Ana Filipa Ribeiro (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – ref. UMINHO/BIM/2026/33) and Renan Bendel Vaughan (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – ref. UMINHO/BIM/2026/40)

Setting the scene: a first fine and an open question

On 28 May 2026, the European Commission adopted a non-compliance decision against Temu, imposing a fine of 200 million euros for breach of its obligations under the Digital Services Act (DSA).[1] The decision is significant for several reasons. It is the first major fine imposed on an electronic commerce platform under that instrument and confirms that the public enforcement mechanism of the DSA is fully operational. It is important, however, to bear in mind that the procedure is not closed: under Article 75 DSA, Temu has until 28 August 2026 to submit an action plan to the Commission aimed at remedying the infringement, following which the European Board for Digital Services issues an opinion. The decision remains open to challenge before the Union courts.[2] 

What Temu was fined for

The decision concerns Temu’s failure to properly identify, analyse and assess systemic risks linked to the dissemination of illegal products through its online marketplaces.[3] In October 2024, the Commission opened a formal investigative procedure; in July 2025, it adopted preliminary findings of infringement; and in May 2026, it confirmed those findings in a non-compliance decision.[4]

The Commission’s findings are detailed. The risk assessment conducted by Temu for the 2024 exercise was based on generic information about the electronic commerce sector, rather than on specific evidence concerning the service itself; it seriously underestimated the frequency with which Union consumers encounter illegal products on the platform; and it failed to consider the manner in which its recommendation systems and promotion by digital influencers could amplify the dissemination of hazardous products.[5] An independent mystery shopping exercise, carried out in the scope of the investigation, confirmed that a markedly elevated proportion of the tested chargers failed basic electrical safety assessments, and that a significant proportion of baby toys posed medium to high risks.[6] The fine of 200 million euros was calculated by reference to the nature, gravity and duration of the infringement.[7]

The Commission also required Temu to adopt corrective measures and to submit an action plan setting out how it intends to remedy the infringement. The decision, thus, forms part of a broader enforcement framework, combining the punitive response to a previous failure in risk assessment with a forward-looking remedial function aimed at strengthening the platform’s future governance of systemic risks.

The Commission’s decision is grounded in the exposure of consumers in the Union to illegal or unsafe products, but its legal effects operate within the sphere of public enforcement by establishing a failure in the platform’s risk governance.[8] For that reason, its legal effect is directed primarily at Temu’s compliance obligations under the DSA, leaving open the individual legal position of consumers who may already have been exposed to (or harmed by) the relevant products.[9] To understand why that is so, it is necessary to examine the enforcement architecture within which the decision was adopted – and the structural position it assigns to the individual consumer.  

The public enforcement under DSA: a mechanism of market regulation

The DSA establishes a supervision and enforcement system structured around a distinction of scale. For the generality of platforms, supervision and enforcement are entrusted to the national Digital Services Coordinators (DSCs) – independent authorities designated by each Member State and endowed with investigative and sanctioning powers.[10] For Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – services with an average of at least 45 million active monthly recipients in the Union[11] –, the Commission holds exclusive supervisory and enforcement competences in respect of the specific obligations imposed upon them, namely the obligations of systemic risk management.[12]

Temu was designated as a VLOP, which places it under the direct jurisdiction of the Commission and subjects it to the obligations laid down in Articles 34 and 35 DSA. Article 34 imposes upon VLOPs the obligation to carry out in-depth risk assessments, taking into account in particular the risks associated with the design of the service and the functioning of its recommendation systems. Article 35 requires the adoption of reasonable, proportionate and effective measures to mitigate the risks thus identified, with particular regard to their impact on fundamental rights.

This enforcement mechanism is, structurally, a mechanism of market regulation. The Commission acts in the public interest; the decision produces effects for the platform and the user community as a whole, not for any individual user. The consumer who purchased a hazardous toy, for example, is not a party to the procedure, does not have access to the evidence gathered, and receives no compensation for any damage suffered. Leerssen, van Duin, Toepoel and van Hoboken underscore that whilst public enforcement receives considerable attention, the role of private enforcement – that is, legal action brought by private individuals before national courts to enforce rights conferred by the DSA – remains relatively under-explored.[13] That observation provides the starting point for the analysis that follows, which examines whether this is borne out in practice.

