The Digital Services Act (DSA) is designed to foster a safer, fairer, and more transparent online environment (→ eucrim 4/2022, 228-230). It establishes new obligations for online platforms, thereby ensuring that EU users are safeguarded against the dissemination of illicit goods and content and that their rights are respected when they engage in interactions, share information, or make purchases online. The DSA is a crucial touchstone for law enforcement purposes (→ eucrim 1/2024, 13).

This news item continues the reporting on the latest DSA developments by giving a chronological overview. It covers the period from May to Mid-October 2025. For overviews of previous developments, see November 2024-January 2025 →eucrim 4/2024, 272-273 and February-April 2025 →eucrim 1/2025, 12-13, each with further references.

• 7 May 2025: The European Commission issues a reasoned opinion to Bulgaria for not appointing and empowering a Digital Services Coordinator (DSC) and for failing to set out penalty rules as required under the DSA. Member States were obliged to establish their DSCs by 17 February 2024 to monitor the DSA’s application and ensure that users can, for example, file complaints against platforms. The Commission gives Bulgaria two months to comply; if it fails to do so, the case may be referred to the Court of Justice of the European Union (CJEU).
• 7 May 2025: The Commission refers Czechia, Spain, Cyprus, Poland, and Portugal to the CJEU for failing to properly implement the DSA. Although Czechia, Cyprus, Spain, and Portugal have designated DSCs, they have not granted them the powers needed to fulfil their functions. Poland has neither designated nor empowered a DSC. None of the five Member States has adopted the required national penalty framework or remedied their failures during the first steps of the infringement procedure.
• 15 May 2025: The Commission announces its preliminary finding that TikTok is in breach of the DSA for failing to comply with the requirement to maintain a transparent and searchable advertisement repository. According to the Commission, TikTok’s repository lacks key information and does not allow for comprehensive public searches. The preliminary assessment follows an in-depth investigation into company documents, tool testing, and expert interviews. TikTok now has the opportunity to respond in writing and access the investigation file; the European Board for Digital Services will be consulted. If the Commission confirms its findings, it may adopt a non-compliance decision, imposing fines of up to 6% of TikTok’s annual global turnover and potentially placing the platform under enhanced supervision.
• 26 May 2025: The Commission and national consumer authorities from Belgium, France, Ireland, and the Netherlands, acting through the Consumer Protection Cooperation (CPC) Network, formally urge online retailer SHEIN to comply with EU consumer protection law. Following a coordinated EU-level investigation, the authorities identifed several unlawful commercial practices on SHEIN’s platform and ordered the company to bring its operations in line with EU legislation. The investigation found multiple breaches of EU consumer law, including fake discounts, pressure-selling tactics, misleading or incomplete information on refunds and returns, deceptive product labelling, false sustainability claims, and hidden contact details preventing consumers from easily reaching the company. SHEIN has also been asked to clarify how it ensures that product rankings, reviews, and third-party seller obligations are transparent and not misleading. The company now has one month to reply and propose corrective measures. If its response is unsatisfactory, national authorities may take enforcement actions, including fines based on the company’s EU turnover.
• 27 May 2025: The Commission launches formal investigations into Pornhub, Stripchat, XNXX, and XVideos for potential breaches of the DSA concerning the protection of minors. The inquiry focuses on whether said porn platforms have effective age-verification systems and other measures ensuring children’s privacy, safety, and well-being, as required under the DSA. The Commission simultaneously withdraws Stripchat’s status as a Very Large Online Platform (VLOP) after finding its EU user base to have been below the legal threshold for over a year. Oversight of Stripchat’s compliance now falls to Cyprus’s Digital Services Coordinator. In parallel, EU Member States are beginning a coordinated action targeting smaller pornographic platforms, ensuring consistent DSA enforcement.
