What the Commission Actually Found — and Why Generic Assessments No Longer Pass
On June 2, 2026, the European Commission announced a €200 million fine against Temu for systemic breaches of the Digital Services Act’s risk-assessment obligations. The ruling did not fault Temu for a single product slip or a missing disclosure. It found something structurally more damaging: the platform had produced a risk assessment that relied on generic e-commerce sector data rather than evidence specific to its own service, and therefore severely underestimated how frequently EU users were encountering illegal items.
Three concrete failures drove the decision. First, Temu’s assessment failed to evaluate how its own recommender systems and influencer-promotion mechanics amplified the distribution of non-compliant products — a gap the Commission’s mystery-shopping tests exposed directly, turning up unsafe phone chargers and baby toys carrying chemical hazards and suffocation risks. Second, the platform treated risk as a static property of product categories rather than a dynamic outcome of its design choices. Third, Temu had not demonstrated that its audit methodology could scale to the volume and speed of its seller onboarding pipeline.
The Commission framed the standard clearly: DSA risk assessments must be “evidence-based, platform-specific and sufficiently robust to address how a service’s design may contribute to consumer harm.” That phrase, “how a service’s design may contribute”, is the one every marketplace legal team needs to print and pin to the wall. The obligation is not to catalog known-bad products; it is to model how the platform’s own architecture accelerates harm.
This is now the second major DSA enforcement action. In 2025, the Commission fined X €120 million for deceptive design in its blue-checkmark verification system, inadequate advertising transparency, and barriers to researcher data access — three different failure modes, but the same underlying pattern: systemic obligations that platforms treated as box-ticking exercises rather than operational requirements.
The DSA Enforcement Architecture: What the Numbers Mean
The Temu fine needs to be read alongside the DSA’s penalty structure to understand the real exposure. Under the DSA’s tiered penalty framework, the ceiling for systemic risk violations is 6% of global annual turnover — not EU revenue, not regional revenue, but global revenue. For a platform of Temu’s scale, operating across North America, Europe, and Asia, that figure would dwarf €200 million several times over.
The €200 million number therefore represents a calibrated first strike, not a maximum. It is large enough to signal intent, small enough not to trigger immediate bankruptcy proceedings, and structured to escalate: the Commission retains the authority to impose periodic penalty payments if Temu’s August 28 action plan fails to satisfy the European Board for Digital Services’ review. The Board has one month to issue its opinion; the Commission then has one month to finalize implementation requirements. That timeline creates a hard clock for Temu’s compliance team — and a useful template for every other marketplace watching the proceedings.
The architecture matters because the DSA designates as Very Large Online Platforms any service exceeding 45 million monthly users in the EU. VLOP designation triggers enhanced obligations that go far beyond basic product-safety rules: systemic risk assessment, annual independent audit, real-time researcher data access, algorithm transparency, and advertising repository maintenance. A marketplace that crosses the 45-million threshold in EU users does not enter this regime gradually — it enters all at once.
What Marketplace Compliance Officers Should Build Now
The Temu decision is essentially a published specification of what the Commission considers a failing risk-assessment program. The inverse of each failure is a compliance requirement. For any marketplace operating at scale in Europe, the following three-part framework maps directly to the ruling.
1. Replace Category-Level Risk Taxonomies with Platform-Specific Harm Modeling
The Commission’s core complaint was that Temu’s risk assessment drew on generic e-commerce sector data — industry averages and product-category risk matrices that any marketplace could produce without looking at its own platform. That approach is now explicitly disqualified.
A compliant program requires a harm model built from the platform’s own behavioral data: seller velocity (how quickly new sellers are onboarding and listing), product return and complaint rates disaggregated by category and geography, and algorithmic amplification metrics showing which product types are being surfaced by recommender systems at elevated rates relative to their share of inventory. The €200 million ruling makes clear that if your risk assessment could have been written by a competitor using public datasets, it will not satisfy the Commission. The test is platform-specificity — evidence that you have looked at your own system, not the industry.
For marketplaces with machine-learning-driven search and recommendation, this means instrumenting the recommendation stack to expose which product categories are being surfaced disproportionately to EU users, and feeding that signal into the risk-assessment cycle at least quarterly.
2. Embed Mystery-Shopping Protocols as a Standing Audit Requirement
The Commission’s mystery-shopping exercise — which revealed unsafe chargers and chemically hazardous baby products — was not a surprise inspection. It was the Commission doing what the platform should have been doing continuously. Unsafe chargers and chemically non-compliant baby toys are not niche edge cases in high-volume cross-border marketplaces; they are predictable failure modes in categories with high import velocity from manufacturers who may not have EU conformity documentation.
Compliant platforms need a structured mystery-shopping program that operates independently of seller self-certification. The program should sample across the highest-risk product categories (electronics, children’s products, cosmetics, food contact materials), rotate sampling geographies to reflect EU market diversity, and produce documented test reports that can be supplied to regulators on request. Mystery-shopping findings should feed directly back into the risk-assessment cycle — not sit in a quality-assurance silo.
The X fine included a parallel lesson on this design point: X’s compliance team had built processes that satisfied the letter of DSA requirements in documentation, but failed in practice because researcher access was technically available yet operationally obstructed by processing delays. Form-compliance without functional compliance is the pattern regulators are now trained to detect.
3. Map Recommender System Architecture to Harm-Amplification Risk Before Each Assessment Cycle
This is the obligation the Temu ruling introduces that most marketplace legal teams are least equipped to discharge. The Commission found explicitly that Temu failed to evaluate how its recommender systems amplified illegal product distribution — not just that illegal products existed, but that the platform’s own design choices accelerated their reach.
Discharging this obligation requires the compliance function to work directly with the engineering team responsible for recommendation and search ranking. Specifically: for each product category in the risk taxonomy, the engineering team must be able to produce a report showing the uplift that recommendation provides to that category relative to organic search — the ratio of impressions driven by algorithmic recommendation versus direct search — and flag any category where that uplift is disproportionately high and the category carries elevated product-safety risk.
This is new territory for most marketplace compliance programs, which have historically operated downstream of the product engineering function. The DSA makes the algorithm an object of legal obligation, not just a product feature. Compliance teams that cannot obtain this data from their engineering counterparts are exposed to exactly the gap the Commission identified in Temu.
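One way to produce the per-category report described above, combined with the inventory-share comparison from section 1. This is an added example, not taken from the Commission's decision or any platform's code; the category names, impression counts, inventory figures and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (category, traffic source, EU impressions).
IMPRESSIONS = [
    ("phone_chargers", "recommendation", 9000), ("phone_chargers", "search", 1500),
    ("baby_toys", "recommendation", 4000), ("baby_toys", "search", 2000),
    ("garden_tools", "recommendation", 1000), ("garden_tools", "search", 4000),
    ("books", "recommendation", 6000), ("books", "search", 1000),
]
# Constructed listing counts per category (share of inventory).
INVENTORY = {"phone_chargers": 500, "baby_toys": 1000,
             "garden_tools": 3500, "books": 5000}
HIGH_RISK = {"phone_chargers", "baby_toys"}  # assumed elevated product-safety risk
UPLIFT_LIMIT = 2.0   # assumed: recommendation impressions per search impression
SHARE_LIMIT = 1.5    # assumed: recommendation share / inventory share

def amplification_report(impressions, inventory, high_risk,
                         uplift_limit, share_limit):
    """Per category: recommendation-vs-search uplift, over-indexing of
    recommendation exposure against inventory share, and a review flag."""
    by_cat = defaultdict(lambda: {"recommendation": 0, "search": 0})
    for cat, source, count in impressions:
        by_cat[cat][source] += count
    total_rec = sum(v["recommendation"] for v in by_cat.values())
    total_inv = sum(inventory.values())
    report = {}
    for cat, v in by_cat.items():
        rec, search, inv = v["recommendation"], v["search"], inventory.get(cat, 0)
        # A category reached only through recommendations has unbounded uplift.
        uplift = rec / search if search else float("inf")
        # (rec / total_rec) / (inv / total_inv), kept as one division.
        denom = total_rec * inv
        over_index = (rec * total_inv) / denom if denom else float("inf")
        report[cat] = {
            "uplift": uplift,
            "over_index": over_index,
            # Flag only where amplification and safety risk coincide.
            "flagged": cat in high_risk
                       and (uplift > uplift_limit or over_index > share_limit),
        }
    return report

if __name__ == "__main__":
    result = amplification_report(IMPRESSIONS, INVENTORY, HIGH_RISK,
                                  UPLIFT_LIMIT, SHARE_LIMIT)
    for cat, row in sorted(result.items()):
        print(cat, row)
```

Categories with high uplift but no elevated safety risk (here, books) are reported but not flagged, which keeps the review queue tied to the harm model rather than to raw recommendation volume.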
The Structural Lesson: Design Choices Are Now Regulatory Assets or Liabilities
The Temu and X decisions together establish a principle that did not exist in clear legal form before 2025: a platform’s design choices — its recommendation weights, its verification flows, its researcher access architecture — are now first-order regulatory objects. They are not background implementation details that compliance teams learn about after the fact. They are the primary subject of the DSA’s systemic risk obligations.
For marketplace compliance programs, this creates a structural requirement that governance catch up with engineering. The traditional model — legal reviewing policies and terms, product building features, compliance filing reports — breaks down when the regulation specifically asks whether the platform’s recommender system amplifies harm. That question cannot be answered by a policy team working from documentation. It requires embedded compliance capacity at the product and engineering level.
The enforcement trajectory also signals that the Commission is not satisfied with commitments and action plans as endpoints. The August 28 deadline Temu faces is a gate in an ongoing audit cycle, not a finish line. The European Board for Digital Services’ one-month review window and the Commission’s subsequent one-month finalization period create a structured adversarial process in which a weak action plan can be rejected and replaced with Commission-mandated requirements. Platforms that treat the fine as the cost of doing business and the action plan as a paperwork exercise are misreading the enforcement architecture.
The practical implication for any marketplace approaching VLOP designation — 45 million EU monthly users is achievable for any fast-growing cross-border platform within two to three years of European expansion — is to begin building the evidence-based, platform-specific risk-assessment infrastructure before the designation arrives, not after. The Temu ruling has now published the Commission’s minimum standard in operational detail. The cost of building to that standard before designation is a fraction of the cost of a €200 million fine and an externally mandated remediation program.
Frequently Asked Questions
What exactly did Temu do wrong under the DSA?
Temu’s risk assessment relied on generic e-commerce sector data rather than evidence specific to its own platform. The Commission found that this approach severely underestimated the frequency with which EU users encountered illegal products, and that Temu failed to evaluate how its recommender systems amplified the distribution of those products. Mystery-shopping tests by the Commission’s investigators uncovered unsafe chargers and baby toys with chemical hazards and suffocation risks.
How does the Temu fine compare to other DSA enforcement actions?
The €200 million Temu fine is the largest DSA enforcement action to date, exceeding the €120 million fine imposed on X in 2025. X was fined for three different violations: deceptive design in its blue-checkmark verification system, inadequate advertising transparency, and barriers to researcher data access. Both cases establish that the Commission is actively enforcing the DSA across multiple VLOP categories — social media, marketplace, and content platforms alike.
Which platforms are at risk of similar DSA enforcement?
Any platform designated as a Very Large Online Platform — defined as having more than 45 million monthly active users in the EU — faces the full set of DSA systemic-risk obligations. Currently designated VLOPs include major e-commerce marketplaces, social networks, video platforms, and search engines operating in Europe. Platforms approaching the 45 million EU-user threshold should begin building compliant risk-assessment programs before designation, as the obligations apply immediately upon designation.













