Applications via the EU’s DSA Data Access Portal: An Introduction

With the application, a formal legal process begins.

The second talk in our mini‑series on the Digital Services Act (DSA), part of the NFDI lecture and discussion series “Show & Tell – Social‑Media Data in Research Practice”, focused on the EU Data Access Portal and its practical implications for researchers. The EU Data Access Portal provides the administrative framework through which researchers can submit formal data‑access requests; the Digital Services Coordinator (DSC) responsible assesses these requests and, if approved, forwards them to the relevant platforms as a reasoned request. The portal itself does not provide direct access to the data – the actual data provisioning and secure transfer are arranged outside the portal after the DSC decision. On 16 January, Dr Julian Jaursch (policy advisor at the Digital Services Coordinator, Federal Network Agency/Bundesnetzagentur) gave a hands‑on presentation explaining how the portal works and what procedural, vetting, and legal requirements applicants must meet. However, it should be noted that neither his talk nor this text provides binding legal advice. With 53 participants, we were pleased by the high level of interest in the community. During the first session of our series, Dr Jakob Ohme had introduced new access options for researchers within the framework of DSA as specified in Article 40(4) regarding non‑public platform data and Article 40(12) regarding public platform data. Jaursch then shifted the focus to the practical aspects of preparing and submitting applications for non-public data related to DSA Article 40(4).

At a Glance

First, Jaursch outlined the main eligibility criteria for accessing non-public platform data through the EU Data Access Portal. Data access is limited to vetted researchers. Each individual who wishes to receive data must be named in the application, hold an EU Login account, and provide proof of institutional affiliation and independence from commercial interests. Digital Services Coordinators (DSCs) formally vet these credentials. The non‑public data option applies only to very large online platforms (VLOPs) and search engines (VLOSEs) – those with more than 45 million average monthly users in the EU. Requests must focus tightly on the study of systemic risks within the EU. Applicants must provide a clear research question and describe the specific linkage to systemic risks as well as the precise data types required. They also have to indicate the relevant time frame and to explain why non‑public data is necessary and proportionate for studying that risk. Each portal application may cover only a single platform or search engine, which means multi‑platform projects require separate submissions for each provider. However, the portal offers features such as cloning to reuse text and reduce repetitive work. Researchers should also be aware that the portal workflow enforces both procedural and documentary requirements associated with these eligibility constraints. For example, applicants must list all data users up front, supply evidence of funding, institutional support, and data‑protection measures. Therefore, it is important to plan ahead and coordinate early on with institutional departments such as the legal, the IT security, and the data protection department. Doing so will substantially improve the likelihood of a complete, successful submission.

Practical Steps to Prepare an Application

During his talk, Jaursch guided the participants step by step through the EU Data Access Portal. The following summarizes the most important steps:

1. EU-Login and portal registration

• Every person who will later access the requested data must have an EU Login account and must be listed in the application. It is recommended to create the EU Logins early in the process. Accounts are free of charge and required for each team member who will get access.
• Only those researchers who will actually work with the data need to be added. If there are people on the project team who mainly contribute to theoretical foundations but do not need to handle the data, they can be excluded from the list.

2. Institutional and independence proof

• Provide evidence of your institutional affiliation and independence from commercial interests (e.g., employment contracts, statutes, letters from institution heads, or other documents proving the research intent).

3. Funding and non‑financial support

• Be transparent about funding sources, amounts, duration, and any non-financial contributions (software, infrastructure). Supporting documents (e.g., grant award letters, institutional commitments) are helpful.

4. Research question and methodology

• Provide a detailed description of the research question, hypothesis, methods and why the requested (non‑public) data is necessary. Explain the specific time frame and the link to systemic risk in the EU. Keep in mind that one application equals one platform.

5. Data protection and security documentation

• The portal asks for evidence of necessity and proportionality, and data protection measures. Documents on this – ideally showing a data lifecycle description (collection, storage, archiving, publication, deletion) – could be: a data management plan (DMP), data protection impact assessment (DPIA), institutional retention and deletion policies, and any certification or ISO compliance for information security (ISO 27001/27002 are relevant here).
• In some member states (e.g., Germany), data protection authorities will be involved in reviewing these fields. In any case, expect close attention to the legal grounds of the General Data Protection Regulation (GDPR) and to technical/organizational measures.

6. Confidentiality and access control

• Describe technical and organizational measures, e.g., access restriction, encryption, secure storage location, staff training, anti‑hacking practices, and physical infrastructure where applicable. It is useful to indicate existing institutional security policies.

