The European Commission today fined Temu €200 million under the Digital Services Act for failing to properly identify, analyse, and assess the systemic risks posed by illegal products sold on its platform. The decision, issued on May 28, 2026, marks the first major DSA non-compliance ruling aimed specifically at product safety on an e-commerce marketplace, and it caps an investigation that began in earnest in October 2024.

According to the Commission, evidence gathered during the investigation indicates that consumers in the EU are very likely to encounter illegal items when shopping on Temu. That finding is not theoretical. It rests on physical testing - a mystery shopping exercise commissioned by regulators and carried out by an independent testing organisation.

The fine and how it was calculated

The €200 million penalty was determined by weighing the nature of the infringement, its gravity relative to the number of affected EU users, and its duration. According to the Commission, failing to conduct adequate risk assessments is one of the cornerstones of DSA compliance - not a peripheral obligation - which made the breach particularly serious in the eyes of enforcers.

The figure sits below the maximum threshold available under the law. The DSA allows fines of up to 6% of a platform's total worldwide annual turnover. For context, Temu's parent company PDD Holdings reported revenues well into the tens of billions of dollars, meaning the theoretical ceiling for a fine was considerably higher than the €200 million ultimately imposed.

The non-compliance decision is rooted in Articles 34 and 35 of the DSA, which require Very Large Online Platforms to conduct thorough, platform-specific risk assessments and implement proportionate mitigation measures. According to the Commission, Temu's 2024 risk assessment fell short on multiple fronts.

What the investigation found

The Commission's critique of Temu's risk assessment is detailed. According to the non-compliance decision, the assessment was based on general information about risks facing the eCommerce sector as a whole, rather than on evidence specific to Temu's own service - including publicly available reports and product testing results that were accessible to the company.

That deficiency had concrete consequences. The assessment, according to the Commission, seriously underestimated how often EU consumers are likely to encounter illegal items when browsing the platform. The mystery shopping exercise makes the gap stark. A very high percentage of the selected chargers that investigators purchased on Temu failed basic electrical safety tests. Among baby toys purchased through the same exercise, a high percentage posed safety risks rated between medium and high severity - either because they contained chemicals exceeding legal safety limits, or because they included detachable parts small enough to pose a suffocation hazard.

The third failing is structural. According to the Commission, Temu's risk assessment did not properly examine how the design of its own service - specifically its recommender systems and influencer-driven product promotion programmes - could amplify the spread of illegal products. Recommender systems that surface products based on user behaviour and engagement signals can, if not properly evaluated, steer users toward non-compliant goods at scale. The DSA requires platforms to assess precisely this kind of systemic interaction between design choices and risk outcomes. Temu, regulators concluded, did not.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, stated: "Risk assessments are not box-ticking exercises - they are the backbone of the DSA. Temu's risk assessment underestimates concrete risks, lacks specificity, is not grounded in solid evidence, and is not comprehensive. It leaves regulators, users, and the public in the dark about the true scale of potential harm posed by illegal products sold on Temu. Now it is time for Temu to comply with the law."

The procedural timeline

The road to today's fine is long. The Commission issued formal requests for information to Temu on June 28, 2024, and again on October 11, 2024. Temu submitted its risk assessment report at the end of September 2024. On October 31, 2024, the Commission formally opened proceedings, targeting not just risk assessment failures but also the addictive design of the platform, the transparency of its recommender systems, and researcher data access.

Preliminary findings were adopted in July 2025, giving Temu an opportunity to respond and exercise rights of defence. The Commission also drew on Temu's interim 2025 risk assessment report, third-party submissions, and data from EU customs and market surveillance authorities - the latter revealing high rates of product non-compliance across the specific categories tested. The investigation now closes with the non-compliance decision issued today.

The entire arc - from VLOP designation on May 31, 2024, to fine on May 28, 2026 - spans almost exactly two years. That timeline is consistent with the DSA's design: the law sets no legal deadline for concluding proceedings, and duration depends on case complexity, the degree of platform cooperation, and the exercise of defence rights.

Temu's scale in the EU

The scale of Temu's presence in the EU gives the case its significance. According to the Commission's background materials, Temu was designated as a Very Large Online Platform on May 31, 2024, after declaring more than 45 million monthly active users in the EU. By September 2024, the platform had declared 92 million monthly active users in the bloc - more than double the threshold for VLOP designation within a matter of months.

Under the DSA, once a platform is designated as a VLOP it has four months to come into compliance with the law's most stringent obligations. Those include the requirement to conduct and document thorough systemic risk assessments, implement corresponding mitigation measures, and submit to independent auditing. Temu's designation in May 2024 therefore set a compliance deadline of late September 2024 - the same month the company submitted the risk assessment the Commission has now ruled inadequate.

Temu's own content moderation report, published in December 2024 and covering the period from February 17 to October 31, 2024, recorded approximately 93.7 million average monthly active users in the EU. That report described the platform's moderation infrastructure - combining automated text, image, and video recognition with human moderators who undergo a ten-day classroom training programme followed by two weeks of practical experience - but the risk assessment process at the heart of the current fine was a separate, distinct obligation.

Temu's platform has also drawn regulatory attention outside Europe. In the United States, Temu paid $2 million in the first INFORM Act enforcement case, which required online marketplaces to collect and verify information about high-volume third-party sellers. The platform has also withdrawn abruptly from U.S. Google Shopping following significant advertising investment, underscoring the turbulence around its international expansion strategy.

What happens next

Temu has until August 28, 2026, to submit an action plan to the Commission, as required by Article 75 of the DSA. The plan must set out concrete measures to remedy the breach of its risk-assessment obligations. Once received, the European Board for Digital Services has one month to issue its opinion. The Commission then has a further month to adopt a final decision and set a reasonable implementation period.

