7MAY

Meta breaches DSA on child safety

2 min read

10:13UTC

The European Commission found Meta in breach of the Digital Services Act on Wednesday 29 April for insufficient child safety protections on Instagram and Facebook, on a track separate from its earlier €200m DMA fine.

← Back to CISPE moves first; Brussels misses again Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Meta now faces three concurrent Brussels enforcement tracks across the DSA, the DMA, and the WhatsApp AI objections.

The European Commission found Meta in breach of the Digital Services Act (DSA) on Wednesday 29 April for insufficient child safety protections on Instagram and Facebook ¹. The finding sits on a track separate from Meta's existing €200 million DMA fine and the Commission's preliminary DMA objections to Meta over the WhatsApp artificial-intelligence assistant exclusion .

The DSA track turns on platform-governance obligations, not competition or interoperability. Where the DMA targets gatekeeper conduct toward business users and rivals, the DSA targets risk to end users, with child safety on very large online platforms one of the named systemic risks the regulation requires designated platforms to mitigate. Meta now faces three concurrent enforcement processes in Brussels, each with its own remedy timeline; the company has not yet disclosed which it will challenge in court. the Commission's first DMA Review Report, published the day before, named cloud and AI as future enforcement priorities, leaving the consumer-platform track running in parallel to the cloud-AI expansion CAIDA is intended to anchor.

Deep Analysis

In plain English

The Digital Services Act (DSA) is an EU law that requires large social media platforms to protect users, especially children, from harmful content and manipulative design. On 29 April 2026, the European Commission found that Meta, which owns Instagram and Facebook, had broken these rules by not doing enough to protect children on those platforms. This is a separate legal case from an earlier €200m fine Meta faced under different EU tech rules. The finding means Meta must now show it has fixed the problems. If it does not, it faces further fines. Child safety advocates say the real issue is that Instagram's recommendation system was designed to keep young users engaged for as long as possible, which conflicts with rules requiring platforms to stop targeting minors based on their behaviour.

Deep Analysis

Root Causes

Instagram's recommendation algorithm was trained on engagement signals that systematically amplify content keeping minors on the platform, including content that Meta's own internal research identified as harmful. Disabling the algorithm for under-18 accounts reduces engagement metrics and advertising revenue by an average of 22% for those users (Meta Q4 2024 earnings call). That financial cost is the structural reason Meta did not voluntarily comply before the DSA imposed the obligation.

The DSA creates two separate child-protection obligations: Article 28 (design-level prohibition on specific targeting practices for minors) and Article 34 (systemic risk assessment and mitigation). The breach finding covers Article 28, which is easier to prove but requires product changes that reduce minors' engagement time, making remediation commercially costly in a way that a fine alone is not.

What could happen next?

Precedent
A successful Article 28 breach finding against Meta on design-level targeting obligations creates a direct precedent for similar proceedings against TikTok, YouTube, and Snapchat, all of which operate comparable recommendation systems for minors.
Risk
If Meta's DSA remediation measures are accepted while its DMA fine remains at €200m, it confirms that trading compliance across simultaneous proceedings is viable, weakening the incentive structure for all DSA enforcement actions.

Source Landscape

This story draws on neutral-leaning sources from Germany, Belgium and 1 more

Belgium×2

Germany

United States

LeftRight

Primary parallel: The 2018 enforcement actions against Facebook under GDPR for the Cambridge Analytica data breach ran simultaneously with Competition Directorate reviews of Facebook's acquisition practices. The two proceedings were structurally isolated: Facebook paid a €100m GDPR fine in Ireland while simultaneously receiving approval for several acquisitions.

Counter-parallel: In 2019, the FTC (US Federal Trade Commission) imposed a $5bn fine on Facebook for GDPR-equivalent privacy violations and simultaneously negotiated a consent decree that explicitly coordinated remediation requirements across multiple parallel investigative tracks. the Commission has no equivalent consent-decree mechanism to force DSA-DMA co-ordination, making the EU structurally more vulnerable to the compliance-arbitrage risk.

Consensus view: The 5Rights Foundation's Baroness Beeban Kidron argues the DSA child safety finding is the first enforcement test of Article 28 (protection of minors) as a standalone obligation, separate from risk-assessment failings, and that a breach finding on this basis rather than on systemic risk assessment creates a faster remediation cycle: Meta must show corrective measures, not redesign its entire risk methodology.

Counter-view: RAND Europe's Alexandra Evans contends the DSA enforcement track and the €200m DMA fine track running simultaneously against Meta are procedurally distinct but commercially co-ordinated by Meta's legal team: the company is rationing compliance concessions across both proceedings to minimise total financial exposure, meaning DSA remediation offers may be calibrated to reduce DMA fine quantum rather than to genuinely improve child safety outcomes.

Key tension: Whether the Commission has cross-proceeding co-ordination mechanisms that prevent Meta from trading cosmetic DSA compliance against DMA fine reductions, or whether each enforcement team operates in a silo.

Sources:IT Pro·Handelsblatt·Digital Watch Observatory

Mentions:Meta →European Commission →Instagram →Cambridge →Digital Services Act →

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Different Perspectives

OpenForum Europe / EUI-Fraunhofer consortium

The consortium (OpenForum Europe, European University Institute, Fraunhofer ISI) is lobbying for a €350m EU Sovereign Tech Fund modelled on Germany's existing sovereign tech fund; Michal Kobosko MEP hosted a Parliament breakfast for it on 28 January 2026. No commissioner has named it as a priority and no host institution has been designated.

Chi Onwurah MP / UK SIT Committee

Onwurah wrote to DSIT minister Narayan that his sovereignty letter "fails to set out a coherent strategy for achieving technology sovereignty". Narayan cited the £500m Sovereign AI Unit and a proposed advanced market commitment for AI hardware; Onwurah's challenge signals that Parliament will press DSIT to move beyond an infrastructure-only first cohort.

US Trade Representative (USTR)

USTR confirmed 24 July as the final determination date for its Section 301 investigation into EU digital rules; public hearings began in May. A USTR tariff threat published before the 27 July DMA Google ruling places direct political pressure on DG COMP to moderate its first cloud-AI enforcement decision.

ASML (Christophe Fouquet)

Fouquet told analysts that ASML's 2026 guidance already "accommodates potential outcomes of ongoing discussions around export controls", after China fell to 19% of system sales in Q1 2026 from 36%. ASML co-signed the CEO deregulation letter; the MATCH Act would remove its remaining DUV China revenue.

Mistral AI / seven European CEOs

Arthur Mensch co-signed a 5 May joint op-ed in Handelsblatt and Corriere della Sera after meeting von der Leyen, calling for simplified AI rules and looser merger control. Mistral's signature is the politically significant one: it is the company Brussels most often cites as evidence that European AI sovereignty is viable.

Schwarz Group / StackIT

Schwarz Group anchored the Cohere-Aleph Alpha merger with $600m and already holds StackIT at SEAL-3 in the Commission's €180m framework. Chief Digital Officer Karsten Wildberger called Berlin's backing of the deal "a very strong signal"; Berlin attached conditions that development services remain in Germany and infrastructure deployment remain sovereign.