On May 28, 2026, the European Commission fined Temu €200 million for breaching Article 34 of the Digital Services Act — the provision requiring "very large online platforms" to diligently identify, analyse, and assess systemic risks arising from their service. It is the largest DSA fine issued to date, surpassing the €120 million penalty imposed on X on December 5, 2025 for deceptive verification badges, an opaque ad repository, and blocked researcher access.
The Temu case is different in kind, not just size. X was fined for concrete design failures. Temu was fined for how it wrote its own compliance paperwork.
What the Commission Actually Found
According to the Commission's decision, Temu's 2024 risk assessment — the document VLOPs must produce annually to satisfy Article 34 — relied on "general information about risks concerning the eCommerce sector as a whole" rather than evidence specific to Temu's own platform. The Commission concluded this caused Temu to underestimate how often EU consumers encountered illegal products, and that the assessment failed to account for how Temu's recommender systems and its influencer-led promotion programmes could amplify the spread of unsafe goods.
The Commission backed this with its own mystery-shopping exercise: a very high share of chargers purchased on Temu failed basic electrical safety tests, and a high share of baby toys tested posed medium-to-severe safety risks — from chemical content exceeding legal limits to detachable parts creating choking hazards. Consumer group BEUC separately documented phthalate levels in some toys at up to 240 times the legal limit, supporting the enforcement action.
Commissioner for Tech Sovereignty Henna Virkkunen framed the ruling as a statement of principle: "Risk assessments are not box-ticking exercises — they are the backbone of the DSA." Temu now has until August 28, 2026 to submit a remedial action plan; the European Board for Digital Services gets a month to opine on it before the Commission decides whether it's sufficient.
The Case for the Fine
The strongest argument for this enforcement is straightforward: Article 34 exists precisely so that platforms can't discharge their obligations with boilerplate. If a self-assessment can cite sector-wide statistics instead of auditing your own marketplace, the requirement is decorative. Temu is a Chinese cross-border marketplace whose entire growth model runs on razor-thin margins, minimal seller vetting, and algorithmic recommendation at massive scale — precisely the conditions under which generic risk language would miss platform-specific failure modes. Given the mystery-shopping results, the underlying consumer-safety problem was real, not hypothetical. Utrecht University researcher Catalina Goanta noted this is also the first Commission decision to treat influencer-driven promotion as a genuine amplification risk — a reasonable extension given how much of Temu's user acquisition runs through affiliate and creator programs rather than traditional advertising.
Where the Precedent Gets Risky
But the Commission is fining a process failure, not a proven pattern of harm from that failure — and the line between "insufficiently specific risk assessment" and "risk assessment we'd have written differently" is not self-evidently bright. Article 34 asks platforms to be "specific" and "proportionate" to risks they must themselves characterize; those are inherently judgment calls, and a €200 million penalty for getting that judgment wrong sets a demanding bar for what counts as an adequate paper trail. Temu has called the fine "disproportionate," arguing the assessment in question dates to 2024 and that it has since tightened seller vetting and product screening — a response the Commission's own decision doesn't appear to rebut on the merits, only on timing.
The pattern matters more than any single case. The Commission is now running parallel risk-assessment investigations into Meta, AliExpress, and Shein, suggesting a deliberate strategy: rather than chasing every individual harmful listing, regulators are auditing the internal compliance machinery platforms use to justify inaction. That's a defensible, resource-efficient way to regulate systemic risk at scale — but it also means platforms face open-ended exposure based on how persuasively they can retroactively defend a document that, by the DSA's own design, has to synthesize probabilistic judgments about future harm. Proportionate regulation should reward platforms that visibly tighten controls after a finding, and the Commission's own two-stage process — action plan, then Board review, then implementation period — appropriately builds in room for remediation before harsher measures follow. Whether Brussels uses that room consistently, across Temu, Shein, and Meta alike, will determine if this becomes a coherent enforcement standard or a series of ad hoc penalties calibrated to each platform's politics.