EU misinformation takedown laws

EU Locks Disinformation Code Into DSA, Targeting Algorithms Over Content — but Audit Credibility Remains Unproven

Europe's misinformation governance has shifted from voluntary pledges to binding platform audits — a sounder design than takedown mandates, but one whose real test lies ahead.

EU Disinformation Enforcement: Key Metrics People of Internet Research · EU €120M First DSA Fine X penalised Dec 2025 for deceptive… 10 Platforms Now Auditable Services including Google, Meta, T… 7 years Code Evolution Span EU Disinformation Code ran as volu… peopleofinternet.com

Key Takeaways

The most important nuance in Europe's evolving approach to online misinformation is what it does not require: governments issuing removal orders for content they deem false. That distinction — largely invisible in political debate — explains both the framework's genuine strengths and the tensions now surfacing as enforcement begins in earnest.

From Voluntary Code to Binding Audit Benchmark

On July 1, 2025, the EU's Code of Practice on Disinformation ceased to be a voluntary industry commitment and became an auditable benchmark for Digital Services Act (DSA) compliance. The integration, formally endorsed by the European Commission and the European Board for Digital Services on February 13, 2025, means very large online platforms (VLOPs) — including Google, Meta, Microsoft, and TikTok — must now demonstrate to independent auditors that their systems meet the Code's commitments or face regulatory scrutiny.

The first transparency reports under this framework, covering July to December 2025, were published in early 2026. They span platform commitments on election integrity, crisis disinformation including the Ukraine conflict, and fact-checker partnerships across ten major services: Google Search, YouTube, Google Ads, Facebook, Instagram, Messenger, WhatsApp, Bing, LinkedIn, and TikTok. Notably, the Commission chose not to evaluate whether the reported measures were sufficient — a deliberate choice it says reflects the audit process's early stage, but one that civil society observers have flagged as a gap that undermines the entire accountability claim.

The definitional architecture matters here. The DSA's systemic risk framework does not require platforms to remove specific pieces of misinformation. Instead, it requires them to identify and mitigate risks arising from their systems: recommendation algorithms that amplify low-quality content, advertising networks that fund disinformation at scale, and design features that obscure who is communicating what to whom. This is a regulatory philosophy with a clear pedigree — one that targets the amplification infrastructure rather than individual messages.

The December 2025 Fine — and What It Actually Said

On December 5, 2025, the Commission issued its first DSA non-compliance decision: a €120 million fine against X (formerly Twitter). Critically, the fine was not for hosting misinformation. X was penalised for three transparency failures: a deceptive "blue checkmark" system that allowed anyone to purchase "verified" status without meaningful identity verification, exposing users to impersonation fraud; an advertising repository lacking the transparency required by Article 39 of the DSA; and failure to provide researchers meaningful access to public data under Article 40 DSA — the very access needed to study disinformation at systemic scale.

The fine signals that the Commission will act. But it also illustrates the framework's underlying logic: the primary enforcement target is transparency and research access, not content removal. A parallel investigation opened in January 2026 targets X's Grok AI tool for systemic risks including AI-generated manipulated imagery. Shein faced a separate investigation in February 2026 for addictive design features. The enforcement universe is expanding — and the cases remain consistent in their focus on system design rather than content policing.

The European Democracy Shield: Proportionate Augmentation?

Announced by the Commission on November 12, 2025, the European Democracy Shield adds non-coercive tools to the framework: a proposed Centre for Democratic Resilience, an extended mandate for the European Digital Media Observatory (EDMO), and EU funding for a European network of fact-checkers. These are investments in media literacy and independent research capacity rather than speech controls, and the approach is defensible. Fact-checking networks and media literacy programmes can improve information quality without mandating specific speech outcomes.

The strongest case for this architecture rests on a straightforward premise: Europe faces documented foreign information manipulation, including Russian state-backed interference campaigns affecting multiple Member States. Doing nothing is not a neutral option. Transparency requirements and independent research access are among the least invasive tools available, and they create accountability without vesting governments with editorial authority over individual posts.

Where the Framework Strains

Three problems deserve honest acknowledgment.

Audit credibility is unproven. The Code of Conduct's enforcement depends entirely on auditors gaining access to meaningful platform data and applying rigorous, independent methodology. Civil society groups have warned that "without a clear audit framework and access to meaningful data, these audits won't be credible." Without published audit standards, the framework risks becoming compliance theatre — platforms file reports, auditors sign off, and the information environment remains unchanged.

Crisis protocols present structural risk. The DSA grants the Commission authority to activate emergency measures during declared crises, potentially requiring platforms to accelerate content restrictions. The Centre for European Reform has noted that machine-learning content classifiers used in such scenarios are "notoriously inaccurate" and context-blind, creating systematic over-removal risk. A protocol designed to counter state-sponsored disinformation can easily misfire on legitimate journalism, satire, or minority political speech. Strict judicial authorisation thresholds and hard time limits are not currently guaranteed by the regulation's text.

The boundary between disinformation and dissent is politically contested. When systemic risk assessments are conducted by Commission staff and when "civic discourse" risks are defined by the same institution that regulates platforms, the line between protecting democracy and constraining political speech becomes dangerously thin. Neutral-sounding technical language can mask deeply political choices delegated to unaccountable algorithmic systems.

The Editorial Verdict

The EU's systemic risk approach is better designed than a takedown-mandate regime. Requiring algorithmic transparency, researcher access, and advertising accountability while leaving content-level decisions with platforms is the right model in principle. The seven-year evolution of the Disinformation Code — from a 2018 voluntary pledge to a DSA-integrated enforcement benchmark — represents genuine institutional learning.

But the Commission has completed only the easier part. Publishing a framework is not the same as enforcing it credibly. The next eighteen months will reveal whether DSA audits have real teeth — whether auditors are genuinely independent of the platforms they assess, whether methodology is publicly accessible, and whether civil society can effectively contest compliance claims. The Democracy Shield's fact-checker network is valuable only to the extent it operates independently of EU institutions.

The right test for any misinformation framework is whether it makes the information environment more transparent and accountable — not whether it expands the state's power to define and remove disfavoured speech. The EU has built a framework that could meet that standard. Whether it does depends on the enforcement choices being made this year.

Sources & Citations

  1. EC: Commission Fines X €120M Under DSA (Dec 2025)
  2. EC: Code of Conduct on Disinformation
  3. Tech Policy Press: EU Disinformation Code Takes Effect
  4. Centre for European Reform: Will the DSA Save Europe From Disinformation?
  5. eucrim: DSA Developments November 2025–February 2026