) - Information Required in Relation to the Funding of the Research

6. Information to be provided (Article 40(8)), 6.3, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.3, ¶1 (v2)

The application must disclose the funding of the research the subject of the application. To comply with this condition, information and/or documentation must be provided which discloses the funding of the research, to include details on financial and non-financial contributions supporting the research the subject of the application.

6. Information to be provided (Article 40(8)), 6.3, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.3, ¶2 (v2)

This may include, but is not limited to, the documents and information listed below. The Applicants Applicant (s) should consider their particular circumstances, and determine what information and documentation should be provided in order to demonstrate that their application discloses the funding of the research:

6. Information to be provided (Article 40(8)), 6.3(a)–(g) (v1) → 6. Information to be provided (Article 40(8)), 6.3(a)–(g) (v2)
  • (a) Details of financial contributions, both public or private, supporting the research project for which the data are requested and the dates of any relevant funding. This should include financial contributions already obtained at the time of the submission of the application or possible financial contributions which have been applied for but in respect of which decisions are pending;
  • (b) Details of non-financial contributions the research project would benefit from, such as contributions in-kind, the use of facilities, or structural reliance on expertise;
  • (c) Details of any indirect funding, such as sources of salaries or other payments of researcher;
  • (d) Copy of any funding award letter;
  • (e) Copy of any grant agreement;
  • (f) A declaration signed by each applicant researcher, declaring that except for the third- party funding disclosed by the applicant researcher, the applicant researcher does not intend to rely on any funding to perform the research other than indirect funding or non- financial support provided by the applicant researcher's Research Organisation of affiliation;
  • (g) Copy of any grant agreement; Information on funding as to any arrangements in place to bridge funding or otherwise support the work should the current funding award end before the data access duration date.
6. Information to be provided (Article 40(8)), 6.3, ¶3 (v1) → 6. Information to be provided (Article 40(8)), 6.3, ¶3 (v2)

The information provided by you the Applicant (s) should include details of any contributions, such as the funding entity, the amount, the nature and duration of the contribution, including whether the funding has already been awarded or is still under evaluation, as well as, where applicable, relevant references to EU funded projects.

6. Information to be provided (Article 40(8)), 6.3, ¶4 (v1) → 6. Information to be provided (Article 40(8)), 6.3, ¶4 (v2)

Where available, the VR status application should also include the outcomes of evaluations conducted by the entity providing the funding.

6. Information to be provided (Article 40(8)), Heading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.4) (v2)

Article 40 (8) (d) - Demonstrating capability to fulfil specific data security, confidentiality, and personal data protection requirements

6. Information to be provided (Article 40(8)), 6.4, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶1 (v2)

The application must demonstrate that the researchers Applicant (s) are capable of fulfilling the specific data security and confidentiality requirements corresponding to the requested data and to protect personal data (where relevant).

6. Information to be provided (Article 40(8)), 6.4, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶2 (v2)

The application must include information on the identified risks in terms of confidentiality, data security and personal data protection related to the data that would be accessed, a description of the technical, legal and organisational measures that will be put in place, including, where possible, suggested access modalities, to mitigate such risks when processing the requested data.

6. Information to be provided (Article 40(8)), 6.4, ¶3 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶3 (v2)

This must include:

6. Information to be provided (Article 40(8)), 6.4(a)–(e) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a) (v2)
  • (a) Description of technical, legal, and organisational measures to mitigate the above risks;
  • (b) Identification of data security and confidentiality risks associated with the request;
  • (c) Details on proposed access modality and its associated technical security measures.;
  • (d) Description of whether the data is pseudonymised or relates to an individual who is identified or identifiable without the need for any additional information;
  • (a) Information demonstrating compliance with data protection legislation, including an assessment of the risks that the processing of personal data would entail for data subjects;
6. Information to be provided (Article 40(8)), 6.4(f) (v1) → 6. Information to be provided (Article 40(8)), 6.4(b) (v2)
  • (b) Relevant data protection documentation identifying the roles and responsibilities within the meaning of data protection legislation; Description of the legal basis to be used under GDPR; and
6. Information to be provided (Article 40(8)), 6.4(g) (v1) → 6. Information to be provided (Article 40(8)), 6.4(d) (v2)
  • (d) Description of technical, organisational and legal and organisational measures to mitigate the risks relating to personal data.
6. Information to be provided (Article 40(8)), 6.4, ¶4 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶4 (v2)

Further guidance in respect of compliance with Article 40(8)(d) is set out below under different headings.

6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Data Security

6. Information to be provided (Article 40(8)), 6.4, ¶5 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶6 (v2)

Documents which may be provided in order to demonstrate that you the Applicant (s) can fulfil the specific data security requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. The Applicants Applicant (s) should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

6. Information to be provided (Article 40(8)), 6.4(a)–(m) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(m) (v2)
  • (a) ICT Security assessment;
  • (b) Security accreditation of investigators or entities;
  • (c) Software security assessments or technical assessments;
  • (d) Detailed description of technical security measures of proposed access modality;
  • (e) Privacy policies of Secure Processing Environment (SPE);
  • (f) Contract and T&Cs of SPE;
  • (g) ISO Standards certification;
  • (h) IT security documentation related to Research Organisation IT (if relevant);
  • (i) Data Management Plan (DMP) with Research Organisation review/ recommendations;
  • (j) Data Protection Impact Assessment (DPIA) with Data Protection Officer (DPO) review/ recommendations;
  • (k) Record of Processing Activities (ROPA);
  • (l) Any other documentation which demonstrate demonstrates the implementation of data security best practices; and
  • (m) Declaration signed by Research Organisation that the researcher may use the research organisation's technical and organisational measures to fulfil the data security requirements that correspond to the requested data.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Data Confidentiality

6. Information to be provided (Article 40(8)), 6.4, ¶6 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶5 (v2)

Documents which may be provided in order to demonstrate that you the Applicant (s) are capable of fulfilling the specific data confidentiality requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. Applicants should consider, having regard to the subject matter of your the application, what documentation should be provided for this purpose.

6. Information to be provided (Article 40(8)), 6.4(a)–(h) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(h) (v2)
  • (a) Data Management Plan with Research Organisation review /recommendations;
  • (b) Data Flow Diagram (DFD);
  • (c) Data Protection Impact Assessment (DPIA) with DPO review /recommendation;
  • (d) Record of Processing Activities (ROPA);
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation;
  • (f) Statement of understanding that only aggregate or summary results should be published;
  • (g) Statement of understanding that raw or individual level data should not be published;
  • (h) Declaration signed by Research Organisation that the researcher may use the Research Organisation's technical and organisational measures to fulfil the data confidentiality requirements that correspond to the requested data.
  • (i) Organisation's technical and organisational measures to fulfil the data confidentiality requirements that correspond to the requested data.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Personal Data Protection

6. Information to be provided (Article 40(8)), 6.4, ¶7 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶7 (v2)

Documents which may be provided in order to demonstrate that you the Applicants (s) are capable of fulfilling the specific personal data protection requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. The Applicants Applicant (s) should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

6. Information to be provided (Article 40(8)), 6.4(a) (v1) → 6. Information to be provided (Article 40(8)), 6.4(b) (v2)
  • (b) Data Flow Diagram (DFD);
6. Information to be provided (Article 40(8)), 6.4(b) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a) (v2)
  • (a) Data Management Plan (DMP) with Research Organisation review /DPO review recommendations;
6. Information to be provided (Article 40(8)), 6.4(c)–(j) (v1) → 6. Information to be provided (Article 40(8)), 6.4(c)–(j) (v2)
  • (c) Data Protection Impact Assessment (DPIA) with DPO review /recommendations;
  • (d) Record of Processing Activities (ROPA);
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation;
  • (f) Statement of understanding that only aggregate or summary results should be published;
  • (g) Statement of understanding that raw or individual level data should not be published;
  • (h) Statement that no attempt to reidentify data subjects will be made;
  • (i) Declaration signed by research organisation that the researcher may use the research organisation's technical, organisational and organisational legal measures to fulfil the personal data protection requirements that correspond to the requested data;
  • (j) Description of the legal basis to be used under GDPR.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Technical Measures to Protect Data

6. Information to be provided (Article 40(8)), 6.4, ¶8 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶8 (v2)

In order to comply with the condition that you the Applicant (s) demonstrate in your the application the appropriate technical measures that you have the Applicant (s) has put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your the application, what documentation should be provided for this purpose:

6. Information to be provided (Article 40(8)), 6.4(a)–(e) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(e) (v2)
  • (a) Detailed description of technical security measures of proposed access modality;
  • (b) ISO 27001, ISO 27002, ISO 27701 Certification or similar;
  • (c) SOC2 Attestation Report or similar;
  • (d) NIS2 Directive compliance or similar; and/or
  • (e) A declaration signed by Research Organisation that the researcher may use the Research Organisation's technical measures to fulfil the technical measures requirements that correspond to the requested data.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Organisational Measures to Protect Data

6. Information to be provided (Article 40(8)), 6.4, ¶9 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶9 (v2)

In order to comply with the condition that you the Applicant (s) demonstrate in your the application the appropriate organisational measures that you have been put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your the application, what documentation should be provided for this purpose:

6. Information to be provided (Article 40(8)), 6.4(a)–(f) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(f) (v2)
  • (a) Data sharing agreement;
  • (b) Non-disclosure agreements;
  • (c) Data management policies;
  • (d) Ethical or methodological review/approval;
  • (e) Data Protection Training certificates or similar;
  • (f) Data Breach policy of Research Organisation;
6. Information to be provided (Article 40(8)), 6.4, ¶10 (v1) → 6. Information to be provided (Article 40(8)), 6.4(g) (v2)
  • (g) Undertaking by researcher prohibiting them from disclosing the data to any person (s) not named in their applications application, prohibition against the use or disclosure of data in any manner that was not described in the application;
6. Information to be provided (Article 40(8)), 6.4, ¶11 (v1) → 6. Information to be provided (Article 40(8)), 6.4(h) (v2)
  • (h) Declaration signed by the Research Organisation that the researcher may use the Research Organisation's organisational measures to tofulfil fulfil the organisational measures requirements that correspond to the requested data.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Legal Measures to protect Data

6. Information to be provided (Article 40(8)), 6.4, ¶12 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶10 (v2)

In order to comply with the requirement that you the Applicant (s) demonstrate in your the request the appropriate legal measures that you have been put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your the application, what documentation should be provided for this purpose.;

6. Information to be provided (Article 40(8)), 6.4(a)–(d) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(d) (v2)
  • (a) Data sharing agreement;
  • (b) Non-disclosure agreement;
  • (c) Data processing agreement with any third party who will process the data on your behalf;
  • (d) Other contractual protections.
6. Information to be provided (Article 40(8)), Subheading (6.4) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.4) (v2)

Special Considerations for International Personal Data Transfers

6. Information to be provided (Article 40(8)), 6.4, ¶13 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶11 (v2)

Some or all of the data that will be accessed by you the Applicant (s) if you are granted VR status might not constitute personal data. However, if you the Applicant (s) will access any personal data, your the application should indicate whether there will be any'international personal data transfer'for the purposes of the GDPR. An international personal data transfer is the transfer of personal data to a country outside of the European Economic Area ("EEA ").

6. Information to be provided (Article 40(8)), 6.4, ¶14 (v1) → 6. Information to be provided (Article 40(8)), 6.4, ¶12 (v2)

The meaning of transfer is extremely broad. It does not require a physical handover of data or direct transfer and can include remote access from a third country. Some examples of what where there may be constitute an international personal data transfer include includes, but is not limited to:

6. Information to be provided (Article 40(8)), 6.4(i) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a) (v2)
  • (a) You are A situation where the Applicant (s) /the affiliated Research Organisation is located /established in a country outside the EEA;
6. Information to be provided (Article 40(8)), 6.4(ii) (v1) → 6. Information to be provided (Article 40(8)), 6.4(b) (v2)
  • (b) A situation where the Applicant (ii s) Even if you are /the affiliated Research Organisation is located /established within the EEA,; however the data will be hosted /provided /accessed on a platform which is outside the EEA.
6. Information to be provided (Article 40(8)), 6.4, ¶15 (v1) → removed in v2

If there will be an international personal data transfer if you are granted VR status, the application must demonstrate that you will ensure compliance with the obligations under the GDPR in connection with such transfer, i.e. that the access will be covered by

6. Information to be provided (Article 40(8)), 6.4(i) (v1) → 6. Information to be provided (Article 40(8)), 6.4(a)–(b) (v2)
  • (a) the The third country being covered by an'adequacy decision,',
  • (b) (ii) appropriate Appropriate safeguards for data subjects'rights (e. g. you the Applicant will enter into Standard Contractual Clauses governing the transfer and that a positive Transfer Impact Assessment has been completed).
6. Information to be provided (Article 40(8)), Heading (6.5) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.5) (v2)

Article 40 (8) (e): - Demonstrating Proposed Access and Time Frames are necessary for, and proportionate to the purpose of the research

6. Information to be provided (Article 40(8)), 6.5, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶1 (v2)

The application must demonstrate that access to the data and the time frames requested are necessary for, and proportionate to, the purposes of the applicant Applicant'(s) research, and that the expected results of that research will contribute to the purposes laid down in Article 40 (4) DSA. Article 40 (4) provides for access to data "for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the Union, as set out in Article 34 (1), and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35. "

6. Information to be provided (Article 40(8)), 6.5, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶2 (v2)

The application must contain:

6. Information to be provided (Article 40(8)), 6.5(a)–(c) (v1) → 6. Information to be provided (Article 40(8)), 6.5(a)–(c) (v2)
  • (a) a A description of the data requested, including format, scope and, where possible, the specific attributes, relevant metadata and data documentation, also considering the information made available pursuant to Article 6 (4) of the Delegated Act (i. e. information in the VLOP /VLOSE's DSA data catalogue);
  • (b) information Information on the necessity and proportionality of the access to the data and the time frames for the purposes of the research for which the data are requested; and
  • (c) a A description of the research activities to be conducted with the requested data and an estimation of the required duration of the access.
6. Information to be provided (Article 40(8)), 6.5, ¶3 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶3 (v2)

Further guidance in respect of compliance with Article 40(8)(e) is set out below under different headings.