Non-compliance with that final decision would expose Temu to periodic penalty payments - an additional lever that can be used to compel ongoing adherence. The Commission has stated it continues to engage with Temu to ensure compliance both with today's decision and with the DSA more broadly.

The October 2024 proceedings covered a wider set of concerns beyond risk assessment: the platform's systems for limiting the reappearance of previously suspended rogue traders, the addictive design of the service including game-like reward programmes, the transparency of its recommender systems under Articles 27 and 38 of the DSA, and researcher data access under Article 40. Today's non-compliance decision addresses the risk assessment obligation specifically. Those other strands of the investigation may still generate separate findings.

Broader DSA enforcement context

The Temu fine arrives in the context of increasingly assertive DSA enforcement across the European Commission's portfolio. The Commission issued a €120 million fine against X on December 5, 2025, the first non-compliance decision under the DSA, targeting deceptive blue checkmark practices, inadequate ad repository transparency, and blocked researcher data access. That decision prompted X to terminate the European Commission's own advertising account two days later.

In February 2026, the Commission issued preliminary findings against TikTok for addictive design features including infinite scroll, autoplay, push notifications, and highly personalised recommender systems - features that overlap in their mechanics with concerns about Temu's own design. In October 2025, TikTok and Meta were found in preliminary breach of DSA transparency rules covering researcher data access and content moderation reporting. Both cases could still result in fines.

The pattern is significant for advertising and marketing professionals. Platforms that serve as advertising channels - and Temu was at one point among the largest buyers of digital advertising space globally, spending heavily on Google Shopping and Meta before its US pullback - are increasingly being evaluated not just on their ad products but on the systemic risks their design choices create. The DSA's risk assessment framework directly implicates recommender systems, which are also the primary engine for ad delivery and product surfacing on platforms like Temu.

The advertising relevance extends further. The DSA obligates platforms to give users at least one alternative to profiling-based content recommendations, and to disclose the main parameters driving their recommender systems. Those obligations sit at the intersection of consumer protection and ad-tech transparency, two areas that have defined the European regulatory conversation for the past several years. For marketers buying inventory on platforms that are now subject to non-compliance decisions, the enforcement wave creates real compliance questions about the ad environments they operate in.

According to the Commission, the evidence gathered from EU customs and market surveillance authorities revealed high rates of non-compliance among products in the specific categories tested. That customs-level data, combined with the independent mystery shopping exercise, gives the Commission an empirical foundation for the fine that goes beyond documentation review.

The DSA enforcement framework that emerges from this case - and from the X fine before it - is one in which risk assessment quality is scrutinised rigorously, general sector-wide analysis is insufficient, and platform-specific evidence is required. For any marketplace operating at VLOP scale in the EU, the message from Brussels today is precise: risk assessments must reflect the actual characteristics of the platform's own users, products, and design choices.

Timeline

  • April 2023: Temu launches to EU consumers
  • May 31, 2024: Commission designates Temu as a Very Large Online Platform under the DSA, following declaration of more than 45 million monthly active users in the EU
  • June 28, 2024: Commission sends first formal request for information to Temu
  • Late September 2024: Temu submits its risk assessment report to the Commission; also declares 92 million monthly active users in the EU
  • October 11, 2024: Commission sends second formal request for information to Temu
  • October 31, 2024: Commission opens formal proceedings against Temu covering illegal product systems, addictive design, recommender transparency, and researcher data access
  • December 2024: Temu publishes its first DSA content moderation report covering approximately 93.7 million average monthly active users
  • December 5, 2025Commission fines X €120 million in the first DSA non-compliance decision
  • July 2025: Commission adopts preliminary findings in the Temu investigation
  • July 29, 2025Temu joins the International Trademark Association and agrees to serve on its Anti-Counterfeiting Committee
  • September 8, 2025Temu pays $2 million in the first INFORM Act enforcement case in the United States
  • February 6, 2026: Commission issues preliminary findings against TikTok for addictive design features under the DSA
  • May 28, 2026: Commission issues €200 million non-compliance decision against Temu for failure to properly assess systemic risks of illegal products
  • August 28, 2026: Deadline for Temu to submit an action plan to the Commission under Article 75 of the DSA

Summary

Who: The European Commission and Temu, the e-commerce platform owned by PDD Holdings, with approximately 92 to 93.7 million monthly active users in the European Union.

What: The Commission issued a €200 million fine - a non-compliance decision under the Digital Services Act - for Temu's failure to diligently identify, analyse, and assess the systemic risks posed by illegal products on its platform. The fine is based on Temu's 2024 risk assessment, mystery shopping test results, third-party data, and EU customs and market surveillance findings. A very high percentage of tested chargers failed basic safety tests; a high percentage of tested baby toys posed medium-to-high safety risks.

When: The fine was issued on May 28, 2026. Formal proceedings were opened on October 31, 2024. Preliminary findings were adopted in July 2025. Temu has until August 28, 2026 to submit a remediation action plan.

Where: Brussels. The decision applies to Temu's operations in all 27 EU member states. The investigation involved the Irish Digital Services Coordinator, the European Board of Digital Services Coordinators, EU customs authorities, and market surveillance agencies across the bloc.

Why: Under the DSA, Very Large Online Platforms must conduct thorough, platform-specific risk assessments and adopt proportionate mitigation measures. Temu's 2024 assessment was based on general eCommerce sector information rather than evidence specific to its own platform, underestimated consumer exposure to illegal items, and failed to evaluate how its recommender systems and influencer-driven promotion programmes could amplify the dissemination of non-compliant products.

Share this article
The link has been copied!