The EU's 1st Report on 'Systemic Risks' under the Digital Services Act
'Threat actors continue to explore ways to circumvent detection and enforcement, such as implying instead of explicitly stating things.' ∽ EU Board for Digital Services, 18 Nov. 2025
So, since we spoke about the EU’s so-called ‘Digital Services Act’, or DSA, earlier this week, I thought we’d talk about it some more.
Background and references via:
Reason being (drum roll) this gem from late November 2025:
European regulators, the European Commission and the Board of the Digital Services Coordinators, enforcing the Digital Service Act published a world-wide first report on the landscape of prominent and recurrent risks on very large online platforms and search engines in the European Union.
The report (pdf) identifies systemic risks such as, among others, the spread of illegal content or threats to fundamental rights, occurring on very large online platforms. It also gives a first overview of the mitigation measures taken by platforms, based on the transparency requirements under the DSA.
Key findings cover risks to mental health and to the protection of minors online; the impact of emerging technologies, such as generative AI, on online platforms; and challenges to intellectual property protection on online marketplaces. Among the notable mitigation measures highlighted are, for example, the use of automated systems to detect emojis used as code for illegal activities online, such as the sale of illegal drugs.
The report draws on platforms’ own risk assessment, audit, and transparency reports, as well as independent research on certain risks, and diverse civil society contributions.
It is the first of an annual cycle of risk landscape reports. Future editions will also expand on platforms’ best practices, as more data become available on the effectiveness of risk mitigation strategies, including through research made possible by the delegated act on data access. Over time, this will provide a long-term perspective on the most prominent and recurrent systemic risks in Europe.
And without much further ado, let’s look at the amazing results of the research™ carried out by the EU.
While the above-linked report (pdf) is in English, I’ve taken the liberty to add both emphases and [snark], for the Italics are found in the original. Enjoy.
The DSA’s First Report
Under the header, ‘what is this report about’, the curious reader learns:
The Digital Services Act (“DSA”) regulates online intermediary services, platforms such as online marketplaces [in a footnote, we learn that his means “online platforms allowing consumers to conclude distance contracts with traders” in the DSA.’], social networks, application stores, or search engines. The supervision and enforcement of the rules in the DSA is carried out by the European Commission and by authorities in Member States, notably the national Digital Services Coordinators (“DSCs”), all of which work together in the European Board for Digital Services (“the Board”).
The DSA risk management framework in Articles 34 and 35 establishes key obligations for providers of very large online platforms (“VLOPs”) and of very large online search engines (“VLOSEs”). These services have at least 45 million monthly active recipients in the Union. [line break added for emphasis]
Article 34(1) DSA establishes a requirement to “diligently identify, analyse and assess any systemic risks in the Union stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services”.
Article 35(1) DSA requires that providers of VLOPs and VLOSEs take reasonable, proportionate and effective mitigation measures tailored to the systemic risks identified in their risk assessments. In doing so, providers must have particular consideration [sic] for the impacts of such measures on fundamental rights.
Recital 90 of the DSA adds that providers of VLOPs and VLOSEs “should ensure that their approach to risk assessment and mitigation is based on the best available information and scientific insights and that they test their assumptions with the groups most impacted by the risks and the measures they take”.
These provisions are applicable to VLOPs and VLOSEs, but not to platforms or other intermediary services under the threshold of 45 million average monthly active recipients in the Union.
And now we all know that ‘systemic risks in the Union’ may derive from internet platforms and search engines.
I’m skipping over pp. 4-5 on ‘how this report was prepared’ so we can take a look at the ‘systemic risks’ that were, well, identified™ (pp. 6ff.):
There are references to plausible things, such as ‘Illegal products, services and activities’, ‘the dissemination of illegal products’, ‘Illegal services and the conduct of illegal activities’, ‘Child Sexual Abuse Material (“CSAM”)’, and ‘Terrorist content’, for instance, all of which has been illegal before the DSA existed and for which, obviously, law enforcement is the primary addressee (and not the EU Commission because it’s also about jurisdiction, which the EU Commission doesn’t have over these issues, but I digress).
Mission Creep, or: Commission Weaponises the DSA
On pp. 10ff. we get into a bunch of different categories, such as ‘Illegal hate speech and the incitement of hate crimes’, which are already in the grey area between what the criminal code proscribes (what is illegal?) and what is pushed without clear-cut legal definitions, such as ‘hate speech’ or ‘hate crimes’.
As a fun factoid aside, we may, at this junction, scratch our heads and ask: is there such a definition that EU-level regulation™ may use?
To answer this question, I refer you to the EU Parliament’s briefing document with the telling title ‘Criminalisation of hate speech and hate crime in selected EU countries’ by Beatrix Immenkamp from Nov. 2024), which holds:
Council Framework Decision 2008/913/JHA of 28 November 2008 on combating certain forms and expressions of racism and xenophobia by means of criminal law (the 2008 Council Framework Decision) criminalises hate speech and hate crime based on a range of grounds. It prohibits ‘publicly inciting to violence or hatred against a group of persons or a member of such a group defined by reference to race, colour, religion, descent or national or ethnic origin’ (Article 1(a)) [I suspect that terms & conditions apply: heterosexual white males may not apply]. It also requires that Member States take measures to ensure that racist and xenophobic motivation is considered an aggravating circumstance in their criminal laws or, alternatively, may be taken into consideration by the courts when setting penalties (Article 4).