6. Information to be provided (Article 40(8)), Subheading (6.5) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.5) (v2)

Necessity and Proportionality of Access:

→ 6. Information to be provided (Article 40(8)), 6.4, ¶13 (v2) (new in v2)

If an international personal data transfer will be involved should the Applicant(s) be granted VR status, the application must demonstrate that the Applicant(s) will ensure compliance with the obligations under the GDPR in connection with such transfer, i.e. that the access will be covered by:

6. Information to be provided (Article 40(8)), 6.5, ¶4 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶4 (v2)

In order to demonstrate that the access to data you from the Applicant (s) request is necessary and proportionate, documents to be provided may include those listed below. The Applicants Applicant (s) should consider, having regard to the subject matter of your the application, what documentation should be provided in order to demonstrate that the access to data you request requested is necessary and proportionate:

6. Information to be provided (Article 40(8)), 6.5(a)–(d) (v1) → 6. Information to be provided (Article 40(8)), 6.5(a)–(d) (v2)
  • (a) Data Management Plan (DMP) with Research Organisation review / recommendations
  • (b) Data Protection Impact Assessment (DPIA) with DPO review /recommendations;
  • (c) Necessity assessment or other such documentation demonstrating the access to data are necessary; and
  • (d) Proportionality assessment or other such documentation demonstrating the access to data are proportionate.
6. Information to be provided (Article 40(8)), 6.5, ¶5 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶5 (v2)

In respect of the necessity and proportionality of access, an application should consider, and where appropriate, address the following:

6. Information to be provided (Article 40(8)), 6.5(a) (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶6 (v2)

A clear description of data variables requested is expected, which should include format, scope and where possible specific attributes, relevant metadata, and data documentation. Researchers should ask for the exact data they would like require access to and that they believe the VLOP /VLOSE may have;

6. Information to be provided (Article 40(8)), 6.5(b)–(m) (v1) → 6. Information to be provided (Article 40(8)), 6.5(a)–(l) (v2)
  • (a) Each variable or groups of variables (particularly where personal data is concerned) must be necessary for the project and this should be described by the researcher;
  • (b) Researchers should demonstrate that the amount, scope, granularity, and type of data requested do not exceed what is necessary to achieve the research objectives;
  • (c) Researchers should describe how the data and data format were selected;
  • (d) Whether data requested are aggregate data or individual level data;
  • (e) Whether data requested are anonymous, pseudonymised or identifiable data;
  • (f) Researchers should provide a description of why these data must be used (as opposed to aggregate data or anonymous data for example);
  • (g) Researchers should consider whether there is a less intrusive way to complete the research;
  • (h) Is the amount of data being collected comparable to that used in other research projects or articles on the same topic?
  • (i) Any data minimisation is clearly described and justified;
  • (j) That the research question /hypothesis is sound and is achievable with the data requested;
  • (k) That the access requested balances the impact on the rights and interests (e. g. commercial interests, interests in confidential information, intellectual property rights, data protection rights, etc.) of (i) the data subjects; (ii) the VLOP /VLOSE; and (iii) any other affected third parties, and researchers should describe their assessment of same; and
  • (l) The importance of the objective should be described.
6. Information to be provided (Article 40(8)), Subheading (6.5) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.5) (v2)

Necessity and Proportionality of Timeframe of Access:

6. Information to be provided (Article 40(8)), 6.5, ¶6 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶7 (v2)

In order to demonstrate that the timeframe of access to data you request requested is necessary and proportionate, documents to be provided may include:

6. Information to be provided (Article 40(8)), 6.5(a)–(d) (v1) → 6. Information to be provided (Article 40(8)), 6.5(a)–(d) (v2)
  • (a) Data Management Plan (DMP) with Research Organisation review/recommendations;
  • (b) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations;
  • (c) Necessity assessment or other such documentation demonstrating the timeframe to data are necessary; and/or
  • (d) Proportionality assessment or other such documentation demonstrating the timeframe to data are proportionate.
6. Information to be provided (Article 40(8)), 6.5, ¶7 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶8 (v2)

In respect of the necessity and proportionality of timeframe of access, an application should address the following:

6. Information to be provided (Article 40(8)), 6.5(e)–(h) (v1) → 6. Information to be provided (Article 40(8)), 6.5(a)–(d) (v2)
  • (a) A description of the timeframe in relation to the data requested, including whether it is requested as at a set timepoint, or over a time range;
  • (b) A description of how long the researcher will need access to data for and a justification of why the timeframe is necessary;
  • (c) A justification of the data retention period described;
  • (d) A breakdown of the research project timeline, i. e., the duration of data cleaning, data analysis, report writing, peer review, publication etc;
6. Information to be provided (Article 40(8)), 6.5, ¶8 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶9 (v2)

Researchers Applicants should demonstrate why the timeframe for access to data requested is adequate to achieve the envisaged objective of the research.

6. Information to be provided (Article 40(8)), 6.5, ¶9 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶10 (v2)

In cases whereby researchers Applicants request access to live systems, or live data, they should explain why it is proportionate, and why the research could not be achieved through the examination of historical data.

6. Information to be provided (Article 40(8)), Subheading (6.5) (v1) → 6. Information to be provided (Article 40(8)), Subheading (6.5) (v2)

Expected Results

6. Information to be provided (Article 40(8)), 6.5, ¶10 (v1) → 6. Information to be provided (Article 40(8)), 6.5, ¶11 (v2)

In addition, researchers Applicants must describe how the results sought to be achieved will contribute toward the detection, identification and understanding of systemic risks in the EU, as set out pursuant to Article 34 (1) of the DSA, and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35 of the DSA, and should describe both the benefits and risks associated with the proposed research. A Data Management Plan or Data Protection Impact Assessment with Research Organisation review /will again be considered by An Coimisiún in this regard.

6. Information to be provided (Article 40(8)), Heading (6.6) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.6) (v2)

Article 40 (8) (f): - Demonstrating that research activities will be carried out for the purposes laid down in Article 40 (4) DSA

6. Information to be provided (Article 40(8)), 6.6, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.6, ¶1 (v2)

In order to comply with the condition that you the Applicant (s) demonstrate that the research activities will be carried out for the purposes laid down in Article 40 (4) DSA, you the Applicant (s) must provide the following documentation and information:

6. Information to be provided (Article 40(8)), 6.6(a)–(c) (v1) → 6. Information to be provided (Article 40(8)), 6.6(a)–(c) (v2)
  • (a) A description of the research activities to be conducted with the requested data and an estimation of the required duration of the access;
  • (b) A summary of the application including the research topic; and
  • (c) A description of the purpose pursuant to DSA Articles 34 and 35. This should cover research activities and methodology and give details of how they are connected to Article 34 (systemic risks) and Article 35 (mitigation measures) and related to the specific VLOP/VLOSE.
6. Information to be provided (Article 40(8)), 6.6, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.6, ¶2 (v2)

A link should be made between the systemic risks and the design or functioning of the VLOP /VLOSE's service and its related systems or use of the VLOP /VLOSE's service. An Coimisiún will assess whether the application demonstrates that the research described does or will be carried out for the purposes of contributing to the detection, identification and understanding of systemic risks in the EU stemming from the design, functioning or use of the VLOP /VLOSE, and] to the assessment of the adequacy, efficiency and impacts of risk mitigation measures.

6. Information to be provided (Article 40(8)), 6.6, ¶3 (v1) → 6. Information to be provided (Article 40(8)), 6.6, ¶3 (v2)

The application should describe the specific systemic risks in the EU stemming from the design or functioning of the service in question and its related systems, including algorithmic systems, or from the use made of said services that are the intended focus of the research. The following non-exhaustive examples of such systemic risks are set out in the DSA:

6. Information to be provided (Article 40(8)), 6.6(a)–(d) (v1) → 6. Information to be provided (Article 40(8)), 6.6(a)–(d) (v2)
  • (a) The dissemination of illegal content through the VLOP/VLOSE;
  • (b) Any actual or foreseeable negative effects for the exercise of fundamental rights;
  • (c) Any actual or foreseeable negative effects on civic discourse and electoral processes, and public security;
  • (d) Any actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person's physical and mental well-being.
6. Information to be provided (Article 40(8)), 6.6, ¶4 (v1) → 6. Information to be provided (Article 40(8)), 6.6, ¶4 (v2)

Other potential systemic risks include any systemic risks identified by the relevant VLOP /VLOSE in its own risk assessments performed under the DSA. Applicant (s) should also include a confirmation that there is no other intended use of the data outside of this research.

6. Information to be provided (Article 40(8)), 6.6, ¶5 (v1) → removed in v2

Researchers should also include a confirmation that there is no other intended use of the data outside of this research.

6. Information to be provided (Article 40(8)), Heading (6.7) (v1) → 6. Information to be provided (Article 40(8)), Heading (6.7) (v2)

Article 40 (8) (g): - Demonstrating Commitment to Publication of Research

6. Information to be provided (Article 40(8)), 6.7, ¶1 (v1) → 6. Information to be provided (Article 40(8)), 6.7, ¶1 (v2)

The application must demonstrate that you the Applicant (s) are committed to making your the research results publicly available, free of charge, within a reasonable period after the completion of the research, subject to the rights and interests of the recipients of the service concerned, in accordance with the GDPR.

6. Information to be provided (Article 40(8)), 6.7, ¶2 (v1) → 6. Information to be provided (Article 40(8)), 6.7, ¶2 (v2)

Each applicant researcher must provide a written commitment to make research results publicly available, free of charge, subject to the rights and interests of the recipients of the service under the GDPR. Information should also be provided as to the way in which it is expected that the results will be made publicly available, free of charge, and a timeframe should be proposed for same. Where the results, or part of the results, will not be made publicly available free of charge, the applicant researcher should explain the basis for this.

7. Further guidance in respect of applications

7. Further guidance in respect of applications, Title (v1) → 7. Further guidance in respect of applications, Title (v2)

7. Further guidance in respect of applications

7. Further guidance in respect of applications, 7.1, ¶1 (v1) → 7. Further guidance in respect of applications, 7.1, ¶1 (v2)

The application submitted by you the Applicant (s) must comply with the requirements set out below:

7. Further guidance in respect of applications, 7.1(a) (v1) → 7. Further guidance in respect of applications, 7.1(a) (v2)
  • (a) Declaration: Your The application should include a Declaration signed by you the Applicant (s) certifying that the information contained in the application form and documentary evidence relating to you the Applicant (s) is true and correct to the best of your their knowledge and belief.
7. Further guidance in respect of applications, 7.1(b) (v1) → 7. Further guidance in respect of applications, 7.1(b) (v2)
  • (b) False or misleading information: You The Applicant (s) must not include any false or misleading information in your the application. Under section 202 (1) of the 2009 Act, a person persons who knowingly or recklessly provides false or misleading information to An Coimisiún in relation to an application for VR status shall be guilty of a category 2 criminal offence. A person guilty of a category 2 offence shall be liable on summary conviction, to a class A fine (a fine not greater than € 5, 000) or imprisonment for a term not exceeding 12 months or both, or on conviction on indictment, to a fine not exceeding € 50, 000 or imprisonment for a term not exceeding 5 years or both.
7. Further guidance in respect of applications, 7.1(c) (v1) → 7. Further guidance in respect of applications, 7.1(c) (v2)
  • (c) Changes: You The Applicant (s) must notify An Coimisiún, promptly of any changes that occur, between the date of submission of your the application and the date on which you the Applicant (s) receive notice of An Coimisiún's decision on your the application, to any material information contained in your the applicationand application and /or to any supplemental information that was provided subsequent to the submission of the initial application as requested by An Coimisiún to support its assessment of whether you the Applicant (s) met the requirements to be awarded VR status. Where there are changes to the information that was provided in your the application which An Coimisiún considers to be material, this may necessitate the submission of a new application.
7. Further guidance in respect of applications, 7.1(d) (v1) → 7. Further guidance in respect of applications, 7.1(d) (v2)
  • (d) Publication: An Coimisiún is required to publish an overview of any reasoned request that is issued to a VLOP/VLOSE in the public interface of the DSA Data Access Portal. This shall include a summary of your application (if successful) and the access modalities as determined pursuant to Art. 9 of the Delegated Act.
7. Further guidance in respect of applications, 7.1(e) (v1) → 7. Further guidance in respect of applications, 7.1(e) (v2)
  • (e) Confidential and Commercially Sensitive Information: In submitting your application As detailed above at paragraph 3. 14 and 3. 15, you Applicant (s) and VLOPS /VLOSES should bear in mind that An Coimisiún may share or publish information contained in your the application and supporting documents and with the relevant VLOP /VLOSE or submissions in certain circumstances. In light of that, if where An Coimisiún considers this to be necessary in order to give them an opportunity to submit comments on your application. An Coimisiún is also obliged to publish an overview of a reasoned request in the DSA data access portal once it is formulated. If there is any information in your the application or supporting documents and /or submissions which you the Applicant (s) and /or VLOPs /VLOSES consider to be confidential, Applicant or commercially sensitive (s whether to you or to another party, such as the research organisation with which you are affiliated) and, to the extent that it should not be shared by An Coimisiún with the relevant VLOP VLOPS /VLOSE VLOSES or published, you should clearly identify that information and explain why you they believe it should not be shared or published. This is addressed in further detail at paragraph 3 An Coimisiún will consider any such explanation but retains discretion to share or publish whatever information An Coimisiún considers necessary. 14 and following above.
7. Further guidance in respect of applications, 7.1(f) (v1) → 7. Further guidance in respect of applications, 7.1(f) (v2)
  • (f) Freedom of Information: Access to records held by An Coimisiún may be requested by persons under the Freedom of Information Act 2014 ("FOI Act "). The provisions of the FOI Act exempt certain records from release, including if they are records containing commercially sensitive information or confidential information or personal information. An Coimisiún will consult with you the Applicant (s) in respect of any records relating to you the Applicant (s) that are within the scope of a FOI request received by An Coimisiún prior to making a decision under the FOI Act, where it is required to do so under the FOI Act.
7. Further guidance in respect of applications, 7.1(g) (v1) → 7. Further guidance in respect of applications, 7.1(g) (v2)
  • (g) Personal Data: An Coimisiún is obligated and committed to protecting all personal data submitted in accordance with its obligations under the General Data Protection Regulation, the Data Protection Act 2018 and any other applicable data and privacy laws and regulations. An Coimisiún's published privacy policy can be found at: Coimisiún na Meán | Data Protection (cnam. ie). A supplemental privacy notice with regard to the processing of personal data provided by applicants in relation to the submission of an application under Article 40 (4) of the DSA can be found here: Vetted Researcher Data Access Supplemental Privacy Statement - Coimisiún na Meán. Any personal data collected by An Coimisiún in connection with an application will be used only for the purposes stated in the supplemental privacy notice. Vetted Researcher Data Access Supplemental Privacy Statement - Coimisiún na Meán Any personal data collected by An Coimisiún in connection with an application will be used only for the purposes stated in the supplemental privacy notice.
7. Further guidance in respect of applications, 7.1(h) (v1) → 7. Further guidance in respect of applications, 7.1(h) (v2)
  • (h) Please note that all documents and information submitted as part of a VR status application should only be submitted through AGORA. Applications or related materials submitted directly to An Coimisiún will not be responded to and will not be considered. Any queries or requests for clarification in relation to the contents of this Guidance should be directed to Article40@cnam.ie.

