Europe fines X €120 million in first enforcement of the Digital Services Act

Filip TRUȚĂ

December 10, 2025


The European Commission has imposed a €120 million fine on X (formerly Twitter), finding the platform in breach of key transparency and user-protection rules under the Digital Services Act (DSA).

The DSA is a landmark EU regulation enacted in 2022. It creates a comprehensive framework to make online spaces safer, protect users' fundamental rights, and hold big tech platforms accountable for illegal and harmful content, with the aim of bringing online rules in line with offline laws. It imposes obligations on transparency and content moderation, and restricts manipulative advertising.

The Commission ruled that X violated three core DSA obligations:

  • deceptive design of its “blue checkmark”
  • a lack of transparency of its advertising repository
  • a failure to provide access to public data for researchers

The blue tick

The “blue checkmark” verification (X’s blue-tick) is available to any subscriber and hardly reflects identity verification, the Commission stresses.

“X's use of the ‘blue checkmark’ for ‘verified accounts’ deceives users,” according to the announcement. “This violates the DSA obligation for online platforms to prohibit deceptive design practices on their services.”

"This deception exposes users to scams, including impersonation frauds, as well as other forms of manipulation by malicious actors," the Commission said.

Lax transparency around X's ads repository

The second issue centers on X’s lack of transparency around advertising. The platform’s ad repository fails to meet DSA standards, omitting critical details such as ad content, topics, and who paid for them.

This opacity undermines the capacity of researchers, regulators and the public to detect malvertising, disinformation campaigns or suspicious ad-driven manipulations, the Commission said.

Hampering researcher access to public data

X’s third breach is described as a “failure to provide researchers access to public data.”

The European Commission says X has made it unduly difficult for eligible researchers to access its public data, hampering independent scrutiny of systemic risks such as coordinated disinformation, algorithmic amplification, or social-engineering threats.

This is the first formal non-compliance decision under the DSA, marking a major milestone in the EU’s online-safety enforcement efforts.

X must submit remedial plans within 60 days for checkmark issues and within 90 days for ads and data access. Otherwise, it faces further periodic fines — potentially up to a significant share of its global revenue under DSA enforcement rules.

What this means for user trust

The sanction is particularly relevant against the backdrop of the findings from our 2025 Bitdefender Consumer Cybersecurity Survey, which revealed consumer distrust toward several tech giants – X ranking among the least trusted of the major players in Big Tech.

Source: Bitdefender 2025 Consumer Cybersecurity Survey

The survey identified social platforms as the top vector for fraud and impersonation – the very risks the EU flagged in its decision against X.

Consumers often assume that a “verified” badge means the account behind it is authentic – which, in the case of X’s pay-to-verify model, no longer holds true. The EU fine helps validate public skepticism and underscores the mismatch between platform promises and actual safety.

What users should take away

  • Don’t assume that a “verified” badge equals trust or authenticity – especially on platforms with pay-to-verify models.
  • Be wary of accounts or ads – even “verified” ones – offering deals or making claims, especially financial ones.
  • Prioritize tools and behaviors that reduce attack surfaces. Use strong, unique passwords, exercise skepticism toward messages from unverified or newly created accounts and use a scam detector on your phone or computer.

For users, the EU’s action is a step toward safer social media. For Big Tech, it’s a clear reminder that lax verification can no longer be accepted under modern digital-safety laws.

Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.
