EU’s Digital Services Act Faces Its First Real Stress Test: What Łukasz Olejnik’s Analysis Reveals About Platform Compliance

Cybersecurity expert Łukasz Olejnik flags growing gaps between DSA compliance requirements and what platforms actually deliver. With enforcement accelerating and researcher data access still problematic, the EU's landmark regulation faces a defining year.
EU’s Digital Services Act Faces Its First Real Stress Test: What Łukasz Olejnik’s Analysis Reveals About Platform Compliance
Written by Lucas Greene

The European Union’s Digital Services Act is no longer theoretical. It’s being enforced. And according to cybersecurity researcher and privacy expert Łukasz Olejnik, the early results are raising serious questions about whether major platforms are actually meeting their obligations — or just going through the motions.

Olejnik, a former W3C Technical Architecture Group invited expert and author of Philosophy of Cybersecurity, has been closely tracking DSA implementation since the regulation’s phased rollout began. His recent analysis shared on X highlights growing tensions between what the DSA demands on paper and what platforms are delivering in practice.

The Compliance Gap Is Widening

The DSA, which became fully applicable to all in-scope platforms in February 2024, requires online intermediaries to be transparent about content moderation, provide researchers with data access, and implement risk assessments for systemic issues like disinformation and election interference. Very Large Online Platforms (VLOPs) — those with more than 45 million monthly active users in the EU — face the strictest requirements.

But transparency reports filed so far have been uneven at best. Some platforms have submitted detailed breakdowns. Others have offered what critics describe as superficial summaries that technically check boxes without providing meaningful insight into how algorithmic systems shape what users see.

Olejnik’s commentary zeroes in on this gap. The formal structure of compliance exists. The substance often doesn’t.

This isn’t just an academic concern. The European Commission has already opened formal proceedings against X (formerly Twitter) over suspected DSA violations related to transparency, content moderation, and deceptive design patterns. TikTok and AliExpress have faced similar scrutiny. According to the Commission’s own statements, these investigations could result in fines of up to 6% of a platform’s global annual turnover.

So the stakes are real. The question is whether enforcement will match the ambition.

Researcher Access Remains a Flashpoint

One of the DSA’s most ambitious provisions is Article 40, which mandates that VLOPs grant vetted researchers access to platform data. The intent: enable independent study of systemic risks, from algorithmic amplification of harmful content to the spread of coordinated inauthentic behavior during elections.

In practice, this has been a mess.

Researchers have reported bureaucratic delays, overly narrow data provisions, and in some cases outright stonewalling. The European Digital Media Observatory (EDMO) and several academic groups have raised alarms about the gap between the law’s promise and what platforms are actually providing. Meta’s CrowdTangle shutdown — which eliminated a widely used tool for tracking content virality — drew particular criticism, even as Meta pointed to its new Content Library as a replacement.

Olejnik has been vocal about this friction. His position is straightforward: without genuine data access, the DSA’s risk assessment framework is hollow. You can’t audit what you can’t see. And platforms have every incentive to limit what outsiders can examine.

The Commission has acknowledged the problem. In late 2024, it published a delegated regulation specifying conditions for researcher data access, but implementation timelines remain slow. Meanwhile, the 2024 European Parliament elections came and went — the first major electoral test under the DSA — with many researchers still unable to get the data they needed to study platform behavior in real time.

This matters beyond Europe. The DSA model is being watched by regulators in Brazil, Australia, Canada, and elsewhere. If the EU can’t make data access work, it undermines the credibility of the entire regulatory approach.

What Comes Next

Enforcement is accelerating, but unevenly. The Commission has signaled it will prioritize election integrity and illegal content cases in 2025. Digital Services Coordinators in individual EU member states are still standing up their operations — some faster than others. Ireland’s Coimisiún na Meán, which oversees many of the largest platforms due to their Dublin headquarters, has been particularly watched.

Olejnik’s broader argument is that the DSA’s success or failure won’t be determined by the text of the law. It’ll be determined by political will, technical capacity, and whether platforms face real consequences for half-hearted compliance.

Early signs are mixed. The Commission has shown willingness to open cases. But no major fines have landed yet. And platforms continue to test the boundaries of what minimal compliance looks like.

For industry professionals, the takeaway is clear: the DSA isn’t a paper tiger, but it isn’t yet a fully operational enforcement machine either. The next 12 months will determine which it becomes.

Subscribe for Updates

AITrends Newsletter

The AITrends Email Newsletter keeps you informed on the latest developments in artificial intelligence. Perfect for business leaders, tech professionals, and AI enthusiasts looking to stay ahead of the curve.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us