EU fines X €120 million under the Digital Services Act

The European Commission has imposed the first-ever fine under the Digital Services Act (DSA), ordering X (formerly Twitter) to pay €120 million for multiple breaches of the regulation. The decision follows a two‑year investigation into the platform’s compliance with obligations applicable to very large online platforms, notably in the areas of advertising transparency, access to data for researchers, and the design of its account verification system. The Commission concluded that X’s practices undermine key DSA objectives related to accountability, user protection, and oversight of systemic risks.

A central element of the decision concerns X’s reconfigured blue checkmark system. Under the previous model, blue badges indicated that an account had undergone a meaningful verification process, particularly to prevent impersonation of public figures and brands. Following its acquisition by Elon Musk, X linked the blue checkmark primarily to payment for a premium subscription, without equivalent verification. The Commission found that this shift amounts to misleading design because it signals verification where no substantive verification occurs, thereby exposing users to impersonation, scams, and manipulation by malicious actors. While the DSA does not require platforms to verify users, it expressly prohibits false or deceptive claims about verification.

The Commission also identified material shortcomings in X’s ad transparency framework. Its advertising repository was found to be difficult to access and to lack essential information such as content, topic, and the legal entity financing the ads. These deficiencies, compounded by excessive delays in responding to transparency requests, were deemed incompatible with DSA requirements that ad repositories be comprehensive, searchable, and genuinely usable by researchers and civil society. In the Commission’s view, these obstacles substantially hinder the detection of scams, coordinated influence operations, and disinformation campaigns within the EU.

Finally, X’s restrictions on researcher access to public data were found to infringe the DSA’s provisions on data access for vetted researchers investigating systemic risks. X’s terms of service prohibit independent access, including scraping, and impose what the Commission characterizes as unnecessary barriers to lawful research activities. X has been given 60 working days to address the deceptive aspects of its blue checkmark system and 90 working days to remedy issues related to the ad repository and researcher access. Absent timely compliance, the company may face periodic penalty payments. The decision contrasts with TikTok’s approach, as TikTok has entered into binding commitments to align its ad repository with DSA standards, thereby avoiding a fine on that issue.