The EU's Transparency Regulator Just Failed Its Own Transparency Test on X

The European Ombudsman found the Commission committed maladministration by hiding X's first DSA risk report behind a blanket secrecy presumption.

[Infographic: "Transparency, Both Ways: The DSA's X File" (People of Internet Research). Panels: €120M, first DSA fine on X; ~2.5 yrs, request to finding; 3 years, risk-report retention duty.]

The Digital Services Act was sold to Europe as a transparency regime. Very large platforms would have to look hard at their own systemic risks — disinformation, election manipulation, harms to civic discourse — write it all down, and hand it to regulators. The public, in theory, would finally see how the machinery works. In May 2026 the European Ombudsman found that the body charged with running that regime had itself failed the transparency test.

What the Ombudsman found

The case began in September 2023, when Alexander Fanta, a journalist with the investigative outlet Follow The Money, asked the European Commission for access to X's first annual systemic-risk assessment — the report that Article 34 of the DSA obliges very large platforms to produce each year. The Commission refused. When Fanta complained in 2024, the Ombudsman, Teresa Anjinho, opened an inquiry. Her recommendation, issued in May 2026, concluded that the Commission's refusal amounted to maladministration.

The problem was not that the Commission protected some genuinely sensitive material. It was how it refused. Rather than reading the document and weighing disclosure line by line, the Commission leaned on a blanket presumption that nothing in it could be released — because an investigation into X was ongoing, because an independent audit was in train, and because X's commercial interests might suffer. The Ombudsman found that reasoning unreasonable. She recommended the Commission do its own assessment and grant Fanta the widest possible access, including parts that X itself had redacted, and explain in detail any section it still withheld.

The case for the Commission's caution

The Commission's instinct deserves a fair hearing. Premature disclosure of a risk report mid-investigation can genuinely prejudice enforcement: it can tip a platform off to the regulator's theory of the case, or let it tailor its defence. There is also a real chilling concern — if platforms know their candid internal risk assessments will be published the moment a journalist asks, they may write blander, more lawyered, less useful reports. And the DSA's audit framework depends on a degree of confidentiality to function. These are legitimate interests, and the EU's access-to-documents rules (Regulation 1049/2001) explicitly protect investigations and commercial secrets.

But legitimate interests are exactly what a case-by-case review is for. The Ombudsman did not order the Commission to publish everything. She ordered it to look. The vice she identified is the shortcut: invoking a category — "ongoing investigation" — as a reason to never open the file. A proportionate regime redacts the genuinely sensitive paragraph and releases the rest. A disproportionate one stamps the whole document secret and calls it prudence.

Why this matters beyond one report

The timing sharpens the irony. In December 2025 the Commission issued its first DSA non-compliance decision, fining X €120 million for a deceptive blue-checkmark system, an inadequate advertising repository, and terms that blocked researchers' data access under Article 40. Two of those three findings are, at bottom, transparency failures — X not letting outsiders see how its systems work. The Commission was willing to fine X €120 million for opacity while running an opacity defence of its own.

This is not a partisan point. Whatever one thinks of X under Elon Musk — and this publication has been sharply critical of arbitrary content decisions on every major platform — the principle cuts the same way regardless of who sits on the other side. The DSA hands the Commission sweeping discretion over the largest speech platforms on earth. That discretion is only legitimate if it is auditable. When the regulator decides, by default, that the public cannot see the documents underpinning its enforcement, it converts a transparency law into a black box and asks citizens to trust the operator.

The proportionality lesson

There is a version of DSA enforcement that strengthens the open internet: targeted, evidence-based, and visible enough that platforms, researchers, and the public can check the regulator's work. There is another version — secretive, presumption-driven, accountable only to itself — that simply relocates the power to control speech from Silicon Valley boardrooms to Brussels back offices. The Ombudsman's finding is a warning shot against the second.

It is worth noting what the Ombudsman is and isn't. Her recommendations are not binding; the Commission can decline to follow them, though doing so against an explicit maladministration finding carries real political cost and feeds the European Parliament's annual scrutiny of the office. X has, in the meantime, published its report with redactions — so the marginal disclosure now at stake is narrow. But the precedent is not. If "there's an open investigation" is a sufficient answer to any access request, then every consequential DSA document is sealed for as long as the Commission chooses to keep a file open, which can be years.

The fix is unglamorous and entirely achievable: read the document, redact what genuinely warrants it, release the rest, and justify each cut. That is what the DSA demands of platforms every single day. A regime built on the premise that sunlight disciplines power cannot credibly exempt the regulator from the same light. Europe asked X to show its work. It is a fair request — and it runs in both directions.
