Brussels has fined X €120m for breaching key transparency obligations under the Digital Services Act (DSA), marking the EU’s first non-compliance decision under the regulation. The Commission found that X’s verification system (blue checkmark), advertising transparency tools and researcher data access mechanisms all violated legally binding DSA standards.
According to the decision, X’s redesigned “blue checkmark” constitutes deceptive design, allowing users to purchase a verified status without meaningful identity checks. The Commission said this misleads the public about account authenticity and exposes users to scams and impersonation attempts. Officials stressed that while the DSA does not require platforms to verify users, it prohibits presenting unverifiable accounts as verified.
The Commission also concluded that X’s advertising repository fails to meet DSA requirements. The platform’s repository lacks essential information, such as the content of advertisements and the identity behind paid campaigns, and includes design barriers that hinder access. The Commission argues this prevents independent scrutiny of potential disinformation, covert influence operations and illegal commercial activity.
A third violation concerns the platform’s refusal to provide researchers access to public-interest data. The Commission cited barriers, restrictive terms of service and inconsistent access processes that undermine the DSA’s requirement to enable research into systemic online risks.
Following the decision, Executive Vice-President Henna Virkkunen said the ruling underscored the EU’s commitment to transparency and user protection. “With the DSA’s first non-compliance decision, we are holding X responsible for undermining users’ rights and evading accountability”.
Investigation opened in 2023
The case traces back to December 2023, when the Commission opened formal proceedings to assess whether X had breached the Digital Services Act across several areas, including risk management, content moderation, deceptive interface design, advertising transparency and data access for researchers.
The move followed an initial review of X’s risk assessment concerning the spread of illegal content after Hamas attacked Israel. Regulators examined X’s handling of illegal content notices, the adequacy of its mitigation measures, the effectiveness of its Community Notes system and potential risks to civic discourse and elections, alongside suspected shortcomings in its ads repository and researcher data access obligations.
Transatlantic tension
The decision is expected to draw a response from Washington. The Trump administration has repeatedly criticised the DSA in the past, portraying it as a form of censorship and warning that the regulation imposes disproportionate burdens on US tech companies. The US president has previously threatened retaliatory measures, including tariffs on European exports and potential sanctions on EU officials involved in enforcing the law.
X now has 60 working days to inform the Commission of the measures it will take to end the infringement related to its verification system. The company must also submit, within 90 working days, an action plan outlining how it will address deficiencies in its advertising repository and researcher data access. The Digital Services Board will review the plan before the Commission issues a final decision.