Temu Fined €200M: EU's Biggest Platform Penalty Yet

The European Commission issued a €200 million fine against Temu on May 28, 2026 — the largest penalty ever imposed under the Digital Services Act, and a 67% increase over the previous record. The prior record holder, X (formerly Twitter), was fined €120 million in December 2025 for dark patterns and transparency failures. Temu's fine lands differently: it targets not what the platform did, but what it failed to think about.

Key Takeaways

• The European Commission fined Temu €200 million on May 28, 2026, the largest Digital Services Act fine to date, surpassing the €120 million penalty against X in December 2025.
• Temu violated DSA Articles 34 and 35 by submitting systemic risk assessments that relied on generic e-commerce sector data rather than Temu-specific evidence, significantly underestimating how frequently EU consumers encounter illegal products on the platform.
• Mystery shopping investigations found that a very high percentage of tested phone chargers failed basic electrical safety requirements, and a substantial proportion of baby toys contained chemicals exceeding legal limits or posed suffocation hazards.
• The Commission determined that Temu also failed to assess how its recommender system and influencer programs amplify the distribution of unsafe products — marking the first time the Commission has formally treated influencer marketing as a quantifiable systemic risk factor.
• Temu has until August 28, 2026, to submit a remediation action plan; three additional investigation strands covering addictive design, recommender transparency, and researcher data access remain ongoing.

What Temu Was Fined For

The DSA imposes two interlocking obligations on very large online platforms. Article 34 requires platforms to identify, analyze, and assess systemic risks stemming from their service design, algorithmic systems, and how users interact with them. Article 35 requires platforms to put reasonable, proportionate, and effective mitigation measures in place once those risks are identified.

Temu failed at Article 34 before getting to Article 35. The Commission found that Temu's risk assessments were built on general e-commerce sector data — not the evidence produced by Temu's own marketplace activity. The result was a material underestimation of how likely EU consumers were to encounter illegal products.

Mystery shopping investigations found that a very high percentage of phone chargers sampled from Temu's marketplace failed basic electrical safety requirements. Consumer group BEUC independently found phthalates in toys at up to 240 times the legal limit. Baby toys with detachable small parts creating suffocation hazards for children were documented as well. This was not a paperwork problem. Temu filed assessments. The Commission concluded those assessments were substantively deficient — constructed to satisfy a compliance requirement rather than to actually model the risks the platform creates.

Why the Risk Assessment Failure Mattered

The distinction between a technically submitted risk assessment and a substantively adequate one is the center of gravity for the entire Temu decision. Executive Vice President Henna Virkkunen put it directly: "Risk assessments are not box-ticking exercises — they are the backbone of the DSA."

The Commission identified two specific failures. First, Temu did not evaluate how its recommender system drives traffic toward certain products. A risk assessment that doesn't model how the recommender system amplifies exposure to any given product category is incomplete by design. Second, Temu failed to account for how its influencer and affiliate marketing programs function as distribution amplifiers. Researcher Catalina Goanta noted this marks the first time the Commission has formally treated influencer marketing as a systemic risk factor — a precedent with implications well beyond product safety.

The DSA Enforcement Pattern: X, TikTok, Temu

The Temu fine is the third major DSA enforcement action in seven months, and the escalation is not subtle.

In December 2025, the Commission fined X €120 million for three violations: the deceptive use of paid blue verification checkmarks, an inadequate advertising repository, and refusal to grant researchers access to platform data. TikTok, under preliminary findings related to addictive design features, chose to commit to binding transparency measures in exchange for avoiding a fine. Temu's case is distinct from both. The X fine was about disclosed transparency obligations that X ignored. The Temu fine is about the quality of internal risk governance work — whether the assessments a platform performs actually reflect the risks the platform creates.

Three additional investigation strands targeting Temu remain open: addictive design features, recommender system transparency, and researcher data access. Further enforcement actions are possible.

What This Means for Platform Compliance

Temu contests the decision and has described the fine as "disproportionate." That framing matters less than the precedent the decision sets for every other platform operating under DSA oversight.

The Temu decision clarifies three things about what DSA risk assessments must actually contain. First, assessments must be platform-specific — general industry benchmarks don't satisfy Article 34. Second, algorithmic systems must be modeled as risk amplifiers, not neutral infrastructure. Third, third party relationships — including influencer and affiliate programs — are within scope.

The August 28, 2026, remediation deadline gives Temu three months to produce a credible action plan. For compliance officers working through DSA readiness, the Temu decision provides a concrete benchmark: the Commission can conduct its own testing to evaluate whether your risk assessment's conclusions hold up to empirical scrutiny.

The DSA's risk assessment framework is not limited to product safety. The same Articles 34 and 35 obligations apply to systemic risks from tracking, privacy, and data protection. The Temu fine establishes that the Commission will pursue the substance of compliance work, not just its existence. For related enforcement context, see GM's $12.75M CCPA fine for selling driving data and Coupang's record $409M breach fine.