7. Publication commitment and public summary

• Applicants must commit to make research outputs publicly available free of charge. The portal publishes a summary of successful applications, so draft a summary suitable for public disclosure. Thus far, what type of publication is required in the context of DSA data requests has not been clearly defined. That means it does not necessarily have to be a journal article – alternative forms of dissemination may also be acceptable.

What Happens after You Submit

After the submission, the DSC receiving the application (which will be either the DSC in the country where the platform in question is located in the EU or the DSC in the researcher’s country) performs a formal completeness check. For the following detailed legal assessment, a limited timeline is in place: the Delegated Act on the DSA restricts the timeline for the assessment process to a maximum of 80 days. The final vetting decision always lies with the DSC in the country where the platform is located in the EU (regardless of where the application went first). If the application is successful, this DSC issues a “reasoned request” to the platform to provide the data, and the platform must comply under the specified terms or initiate an amendment. If the application is not successful, researchers can revise and resubmit. DSCs often provide feedback where legally/technically possible. Be prepared for follow-up questions and possible external expert consultations during the assessment.

The Q&A Session

After the talk, we had a lively Q&A session. This helped to clarify issues that the talk touched upon at both the big-picture and the detailed level. Jaursch emphasized that it is crucial for potential applicants to consider the legal requirements. He also pointed out that, unfortunately, new researchers cannot be added to an application at a later stage, which runs counter to established workflows in research projects. Applicants have, however, the option to clone an application and resubmit it. Another aspect worth noting is that at the moment, it is also not possible to add missing documents after submission.

Should researchers go through the applications process with their home DSC or the DSC of the country where the VLOP is registered? Jaursch answered this question with an example: Let’s say you are a researcher working in Germany and want to request data from Meta. In that case, you may apply for the data through either the German DSC, the Bundesnetzagentur, or the Irish DSC, the Coimisiún na Meán. In both cases, the Coimisiún na Meán will have the final say. But if the researcher applies through the German DSC, they can provide their Irish colleagues with a (non-binding) recommendation and additional information about the researcher’s home institution, which might not be well-known in Ireland. Jaursch also reminded the audience that Ireland has the most VLOPs at the moment, so that the Coimisiún na Meán might soon be beyond its capacity if all applications went to them directly.

Jaursch stressed that the DSCs do not assess the scholarly quality of applications but rather their legal dimension. Requesting research data via the Data Access Portal (Article 40(4)) is a formalized application process involving national-level regulators, whereas applying to Article 40(12) is considerably lower‑threshold in this respect, since interaction there occurs directly between platform and researcher. The DSA’s researcher access routes are a major step toward formalizing and improving access to platform data, but they come with very strict procedural, legal, and technical requirements. The process is still at an early stage and many questions have not yet been finally settled and will only be decided in practical use cases. National DSCs are preparing new materials to support researchers in the process as best as possible.

Practical Tips and Checklist

• Start early to create EU Login accounts for every team member.
• Prepare a clear one-platform-per-application plan; use cloning to reuse text.
• Draft a concise public summary early – it will be published if the application is approved.
• Prepare DPIA / DMP and a documented data lifecycle.
• Be transparent on funding and affiliations; provide supporting letters and contracts.
• Check platform data catalogues (platforms must publish catalogs of available data types) and the delegated act recitals for suggested data types.
• Consult national DSC guidance (many DSCs publish top tips for applicants like the Coimisiún na Meán or step‑by‑step guidance and FAQs like the Bundesnetzagentur) and the EU DSA Data Access Portal FAQ / “tips & tricks.”

Next Session

The next talk of the mini-series on the DSA (organized by Katrin Weller, Yannik Peters, and Johannes B. Gruber from GESIS) will take place on Friday March 20, 2026, 2:00 pm CET. Dr. Leticia Bode (Georgetown University) and Peter Chapman (Knight-Georgetown Institute) will cover their new “Better Access” framework. Sign up here: Better Access: A Framework for Accessing High-Influence Public Platform Data (20. März 2026) · Events (Indico)

Thank You

Finally, we want to thank Philippe Genêt (DNB@Text+) and the Working Group on Social Media Data in the NFDI for giving us a venue for the mini-series on the DSA. And we especially thank Julian Jaursch for providing us with such a great and insightful session!

---

About the Authors:

• Johannes Gruber
• Yannik Peters
• Katrin Weller

---

---