BNetzA Unveils DSA Risk Assessment Guidelines for SME Platforms: What You Need to Know

BNetzA Unveils DSA Risk Assessment Guidelines for SME Platforms: What You Need to Know

For B2B companies operating online platforms, navigating the complexities of the Digital Services Act (DSA) has become a critical challenge. The Bundesnetzagentur (BNetzA), Germany's regulatory body, has now released updated, detailed guidelines on May 9, 2026, specifically targeting Small and Medium-sized Enterprises (SMEs) with online platforms. These guidelines significantly clarify and expand upon the risk assessment and documentation obligations under Article 34 DSA. Businesses, particularly those with a strong presence in the German market or serving EU customers, must adapt their compliance strategies urgently; a three-month transition period concludes on August 9, 2026, after which strict enforcement, including substantial fines, commences.

The Core Obligation: Regular Risk Assessments for Your Platform

The BNetzA's new guidelines underscore the critical requirement for online platforms to conduct regular, thorough risk assessments. This is not merely a bureaucratic exercise; it's a fundamental obligation designed to identify and mitigate systemic risks inherent in digital services. The focus areas are clearly defined: platforms must diligently assess risks related to disinformation, which is estimated to constitute approximately 35% of identified risks, alongside online harassment (25%) and the sale of counterfeit goods (15%). For platforms with over one million active users, an annual risk assessment is recommended. Smaller platforms, encompassing many B2B SMEs, must conduct these assessments at least every two years. Ignoring this duty means overlooking potential vulnerabilities that could undermine your platform's integrity and expose your business to severe penalties under the Digital Services Act obligations.

Meticulous Documentation: Your Defence in Detail

Beyond conducting assessments, the BNetzA places a strong emphasis on detailed documentation. This is where many companies, especially SMEs, often fall short. The new guidelines mandate that platforms maintain comprehensive records of all risk assessments, including methodologies, identified risks, and implemented mitigation measures. Critically, this documentation must be presented to the supervisory authority within 48 hours upon request. To ease this burden, the BNetzA has introduced a new, modular template for risk assessment reports, which is projected to save companies up to 30% of the initial effort typically spent on structuring their own reports. This ready-to-use framework is a valuable tool, but its effective utilisation still requires dedicated internal processes and a clear understanding of what constitutes compliant documentation. Inadequate documentation is as serious as failing to perform the assessment itself.

Practical Steps for Immediate Compliance: Act Now

The August 9, 2026 deadline is rapidly approaching, and proactive adaptation is not merely advisable but essential. Firstly, businesses must determine if their online platform falls within the scope of these updated DSA requirements. Secondly, implement or refine robust risk assessment frameworks that align with the BNetzA's specified focus areas and frequency recommendations. Thirdly, integrate the new documentation standards into your operational procedures, ensuring that records are not only maintained but also easily retrievable within the stringent 48-hour window. The stakes are exceptionally high: violations of these documentation duties and other DSA non-compliance can lead to substantial fines, reaching up to 6% of a company's worldwide annual turnover. This underscores the urgency for B2B platforms to ensure their systems are not only compliant but also adaptable, potentially requiring upgrades to existing DSA-compliant platforms or custom development.

Conclusion: Seize the Opportunity for Compliance

The BNetzA's updated guidelines for DSA risk assessments are a clear signal: regulatory scrutiny on online platforms is intensifying, and SMEs are firmly in scope. The three-month transition period closing on August 9, 2026, leaves no room for procrastination. Businesses must act decisively to review their platforms, implement robust risk assessment methodologies, and ensure meticulous, accessible documentation. Embracing these requirements now not only mitigates the risk of severe financial penalties but also strengthens your platform's integrity and builds greater trust with your users and partners. Proactive engagement with these new obligations is key to maintaining a competitive edge and ensuring long-term operational resilience in the digital economy. Consider exploring expert support to implement DSA compliance effectively and securely.