Note that ‘an aggravating circumstance’ in legalese means that there must be a crime that’s punishable in the first place, e.g., if I attack Mohammed, Fritz, and Jacqueline with a baseball bat, it’s (aggravated) assault, but my attack on Mohammed is an aggravating circumstance because (drum roll) of his ‘race, colour, religion, descent or national or ethnic origin’.
If that hypothetical strikes you as utterly stoopid, welcome to the EU; I note, in passing, that ‘an aggravating circumstance’ in legalese is a little bit like a ‘contributing factor’ on someone’s death certificate: without an underlying illness (e.g., obesity and pneumonia), the former (e.g., a PCR test-certified infection™ with Sars-Cov-2) isn’t per se what killed you.
What the EU Commission means is that if prosecutors get considerable leeway to add ‘an aggravating circumstance’ to whatever transgression you commit at their discretion.
If you thought, well, that strikes me as being illegal and unconstitutional due to equality-under-the-law clauses, well, get the second major aspect mentioned in that briefing:
Directive (EU) 2024/1385 of 14 May 2024 on combating violence against women and domestic violence lays down rules to prevent and combat violence against women. The Directive requires Member States to criminalise hate speech against women along with other forms of gender-based cyber-violence. Article 8 of the Directive requires Member States to make it a crime to intentionally incite violence or hatred against a group of persons or a member of such a group, defined by reference to gender, by publicly disseminating material containing incitement online.
I’m going out on a limb here noting that the intentional incitement of violence and hatred is already a crime, with the main addition here being, it seems to me, the promulgation of yet another set of terms and conditions that, somehow, disadvantage heterosexual white males once more.
I think at this point, it’s fair game to cite two bits from the preamble, namely
(2) Equality between women and men and non-discrimination are core values of the Union and fundamental rights enshrined, respectively, in Article 2 of the Treaty on European Union (TEU) and in Articles 21 and 23 of the Charter of Fundamental Rights of the European Union (the ‘Charter’). Violence against women and domestic violence endanger those very values and rights, undermining women and girls’ rights to equality in all areas of life and hindering their equal societal and professional participation [if your 12yo daughter doesn’t want to share the toilet with a 50+ tranny, however, all these ‘core values’ don’t apply, and you bigot will be persecuted under the above-cited ‘hate crime’ schemes].
(3) Violence against women and domestic violence is a violation of fundamental rights such as the right to human dignity, the right to life and integrity of the person, the prohibition of inhuman or degrading treatment or punishment, the right to respect for private and family life, the right to liberty and security, the right to the protection of personal data, the right to non-discrimination, including on the grounds of sex, and the rights of the child, as enshrined in the Charter and the United Nations Convention on the Rights of the Child.
Needless to say, that directive being from 2024, all of the deliberate and otherwise made-up infractions on these ‘fundamental rights’ etc. that the EU Commission and the member-states committed vs. the citizens during the Covid shitshow don’t count.
But I digress.
There are also ‘systemic risks’ in the DSA report associated with intellectual property rights violations and ‘consumer protection’ in online marketplaces.
And here are the exemplary risks™ the DSA report™ identified:
Re Zalando: it’s a platform where individuals offer/sell used stuff, which renders is totally obvious that not all information provided is accurate.
Re AliExpress and X, I note that the EU’s main concern appears to be that the EU cannot control the information that’s there; long-term readers know that a historical analogy follows—it’s the same concern™ that bedevilled the likes of Metternich in the first half of the nineteenth century who tried, in vain, to censor liberal and socialist texts to avoid a replay of the French Revolution.
Re Facebook: that’s perhaps the most laughable part, but it also confirms that a) all Big Tech companies use AI™ and other ‘automated’ tools to police their platforms and b) that these tools don’t work really well.
The most problematic aspects here are, of course, that users may imply things rather than state them openly, which makes it very tricky to both prove a legal infraction and the intent to harm.
Do note that the Facebook risk™ explicitly relates to the use of coded emojis and the like, which brings me to p. 27, which reads:
Intentional manipulation of the services: Risk assessment reports of providers highlighted concerns about adults posing as minors, creating fake profiles, or sharing accounts with children. Providers have reported challenges in age assurance, where guardians misunderstand or mismanage age-verification processes or minors bypass verification or estimation measures by misstating their age, or where minors purchase or share fake accounts. Similarly, they noted challenges in content moderation, for example with the use of coded language and emojis to evade moderation that changes frequently (e.g. “chicken soup” referring to self-harm, “cheese pizza” referring to CSAM) [remember: CSAM is child porn, and WTF would a ‘pizza’ reference do here, esp. as the report predates the Epstein File dump]. Risk assessment reports also noted instances of children being moved/redirected off-platform towards less moderated or offline spaces, increasing risks of exploitation.