8. Access Modalities

8. Access Modalities, Title (v1) → 8. Access Modalities, Title (v2)

8. Access Modalities

8. Access Modalities, 8.1, ¶1 (v1) → 8. Access Modalities, 8.1, ¶1 (v2)

If you are the Applicant (s) is designated as a VR and a Reasoned Request is issued, the Reasoned Request will include details of any access modalities that An Coimisiún requires the VLOP /VLOSE to use when providing you the Applicant (s) with access to the data.

8. Access Modalities, 8.2, ¶1 (v1) → 8. Access Modalities, 8.2, ¶1 (v2)

When determining the access modalities to be included in a Reasoned Request, An Coimisiún is required to take into account any access modalities proposed by you the Applicant (s) in your the application and any access modalities proposed by the VLOP /VLOSE to be used in connection with data the VLOP /VLOSE has stated is available in its DSA data access catalogue. However neither of these proposals is binding on An Coimisiún.

8. Access Modalities, 8.3, ¶1 (v1) → 8. Access Modalities, 8.3, ¶1 (v2)

The VLOP /VLOSE and you the Applicant (s) will be required to comply with whatever access modalities are specified by An Coimisiún in the Reasoned Request. These may include technical, legal or organisational measures to be used by the VLOP /VLOSE when providing you the Applicant (s) with access to the data. They may include, for example:

8. Access Modalities, 8.3(a)–(e) (v1) → 8. Access Modalities, 8.3(a)–(d) (v2)
  • (a) whether Whether a secure processing environment is necessary to process the data;
  • (b) relevant Relevant network security measures, encryption, access control, mechanisms, backup policies, data integrity mechanisms, incident response plans;
  • (c) storage Storage periods and data destruction plans;
  • (d) internal Internal review processes, restrictions of access rights and information sharing; and
  • (e) any Any contractual requirements, such as non - disclosure agreements or data sharing agreements.
8. Access Modalities, 8.4, ¶1 (v1) → 8. Access Modalities, 8.4, ¶1 (v2)

If the specified access modalities include a requirement that the VLOP /VLOSE enters enter into a data sharing agreement or any other contractual arrangement with you the Applicant (s), then you the Applicant (s) and the VLOP /VLOSE will be required to enter into that contractual arrangement and you the Applicant (s) will be subject to contractual obligations to the VLOP /VLOSE in connection with your the access to the data.

9. After an application for VR status is approved

9. After an application for VR status is approved, Title (v1) → 9. After an application for VR status is approved, Title (v2)

9. After an application for VR status is approved

9. After an application for VR status is approved, 9.1, ¶1 (v1) → 8. Access Modalities, 9.1, ¶1 (v2)

If you the Applicant (s) are designated as a VR and a Reasoned Request is issued, you the Applicant (s) must comply with the designation conditions set out in Article 40 (8) of the DSA and related requirements set out in the Delegated Act and implement the technical, legal and organisational measures that you the Applicant stated would be put in place in your the application when accessing the data and performing the research within the scope of the Reasoned Request. If you the Applicant (s) fail to do so then this may result, among other things, in your access to the data within the scope of that Reasoned Request being terminated under Article 40 (10) of the DSA and Chapter 2 of Part 15 of the 2009 Act.

9. After an application for VR status is approved, 9.2, ¶1 (v1) → 8. Access Modalities, 9.2, ¶1 (v2)

An Coimisiún may commence an investigation for the purposes of determining whether researchers who have been granted the status of VR continue to meet the designation conditions as set out in Article 40 (8) of the DSA, at any time. An Coimisiún may do this of its own volition or based on information provided to it by any third party including but not limited to the relevant VLOP /VLOSE. Subject to the outcome of such an investigation, An Coimisiún may terminate your the Applicant (s) data access if it determines that you the Applicant (s) no longer meet the designation conditions. Where it is proposed to terminate your the data access, you the Applicant (s) will be notified of this proposal and you will have an opportunity within 14 days, to make representations or to request a review of the proposed termination by an independent person. If your the Applicant (s) data access is terminated, the VLOP /VLOSE will no longer be required to provide you the Applicant (s) with access to the data within the scope of the Reasoned Request.

9. After an application for VR status is approved, 9.3, ¶1 (v1) → 8. Access Modalities, 9.3, ¶1 (v2)

If your the Applicant (s) access to data within the scope of a Reasoned Request is not terminated early, then your the Applicant (s) access to that data will expire on the date specified in the Reasoned Request.

9. After an application for VR status is approved, 9.4, ¶1 (v1) → 8. Access Modalities, 9.4, ¶1 (v2)

Further to the commitment you the Applicant (s) provided in your the application, you the Applicant (s) will be required to make the results of your the research publicly available free of charge within a reasonable period after the completion of your the Applicants (s) research.

Guidance for Applicants
Publication date: 20 February 2026

Machine-readable HTML rendering of the tidied guidance text.

Contents

1. Introduction

2. Overview of Guidance

3. Overview of VR status application process

4. How to apply

5. Application Requirements

6. Information to be provided in respect of each of the conditions in Article 40(8)

7. Further guidance in respect of applications

8. Access Modalities

9. After an application for VR status is approved

1. Introduction

1.1

Article 40 of the Digital Services Act ("DSA") makes provision for certain researchers to access data from Very Large Online Platforms ("VLOPS") or Very Large Online Search Engines ("VLOSES") for the purposes of studying systemic risks in the EU stemming from the design, functioning or use of a VLOP/VLOSE and assessing mitigation measures implemented by the VLOP/VLOSE. Article 40(8) of the DSA sets out the process whereby a researcher, who has been vetted or assessed by a Digital Services Coordinator ("DSC") to have met the criteria as set out under this provision, can have a request for access to data held by a VLOP/VLOSE submitted on their behalf by the DSC. The data must be limited in scope in accordance with Article 34 and 35 of the Digital Services Act ("DSA") and deemed necessary and proportionate to the purpose of the research

1.2

A Vetted Researcher ("VR") is a researcher who

  • (a) applies to a DSC for VR status for specified research; and
  • (b) is formally designated as a VR by a DSC, having met the conditions that are set out in Article 40(8) of the DSA, for the purposes of accessing specified data for the purposes of the research outlined in their application.

1.3

It is important to note that VR status is only awarded in respect of specific research as identified in an application. Where a person who has previously been granted VR status wishes to seek access to specified data held by a VLOP/VLOSE for the purposes of other research, a new application for VR status will need to be submitted for the purposes of that other research.

1.4

In order to be designated as a VR for the purposes of specific research, a researcher must submit a detailed application to a DSC (through the DSA Data Access portal (the "Portal")) which demonstrates that they meet the criteria as set out in Article 40(8) of the DSA and related requirements set out in Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 (the "Delegated Act"). In summary, a researcher will need to demonstrate:

  • (a) They are affiliated to a research organisation[1];
  • (b) They are independent from commercial interests;
  • (c) They have disclosed the funding of the research;
  • (d) They can fulfil the specific data security, data protection and confidentiality requirements that correspond to the requested data and have described the appropriate technical and organisational measures that they have put and will put in place;
  • (e) Their access to the data and the time frames requested are necessary for, and proportionate to, the purpose of their research;
  • (f) The planned research will be carried out for the sole purposes of contributing to an understanding of systemic risk in the EU stemming from the design, functioning or use of the relevant VLOP/VLOSE and the assessment of risk mitigation measures implemented by that VLOP/VLOSE; and
  • (g) They are committed to making the research results publicly available free of charge, within a reasonable period after the completion of the research.

1 The term 'research organisation' has a specific definition, which is detailed further below.

1.5

Where a DSC decides to designate a person as a VR for the specified research, the DSC will then issue a reasoned request for access to the data described in the application to the relevant VLOP/VLOSE. The VLOP/VLOSE will then be required to provide the VR with access to the specified data by way of the access modalities specified in the request, within a reasonable period specified in the request.[2]

2 This is subject to the entitlement of a VLOP/VLOSE to request an amendment to the reasoned request, which is detailed further below.

2. Overview of Guidance

2.1

Coimisiún na Meán ("An Coimisiún") has developed this Guidance to inform interested researchers of the following:

  • (a) the form and manner in which applications for VR status are to be made; and
  • (b) an overview of the process for the assessment of applications for VR status.
  • (c) The aim of the Guidance is to help applicant researchers (referred to as "you"/ "your") to understand what is required of you for the application process and what the process will involve.

2.2

The Guidance is informed by Irish and European legislation, in particular the DSA, the Broadcasting Act 2009 (the "2009 Act") and the Delegated Act.

2.3

This Guidance has been provided to assist applicants for VR status in understanding the process that will be undertaken by An Coimisiún. It is not legal advice, it is not binding on An Coimisiún and it is not intended to have any impact on how any statutory provision is interpreted or applied. You are advised to obtain your own independent legal advice on the relevant statutory provisions. This Guidance may be updated and amended by An Coimisiún as considered necessary and appropriate and, subject to its obligations under applicable law, An Coimisiún reserves the right to amend its process as it sees fit.

3. Overview of VR status application process

3.1

The VR status application process begins with your registration as a researcher on the Portal.

3.2

Once you have registered as a principal or applicant researcher on the Portal, you will be able to access the private researcher-only area of the site. Here is where you will submit applications for VR status for specific research.

3.3

In line with the 3 Act[3], An Coimisiún has specified the form and manner in which an application must be made. The elements that an application is required to contain in order to be deemed complete and to proceed to the substantive assessment stage (the "Application Requirements. You should consult the Application Requirements before submitting any application, as failure to comply with the Application Requirements may lead to your application being rejected as incomplete (meaning that it will not proceed to the substantive assessment stage).

3 S. 187(1) Broadcasting Act 2009

3.4

When you are submitting an application via the Portal, you will have the option to submit your application to:

  • (a) The DSC of the EU Member State in which the main establishment of the provider of the VLOP or VLOSE is located or, where the provider has no establishment in the EU, where its legal representative resides or is established (referred to as the DSC of Establishment ("DSCoE")); or
  • (b) The DSC of the EU Member State where your affiliated research organisation is based (and, where this Member State is different from the EU Member State of the DSCoE of the VLOP or VLOSE, this DSC shall be referred to as the DSC of Origin ("DSCoO")).

3.5

Where you submit your application to your DSCoO, it will carry out an initial assessment of your application before transmitting it to the DSCoE. The DSCoE will then assess the application and will make a final decision on the application. If the DSCoO deems the application is incomplete, the DSCoO will transmit it to the DSCoE and notify the DSCoE of this initial view, and the DSCoE will proceed with its consideration of the application, first deciding whether the application should proceed.

3.6

All applications must, at a minimum, be consistent with the Application Requirements. On receipt of an application, An Coimisiún will carry out what is referred to as a "Completeness Check" to ensure that the application complies with the Application Requirements. Where an application does not comply with the Application Requirements, the application will be deemed incomplete and will be rejected on that basis without An Coimisiún proceeding to assess the substance of the application.

3.7

Where an application is rejected by An Coimisiún on the basis that it is incomplete, you are encouraged to resubmit a new application which complies in full with the Application Requirements. For the avoidance of doubt, in these circumstances you must submit a new application via the Portal. It is not possible to seek to supplement or update your initial application where that has been rejected and An Coimisiún will not be in a position to consider any information or documentation submitted to it in connection with an application which has been rejected.

3.8

Where your application is deemed complete, it will proceed to the assessment phase ("Assessment"). Where a DSCoO has carried out an initial assessment, this will be considered by An Coimisiún as DSCoE in its assessment of the application. The Assessment will involve An Coimisiún considering the application and supporting documentation provided with a view to deciding whether you have demonstrated that you meet the conditions set out in Article 40(8) of the DSA, and the related requirements set out in Article 8 of the Delegated Act.

