DSA enforcement in practice: from rules to commitments and fines

The Commission takes the lead: two fines and formal investigations

Under Article 56 (2) DSA, the Commission holds exclusive competence to supervise and enforce systemic risk obligations regarding Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The Commission may impose substantial sanctions using its enforcement toolkit (under Articles 64-76 DSA), including fines up to 6% of the worldwide annual turnover. The Commission’s enforcement record up to date reveals two priorities: compliance with risk assessment and mitigation of systemic risks, and compliance with transparency obligations.

Risk assessment and mitigation

The DSA requires VLOPs and VLOSEs to annually assess and identify systemic risks and subsequently taking adequate measures to mitigate those risks (Article 34 and 35 DSA). The provisions are designed to prevent the dissemination of illegal content, prevent fundamental rights violations, protect minors and protect the physical and mental well-being of users. The Commission emphasises the importance of a thorough risk assessment and a proportionate mitigation of the identified risks by VLOPs and VLOSEs. The following cases illustrate this approach. 

Temu fined EUR 200 million: the DSA’s biggest fine yet (28 May 2026)

On 28 May 2026, the Commission imposed a EUR 200 million fine on Temu, making it the highest fine issued under the DSA to date. The company failed to adequately identify and assess systemic risks concerning illegal products being offered on its platform, leaving European consumers vulnerable to deceptive and dangerous goods. The Commission’s non-compliance decision is heavily based on deficiencies in Temu’s risk assessment dating from 2024. The investigation concluded that Temu’s risk assessment:  

• was based on general information concerning the e-commerce sector rather than specific evidence about its own service;
• underestimated how often EU consumers were likely to encounter illegal items; and
• concluded an improper assessment of how its service design amplified the dissemination risks of illegal products.

Evidence from a mystery shopping exercise confirmed these problems. A high percentage of the chargers selected in this test failed basic safety tests and many of the tested baby toys posed safety hazards of medium to high severity. Commissioner Henna Virkkunen, Executive Vice-President for Tech Sovereignty Security and Democracy stated that "Risk assessments are not box-ticking exercises, they are the backbone of the DSA. Temu’s risk assessment underestimates concrete risks, lacks specificity, is not grounded in solid evidence, and is not comprehensive."

Temu has until 28 August 2026 to submit a legally binding action plan that sets out measures to remedy its systemic failures. Failure to comply may lead to periodic penalty payments. Temu has stated it considers the fine to be disproportionate and is exploring all options, including an appeal. At the time of writing, no appeal has been announced.

TikTok: preliminary findings on addictive designs (6 February 2026)

In February 2026, the Commission published a preliminary finding that TikTok is in breach of Article 34 and 35 DSA due to its addictive design. According to the Commission, TikTok’s interface contained addictive design features such as infinite scroll, autoplay, push notifications and its highly personalised recommender system, creating systemic risks under Article 34 DSA. According to the Commission, TikTok failed to identify these risks adequately and did not put proportionate measures in place to mitigate those risks. TikTok has rejected the Commission’s preliminary findings describing them as an ‘entirely meritless depiction’ of its platform. TikTok responded that it will take all measures necessary to challenge these findings.

Meta: investigation into access by minors (29 April 2026)

In April 2026, the Commission opened an investigation against Meta’s services Instagram and Facebook for allegedly failing to identify, assess and mitigate the risks of minors under the age of 13 accessing their services. According to the Commission, the measures implemented by Meta did neither effectively prevent minors from accessing Meta’s services, nor did these identify and remove such minors once they had already gained access. This could constitute a breach of Meta’s obligations under Article 34 and 35 DSA in conjunction with Article 28 DSA, which requires platforms to take appropriate measures to ensure a high level of safety and security of minors online. Meta has stated that it disagrees with the preliminary findings and will continue to engage constructively with the Commission on this matter. The investigation remains ongoing.

Four adult content platforms: failure preventing access to minors (26 March 2026)

On 26 March 2026, the Commission issued preliminary findings regarding the conduct of four adult content platforms. The platforms failed to protect minors from being exposed to pornographic content on their services. The Commission found that the platforms did not take adequate measures to prevent minors from accessing their services, therefore failing to protect their well-being. Minors were able to enter the platforms by ‘self-declaration’ (age), and content warnings did not effectively prevent minors from accessing harmful content, thus breaching their obligations under Article 35 DSA.

Transparency obligations

Besides prioritising a thorough risk assessment, the Commission also underlines the importance of transparency. Platforms are required to advertise and to provide recommender systems in a clear and transparent manner, and in case of VLOPs and VLOSEs, provide advertising repositories (Article 26, 27 and 39 DSA). The Commission initiated three enforcement actions for alleged infringements of these obligations.

X fined EUR 120 million: first fine by the Commission (5 December 2025)

The first fine imposed by the Commission under the DSA was against X on 5 December 2025. The Commission issued a fine of EUR 120 million to X for breaching its transparency obligations.

Three concerns ultimately led the Commission to impose a fine on conclusion of its investigation:

1. X’s use of the ‘blue checkmark’ which could be obtained by everyone without verification, thus being a deceptive design practice (Article 25 DSA), which prohibits platforms to design their interfaces in a manipulative or deceptive manner;
2. lack of transparency in its advertising repository (Article 39 DSA); and
3. providing insufficient access to researchers to public data, (in violation of Article 40 DSA).

