Ga verder naar contentGa verder naar content en skip ook inhoudsopgave
In- en Uitvoer
Home

Commission Delegated Regulation (EU) 2024/436 of 20 October 2023 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council, by laying down rules on the performance of audits for very large online platforms and very large online search engines

Commission Delegated Regulation (EU) 2024/436 of 20 October 2023 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council, by laying down rules on the performance of audits for very large online platforms and very large online search engines

SECTION I General provisions

Article 1 Subject matter

This Regulation lays down rules on the performance of audits pursuant to Article 37 of Regulation (EU) 2022/2065, as regards:

  1. the procedural steps for ensuring that the auditing organisation to be selected fulfils the conditions laid down in Article 37(3) of Regulation (EU) 2022/2065;

  2. the procedural steps for cooperation and assistance by the audited provider in the performance of audits, including accessing relevant information with a view to obtaining audit evidence;

  3. the definition and selection of auditing methodologies;

  4. the templates for the audit report and the audit implementation report.

Article 2 Definitions

For the purpose of this Regulation, the following definitions shall apply:

  1. ‘auditing organisation’ means an individual organisation, a consortium or other combination of organisations, including any sub-contractors, that the audited provider has contracted to perform an independent audit in accordance with Article 37 of Regulation (EU) 2022/2065;

  2. ‘audited service’ means a very large online platform or a very large online search engine designated in accordance with Article 33 of Regulation (EU) 2022/2065;

  3. ‘audited provider’ means the provider of an audited service which is subject to independent audits pursuant to Article 37(1) of that Regulation;

  4. ‘audited obligation or commitment’ means an obligation or commitment referred to in Article 37(1) of Regulation (EU) 2022/2065 which forms the subject matter of the audit;

  5. ‘audit criteria’ means the criteria against which the auditing organisation assesses compliance with each audited obligation or commitment;

  6. ‘audit evidence’ means any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed;

  7. ‘misstatement’ means an intentional or unintentional omission, misrepresentation or error in the declarations or data reported or provided by the audited provider to the auditing organisation, or in the testing environment made available by the audited provider to the auditing organisation;

  8. ‘audit risk’ means the risk that the auditing organisation issues an incorrect audit opinion or reaches an incorrect conclusion concerning the audited provider’s compliance with an audited obligation or commitment, considering detection risks, inherent risks and control risks with respect to that audited obligation or commitment;

  9. ‘detection risk’ means the risk that the auditing organisation does not detect a misstatement that is relevant for the assessment of the audited provider’s compliance with an audited obligation or commitment;

  10. ‘inherent risk’ means the risk of non-compliance intrinsically related to the nature, the design, the activity and the use of the audited service, as well as the context in which it is operated, and the risk of non-compliance related to the nature of the audited obligation or commitment;

  11. ‘control risk’ means the risk that a misstatement is not prevented, detected and corrected in a timely manner by means of the audited provider’s internal controls;

  12. ‘materiality threshold’ means the threshold beyond which deviations or misstatements by the audited provider, individually or aggregated, would reasonably affect the audit findings, conclusions and opinions;

  13. ‘reasonable level of assurance’ means a high but not absolute level of assurance, which allows the auditing organisation to assert in its audit opinion and audit conclusions whether the audited provider complies with the audited obligations or commitments, based on sufficient and appropriate evidence;

  14. ‘internal control’ means any measures, including processes and tests, that are designed, implemented and maintained by the audited provider, including its compliance officers and management body, to monitor and ensure the audited provider’s compliance with the audited obligation or commitment;

  15. ‘vetted researcher’ means a researcher vetted in accordance with Article 40(8) of Regulation (EU) 2022/2065;

  16. ‘audit procedure’ means any technique applied by the auditing organisation in the performance of the audit, including data collection, the choice and application of methodologies, such as tests and substantive analytical procedures, and any other action taken to collect and analyse information to collect audit evidence and formulate audit conclusions, not including the issuing of an audit opinion or of the audit report;

  17. ‘test’ means an audit methodology consisting in measurements, experiments or other checks, including checks of algorithmic systems, through which the auditing organisation assesses the audited provider’s compliance with the audited obligation or commitment;

  18. ‘substantive analytical procedure’ means an audit methodology used by the auditing organisation to assess information to infer audit risks or compliance with the audited obligation or commitment.

Article 3 Scope of the audit and reasonable level of assurance

1.

The audit shall be performed in a manner and for a duration that allows the auditing organisation to assess the audited provider’s compliance with all audited obligations and commitments with a reasonable level of assurance.

2.

The audit shall cover the period starting immediately after the period covered by the previous audit and ending on a date that allows the auditing organisation to perform the audit within the time frame required by Article 37(1) of Regulation (EU) 2022/2065, including by asserting its assessment pursuant to paragraph 1 based on the evidence collected and audit procedures conducted during that period, and by completing and submitting the audit report pursuant to Article 37(4) of that Regulation to the audited provider.

3.

Where no previous audit was performed, the audit shall cover the period starting four months after the notification referred to in Article 33(6), first subparagraph, of Regulation (EU) 2022/2065, and the duration of the audit shall allow for the audit report pursuant to Article 6(1) to be completed at the latest within a year as from the start of the audited period.

SECTION II Conditions for the performance of the audit

Article 4 Selection of the auditing organisation

Article 5 Cooperation and assistance between the audited provider and the auditing organisation

SECTION III Performance of audits

Article 6 Audit report and audit implementation report

Article 7 Procedures for the preparations for the audit

Article 8 Audit opinion, audit conclusions and recommendations

SECTION IV Audit methodologies

Article 9 Audit risks analysis

Article 10 Appropriate audit methodologies

Article 11 Quality of audit evidence

Article 12 Sampling methods

Article 13 Specific methodologies for auditing compliance with Article 34 of Regulation (EU) 2022/2065 on risk assessment

Article 14 Specific methodologies for auditing compliance with Article 35 of Regulation (EU) 2022/2065 on mitigation of risks

Article 15 Specific methodologies for auditing compliance with Article 36 of Regulation (EU) 2022/2065 on crisis response mechanism

Article 16 Auditing compliance with Article 37 of Regulation (EU) 2022/2065 on independent audit

Article 17 Auditing compliance with codes of conduct and crisis protocols

SECTION V Final provisions

Article 18 Entry into force

ANNEX ITEMPLATE FOR THE AUDIT REPORT REFERRED TO IN ARTICLE 6

ANNEX IITEMPLATE FOR THE AUDIT IMPLEMENTATION REPORT REFERRED TO IN ARTICLE 6