Legal:Wikimedia Foundation EU Compliance/DSA Publication Archive

Under the specific obligations of the European Union's Digital Services Act ("DSA") for Very Large Online Platforms" (VLOPs)  (which Wikipedia was designated in April of 2023), the operator of the platform is audited annually by an independent auditor regarding compliance on matters such as complaint handling, transparency reporting, and risk assessment and mitigation. The auditor is then required to write an Audit Report that must be submitted to the EU Commission on the anniversary of the official compliance period's start date.

For the Wikimedia Foundation (WMF), our initial audit period began 25 August 2023. The inaugural DSA Audit Report was completed on 23 August 2024 and submitted to the EU Commission on 26 August 2024. The Wikimedia Foundation's DSA Audit Report for that first period was completed by Holistic AI, who are also assessing WMF's compliance with the Global Network Initiative (GNI) Principles.

VLOP operators must respond to the Audit Report, within one month, with an Audit Implementation Report that details our efforts to implement recommendations, reasons for not implementing, and/or alternative measures we plan to take. Pursuant to DSA Article 42(4), both the Audit and Audit Implementation reports must be made publicly available within a 90 day period.

In addition, the DSA requires VLOP operators to annually assess "systemic risks" in the EU linked to their platform, and ensure that suitable mitigations exist for those risks.  Annual Systemic Risk Assessment and Mitigation (SRAM) documentation must also be published at the same time as the DSA Audit Report and DSA Audit Implementation Report.

The table below provides links to WMF's openly-published Audit Report, Audit Implementation Report, and SRAM documentation, as required by DSA Article 42(4).  Redactions are governed by DSA Article 42(5).

Because readers will be unfamiliar with documentation of this type, we are including, below, a brief summary of the main findings of each document for the first year.

Out of a rating system of Positive, Positive with comments, or Negative, the overall rating from the 2024 Audit Report for the Wikimedia Foundation conducted by Holistic AI was 'Positive with comments.'

The high level-areas of focus described in the Audit Report, along with a summary of the Foundation's response in our Audit Implementation Report, are summarized below:

• Systemic Risks and Mitigations (SRAM): This documentation (see below) is itself an annual requirement of the DSA. (See Articles 34 & 35.) The auditors recommend that we add more information and explanation to the SRAM, which we are working on implementing for the 2024-2025 version.
• Transparency Reporting: Although the Wikimedia Foundation has been publishing Transparency Reports since 2014 as a best practice, the auditors recommended that we add more specific detail to some of the information we include, e.g.  in our takedown and personnel metrics. We are working to implement them for future Transparency Reports.
• Administrative updates to our ToU: The auditors recommended we create EU-specific Terms of Use (ToU) and make some of the Foundation's contact information more explicit. The Wikimedia Foundation will review the ToU to make it less US-centric and to ensure contact information is easily accessible.
• Operational adjustments to complaint handling: We are currently developing an Incident Reporting System in light of the DSA, as a new mechanism for users to flag complaints. The auditors recommended we study whether and how this Incident Reporting System complements our pre-DSA reporting systems (via email addresses such as legal wikimedia org). The auditors also recommended we create more clarity about where reports should be sent for platform users across the different language versions of Wikipedia, and that we specify the differences between using community staffed contact addresses (such as info wikimedia org) or Wikimedia Foundation contact addresses (such as legal wikimedia org or ca wikimedia org).

An illustrated summary of the 2023-2024 SRAM methodology and key findings is included in the cover letter that we are providing alongside the SRAM itself.