DSA Enforcement 2026: Platform Obligations for Minors Are Tightening

April 2026: The Enforcement Dial Turns Further

The European Board for Digital Services convened its 18th meeting on April 15, 2026. According to the official meeting statement, the Board “reaffirmed its commitment to the protection of minors online” and discussed coordinating enforcement activities across national Digital Services Coordinators (DSCs) and the European Commission. The statement reflects an enforcement posture that has moved from investigation-building (2024) to active proceedings (2025) to coordinated multi-platform action (2026).

The Digital Services Act, which became applicable to very large online platforms (VLOPs) and very large online search engines (VLOSEs) in August 2023, established a two-tier enforcement structure. The European Commission holds exclusive enforcement jurisdiction over the largest platforms — those with more than 45 million monthly active EU users. National DSCs enforce the Act for smaller platforms in their jurisdictions. The Board coordinates the two tiers, promotes consistent application, and can issue non-binding opinions and binding decisions in certain circumstances.

The first enforcement wave (late 2023 through 2024) focused on establishing the procedural framework: formal designations of VLOPs, audit requirements, algorithmic transparency reporting, and investigations into illegal content moderation. The second wave — the one unfolding in 2026 — is focused on a specific harm category that has drawn the most political attention across EU member states: the protection of children and minors from algorithmic harm, addictive design, and inadequate age verification.

Four Platforms, One Month: The Enforcement Picture in March 2026

The scale and coordination of March 2026 enforcement actions mark a qualitative shift in DSA implementation. Within a single month, the Commission took action against at least five platforms across different categories of minors-protection violations.

TikTok received preliminary findings in February 2026 for algorithmic design features identified as “intrinsically addictive.” The Commission’s specific concerns included infinite scroll, autoplay video, push notifications, and personalized recommendation intensity — features that the Commission argued are engineered to maximize engagement at the expense of minors’ mental health and autonomy. TikTok has 60-90 working days to respond to the preliminary findings before the Commission issues a final decision, which could include structural remedies and fines.

Snapchat became subject to a formal Commission investigation in March 2026, originating from a referral by the Dutch Digital Services Coordinator. The investigation’s focus includes Snapchat’s age-verification approach — specifically, its reliance on self-declaration by users, which the Commission deemed insufficient to meet the platform’s DSA obligations for minors. Concerns about inadequate moderation of illicit sales and facilitation of harmful interactions with minors were also cited.

Four adult-content platforms — Pornhub, Stripchat, XNXX, and XVideos — received Commission preliminary findings in March 2026, all citing inadequate safeguards for minors. These platforms had been designated as VLOPs in 2023, triggering the full DSA compliance burden. Their failure to implement robust age verification and content moderation for minor access represents the clearest-cut category of violation: the content is harmful to minors by definition, and the platforms’ verification systems were found to be structurally inadequate.

The precedent-setting enforcement action was the €120 million fine levied against X (formerly Twitter) in December 2025 for DSA violations related to advertising practices and content moderation transparency. This fine — while not the largest possible under the regulation’s 6% of global turnover ceiling — established the enforcement credibility that had been questioned when the Act first came into force.

What “Tightening” Means: Four Platform Obligations Gaining Enforcement Focus

For platform operators and their compliance teams, understanding which specific obligations are driving the 2026 enforcement acceleration is more useful than tracking individual investigations. Based on Commission communications and enforcement actions through April 2026, four obligation categories are receiving the most active scrutiny.

1. Age Verification: Moving from Self-Declaration to Verified Systems

The Snapchat investigation and the adult-content platform findings both center on the inadequacy of self-declaration as an age verification mechanism. DSA Article 28 requires VLOPs to implement appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors. The Commission’s emerging enforcement position is that self-declaration — asking users to enter a birth date without verification — does not meet this standard when the platform hosts content that is harmful to minors.