• 18 June 2025: The Commission takes two major steps in its investigation into Chinese online retail service AliExpress under the DSA to strengthen user and consumer safety online. First, the Commission accepts and makes legally binding a set of commitments offered by AliExpress to address DSA compliance concerns. These commitments improve the detection and removal of illegal products, enhance the notice-and-action and complaint systems, increase advertising and recommender system transparency, strengthen trader traceability, and expand data access for researchers. AliExpress will establish a monitoring framework to be overseen by an independent Monitoring Trustee that reports annually to the Commission. Any breach of these commitments amounts to a DSA violation and could trigger fines. Second, the Commission’s preliminary findings indicate that AliExpress has failed to properly assess and mitigate risks related to the dissemination of illegal products, such as counterfeit goods and unsafe items. The platform allegedly underestimated moderation shortcomings, inadequately penalized repeat offenders, and allowed traders to manipulate its content-moderation systems - in breach of its obligations as a VLOP under Arts. 34 and 35 DSA. AliExpress can now defend against the preliminary investigation. If the Commission's findings were to be ultimately confirmed, the Commission would adopt a non-compliance decision and impose a fine.
• 2 July 2025: The Commission adopts a delegated act on data access under the DSA, giving vetted researchers unprecedented access to internal data from VLOPs and Search Engines (VLOSEs). The goal is to enable research on systemic online risks and how platforms mitigate them. The act defines procedures, data formats, and documentation standards for data sharing and requires Digital Services Coordinators (DSCs) to vet researchers. Applicants must prove institutional affiliation, independence from commercial interests, and compliance with privacy and security standards, while committing to publish their findings. A new DSA Data Access Portal will connect researchers, DSCs, and platforms and will manage applications. The Board of Digital Services has agreed on common vetting tools to ensure consistent EU-wide standards.
• 4 July 2025: During the first EU–Moldova Summit in Chisinau, Moldova declares its intention to transpose the DSA by establishing a normative framework that enables efficient interaction with major online platforms, including Very Large Online Platforms and Search Engines (VLOPSEs). Following the adoption of its national law on digital services, Moldova and the EU plan to explore cooperation mechanisms between their respective enforcement authorities, including capacity-building measures for Moldova’s designated regulatory body.
• 14 July 2025: The Commission presents new guidelines on protecting minors and a prototype age-verification app under the DSA to make the online space safer for children. The guidelines urge platforms to curb addictive design features, strengthen tools against cyberbullying, give minors more control over recommender systems, and set accounts private by default to reduce unwanted contact. The age-verification app offers a privacy-preserving way for users to prove they are over 18 without revealing their identity or browsing habits. It will be tested with Denmark, Greece, Spain, France, and Italy before broader rollout. Together, these measures will advance the DSA’s goal of ensuring safe, age-appropriate, and privacy-respecting digital environments for minors. The measures were prepared by means of a stakeholder consultation in spring 2025.
• 28 July 2025: The Commission issues a preliminary finding that online marketplace Temu breached the DSA by failing to properly assess and mitigate risks related to illegal products on its marketplace. A Commission mystery shopping exercise found that EU consumers are highly likely to encounter non-compliant goods, such as unsafe baby toys and small electronics, on Temu’s platform. The Commission concludes that Temu’s October 2024 risk assessment was inadequate, relying on generic industry data rather than marketplace-specific evidence, resulting in insufficient safeguards against illegal products. If confirmed, the Commission could issue a non-compliance decision under Art. 34 DSA, impose fines of up to 6% of global turnover, and require corrective measures under enhanced supervision.
• 10 September 2025: The General Court (GC) annuls the Commission’s 2023 decisions setting supervisory fees for Facebook, Instagram, and TikTok under the DSA. The GC ruled that the calculation method had to be adopted through a delegated act, not an implementing act as done by the Commission. Since the obligation of the companies concerned to pay the supervisory fee for 2023 holds up, the GC is temporarily maintaining the effects of the annulled decisions. The Commission has up to 12 months to correct the legal defects.
• 10 October 2025: The Commission requests information from Snapchat, YouTube, Apple App Store, and Google Play to assess the measures they use to protect minors, marking the first step in enforcing the Guidelines on the Protection of Minors adopted in July 2025 (see above). Furthermore, the Commission takes action to ensure a safe online space for minors: The European Board for Digital Services’ Working Group on child protection is working with national authorities to identify high-risk platforms, verify their compliance with DSA safety requirements, and develop common investigatory tools to ensure consistent enforcement across the EU. The guidelines of July 2025 have been made available in all 24 EU languages, and a simplified version to help children, families, and educators understand key safety principles has been released. The second blueprint for an EU age-verification solution, introducing passport and ID-based verification and support for the Digital Credentials API, has been published. As announced in Commission President von der Leyen’s State of the Union address, the Commission is now setting up an advisory panel to shape the EU’s future strategy for safe online experiences for minors.