3.9

In the course of the Assessment, An Coimisiún may request further information from you regarding your application. When requesting information, An Coimisiún will specify a time period in which the information requested is to be provided. Failure to provide the information requested within the time period set out may impact the ability of An Coimisiún to proceed with the Assessment of your application. Failure to provide the information requested may lead to a decision that you have not demonstrated that you meet the designation conditions and related requirements.

3.10

An Coimisiún may consult with subject matter experts in the course of the Assessment which may require the sharing of documents in the Application.

3.11

It may be necessary for An Coimisiún to share information contained in your application, the application and supporting documents with the relevant VLOP/VLOSE to give them an opportunity to submit comments on the application prior to a decision being made.

3.12

An Coimisiún is required to determine your application within 80 working days of the date on which it is submitted. This 80 working day period can be extended where this is justified. Where An Coimisiún requires additional time to make its decision, it will notify you of same, explaining the basis on which additional time is required and notifying you of a new date by which the application will be determined.

3.13

You will be notified of An Coimisiún's decision regarding your application via the Portal (the "Application Decision"). Where An Coimisiún decides to designate you as a VR for the specified research, An Coimisiún will proceed to issue a reasoned request for access to data to the relevant VLOP/VLOSE concerned (the "Reasoned Request").

3.14

On receipt of the Reasoned Request, the VLOP/VLOSE must either proceed to provide you with access to the requested data within the time period specified in the Reasoned Request, in accordance with the terms of the Reasoned Request or, within 15 days of receipt of the Reasoned Request, submit a proposal for an amendment to the Reasoned Request (an "Amendment Request") on the basis that:

  • (a) They do not have access to the data; or
  • (b) Giving access to the data would lead to significant vulnerabilities in the security of their service or the protection of confidential information, in particular trade secrets

3.15

An Coimisiún will determine any Amendment Request submitted to it in accordance with the DSA and Delegated Act within a further 15 days. To enable An Coimisiún to make its determination, it may issue requests for information to you and/or the VLOP/VLOSE concerned and/or consult with subject matter experts. If the amendment proposal is accepted by An Coimisiún, a new Reasoned Request will be formulated by An Coimisiún and issued to the VLOP/VLOSE, who will then be required to comply with the revised terms of the Reasoned Request. You will be notified of the decision of An Coimisiún in relation to any Amendment Request and provided with the amended Reasoned Request, where applicable.

3.16

You will also be notified through the Portal in the event An Coimisiún decides that your application does not demonstrate that you meet the designation conditions and related requirements and, accordingly, refuses to designate you as a VR for the specified research. Where your application has been refused, if you wish to challenge the refusal, you will have 14 days from the date of service of the notification of this decision to request a review by an independent reviewer (a "Review Request") of the Application Decision.

4. How to apply

4.1

Applications must be submitted via the Data Access Application Portal ("Portal").

4.2

To access the features available on the private area of the Portal, which is necessary in order to make an application, each researcher needs to have EU login credentials and a profile created on the Portal.

4.3

Each researcher participating in a VR status application should have a dedicated profile created on the Portal for submitting VR status applications as principal researcher or as applicant researcher on the VR status application.

5. Application Requirements

5.1

An application shall be made in the form and manner specified by An Coimisiún[4] and this section of the Guidance sets out what an application must contain in order for it to be considered by An Coimisiún to be a complete application. Failure to comply with the Application Requirements may lead to your application being rejected as incomplete meaning that it will not proceed to the Assessment stage.

5.2

You are responsible for demonstrating that you satisfy the conditions set out in Article 40(8) of the DSA and related requirements set out in the Delegated Act and you must submit all of the information and the documentary evidence specified in this Guidance and/or as may be requested at a later stage by An Coimisiún. It is important that you ensure full and accurate information is provided to avoid any delays to the application process and to avoid your application being closed on the basis that it is incomplete.

5.3

In assessing an application, An Coimisiún will have regard to the information submitted by you and also to information available to it from its own independent information-gathering and research that may be relevant to its verification of the information submitted by you. An Coimisiún may also take into account information provided to it by the VLOP/VLOSE in connection with your application.

4 Section 187(1) of the 2009 Act.

6. Information to be provided in respect of each of the conditions in Article 40(8) and related requirements in the Delegated Act in order for an application to be considered complete

6.1

Article 40(8)(a) - Demonstrating Affiliation to Research Organisation

For each applicant researcher, the application must demonstrate (i) affiliation to a research organisation. For these purposes 'research organisation' has the definition given to it in Article 2, point (1), of Directive (EU) 2019/790 of the European Parliament and of the Council and includes civil society organisations that are conducting scientific research with the primary goal of supporting their public interest mission (a "Research Organisation"). In order to be deemed complete, the application must contain information and documentation which will allow An Coimisiún to assess, in respect of each applicant researcher, their affiliation to a Research Organisation.

This may include, but is not limited to, providing at least one and, in some situations, more than one, of the items listed below. Applicants should consider, having regard to their particular circumstances, what information and documentation should be provided in order for their application to demonstrate affiliation to a Research Organisation:

Affiliation

  • (a) Proof of legal association with a Research Organisation;
  • (b) Contract of employment for the researcher in question;
  • (c) Funding award letter;
  • (d) Ethical approval letter;
  • (e) Formal letter signed by Research Organisation stating that the researcher is affiliated with the organisation;
  • (f) Confirmation researcher may rely on Research Organisation's technical and organisational information security measures to address conditions set out in Article 40(8)(d).

Research Organisation

  • (a) Annual Reports, Financial Statements, Returns etc from the legal entity showing that a significant portion of funding is allocated to research activities and the organisation operates on a not-for-profit basis;
  • (b) For public institutions, links to the legal text creating the institution;
  • (c) Links to relevant sections of the of the Research Organisation;
  • (d) Relevant, Articles of Association, or Constitution, a public interest mission recognised by an EU Member State;
  • (e) Governance relating to the board of the Research Organisation;
  • (f) If on a not-for-profit basis, documentation evidencing the not-for-profit or charity status of the Research Organisation;
  • (g) If on a 'for profit' basis, evidence that shows that all profits are reinvested in scientific research such as annual reports or financial statements; and/or
  • (h) Confirmation that the results generated by the organisation's research are not used on a preferential basis by any party that exercises decisive influence on the organisation, including special or exclusive access, early access to findings etc.

6.2

Article 40(8)(b) - Demonstrating Independence from Commercial Interests

For each applicant researcher, the application must demonstrate independence from commercial interests. A completed declaration of independence from commercial interests must be provided by each applicant researcher.

Other documentation which may be demonstrative of independence from commercial interests includes but is not limited to documents relating to:

The Research Organisation's ownership structure and who makes strategic decisions;

  • (a) The Research Organisation's financing model (and if the model includes multiple sources of financing, specifying same);
  • (b) The existence of financing agreements;
  • (c) The existence of any partnership agreements;
  • (d) Any codes of conduct and ethics of the researchers as well as the conflict of interest policy
  • (e) Confirmation of the absence of, or if applicable an explanation of any:
  • (i) Conflict of interest that would result in the applicant researcher not being independent from commercial interests;
  • (ii) Funding from commercial / private / semi-private entities;
  • (iii) Financial interest in any VLOP/VLOSE or competitor of any VLOP/VLOSE;
  • (iv) Previous employment with any VLOP/VLOSE or competitor of any VLOP/VLOSE within the last three years;
  • (v) A material business relationship with a VLOP/VLOSE or competitor of any VLOP/VLOSE, either directly or through any other organisation in which the applicant researcher is a partner, shareholder, director, senior employee, etc.;
  • (vi) Close familial ties with any shareholder, director or senior employee of a VLOP/VLOSE.

6.3

Article 40(8)(c) - Information Required in Relation to the Funding of the Research

The application must disclose the funding of the research the subject of the application. To comply with this condition, information and/or documentation must be provided which discloses the funding of the research, to include details on financial and non-financial contributions supporting the research the subject of the application.

This may include, but is not limited to, the documents and information listed below. Applicants should consider their particular circumstances, and determine what information and documentation should be provided in order to demonstrate that their application discloses the funding of the research:

  • (a) Details of financial contributions, both public or private, supporting the research project for which the data are requested and the dates of any relevant funding. This should include financial contributions already obtained at the time of the submission of the application or possible financial contributions which have been applied for but in respect of which decisions are pending;
  • (b) Details of non-financial contributions the research project would benefit from, such as contributions in-kind, the use of facilities, or structural reliance on expertise;
  • (c) Details of any indirect funding, such as sources of salaries or other payments of researcher;
  • (d) Copy of any funding award letter;
  • (e) Copy of any grant agreement;
  • (f) A declaration signed by each applicant researcher, declaring that except for the third- party funding disclosed by the applicant researcher, the applicant researcher does not intend to rely on any funding to perform the research other than indirect funding or non- financial support provided by the applicant researcher's Research Organisation of affiliation;
  • (g) Copy of any grant agreement;Information on funding as to any arrangements in place to bridge funding or otherwise support the work should the current funding award end before the data access duration date.

The information provided by you should include details of any contributions, such as the funding entity, the amount, the nature and duration of the contribution, including whether the funding has already been awarded or is still under evaluation, as well as, where applicable, relevant references to EU funded projects.

Where available, the VR status application should also include the outcomes of evaluations conducted by the entity providing the funding.

6.4

Article 40(8)(d) - Demonstrating capability to fulfil specific data security, confidentiality and personal data protection requirements

The application must demonstrate that the researchers are capable of fulfilling the specific data security and confidentiality requirements corresponding to the requested data and to protect personal data (where relevant).

The application must include information on the identified risks in terms of confidentiality, data security and personal data protection related to the data that would be accessed, a description of the technical, legal and organisational measures that will be put in place, including, where possible, suggested access modalities, to mitigate such risks when processing the requested data.

This must include:

  • (a) Description of technical, legal and organisational measures to mitigate the above risks
  • (b) Identification of data security and confidentiality risks associated with the request
  • (c) Details on proposed access modality and its associated technical security measures.
  • (d) Description of whether the data is pseudonymised or relates to an individual who is identified or identifiable without the need for any additional information
  • (e) Information demonstrating compliance with data protection legislation, including an assessment of the risks that the processing of personal data would entail for data subjects;
  • (f) Relevant data protection documentation identifying the roles and responsibilities within the meaning of data protection legislation; Description of the legal basis to be used under GDPR; and
  • (g) Description of technical, legal and organisational measures to mitigate the risks relating to personal data.

Further guidance in respect of compliance with Article 40(8)(d) is set out below under different headings.

Data Security

Documents which may be provided in order to demonstrate that you can fulfil the specific data security requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) ICT Security assessment;
  • (b) Security accreditation of investigators or entities;
  • (c) Software security assessments or technical assessments;
  • (d) Detailed description of technical security measures of proposed access modality;
  • (e) Privacy policies of Secure Processing Environment (SPE);
  • (f) Contract and T&Cs of SPE;
  • (g) ISO Standards certification;
  • (h) IT security documentation related to Research Organisation IT (if relevant);
  • (i) Data Management Plan (DMP) with Research Organisation review/ recommendations;
  • (j) Data Protection Impact Assessment (DPIA) with Data Protection Officer (DPO) review/ recommendations;
  • (k) Record of Processing Activities (ROPA);
  • (l) Any other documentation which demonstrate the implementation of data security best practices; and
  • (m) Declaration signed by Research Organisation that the researcher may use the research organisation's technical and organisational measures to fulfil the data security requirements that correspond to the requested data.

Data Confidentiality

Documents which may be provided in order to demonstrate that you are capable of fulfilling the specific data confidentiality requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose.

  • (a) Data Management Plan with Research Organisation review/recommendations
  • (b) Data Flow Diagram (DFD)
  • (c) Data Protection Impact Assessment (DPIA) with DPO review/ recommendation
  • (d) Record of Processing Activities (ROPA)
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation
  • (f) Statement of understanding that only aggregate or summary results should be published
  • (g) Statement of understanding that raw or individual level data should not be published
  • (h) Declaration signed by Research Organisation that the researcher may use the Research Organisation's technical and organisational measures to fulfil the data confidentiality requirements that correspond to the requested data.

Personal Data Protection

Documents which may be provided in order to demonstrate that you are capable of fulfilling the specific personal data protection requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) Data Flow Diagram (DFD)
  • (b) Data Management Plan (DMP) with Research Organisation/DPO review
  • (c) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations
  • (d) Record of Processing Activities (ROPA)
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation
  • (f) Statement of understanding that only aggregate or summary results should be published
  • (g) Statement of understanding that raw or individual level data should not be published
  • (h) Statement that no attempt to reidentify data subjects will be made
  • (i) Declaration signed by research organisation that the researcher may use the research organisation's technical and organisational measures to fulfil the personal data protection requirements that correspond to the requested data
  • (j) Description of the legal basis to be used under GDPR.

Technical Measures to Protect Data

In order to comply with the condition that you demonstrate in your application the appropriate technical measures that you have put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) Detailed description of technical security measures of proposed access modality
  • (b) ISO 27001, ISO 27002, ISO 27701 Certification or similar
  • (c) SOC2 Attestation Report or similar
  • (d) NIS2 Directive compliance or similar; and/or
  • (e) A declaration signed by Research Organisation that the researcher may use the Research Organisation's technical measures to fulfil the technical measures requirements that correspond to the requested data.

