The European Commission has fined X €120 million ($140 million) for violating transparency obligations under the Digital Services Act (DSA).
This is the first non-compliance ruling under the DSA, a set of rules adopted in 2022 that requires platforms to remove harmful content and protect users across the European Union.
The fine was issued following a two-year investigation into the platform formerly known as Twitter to determine whether the social network violated the DSA regarding the effectiveness of measures to combat information manipulation and the dissemination of illegal content. The commission’s preliminary findings were shared with X in July 2024.
Regulators found that X had breached transparency requirements through its misleading ‘blue checkmark’ system for ‘verified accounts,’ its opaque advertising database, and its blocking of researchers’ access to public data.
The commission said that X’s checkmark misleads users because accounts can purchase the badge without meaningful identity verification. This deceptive design also makes it challenging to assess account authenticity, increasing exposure to fraud and manipulation.
“This deception exposes users to scams, including impersonation frauds, as well as other forms of manipulation by malicious actors,” the commission noted. “While the DSA does not mandate user verification, it clearly prohibits online platforms from falsely claiming that users have been verified, when no such verification took place.”
X also failed to maintain a transparent advertising repository, as the platform’s ad database lacks the accessibility features mandated by the DSA and imposes excessive processing delays that hinder efforts to detect scams, false advertising, and coordinated influence campaigns. It also set up unnecessary barriers that block researchers from accessing public platform data needed to study systemic risks facing European users.
“Deceiving users with blue checkmarks, obscuring information on ads and shutting out researchers have no place online in the EU. The DSA protects users. The DSA gives researchers the way to uncover potential threats,” said Henna Virkkunen, the bloc’s executive vice president for tech sovereignty.
“The DSA restores trust in the online environment. With the DSA’s first non-compliance decision, we are holding X responsible for undermining users’ rights and evading accountability.”
The commission said that X now has 60 working days to address the blue checkmark violations and 90 days to submit action plans for fixing the research access and advertising issues, and added that failure to comply could trigger additional periodic penalties.
X was designated as a Very Large Online Platform (VLOP) under the EU’s DSA on 25 April 2023, following its announcement that it had reached over 45 million monthly active users in the EU.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.