Full Report
X's paid "blue checkmark" system for verifying users and other aspects of the platform violate the EU's Digital Services Act, the European Commission said in fining the company €120 million ($139 million).
Analysis Summary
# Regulation/Compliance: Digital Services Act (DSA) Enforcement Action against X
## Overview
This summary details the first enforcement action taken under the EU's Digital Services Act (DSA), resulting in a significant fine against the social media platform X (formerly Twitter). The action centers on X's violation of DSA requirements related to user transparency (specifically concerning its paid verification system) and mandated obligations for very large online platforms (VLOPs) regarding disinformation, political advertising transparency, and researcher access to data.
## Key Details
- Issuing Authority: The European Commission
- Effective Date: The DSA itself has phased implementation, but this specific enforcement relates to requirements for Very Large Online Platforms (VLOPs) which are required to comply with significant obligations. The fine was issued on December 5th, 2025 (as per the article date).
- Jurisdiction: European Union (EU)
- Status: Final Enforcement Action (Fine Issued)
## Requirements
### Mandatory Requirements (Violated by X)
1. **User Verification Transparency:** Platforms must not mislead users regarding verification status. Specifically, X was found to be violating rules by allowing anyone to pay for "verified" status without meaningful verification of the account holder's identity.
2. **Political Advertisement Repository:** Platforms must maintain a publicly available, searchable repository for political advertisements. This repository must be updated "in as close as possible to real-time" and include critical information such as the content, topic, and the legal entity responsible for paying for the ad.
3. **Researcher Data Access:** Platforms must provide researchers with access to their public data to facilitate the detection of systemic risks, including disinformation and influence operations. X was found to be prohibiting eligible researchers from accessing public data (including via scraping) and imposing "unnecessary barriers."
### Recommended Practices
*Note: The DSA primarily sets mandatory requirements for VLOPs. Specific best practices are often derived from implementing the intent behind the mandates, such as ensuring ad repository features are fully functional and timely.*
1. Ensuring research access mechanisms are frictionless and non-discriminatory to fully support independent validation of systemic risk assessments.
2. Designing verification schemes that prioritize meaningful identity validation over payment for status, to prevent user confusion and manipulation.
## Affected Organizations
- Industries: Online Platforms, intermediary services, and specifically **Very Large Online Platforms (VLOPs)** designated under the DSA.
- Organization Size: The specific stringent transparency and risk management requirements apply to VLOPs, defined as entities reaching a threshold of 45 million monthly active users in the EU.
- Geographic Scope: The regulation applies to any entity providing intermediary services within the EU, regardless of where the company is headquartered (e.g., U.S.-based platform X).
## Compliance Timeline
- **Last Year (Implied):** The Commission informed X of alleged breaches shortly after setting out the DSA rules, indicating ongoing compliance monitoring.
- **December 5th, 2025 (Article Date):** Initial significant enforcement fine (€120 million) was issued following confirmation of violations.
- **Ongoing/Future:** Continuous compliance is required. Extreme non-compliance risks further escalation, potentially including requests for access restriction across the EU.
## Implementation Guidance
### Assessment Phase
- **Verification Audit:** Review the paid verification scheme (e.g., "blue checkmark") to ensure identity verification for paid accounts is "meaningful" and not purely payment-dependent, avoiding user deception.
- **Repository Evaluation:** Audit the political ad repository for required data fields (content, topic, payer entity) and timing (near real-time updates). Identify and eliminate "access barriers" like excessive processing delays.
- **Data Access Review:** Examine Terms of Service and technical access protocols to confirm that eligible researchers have appropriate, unhindered access to public data, including via means like scraping if necessary for systemic risk research.
### Implementation Phase
1. Immediately rectify design features and access barriers that undermine the transparency and function of the political ad repository.
2. Update terms of service and technical infrastructure to grant eligible researchers frictionless access to relevant public data streams.
3. Re-engineer the paid verification process to ensure that payment does not substitute for robust identity confirmation, or clearly demarcate verification levels based on identity assurance.
### Validation Phase
- Continuous monitoring by the Commission based on submitted compliance reports and platform performance data.
- Verification through independent researcher usage of the ad repository and data access APIs.
## Technical Requirements
1. **Ad Repository Integrity:** Must store and display required metadata (content, topic, payer entity) for political ads.
2. **Data Access APIs:** Must provide accessible mechanisms (allowing scraping or comparable bulk data retrieval) for specific researchers to obtain public data sets relevant to systemic risk analysis.
## Penalties & Enforcement
- **Fines:** Up to **6% of the company’s global annual turnover** for VLOPs that fail to meet DSA obligations.
- **Specific Penalty Issued:** €120 million ($139 million) for the stated violations regarding transparency and data access.
- **Other Consequences:** In extreme cases, the Commission has the power to request **restriction of access to the service across the entire EU**.
- **Enforcement:** Directly enforced by the European Commission via administrative investigation and fining powers.
## Related Standards
- **Digital Services Act (DSA):** The primary regulatory framework governing platforms in the EU, focusing on illegal content, transparency, and risk management for systemic harms.
- **Alignment:** The DSA sets specific, legally binding operational mandates that supersede general industry standards when related to EU digital market obligations.
## Resources
- Official Documentation: *Digital Services Act (DSA)* documentation (Search for official EU legal text of Regulation (EU) 2022/2065).
- Guidance Documents: European Commission guidance documents pertaining to the application of the DSA, specifically for VLOPs.
- Tools: Internal compliance reporting tools provided by the Commission for monitoring obligations.
## Practical Recommendations
1. **Conduct a full gap analysis** against all DSA obligations applicable to VLOPs immediately, focusing heavily on transparency mechanisms (ads, verification) and data governance for researchers.
2. **Establish dedicated internal working groups** to manage compliance reporting to the European Commission, as continuous monitoring will be required post-fine.
3. **Prioritize engineering efforts** to remove technical barriers preventing researcher access to public data, treating this access as a mandatory operational requirement, not an optional feature.