Organisational Measures to Protect Data

In order to comply with the condition that you demonstrate in your application the appropriate organisational measures that you have put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) Data sharing agreement;
  • (b) Non-disclosure agreements;
  • (c) Data management policies;
  • (d) Ethical or methodological review/approval;
  • (e) Data Protection Training certificates or similar;
  • (f) Data Breach policy of Research Organisation;

Undertaking by researcher prohibiting them from disclosing the data to any person(s) not named in their applications, prohibition against the use or disclosure of data in any manner that was not described in the application;

Declaration signed by Research Organisation that the researcher may use the Research Organisation's organisational measures tofulfil the organisational measures requirements that correspond to the requested data.

Legal Measures to protect Data

In order to comply with the requirement that you demonstrate in your request the appropriate legal measures that you have put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose.

  • (a) Data sharing agreement;
  • (b) Non-disclosure agreement;
  • (c) Data processing agreement with any third party who will process the data on your behalf;
  • (d) Other contractual protections.

Special Considerations for International Personal Data Transfers

Some or all of the data that will be accessed by you if you are granted VR status might not constitute personal data. However, if you will access any personal data, your application should indicate whether there will be any 'international personal data transfer' for the purposes of the GDPR. An international personal data transfer is the transfer of personal data to a country outside of the European Economic Area ("EEA").

The meaning of transfer is extremely broad. It does not require a physical handover of data or direct transfer and can include remote access from a third country. Some examples of where there may be an international personal data transfer include:

  • (i) You are/the affiliated Research Organisation is located/established in a country outside the EEA;
  • (ii) Even if you are/the affiliated Research Organisation is located/established within the EEA, the data will be hosted/provided/accessed on a platform which is outside the EEA.

If there will be an international personal data transfer if you are granted VR status, the application must demonstrate that you will ensure compliance with the obligations under the GDPR in connection with such transfer, i.e. that the access will be covered by

  • (i) the third country being covered by an 'adequacy decision',
  • (ii) appropriate safeguards for data subjects' rights (e.g. you will enter into Standard Contractual Clauses governing the transfer and that a positive Transfer Impact Assessment has been completed).

6.5

Article 40(8)(e): - Demonstrating Proposed Access and Time Frames

The application must demonstrate that access to the data and the time frames requested are necessary for, and proportionate to, the purposes of the applicant's research, and that the expected results of that research will contribute to the purposes laid down in Article 40(4) DSA. Article 40(4) provides for access to data "for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the Union, as set out in Article 34(1), and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35."

The application must contain:

  • (a) a description of the data requested, including format, scope and, where possible, the specific attributes, relevant metadata and data documentation, also considering the information made available pursuant to Article 6(4) of the Delegated Act (i.e. information in the VLOP/VLOSE's DSA data catalogue);
  • (b) information on the necessity and proportionality of the access to the data and the time frames for the purposes of the research for which the data are requested; and
  • (c) a description of the research activities to be conducted with the requested data and an estimation of the required duration of the access.

Further guidance in respect of compliance with Article 40(8)(e) is set out below under different headings.

Necessity and Proportionality of Access:

In order to demonstrate that the access to data you request is necessary and proportionate, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of your application, what documentation should be provided in order to demonstrate that the access to data you request is necessary and proportionate:

  • (a) Data Management Plan (DMP) with Research Organisation review / recommendations
  • (b) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations
  • (c) Necessity assessment or other such documentation demonstrating the access to data are necessary; and
  • (d) Proportionality assessment or other such documentation demonstrating the access to data are proportionate.

In respect of the necessity and proportionality of access, an application should consider, and where appropriate, address the following:

  • (a) A clear description of data variables requested is expected, which should include format, scope and where possible specific attributes, relevant metadata and data documentation. Researchers should ask for the exact data they would like and that they believe the VLOP/VLOSE may have;
  • (b) Each variable or groups of variables (particularly where personal data is concerned) must be necessary for the project and this should be described by the researcher;
  • (c) Researchers should demonstrate that the amount, scope, granularity and type of data requested do not exceed what is necessary to achieve the research objectives;
  • (d) Researchers should describe how the data and data format were selected;
  • (e) Whether data requested are aggregate data or individual level data;
  • (f) Whether data requested are anonymous, pseudonymised or identifiable data;
  • (g) Researchers should provide a description of why these data must be used (as opposed to aggregate data or anonymous data for example);
  • (h) Researchers should consider whether there is a less intrusive way to complete the research;
  • (i) Is the amount of data being collected comparable to that used in other research projects or articles on the same topic?
  • (j) Any data minimisation is clearly described and justified;
  • (k) That the research question/hypothesis is sound and is achievable with the data requested;
  • (l) That the access requested balances the impact on the rights and interests (e.g. commercial interests, interests in confidential information, intellectual property rights, data protection rights, etc.) of (i) the data subjects; (ii) the VLOP/VLOSE; and (iii) any other affected third parties, and researchers should describe their assessment of same; and
  • (m) The importance of the objective should be described.

Necessity and Proportionality of Timeframe of Access:

In order to demonstrate that the timeframe of access to data you request is necessary and proportionate, documents to be provided may include:

  • (a) Data Management Plan (DMP) with Research Organisation review/recommendations;
  • (b) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations;
  • (c) Necessity assessment or other such documentation demonstrating the timeframe to data are necessary; and/or
  • (d) Proportionality assessment or other such documentation demonstrating the timeframe to data are proportionate.

In respect of the necessity and proportionality of timeframe of access, an application should address the following:

  • (e) A description of the timeframe in relation to the data requested, including whether it is requested as at a set timepoint, or over a time range;
  • (f) A description of how long the researcher will need access to data for and a justification of why the timeframe is necessary;
  • (g) A justification of the data retention period described;
  • (h) A breakdown of the research project timeline, i.e., the duration of data cleaning, data analysis, report writing, peer review, publication etc;

Researchers should demonstrate why the timeframe for access to data requested is adequate to achieve the envisaged objective of the research.

In cases whereby researchers request access to live systems, or live data, they should explain why it is proportionate, and why the research could not be achieved through the examination of historical data.

Expected Results

In addition, researchers must describe how the results sought to be achieved will contribute toward the detection, identification and understanding of systemic risks in the EU, as set out pursuant to Article 34(1) of the DSA, and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35 of the DSA, and should describe both the benefits and risks associated with the proposed research. A Data Management Plan or Data Protection Impact Assessment with Research Organisation review/ will again be considered by An Coimisiún in this regard.

6.6

Article 40(8) (f): - Demonstrating that research activities will be carried out for the purposes laid down in Article 40(4) DSA

In order to comply with the condition that you demonstrate that the research activities will be carried out for the purposes laid down in Article 40(4) DSA, you must provide the following documentation and information:

  • (a) A description of the research activities to be conducted with the requested data and an estimation of the required duration of the access;
  • (b) A summary of the application including the research topic; and
  • (c) A description of the purpose pursuant to DSA Articles 34 and 35. This should cover research activities and methodology and give details of how they are connected to Article 34 (systemic risks) and Article 35 (mitigation measures) and related to the specific VLOP/VLOSE.

A link should be made between the systemic risks and the design or functioning of the VLOP/VLOSE's service and its related systems or use of the VLOP/VLOSE's service. An Coimisiún will assess whether the application demonstrates that the research described does or will be carried out for the purposes of contributing to the detection, identification and understanding of systemic risks in the EU stemming from the design, functioning or use of the VLOP/VLOSE, and] to the assessment of the adequacy, efficiency and impacts of risk mitigation measures.

The application should describe the specific systemic risks in the EU stemming from the design or functioning of the service in question and its related systems, including algorithmic systems, or from the use made of said services that are the intended focus of the research. The following non-exhaustive examples of such systemic risks are set out in the DSA:

  • (a) The dissemination of illegal content through the VLOP/VLOSE;
  • (b) Any actual or foreseeable negative effects for the exercise of fundamental rights;
  • (c) Any actual or foreseeable negative effects on civic discourse and electoral processes, and public security;
  • (d) Any actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person's physical and mental well-being.

Other potential systemic risks include any systemic risks identified by the relevant VLOP/VLOSE in its own risk assessments performed under the DSA.

Researchers should also include a confirmation that there is no other intended use of the data outside of this research.

6.7

Article 40(8)(g):- Demonstrating Commitment to Publication of Research

The application must demonstrate that you are committed to making your research results publicly available free of charge, within a reasonable period after the completion of the research, subject to the rights and interests of the recipients of the service concerned, in accordance with the GDPR.

Each applicant researcher must provide a written commitment to make research results publicly available free of charge, subject to the rights and interests of the recipients of the service under the GDPR. Information should also be provided as to the way in which it is expected that the results will be made publicly available free of charge, a timeframe should be proposed for same. Where the results, or part of the results, will not be made publicly available free of charge, the applicant researcher should explain the basis for this.

7. Further guidance in respect of applications

7.1

The application submitted by you must comply with the requirements set out below:

  • (a) Declaration: Your application should include a Declaration signed by you certifying that the information contained in the application form and documentary evidence relating to you is true and correct to the best of your knowledge and belief.
  • (b) False or misleading information: You must not include any false or misleading information in your application. Under section 202(1) of the 2009 Act, a person who knowingly or recklessly provides false or misleading information to An Coimisiún in relation to an application for VR status shall be guilty of a category 2 criminal offence. A person guilty of a category 2 offence shall be liable on summary conviction, to a class A fine (a fine not greater than €5,000) or imprisonment for a term not exceeding 12 months or both, or on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.
  • (c) Changes: You must notify An Coimisiún, promptly of any changes that occur, between the date of submission of your application and the date on which you receive notice of An Coimisiún's decision on your application, to any material information contained in your applicationand/or to any supplemental information that was provided subsequent to the submission of the initial application as requested by An Coimisiún to support its assessment of whether you met the requirements to be awarded VR status. Where there are changes to the information that was provided in your application which An Coimisiún considers to be material, this may necessitate the submission of a new application.
  • (d) Publication: An Coimisiún is required to publish an overview of any reasoned request that is issued to a VLOP/VLOSE in the public interface of the DSA Data Access Portal. This shall include a summary of your application (if successful) and the access modalities as determined pursuant to Art. 9 of the Delegated Act.
  • (e) Confidential and Commercially Sensitive Information: In submitting your application, you should bear in mind that An Coimisiún may share information contained in your application and supporting documents with the relevant VLOP/VLOSE, where An Coimisiún considers this to be necessary in order to give them an opportunity to submit comments on your application. An Coimisiún is also obliged to publish an overview of a reasoned request in the DSA data access portal once it is formulated. If there is any information in your application or supporting documents which you consider to be confidential or commercially sensitive (whether to you or to another party, such as the research organisation with which you are affiliated), to the extent that it should not be shared by An Coimisiún with the relevant VLOP/VLOSE or published, you should clearly identify that information and explain why you believe it should not be shared or published. An Coimisiún will consider any such explanation but retains discretion to share or publish whatever information An Coimisiún considers necessary.
  • (f) Freedom of Information: Access to records held by An Coimisiún may be requested by persons under the Freedom of Information Act 2014 ("FOI Act"). The provisions of the FOI Act exempt certain records from release, including if they are records containing commercially sensitive information or confidential information or personal information. An Coimisiún will consult with you in respect of any records relating to you that are within the scope of a FOI request received by An Coimisiún prior to making a decision under the FOI Act, where it is required to do so under the FOI Act.
  • (g) Personal Data: An Coimisiún is obligated and committed to protecting all personal data submitted in accordance with its obligations under the General Data Protection Regulation, the Data Protection Act 2018 and any other applicable data and privacy laws and regulations. An Coimisiún's published privacy policy can be found at: Coimisiún na Meán | Data Protection (cnam.ie). A supplemental privacy notice with regard to the processing of personal data provided by applicants in relation to the submission of an application under Article 40(4) of the DSA can be found here: Any personal data collected by An Coimisiún in connection with an application will be used only for the purposes stated in the supplemental privacy notice. Vetted Researcher Data Access Supplemental Privacy Statement - Coimisiún na Meán Any personal data collected by An Coimisiún in connection with an application will be used only for the purposes stated in the supplemental privacy notice.
  • (h) Please note that all documents and information submitted as part of a VR status application should only be submitted through AGORA. Applications or related materials submitted directly to An Coimisiún will not be responded to and will not be considered. Any queries or requests for clarification in relation to the contents of this Guidance should be directed to Article40@cnam.ie.

8. Access Modalities

8.1

If you are designated as a VR and a Reasoned Request is issued, the Reasoned Request will include details of any access modalities that An Coimisiún requires the VLOP/VLOSE to use when providing you with access to the data.

8.2

When determining the access modalities to be included in a Reasoned Request, An Coimisiún is required to take into account any access modalities proposed by you in your application and any access modalities proposed by the VLOP/VLOSE to be used in connection with data the VLOP/VLOSE has stated is available in its DSA data access catalogue. However neither of these proposals is binding on An Coimisiún.

8.3

The VLOP/VLOSE and you will be required to comply with whatever access modalities are specified by An Coimisiún in the Reasoned Request. These may include technical, legal or organisational measures to be used by the VLOP/VLOSE when providing you with access to the data. They may include, for example:

  • (a) whether a secure processing environment is necessary to process the data;
  • (b) relevant network security measures, encryption, access control, mechanisms, backup policies, data integrity mechanisms, incident response plans;
  • (c) storage periods and data destruction plans;
  • (d) internal review processes, restrictions of access rights and information sharing; and
  • (e) any contractual requirements, such as non-disclosure agreements or data sharing agreements.

8.4

If the specified access modalities include a requirement that the VLOP/VLOSE enters into a data sharing agreement or any other contractual arrangement with you, then you and the VLOP/VLOSE will be required to enter into that contractual arrangement and you will be subject to contractual obligations to the VLOP/VLOSE in connection with your access to the data.