Needless to say, the future is also outlined (remember that the report™ hails from November 2025):
Account verification. Providers and CSOs also mentioned the importance of account verification as a way to prevent platforms manipulations, including two-factor authentication, the deletion of accounts of users below 13 years of age, and programmes such as “know your developer” for application stores. Providers have noted the (re)allocation of resources for monitoring and enforcing their terms and conditions, such as implementing mechanisms to prevent circumvention or coordinated attacks by bad actors. In this context, some providers, particularly online marketplaces, explained requiring, in some cases, two-factor authentication for third parties to use their services and/or publish content.
4.7. Trusted flaggers
Article 35(1)(g) DSA refers to the following mitigation measures for providers to put in place: “initiating or adjusting cooperation with trusted flaggers in accordance with Article 22 and the implementation of the decisions of out-of-court dispute settlement bodies pursuant to Article 21”.
Some providers mentioned the compilation of reports from trusted flaggers, the involvement of trusted flaggers in their product safety development processes and product updates, the creating of dashboards for trusted flaggers to follow-up on the status of their notices, the creation of partnerships with CSOs and public authorities to perform similar roles as trusted flaggers and report e.g. suspected illegal content.
Oh, look at that: in November 2025, the EU Commission noted ‘account verification’ as their aim, and by Q2 2026, all member-states plus the hapless EEC members are pushing for digital ID requirements (like in, say, Australia) to ‘save the children’.
As to the ‘trusted flaggers’, well, that’s a piss-poorly worded reference to the future growth of employment opportunities in Brussels’ fledgling bureaucracy as more and more people will be rendered unemployed due to the combo of AI™/robotics and the energy crisis.
Call me a cynic, but I ain’t buyin’ it.
Bottom Lines
This is the EU’s announcement, by the way:
I had planned on writing something witty, but anti-establishmentarian EU parliamentarian Martin Sonneborn (source) beat me to it, hence I’ll merely reproduce his comment:
No, vonderLeyen (GrandmaSmiley!) is not planning any regulation (HandcuffsSmiley!) of Emojis, even though one could certainly imagine her doing so. At any rate, not yet. WinkSmiley!
With its tweet that’s a bit incomprehensible to non-bureaucrats, the so-called Digital-Team of the so-called Digital-Commission of the so-called EU merely wants to point out to you that back in the so-called November of last year, in so-called concordance with Art. 35 (2) of the so-called Digital Services Act, the so-called European Board for Digital Services, in collaboration with the so-called Commission, produced its so-called first report.
The so-called Digital-Team is therefore informing you that both it itself and the EU Commission have now—in so-called April, i.e., a good so-called half-year later—cottoned on to the fact that the so-called Emojis you use out there in the context of your so-called communication don’t always mean exactly what one might think…The EU Commission has just made the discovery that so-called people use so-called symbols to communicate with each other—and that these symbols (Emojis) can take on a different meaning than what their pure appearance might suggest.
The paranoia triggered by this unexpected observation—Drugs! Hate! Illegal!—can, in the EU, only lead to the utterly pointless endeavor of trying to capture something that (due to its liveliness) is by nature impossible to capture. Especially not by a few—by nature dead—dead organisms like EU regulations, Commission bureaucracies & their shriveled algorithms.
Because EVERYTHING can always also mean ANYTHING ELSE—that’s the principle of language, encrypted codes & irony, the latter of which belongs so inextricably to human communication that it naturally appears in social media too…What will the binary-code specialists at the EU scrutinize next?
“The true meaning of hieroglyphs: Hate speech by Egyptologists on TikTok”?
“Mesopotamian calligraphy & child abuse”?
Do pleonasms (”wet water”) and oxymorons (”bittersweet”) endanger mental health? In children: BRAINSPLOSION, immediately?
And above all: Can subversive abbreviations (”WWRD”), ambiguous acronyms (”EU”) and absolutely spot-on elisions (”FCK YRSLF”) really remain unpunished forever?
Do check out the witty replies the EU Commission’s posting garnered since they posted this BS.





Just imagine what the EU can do with the Biden-regime created 2021 Infrastructure Investment and Jobs Act, which stipulates all cars produced and sold from January 1st 2027 must include a kill-switch that will make it impossible for you to start your car if the onboard mandatory AI (with always-online hook-up) deems you being "impaired" in some way.
Some online pundits have opined this will lead to an increase of people using older cars. It won't.
For starters, the state will mandate higher insurance rates for cars without the kill-switch.
Secondly, insurance companies will tack on extra premium costs and will refuse to pay out insurance if and when they can argue "the incident wouldn't have happened if the vehicle had had the AI-assisted safet system".
Third, the state will limit where and when you may drive "unsafe" cars.
And so on - I could pile on more such stuff, that keeps it totally "voluntary" to buy a state-corporate controlled Iphone-with-wheels.
---
Meanwhile, hard empirical data for what all the surveillance has actually achieved?
Might as well look for unicorns.