The practical implication is that platforms will need to move toward verified age assurance mechanisms: document verification, device-level signals, payment card verification, or third-party age assurance services. The UK’s Online Safety Act has already established a comparable requirement in the British market. EU enforcement is now converging on the same standard, and platforms operating across both jurisdictions will need a unified verification architecture.

2. Algorithmic Design: Addictive Features as a Compliance Risk

The TikTok preliminary findings introduce a new enforcement frontier: treating certain algorithmic design choices as inherently non-compliant, independent of content. Infinite scroll, autoplay, and notification intensity are not neutral technical features — the Commission’s position is that when deployed to minors, they create engagement patterns that override minors’ autonomy and constitute a systemic risk under Article 34 of the DSA.

This has broad implications beyond TikTok. Any VLOP that uses infinite scroll, autoplay, or high-frequency push notifications directed at users who may be minors now faces potential scrutiny. Compliance teams should audit which platform features are designed to maximize session length or return frequency, assess whether those features are adequately restricted for minor users, and document the design choices and mitigation measures that were considered.

3. Recommender System Transparency and Opt-Out

DSA Article 38 requires VLOPs to offer users at least one option for a recommender system not based on profiling. For minors, the obligation is stronger: the default must be the non-profiling option. Platforms that profile minor users’ behavior to drive personalized content recommendations — without ensuring the default is off — are in violation.

Audit findings and investigation notices consistently cite recommender system non-compliance as a co-occurring violation alongside age verification failures. Platforms should ensure that minor-flagged or unverified-age accounts are defaulted to non-profiling recommendations and that the opt-out mechanism for profiling is prominently accessible to all users.

4. Targeted Advertising to Minors: Hard Prohibition

DSA Article 28(2) contains a hard prohibition on presenting targeted advertising to minors on VLOPs — no exceptions, no opt-in alternatives, no legitimate interest justification. This is among the most absolute obligations in the regulation. Yet enforcement findings consistently note advertising targeting practices that were not reliably suppressed for minor-age users.

For ad-supported platforms, this requires a technically robust system for identifying minor users across all surfaces (web, mobile, embedded players), suppressing the personalization pipeline for those users, and ensuring that age-verified adult users are not inadvertently excluded from advertising while unverified-minor users remain exposed. The technical architecture to implement a clean advertising suppression for minors is more complex than a policy flag — it requires integration between age assurance, consent management, and ad-serving systems.

The Bigger Picture: From GDPR to DSA as the Second Compliance Wave

The enforcement trajectory of the DSA in 2026 mirrors the trajectory of GDPR between 2018 and 2022 — an initial period of framework-building followed by an acceleration of substantive enforcement once the regulator had built institutional capacity and enforcement precedent. The €120 million X fine plays the same role that early GDPR fines played: signaling that the regulation has teeth, that enforcement will not be indefinitely deferred, and that the largest platforms will not receive special forbearance.

The difference from GDPR is the subject matter. GDPR enforcement focused on data flows, consent, and information rights — abstract issues that rarely generated public pressure. DSA enforcement on minors protection is politically charged: every EU government has constituents who are parents, and every national DSC operates under political pressure to show results on child safety. This political dimension accelerates enforcement timelines in ways that GDPR’s more abstract violations did not.

For compliance teams at consumer platforms — whether very large or smaller, whether operating under Commission or national DSC jurisdiction — the message from April 2026 is clear: the standard for minors protection has moved from aspirational to enforceable, and the coordination between Commission and national authorities means there is no safe harbor in jurisdictional ambiguity.

Frequently Asked Questions

Sources & Further Reading

• Digital Services Act — European Commission
• DSA Enforcement is the New Regulatory Shock: Mapping the First Wave of Platform Risk in 2026 — Atlas Institute
• European Commission Fines X €120M for DSA Violations — IAPP
• DSA Enforcement and Penalties — EDAA
• EU Prepares Tougher Tech Enforcement in 2026 — European Business Magazine
• Digital Markets Act and DSA Enforcement State of Play — EP Think Tank