9. After an application for VR status is approved

9.1

If you are designated as a VR and a Reasoned Request is issued, you must comply with the designation conditions set out in Article 40(8) of the DSA and related requirements set out in the Delegated Act and implement the technical, legal and organisational measures that you stated would be put in place in your application when accessing the data and performing the research within the scope of the Reasoned Request. If you fail to do so then this may result, among other things, in your access to the data within the scope of that Reasoned Request being terminated under Article 40(10) of the DSA and Chapter 2 of Part 15 of the 2009 Act.

9.2

An Coimisiún may commence an investigation for the purposes of determining whether researchers who have been granted the status of VR continue to meet the designation conditions as set out in Article 40(8) of the DSA at any time. An Coimisiún may do this of its own volition or based on information provided to it by any third party including but not limited to the relevant VLOP/VLOSE. Subject to the outcome of such an investigation, An Coimisiún may terminate your data access if it determines that you no longer meet the designation conditions. Where it is proposed to terminate your data access, you will be notified of this proposal and you will have an opportunity within 14 days, to make representations or to request a review of the proposed termination by an independent person. If your data access is terminated, the VLOP/VLOSE will no longer be required to provide you with access to the data within the scope of the Reasoned Request.

9.3

If your access to data within the scope of a Reasoned Request is not terminated early, then your access to that data will expire on the date specified in the Reasoned Request.

9.4

Further to the commitment you provided in your application, you will be required to make the results of your research publicly available free of charge within a reasonable period after the completion of your research.

Guidance on Article 40(4-11) DSA
Publication date: 25 May 2026

Machine-readable HTML rendering of the tidied guidance text.

Contents

1. Introduction

2. Overview of Guidance

3. Overview of VR status application process

4. How to apply

5. Application Requirements

6. Information to be provided in respect of each of the conditions in Article 40(8) and related requirements in the Delegated Act in order for an application to be considered complete

7. Further guidance in respect of applications

8. Access Modalities

9. After an application for VR status is approved

1. Introduction

1.1

Article 40 of the Digital Services Act ("DSA") makes provision for certain researchers to access data from Very Large Online Platforms ("VLOPS") or Very Large Online Search Engines ("VLOSES") for the purposes of studying systemic risks in the EU stemming from the design, functioning or use of a VLOP/VLOSE and assessing mitigation measures implemented by the VLOP/VLOSE. Article 40(8) of the DSA sets out the process whereby a researcher, who has been vetted or assessed by a Digital Services Coordinator ("DSC") to have met the criteria as set out under this provision, can have a request for access to data held by a VLOP/VLOSE submitted on their behalf by the DSC. The data must be limited in scope in accordance with Article 34 and 35 of the Digital Services Act ("DSA") and deemed necessary and proportionate to the purpose of the research.

1.2

A Vetted Researcher ("VR") is a researcher who:

  • (a) applies to a DSC for VR status for specified research; and
  • (b) is formally designated as a VR by a DSC, having met the conditions that are set out in Article 40(8) of the DSA and Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 (the "Delegated Act"). for the purposes of accessing specified data for the purposes of the research outlined in their application.

1.3

It is important to note that VR status is only awarded in respect of specific research as identified in an application. Where a person who has previously been granted VR status wishes to seek access to specified data held by a VLOP/VLOSE for the purposes of other research, a new application for VR status will need to be submitted for the purposes of that other research.

1.4

In order to be designated as a VR for the purposes of specific research, a researcher must submit a detailed application to a DSC (through the DSA Data Access portal (the "Portal")) which demonstrates that they meet the criteria as set out in Article 40(8) of the DSA and related requirements set out in the Delegated Act. In summary, a researcher will need to demonstrate:

  • (a) They are affiliated to a research organisation[1];
  • (b) They are independent from commercial interests;
  • (c) They have disclosed the funding of the research;
  • (d) They can fulfil the specific data security, data protection and confidentiality requirements that correspond to the requested data and have described the appropriate technical and organisational measures that they have put and will put in place;
  • (e) Their access to the data and the time frames requested are necessary for, and proportionate to, the purpose of their research;
  • (f) The planned research will be carried out for the sole purpose of contributing to an understanding of systemic risk in the EU stemming from the design, functioning or use of the relevant VLOP/VLOSE and the assessment of risk mitigation measures implemented by that VLOP/VLOSE; and
  • (g) They are committed to making the research results publicly available free of charge, within a reasonable period after the completion of the research.

1 The term 'research organisation' has a specific definition, which is detailed further below.

1.5

Where a DSC decides to designate a person as a VR for the specified research, the DSC will then issue a reasoned request for access to the data described in the application to the relevant VLOP/VLOSE. The VLOP/VLOSE will then be required to provide the VR with access to the specified data by way of the access modalities specified in the request, within a reasonable period specified in the request.[2]

2 This is subject to the entitlement of a VLOP/VLOSE to request an amendment to the reasoned request, which is detailed further below.

2. Overview of Guidance

2.1

Coimisiún na Meán ("An Coimisiún") has developed this Guidance to outline the following:

  • (a) The form and manner in which applications for VR status are to be made; and
  • (b) An overview of the process for the assessment of applications for VR status.

2.2

The Guidance is informed by Irish and European legislation, in particular the DSA, the Broadcasting Act 2009 (the "2009 Act") and the Delegated Act.

2.3

It is not legal advice, it is not binding on An Coimisiún and it is not intended to have any impact on how any statutory provision is interpreted or applied. The Applicant(s) and VLOP/VLOSE are advised to obtain their own independent legal advice on the relevant statutory provisions. This Guidance may be updated and amended by An Coimisiún as considered necessary and appropriate and, subject to its obligations under applicable law, An Coimisiún reserves the right to amend its process as it sees fit.

3. Overview of VR status application process

3.1

The VR status application process begins with the Applicant's registration as a researcher on the Portal.

3.2

Once the Applicant has registered as a principal or applicant researcher on the Portal, the Applicant will be able to access the private researcher-only area of the site. Here is where the Applicant submit applications for VR status for specific research.

3.3

In line with the 2009 Act[3], An Coimisiún has specified the form and manner in which an application must be made. The elements that an application is required to contain in order to be deemed complete and to proceed to the substantive assessment stage (the "Application Requirements") are described in section 5 below. The Applicant(s) should consult the Application Requirements before submitting any application, as failure to comply with the Application Requirements may lead to application being rejected as incomplete (meaning that it will not proceed to the substantive assessment stage).

3 S187(1) Broadcasting Act 2009

3.4

When submitting an application via the Portal, the Applicant(s) will have the option to submit an application to:

3.5

The DSC of the EU Member State in which the main establishment of the provider of the VLOP or VLOSE is located or, where the provider has no establishment in the EU, where its legal representative resides or is established (referred to as the DSC of Establishment ("DSCoE"));

3.6

or The DSC of the EU Member State where the Applicant(s) affiliated research organisation is based (and, where this Member State is different from the EU Member State of the DSCoE of the VLOP or VLOSE, this DSC shall be referred to as the DSC of Origin ("DSCoO")).

3.7

Where the Applicant(s) submits an application to their DSCoO, the DSCoO will carry out an initial assessment of the application before transmitting it to the DSCoE. The DSCoE will then assess the application and will make a final decision on the application. If the DSCoO deems the application is incomplete, the DSCoO will transmit the initial assessment to the DSCoE, notifying the DSCoE of this initial view. Upon receipt of the initial assessment, the DSCoE will proceed with consideration of the application.

3.8

All applications must, at a minimum, be consistent with the Application Requirements. On receipt of an application, An Coimisiún will carry out what is referred to as a "Completeness Check" to ensure that the application complies with the Application Requirements. Where an application does not comply with the Application Requirements, the application will be deemed incomplete and will be rejected on that basis, without An Coimisiún proceeding to assess the substance of the application.

3.9

Applicants are responsible for ensuring that all information in their application is accurate, this includes details regarding the research organisation with which they are affiliated, and, in particular contact details for that organisation.

3.10

It should be noted that Coimisiún na Meán, as a DSCoE will assess applications and supporting documents submitted in the English or Irish languages only.

3.11

Where an application is rejected by An Coimisiún on the basis that it is incomplete, the Applicant(s) is encouraged to resubmit a new application, that complies in full with the Application Requirements. For the avoidance of doubt, in these circumstances the Applicant(s) must submit a new application via the Portal. It is not possible to seek to supplement or update an initial application where that has been rejected, and An Coimisiún will not be in a position to consider any information or documentation submitted to it in connection with an application that has been rejected.

3.12

Where an application is deemed complete, it will proceed to the assessment phase

("Assessment"). Where a DSCoO has carried out an initial assessment, this initial assessment will be considered by An Coimisiún as DSCoE in its assessment of the application. The Assessment will involve An Coimisiún considering the application and supporting documentation provided with a view to deciding whether the Applicant(s) has demonstrated that they have met the conditions set out in Article 40(8) of the DSA, and the related requirements set out in Article 8 of the Delegated Act.

3.13

In the course of the Assessment, An Coimisiún may request further information from the Applicant(s) regarding an application. As detailed below, An Coimisiún may also provide the relevant VLOP/VLOSE with the opportunity to submit comments on an application. When requesting information and/or providing the opportunity to submit comments, An Coimisiún will specify a time period in which the information and/or comments should be provided.

3.14

In circumstances where strict timelines are provided for the conduct of an assessment and delivery of a decision by An Coimisiún as DSCoE, the delivery of additional information requested and/or comments by the Applicant(s) or a VLOP/VLOSE, as appropriate, will be time sensitive.

3.15

In light of this time sensitivity, it should be noted that failure by an Applicant(s) to provide the information requested by An Coimisiún within the time period set out may impact the ability of An Coimisiún to proceed with the Assessment of the application. In addition, a failure of the Applicant(s) to provide the information requested by An Coimisiún may lead to a decision that the Applicant(s) has not demonstrated that they meet the designation conditions and related requirements.

3.16

An Coimisiún may consult with subject matter experts in the course of the Assessment, which may require the sharing of documents in the Application.

3.17

It may be necessary for An Coimisiún to share information contained in the application and supporting documents with the relevant VLOP/VLOSE in order to provide an opportunity to submit comments on the application prior to a decision being made. Similarly, in certain circumstances, it may be necessary for An Coimisiún to share information contained in the submissions made by a VLOP/VLOSE with an Applicant in advance of a decision being made. In addition, An Coimisiún is also obliged to publish an overview of a reasoned request in the DSA data access portal once it is formulated.

3.18

In light of this, if there is any information in an application and supporting documentation and/or submissions which the Applicants and/or VLOPS/VLOSES consider to be confidential, the Applicant(s) and VLOPS/VLOSES should clearly identify that information and explain why they believe it should not be shared or published. Confidential information may include commercially sensitive information (whether to the Applicant(s) or VLOP/VLOSE or to another party, such as the research organisation with which the Applicant(s) are affiliated).

3.19

When claiming that information is confidential, Applicants and VLOPS/VLOSES should:

  • (a) Identify those specific pieces of information in respect of which confidentiality is claimed;
  • (b) Explain the basis upon which confidentiality is claimed and, in doing so, clearly identify the harm that would result from the disclosure of the information claimed to be confidential;
  • (c) Provide i) a non-confidential version and ii) a confidential version of each of the relevant documents to An Coimisiún. The non-confidential version of relevant documents should redact the information in respect of which confidentiality is claimed; and
  • (d) provide a non-confidential summary of information in respect of which confidentiality is claimed.

3.20

Please note that, in general terms, Applicants and VLOPS/VLOSES may not claim confidentiality over an entire document or whole sections of a document. It should be possible to protect confidential information with limited redactions; entirely blank or blacked-out pages without justification will not be accepted. An Coimisiún retains the discretion to share or publish whatever information An Coimisiún considers necessary.

3.21

An Coimisiún is required to determine an application within 80 working days of the date on which it is submitted. This 80 working day period can be extended where this is justified. Where An Coimisiún requires additional time to make its decision, it will notify the Applicant(s) of same, explaining the basis on which additional time is required and notifying the Applicant(s) of a new date by which the application will be determined.

3.22

The Applicant(s) will be notified of An Coimisiún's decision regarding the application via the Portal (the "Application Decision"). Where An Coimisiún decides to designate the Applicant(s) as a VR for the specified research, An Coimisiún will proceed to issue a reasoned request for access to data to the relevant VLOP/VLOSE concerned (the "Reasoned Request").

3.23

On receipt of the Reasoned Request, the VLOP/VLOSE must either proceed to provide the Applicant(s) with access to the requested data within the time period specified in the Reasoned Request, in accordance with the terms of the Reasoned Request or, within 15 days of receipt of the Reasoned Request, submit a proposal for an amendment to the Reasoned Request (an "Amendment Request") on the basis that:

  • (a) They do not have access to the data; or
  • (b) Giving access to the data would lead to significant vulnerabilities in the security of their service or the protection of confidential information, in particular trade secrets.

3.24

An Coimisiún will determine any Amendment Request submitted to it in accordance with the DSA and Delegated Act within a further 15 days. To enable An Coimisiún to make its determination, it may issue requests for information to the Applicant(s) and/or the VLOP/VLOSE concerned and/or consult with subject matter experts. If the amendment proposal is accepted by An Coimisiún, a new Reasoned Request will be formulated by An Coimisiún and issued to the VLOP/VLOSE, who will then be required to comply with the revised terms of the Reasoned Request. The Applicant(s) will be notified of the decision of An Coimisiún in relation to any Amendment Request and provided with the amended Reasoned Request, where applicable.

3.25

The Applicant(s) will also be notified through the Portal in the event An Coimisiún decides that the application does not demonstrate that the Applicant(s) meet the designation conditions and related requirements and, accordingly, refuses to designate the Applicant(s) as a VR for the specified research. Where an application has been refused, if the Applicant(s) wish to challenge the refusal, the Applicant(s) will have 14 days from the date of service of the notification of this decision to request a review by an independent reviewer (a "Review Request") of the Application Decision.