TikTok: binding commitments on advertising transparency (5 December 2025)

While X received a fine, two other companies resolved their issues by offering commitments. On 5 December 2025, the same day on which X was fined, the Commission accepted the proposed commitments by TikTok, addressing concerns around its advertising transparency. TikTok agreed to improve its advertising repository, provide full content of the advertisement as it appears in users' feeds and introduced additional search options and filters. The latter demonstrates that an early dialogue with the Commission may help in avoiding the imposition of sanctions.

AliExpress: binding commitments on transparency and risk assessment (18 June 2025)

Earlier, on 18 June 2025, the Commission had already accepted binding commitments offered by AliExpress. These commitments concerned both transparency obligations in advertising and recommender systems, as well as risk assessment and mitigation. According to the Commission, AliExpress failed to identify and mitigate the dissemination of illegal products on its platform.

Both commitment cases show that the Commission may be willing to explore an alternative resolution without formally determining an infringement, incentivising companies under scrutiny to engage with the Commission. Altogether, these three cases illustrate a proactive approach by the Commission towards enforcement regarding transparency. Platforms willing to offer sufficient commitments may avoid receiving a (hefty) fine.

Commission paved the way and the ACM follows

On 4 February 2025, the Netherlands Authority for Consumers and Markets (ACM) was designated as the Digital Services Coordinator (DSC) in the Netherlands, under the Uitvoeringswet digitaledienstenverordening (Implementation Act DSA). Pursuant to this Act, the ACM is to exercise the supervisory and enforcement powers granted to a DSC under the DSA. The ACM is able to conduct formal investigations, request information, impose fines and it may accept binding commitments. Although the ACM cannot directly enforce the DSA against VLOPs and VLOSEs (this remains the Commission’s authority under Article 56 (2) DSA), it has a supporting role in European investigations.

So far, the ACM has not yet made any infringement or commitments decisions. However, it started formal investigations against several online platforms.

Snapchat: investigation on illegal sale of vapes (9 September 2025)

Snapchat was the first platform scrutinised by the ACM under the DSA. At the request of the Dutch Foundation ‘Stichting Rookpreventie Jeugd’, the ACM started an investigation into Snapchat in September 2025. The investigation focuses on whether Snapchat takes sufficient and appropriate measures to prevent the illegal sale of vapes to minors on its platform as required under Article 28 and 35 of the DSA. Since Snapchat is designated as a VLOP, which falls under the exclusive scope of the Commission, the ACM works closely together with the Commission. On 26 March 2026, the ACM’s investigation became part of a broader European investigation into Snapchat. This case is still ongoing.

Roblox: protection of minors against illegal content (30 January 2026)

The second formal investigation opened by the ACM on 30 January 2026 concerns the online gaming platform Roblox. The investigation focuses on the platform’s measures regarding the protection of minors against violent content as well as harmful interactions, as required under Article 28 of the DSA. Roblox’s legal representatives are established in the Netherlands, therefore making the ACM the competent DSC. This investigation is expected to conclude in approximately 12 months.

Shein: cooperation in European investigation (17 February 2026)

Beyond its formal investigations, the ACM has also participated in numerous European enforcement actions relating to the DSA and consumer law. On 17 February 2026, the Commission opened an investigation concerning Shein. Together with several other European authorities, the ACM launched a formal investigation focused on three concerns: Shein’s systems for limiting the sale of illegal products (including products such as childlike sex dolls), the addictive design features of its service and the transparency of the recommendation systems that Shein uses to propose products to its users. This investigation is still ongoing.

What this means for platforms and businesses

The first years of DSA enforcement send a clear and consistent message. Both the Commission and the ACM are moving towards active enforcement. For platforms and other online businesses, several practical implications follow:

• Ensure risk assessments are substantive and platform-specific. Risk assessments must go beyond generic sector-level assumptions and be based on concrete, service-specific data. Regulators expect clear evidence of how risks arise on a platform and how they are mitigated.
• Strengthen transparency and avoid misleading design. Platforms should ensure clear transparency around advertising, recommender systems and user-facing signals. Interface elements must not mislead users about verification, trustworthiness or commercial intent.
• Societal risks drive enforcement priorities. Recurring themes for enforcement include the protection of minors, the prevention of illegal products sales and addictive interfaces. Adequate measures should be implemented to address these matters.
• Engage early with regulators and act proactively. Early engagement and offering commitments can help avoid formal infringement decisions and significant fines. Platforms should monitor regulatory signals and take timely corrective action where needed.

Conclusion

In conclusion, recent enforcement under the DSA demonstrates that the framework has quickly evolved into a robust and credible regulatory regime. The EUR 200 million fine imposed on Temu and the earlier EUR 120 million fine imposed on X confirms that the Commission is willing to take decisive action. Across its enforcement practice, the Commission has consistently prioritised substantive risk assessments, meaningful protection of minors, and strong transparency standards, while also leaving room for cooperative outcomes through commitments where companies engage early.

At the same time, national authorities such as the ACM are increasingly active, reinforcing and extending European enforcement at the domestic level. Together, these developments signal a clear shift from formal obligations to practical accountability. For platforms and businesses, the message is unambiguous: compliance under the DSA requires concrete, evidence-based measures and proactive engagement with regulators, as shortcomings may lead not only to investigations but also to significant financial and reputational consequences.

Contact

If you have any questions or would like to explore the implications of these developments for your business, please feel free to get in touch with one of the advisers mentioned below.