4. How to apply

4.1

Applications must be submitted via the Portal.

4.3

To access the features available on the private area of the Portal, which is necessary in order to make an application, each researcher needs to have EU login credentials and a profile created on the Portal.

4.3

Each researcher participating in a VR status application should have a dedicated profile created on the Portal for submitting VR status applications as principal researcher or as applicant researcher on the VR status application.

5. Application Requirements

5.1

An application shall be made in the form and manner specified by An Coimisiún[4] and this section of the Guidance sets out what an application must contain in order for it to be considered by An Coimisiún to be a complete application. Failure to comply with the Application Requirements may lead to an application being rejected as incomplete meaning that it will not proceed to the Assessment stage.

5.2

The Applicant(s) is responsible for demonstrating that they satisfy the conditions set out in Article 40(8) of the DSA and related requirements set out in the Delegated Act and the Applicant(s) must submit all of the information and the documentary evidence specified in this Guidance and/or as may be requested at a later stage by An Coimisiún. It is important that the Applicant(s) ensure full and accurate information is provided to avoid any delays to the application process and to avoid an application being closed on the basis that it is incomplete.

5.3

In assessing an application, An Coimisiún will have regard to the information submitted by the Applicant(s) and also to information available to it from its own independent information- gathering and research that may be relevant to its verification of the information submitted by the Applicant(s). An Coimisiún may also take into account information provided to it by the VLOP/VLOSE in connection with an application.

4 Section 187(1) of the 2009 Act.

6. Information to be provided in respect of each of the conditions in Article 40(8) and related requirements in the Delegated Act in order for an application to be considered complete

6.1

Article 40(8)(a) - Demonstrating Affiliation to Research Organisation

For each applicant researcher, the application must demonstrate (i) affiliation to a research organisation. For these purposes 'research organisation' has the definition given to it in Article 2, point (1), of Directive (EU) 2019/790 of the European Parliament and of the Council and includes civil society organisations that are conducting scientific research with the primary goal of supporting their public interest mission (a "Research Organisation"). In order to be deemed complete, the application must contain information and documentation which will allow An Coimisiún to assess, in respect of each applicant researcher, their affiliation to a Research Organisation.

This may include, but is not limited to, providing at least one and, in some situations, more than one, of the items listed below. Applicants should consider, having regard to their particular circumstances, what information and documentation should be provided in order for their application to demonstrate affiliation to a Research Organisation:

Affiliation

  • (a) Proof of legal association with a Research Organisation;
  • (b) Contract of employment for the researcher in question;
  • (c) Funding award letter;
  • (d) Ethical approval letter;
  • (e) Confirmation researcher may rely on Research Organisation's technical and organisational information security measures to address conditions set out in Article 40(8)(d).

Research Organisation

  • (a) Annual Reports, Financial Statements, Returns etc. from the legal entity showing that a significant portion of funding is allocated to research activities and the organisation operates on a not-for-profit basis;
  • (b) For public institutions, links to the legal text creating the institution;
  • (c) Links to relevant sections of the website of the Research Organisation;
  • (d) Relevant, Articles of Association, or Constitution, a public interest mission recognised by an EU Member State;
  • (e) Governance relating to the board of the Research Organisation;
  • (f) If on a not-for-profit basis, documentation evidencing the not-for-profit or charity status of the Research Organisation;
  • (g) If on a 'for profit' basis, evidence that shows that all profits are reinvested in scientific research such as annual reports or financial statements; and/or
  • (h) Confirmation that the results generated by the organisation's research are not used on a preferential basis by any party that exercises decisive influence on the organisation, including special or exclusive access, early access to findings etc.

6.2

Article 40(8)(b) - Demonstrating Independence from Commercial Interests

For each applicant researcher, the application must demonstrate independence from commercial interests. A completed declaration of independence from commercial interests must be provided by each applicant researcher.

Other documentation which may be demonstrative of independence from commercial interests includes but is not limited to documents relating to:

  • (a) The Research Organisation's ownership structure and who makes strategic decisions;
  • (b) The Research Organisation's financing model (and if the model includes multiple sources of financing, specifying same);
  • (c) Th existence of financing agreements;
  • (d) The existence of any partnership agreements;
  • (e) Any codes of conduct and ethics of the researchers as well as the conflict-of-interest policy;
  • (f) Confirmation of the absence of, or if applicable an explanation of any:
  • (i) Conflict of interest that would result in the applicant researcher not being independent from commercial interests;
  • (ii) Funding from commercial / private / semi-private entities;
  • (iii) Financial interest in any VLOP/VLOSE or competitor of any VLOP/VLOSE;
  • (iv) Previous employment with any VLOP/VLOSE or competitor of any VLOP/VLOSE within the last three years;
  • (v) A material business relationship with a VLOP/VLOSE or competitor of any VLOP/VLOSE, either directly or through any other organisation in which the applicant researcher is a partner, shareholder, director, senior employee, etc.;
  • (vi) Close familial ties with any shareholder, director, or senior employee of a VLOP/VLOSE.

6.3

Article 40(8) (c) - Information Required in Relation to the Funding of the Research

The application must disclose the funding of the research the subject of the application. To comply with this condition, information and/or documentation must be provided which discloses the funding of the research, to include details on financial and non-financial contributions supporting the research the subject of the application.

This may include, but is not limited to, the documents and information listed below. The Applicant(s) should consider their particular circumstances, and determine what information and documentation should be provided in order to demonstrate that their application discloses the funding of the research:

  • (a) Details of financial contributions, both public or private, supporting the research project for which the data are requested and the dates of any relevant funding. This should include financial contributions already obtained at the time of the submission of the application or possible financial contributions which have been applied for but in respect of which decisions are pending;
  • (b) Details of non-financial contributions the research project would benefit from, such as contributions in-kind, the use of facilities, or structural reliance on expertise;
  • (c) Details of any indirect funding, such as sources of salaries or other payments of researcher;
  • (d) Copy of any funding award letter;
  • (e) Copy of any grant agreement;
  • (f) A declaration signed by each applicant researcher, declaring that except for the third- party funding disclosed by the applicant researcher, the applicant researcher does not intend to rely on any funding to perform the research other than indirect funding or non- financial support provided by the applicant researcher's Research Organisation of affiliation;
  • (g) Information on funding as to any arrangements in place to bridge funding or otherwise support the work should the current funding award end before the data access duration date.

The information provided by the Applicant(s) should include details of any contributions, such as the funding entity, the amount, the nature and duration of the contribution, including whether the funding has already been awarded or is still under evaluation, as well as, where applicable, relevant references to EU funded projects.

Where available, the VR status application should also include the outcomes of evaluations conducted by the entity providing the funding.

6.4

Article 40(8)(d) - Demonstrating capability to fulfil specific data security, confidentiality, and personal data protection requirements

The application must demonstrate that the Applicant(s) are capable of fulfilling the specific data security and confidentiality requirements corresponding to the requested data and to protect personal data (where relevant).

The application must include information on the identified risks in terms of confidentiality, data security and personal data protection related to the data that would be accessed, a description of the technical, legal and organisational measures that will be put in place, including, where possible, suggested access modalities, to mitigate such risks when processing the requested data.

This must include:

  • (a) Description of technical, legal, and organisational measures to mitigate the above risks;
  • (b) Identification of data security and confidentiality risks associated with the request;
  • (c) Details on proposed access modality and its associated technical security measures;
  • (d) Description of whether the data is pseudonymised or relates to an individual who is identified or identifiable without the need for any additional information;
  • (a) Information demonstrating compliance with data protection legislation, including an assessment of the risks that the processing of personal data would entail for data subjects
  • (b) Relevant data protection documentation identifying the roles and responsibilities within the meaning of data protection legislation;
  • (c) Description of the legal basis to be used under GDPR; and
  • (d) Description of technical, organisational and legal measures to mitigate the risks relating to personal data.

Further guidance in respect of compliance with Article 40(8)(d) is set out below under different headings.

Data Security

Documents which may be provided in order to demonstrate that the Applicant(s) can fulfil the specific data security requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. The Applicant(s) should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) ICT Security assessment;
  • (b) Security accreditation of investigators or entities;
  • (c) Software security assessments or technical assessments;
  • (d) Detailed description of technical security measures of proposed access modality;
  • (e) Privacy policies of Secure Processing Environment (SPE);
  • (f) Contract and T&Cs of SPE;
  • (g) ISO Standards certification;
  • (h) IT security documentation related to Research Organisation IT (if relevant);
  • (i) Data Management Plan (DMP) with Research Organisation review/ recommendations;
  • (j) Data Protection Impact Assessment (DPIA) with Data Protection Officer (DPO) review/ recommendations;
  • (k) Record of Processing Activities (ROPA);
  • (l) Any other documentation which demonstrates the implementation of data security best practices; and
  • (m) Declaration signed by Research Organisation that the researcher may use the research organisation's technical and organisational measures to fulfil the data security requirements that correspond to the requested data.

Data Confidentiality

Documents which may be provided in order to demonstrate that the Applicant(s) are capable of fulfilling the specific data confidentiality requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. Applicants should consider, having regard to the subject matter of the application, what documentation should be provided for this purpose.

  • (a) Data Management Plan with Research Organisation review/recommendations;
  • (b) Data Flow Diagram (DFD);
  • (c) Data Protection Impact Assessment (DPIA) with DPO review/ recommendation;
  • (d) Record of Processing Activities (ROPA);
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation;
  • (f) Statement of understanding that only aggregate or summary results should be published;
  • (g) Statement of understanding that raw or individual level data should not be published;
  • (h) Declaration signed by Research Organisation that the researcher may use the Research Organisations technical and organisational measures to fulfil the data confidentiality requirements that correspond to the requested data.

Personal Data Protection

Documents which may be provided in order to demonstrate that the Applicants(s) are capable of fulfilling the specific personal data protection requirements corresponding to the requested data include, but are not limited to, one or more of the documents listed below. The Applicant(s) should consider, having regard to the subject matter of your application, what documentation should be provided for this purpose:

  • (a) Data Management Plan (DMP) with Research Organisation review/ recommendations;
  • (b) Data Flow Diagram (DFD);
  • (c) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations;
  • (d) Record of Processing Activities (ROPA);
  • (e) Any involvement with National Data Protection Authority (DPA) should be attached as supporting documentation;
  • (f) Statement of understanding that only aggregate or summary results should be published;
  • (g) Statement of understanding that raw or individual level data should not be published;
  • (h) Statement that no attempt to reidentify data subjects will be made;
  • (i) Declaration signed by research organisation that the researcher may use the research organisation's technical, organisational and legal measures to fulfil the personal data protection requirements that correspond to the requested data;
  • (j) Description of the legal basis to be used under GDPR.

Technical Measures to Protect Data

In order to comply with the condition that the Applicant(s) demonstrate in the application the appropriate technical measures that the Applicant(s) has put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of the application, what documentation should be provided for this purpose:

  • (a) Detailed description of technical security measures of proposed access modality;
  • (b) ISO 27001, ISO 27002, ISO 27701 Certification or similar;
  • (c) SOC2 Attestation Report or similar;
  • (d) NIS2 Directive compliance or similar; and/or
  • (e) A declaration signed by Research Organisation that the researcher may use the Research Organisation's technical measures to fulfil the technical measures requirements that correspond to the requested data.

Organisational Measures to Protect Data

In order to comply with the condition that the Applicant(s) demonstrate in the application the appropriate organisational measures that have been put and will put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of the application, what documentation should be provided for this purpose:

  • (a) Data sharing agreement;
  • (b) Non-disclosure agreements;
  • (c) Data management policies;
  • (d) Ethical or methodological review/approval;
  • (e) Data Protection Training certificates or similar;
  • (f) Data Breach policy of Research Organisation;
  • (g) Undertaking by researcher prohibiting them from disclosing the data to any person(s) not named in their application, prohibition against the use or disclosure of data in any manner that was not described in the application;
  • (h) Declaration signed by the Research Organisation that the researcher may use the Research Organisation's organisational measures to fulfil the organisational measures requirements that correspond to the requested data.

Legal Measures to protect Data

In order to comply with the requirement that the Applicant(s) demonstrate in the request the appropriate legal measures that have been put in place having regard to data security and confidentiality and, if applicable, personal data protection, documents to be provided may include those listed below. Applicants should consider, having regard to the subject matter of the application, what documentation should be provided for this purpose;

  • (a) Data sharing agreement;
  • (b) Non-disclosure agreement;
  • (c) Data processing agreement with any third party who will process the data on your behalf;
  • (d) Other contractual protections.

Special Considerations for International Personal Data Transfers

Some or all of the data that will be accessed by the Applicant(s) if granted VR status might not constitute personal data. However, if the Applicant(s) will access any personal data, the application should indicate whether there will be any 'international personal data transfer' for the purposes of the GDPR. An international personal data transfer is the transfer of personal data to a country outside of the European Economic Area ("EEA").

The meaning of transfer is extremely broad. It does not require a physical handover of data or direct transfer and can include remote access from a third country. Some examples of what may constitute an international personal data transfer includes, but is not limited to:

  • (a) A situation where the Applicant(s) /the affiliated Research Organisation is located/established in a country outside the EEA;
  • (b) A situation where the Applicant(s) /the affiliated Research Organisation is located/established within the EEA; however the data will be hosted/provided/accessed on a platform which is outside the EEA.

If an international personal data transfer will be involved should the Applicant(s) be granted VR status, the application must demonstrate that the Applicant(s) will ensure compliance with the obligations under the GDPR in connection with such transfer, i.e. that the access will be covered by:

  • (a) The third country being covered by an 'adequacy decision,'
  • (b) Appropriate safeguards for data subjects' rights (e.g. the Applicant will enter into Standard Contractual Clauses governing the transfer and that a positive Transfer Impact Assessment has been completed).

6.5

Article 40(8) (e) - Demonstrating Proposed Access and Time Frames are necessary for, and proportionate to the purpose of the research

The application must demonstrate that access to the data and the time frames requested are necessary for, and proportionate to, the purposes of the Applicant(s) research, and that the expected results of that research will contribute to the purposes laid down in Article 40(4) DSA. Article 40(4) provides for access to data "for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the Union, as set out in Article 34(1), and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35."

The application must contain:

  • (a) A description of the data requested, including format, scope and, where possible, the specific attributes, relevant metadata and data documentation, also considering the information made available pursuant to Article 6(4) of the Delegated Act (i.e. information in the VLOP/VLOSE's DSA data catalogue);
  • (b) Information on the necessity and proportionality of the access to the data and the time frames for the purposes of the research for which the data are requested; and
  • (c) A description of the research activities to be conducted with the requested data and an estimation of the required duration of the access.

Further guidance in respect of compliance with Article 40(8)(e) is set out below under different headings.

Necessity and Proportionality of Access

In order to demonstrate that the access to data from the Applicant(s) request is necessary and proportionate, documents to be provided may include those listed below. The Applicant(s) should consider, having regard to the subject matter of the application, what documentation should be provided in order to demonstrate that the access to data requested is necessary and proportionate:

  • (a) Data Management Plan (DMP) with Research Organisation review / recommendations
  • (b) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations
  • (c) Necessity assessment or other such documentation demonstrating the access to data are necessary; and
  • (d) Proportionality assessment or other such documentation demonstrating the access to data are proportionate.

In respect of the necessity and proportionality of access, an application should consider, and where appropriate, address the following:

A clear description of data variables requested is expected, which should include format, scope and where possible specific attributes, relevant metadata, and data documentation. Researchers should ask for the exact data they require access to and that they believe the VLOP/VLOSE may have;

  • (a) Each variable or groups of variables (particularly where personal data is concerned) must be necessary for the project and this should be described by the researcher;
  • (b) Researchers should demonstrate that the amount, scope, granularity, and type of data requested do not exceed what is necessary to achieve the research objectives;
  • (c) Researchers should describe how the data and data format were selected;
  • (d) Whether data requested are aggregate data or individual level data;
  • (e) Whether data requested are anonymous, pseudonymised or identifiable data;
  • (f) Researchers should provide a description of why these data must be used (as opposed to aggregate data or anonymous data for example);
  • (g) Researchers should consider whether there is a less intrusive way to complete the research;
  • (h) Is the amount of data being collected comparable to that used in other research projects or articles on the same topic?
  • (i) Any data minimisation is clearly described and justified;
  • (j) That the research question/hypothesis is sound and is achievable with the data requested;
  • (k) That the access requested balances the impact on the rights and interests (e.g. commercial interests, interests in confidential information, intellectual property rights, data protection rights, etc.) of (i) the data subjects; (ii) the VLOP/VLOSE; and (iii) any other affected third parties, and researchers should describe their assessment of same; and
  • (l) The importance of the objective should be described.

Necessity and Proportionality of Timeframe of Access

In order to demonstrate that the timeframe of access to data requested is necessary and proportionate, documents to be provided may include:

  • (a) Data Management Plan (DMP) with Research Organisation review/recommendations;
  • (b) Data Protection Impact Assessment (DPIA) with DPO review/ recommendations;
  • (c) Necessity assessment or other such documentation demonstrating the timeframe to data are necessary; and/or
  • (d) Proportionality assessment or other such documentation demonstrating the timeframe to data are proportionate.

In respect of the necessity and proportionality of timeframe of access, an application should address the following:

  • (a) A description of the timeframe in relation to the data requested, including whether it is requested as at a set timepoint, or over a time range;
  • (b) A description of how long the researcher will need access to data for and a justification of why the timeframe is necessary;
  • (c) A justification of the data retention period described;
  • (d) A breakdown of the research project timeline, i.e., the duration of data cleaning, data analysis, report writing, peer review, publication etc;

Applicants should demonstrate why the timeframe for access to data requested is adequate to achieve the envisaged objective of the research.

In cases whereby Applicants request access to live systems, or live data, they should explain why it is proportionate, and why the research could not be achieved through the examination of historical data.

Expected Results

In addition, Applicants must describe how the results sought to be achieved will contribute toward the detection, identification and understanding of systemic risks in the EU, as set out pursuant to Article 34(1) of the DSA, and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35 of the DSA, and should describe both the benefits and risks associated with the proposed research. A Data Management Plan or Data Protection Impact Assessment with Research Organisation review will again be considered by An Coimisiún in this regard.

6.6

Article 40(8) (f) - Demonstrating that research activities will be carried out for the purposes laid down in Article 40(4) DSA

In order to comply with the condition that the Applicant(s) demonstrate that the research activities will be carried out for the purposes laid down in Article 40(4) DSA, the Applicant(s) must provide the following documentation and information:

  • (a) A description of the research activities to be conducted with the requested data and an estimation of the required duration of the access;
  • (b) A summary of the application including the research topic; and
  • (c) A description of the purpose pursuant to DSA Articles 34 and 35. This should cover research activities and methodology and give details of how they are connected to Article 34 (systemic risks) and Article 35 (mitigation measures) and related to the specific VLOP/VLOSE.

A link should be made between the systemic risks and the design or functioning of the VLOP/VLOSE's service and its related systems or use of the VLOP/VLOSE's service. An Coimisiún will assess whether the application demonstrates that the research described does or will be carried out for the purposes of contributing to the detection, identification and understanding of systemic risks in the EU stemming from the design, functioning or use of the VLOP/VLOSE, and to the assessment of the adequacy, efficiency and impacts of risk mitigation measures.

The application should describe the specific systemic risks in the EU stemming from the design or functioning of the service in question and its related systems, including algorithmic systems, or from the use made of said services that are the intended focus of the research. The following non-exhaustive examples of such systemic risks are set out in the DSA:

  • (a) The dissemination of illegal content through the VLOP/VLOSE;
  • (b) Any actual or foreseeable negative effects for the exercise of fundamental rights;
  • (c) Any actual or foreseeable negative effects on civic discourse and electoral processes, and public security;
  • (d) Any actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person's physical and mental well-being.

Other potential systemic risks include any systemic risks identified by the relevant VLOP/VLOSE in its own risk assessments performed under the DSA. Applicant(s) should also include a confirmation that there is no other intended use of the data outside of this research.

6.7

Article 40(8)(g) - Demonstrating Commitment to Publication of Research

The application must demonstrate that the Applicant(s) are committed to making the research results publicly available, free of charge, within a reasonable period after the completion of the research, subject to the rights and interests of the recipients of the service concerned, in accordance with the GDPR.

Each applicant researcher must provide a written commitment to make research results publicly available, free of charge, subject to the rights and interests of the recipients of the service under the GDPR. Information should also be provided as to the way in which it is expected that the results will be made publicly available, free of charge and a timeframe should be proposed for same.

7. Further guidance in respect of applications

7.1

The application submitted by the Applicant(s) must comply with the requirements set out below:

  • (a) Declaration: The application should include a Declaration signed by the Applicant(s) certifying that the information contained in the application form and documentary evidence relating to the Applicant(s) is true and correct to the best of their knowledge and belief.
  • (b) False or misleading information: The Applicant(s) must not include any false or misleading information in the application. Under section 202(1) of the 2009 Act, persons who knowingly or recklessly provides false or misleading information to An Coimisiún in relation to an application for VR status shall be guilty of a category 2 criminal offence. A person guilty of a category 2 offence shall be liable on summary conviction, to a class A fine (a fine not greater than €5,000) or imprisonment for a term not exceeding 12 months or both, or on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.
  • (c) Changes: The Applicant(s) must notify An Coimisiún, promptly of any changes that occur, between the date of submission of the application and the date on which the Applicant(s) receive notice of An Coimisiún's decision on the application, to any material information contained in the application and/or to any supplemental information that was provided subsequent to the submission of the initial application as requested by An Coimisiún to support its assessment of whether the Applicant(s) met the requirements to be awarded VR status. Where there are changes to the information that was provided in the application which An Coimisiún considers to be material, this may necessitate the submission of a new application.
  • (d) Publication: An Coimisiún is required to publish an overview of any reasoned request that is issued to a VLOP/VLOSE in the public interface of the DSA Data Access Portal. This shall include a summary of your application (if successful) and the access modalities as determined pursuant to Art. 9 of the Delegated Act.
  • (e) Confidential Information: As detailed above at paragraph 3.14 and 3.15, Applicant(s) and VLOPS/VLOSES should bear in mind that An Coimisiún may share or publish information contained in the application and supporting documents and/or submissions in certain circumstances. In light of that, if there is any information in the application or supporting documents and/or submissions which the Applicant(s) and/or VLOPs/VLOSES consider to be confidential, Applicant(s) and VLOPS/VLOSES should clearly identify that information and explain why they believe it should not be shared or published. This is addressed in further detail at paragraph 3.14 and following above.
  • (f) Freedom of Information: Access to records held by An Coimisiún may be requested by persons under the Freedom of Information Act 2014 ("FOI Act"). The provisions of the FOI Act exempt certain records from release, including if they are records containing commercially sensitive information or confidential information or personal information. An Coimisiún will consult with the Applicant(s) in respect of any records relating to the Applicant(s) that are within the scope of a FOI request received by An Coimisiún prior to making a decision under the FOI Act, where it is required to do so under the FOI Act.
  • (g) Personal Data: An Coimisiún is obligated and committed to protecting all personal data submitted in accordance with its obligations under the General Data Protection Regulation, the Data Protection Act 2018 and any other applicable data and privacy laws and regulations. An Coimisiún's published privacy policy can be found at: Coimisiún na Meán | Data Protection (cnam.ie). A supplemental privacy notice with regard to the processing of personal data provided by applicants in relation to the submission of an application under Article 40(4) of the DSA can be found here: Vetted Researcher Data Access Supplemental Privacy Statement - Coimisiún na Meán. Any personal data collected by An Coimisiún in connection with an application will be used only for the purposes stated in the supplemental privacy notice.
  • (h) Please note that all documents and information submitted as part of a VR status application should only be submitted through AGORA. Applications or related materials submitted directly to An Coimisiún will not be responded to and will not be considered. Any queries or requests for clarification in relation to the contents of this Guidance should be directed to Article40@cnam.ie.

8. Access Modalities

8.1

If the Applicant(s) is designated as a VR and a Reasoned Request is issued, the Reasoned Request will include details of any access modalities that An Coimisiún requires the VLOP/VLOSE to use when providing the Applicant(s) with access to the data.

8.2

When determining the access modalities to be included in a Reasoned Request, An Coimisiún is required to take into account any access modalities proposed by the Applicant(s) in the application and any access modalities proposed by the VLOP/VLOSE to be used in connection with data the VLOP/VLOSE has stated is available in its DSA data access catalogue. However neither of these proposals is binding on An Coimisiún.

8.3

The VLOP/VLOSE and the Applicant(s) will be required to comply with whatever access modalities are specified by An Coimisiún in the Reasoned Request. These may include technical, legal or organisational measures to be used by the VLOP/VLOSE when providing the Applicant(s) with access to the data. They may include, for example:

  • (a) Whether a secure processing environment is necessary to process the data;
  • (b) Relevant network security measures, encryption, access control, mechanisms, backup policies, data integrity mechanisms, incident response plans;
  • (c) Storage periods and data destruction plans;
  • (d) Internal review processes, restrictions of access rights and information sharing; and
  • (e) Any contractual requirements, such as non-disclosure agreements or data sharing agreements.

8.4

If the specified access modalities include a requirement that the VLOP/VLOSE enter into a data sharing agreement or any other contractual arrangement with the Applicant(s), then the Applicant(s) and the VLOP/VLOSE will be required to enter into that contractual arrangement and the Applicant(s) will be subject to contractual obligations to the VLOP/VLOSE in connection with the access to the data.

9. After an application for VR status is approved

9.1

If the Applicant(s) are designated as a VR and a Reasoned Request is issued, the Applicant(s) must comply with the designation conditions set out in Article 40(8) of the DSA and related requirements set out in the Delegated Act and implement the technical, legal and organisational measures that the Applicant stated would be put in place in the application when accessing the data and performing the research within the scope of the Reasoned Request. If the Applicant(s) fail to do so then this may result, among other things, access to the data within the scope of that Reasoned Request being terminated under Article 40(10) of the DSA and Chapter 2 of Part 15 of the 2009 Act.

9.2

An Coimisiún may commence an investigation for the purposes of determining whether researchers who have been granted the status of VR continue to meet the designation conditions as set out in Article 40(8) of the DSA, at any time. An Coimisiún may do this of its own volition or based on information provided to it by any third party including but not limited to the relevant VLOP/VLOSE. Subject to the outcome of such an investigation, An Coimisiún may terminate the Applicant(s) data access if it determines that the Applicant(s) no longer meet the designation conditions. Where it is proposed to terminate the data access, the Applicant(s) will be notified of this proposal and will have an opportunity within 14 days, to make representations or to request a review of the proposed termination by an independent person. If the Applicant(s) data access is terminated, the VLOP/VLOSE will no longer be required to provide the Applicant(s) with access to the data within the scope of the Reasoned Request.

9.3

If the Applicant(s) access to data within the scope of a Reasoned Request is not terminated early, then the Applicant(s) access to that data will expire on the date specified in the Reasoned Request.

9.4

Further to the commitment the Applicant(s) provided in the application, the Applicant(s) will be required to make the results of the research publicly available free of charge within a reasonable period after the completion of the Applicants(s) research.