The consumer behind the fine: Article 54 and the structural problem of causation

The DSA is not limited to conferring enforcement powers upon public authorities. Article 54 establishes the right of recipients of the service to seek compensation from providers for damages or losses suffered by reason of an infringement of the obligations laid down in the Regulation. The provision is legally significant because it makes clear that the DSA is not directed solely at platforms as regulated entities but also confers individual subjective rights upon users – an option that Recital 126 of the DSA confirms, by affirming that the Regulation seeks to ensure access to legal remedies for those whose rights have been violated.[14]  

To access this compensation, the user must demonstrate, in accordance with the general conditions of civil liability law, (i) the existence of damage or loss, (ii) an infringement of the DSA on the part of the service provider, and (iii) a causal link between the two. These three conditions are not expressly enumerated in Article 54, but stem from its textual structure and correspond to elements common to the legal traditions of the Member States in the field of civil liability, as the literature observes.[15] What the provision does not regulate is the manner in which those elements must be proved: Article 54 contains no evidentiary presumption, establishes no rules on the burden of proof, and creates no mechanism of access to evidence held by the platform, remitting those matters to national procedural law under the principle of the procedural autonomy of Member States.[16]

This gap gives rise to a specific problem where the breach underlying the claim for damages consists in a breach of the obligations of systemic risk management laid down in Article 35 DSA. Unlike other obligations under the Regulation – such as the content moderation rules of Article 14, which tend to be precise and to generate infringements identifiable on a case-by-case basis – the obligations of Article 35 are, by their nature, diffuse: they are addressed to platforms in the abstract, in relation to the totality of their service, and compliance is measured holistically.

There is debate in the literature as to whether these obligations are obligations of means or of result. In the words of Husovec, the systemic risk management obligations of VLOPs relate to “more of a process or systems put in place” than to concrete and individually verifiable results – which means that their breach does not automatically generate liability for an individual damage.[17] This reading is corroborated by Recital 122 of the DSA: the damages recoverable under Article 54 must be causally linked to the breach of the duty of care in question and compensate only for the proportion of the damage attributable to it; damages caused by third parties who have uploaded content remain distinct.[18] Del Moral Sánchez argues that the obligations applicable to VLOPs are tendentially obligations of means, calibrated by reference to the scale and systemic impact of the service; Leerssen et al. acknowledge the ambiguity but conclude that the due diligence obligations of the DSA must, as a general rule, be treated as obligations of result, with the possible exception of the specific obligations of VLOPs.[19] In either case, the practical consequence for the individual user is the same: establishing a causal link between a systemic failure in the platform’s risk assessment and the specific harm suffered is a structurally difficult task.          

Leerssen et al. identify precisely this point as the central fragility of the right to compensation in this context, observing that establishing harm and causality can be challenging for many of the issues governed by Article 35 DSA, and that demonstrating that individuals have been harmed by those policies may be challenging, much less that they suffered harm as a result thereof.[20] This difficulty is not peculiar to the DSA: it arises in other areas of Union law whenever an obligation of a systemic or diffuse character generates individual damage. In the field of competition law, for example, the legislature responded to a structurally similar problem by introducing in Article 17(2) of the Antitrust Damages Directive a rebuttable presumption that cartel infringements cause harm, thereby easing the burden of proof placed on injured parties.[21] The DSA did not follow that path: it created the right to compensation without creating the conditions for its effective exercise.

That structural insufficiency takes concrete form when one considers what an individual consumer would actually need to do in order to lodge a claim. Four difficulties, each compounding the others, stand in the way.

The civil procedural difficulty

The first difficulty concerns the proof of damage or loss, as the presence of illegal products on a platform is insufficient to establish compensable harm for each consumer. For that purpose, the consumer must identify a concrete loss, which may take the form of economic loss, physical harm, non-material damage or another form of prejudice recognised under the applicable law. Although the fine may evidence the insufficiency of Temu’s risk assessment, it does not individualise the damage allegedly suffered by each consumer.[22]

The second difficulty concerns causation, which is likely to constitute one of the most demanding aspects of any individual claim. The infringement sanctioned by the Commission relates to the governance of systemic risks at platform level, whereas a consumer claim will ordinarily concern a specific product, transaction or exposure, together with a concrete instance of harm. The consumer must, therefore, establish a legally relevant connection between the platform-level failure identified by the Commission and the individual damage allegedly suffered.[23] This connection may be particularly difficult to establish in the context of an online marketplace. The unsafe product may have been listed by a third-party seller, manufactured by another entity, imported by a separate operator and delivered through an autonomous logistical structure.[24] The platform may nevertheless have contributed to the consumer’s exposure to that product through search, ranking, recommendation or promotional mechanisms that increased its visibility and accessibility.[25] In that context, the consumer must explain how the platform’s infringement contributed, in the specific circumstances of the case, to the harm allegedly suffered.

The third difficulty concerns the attribution of responsibility. The DSA makes the platform accountable before the regulator for the governance of systemic risks, yet civil liability requires the identification of the actor legally responsible for the damage suffered by the consumer. Hence, in individual proceedings, the consumer may need to determine whether the claim should be directed against the platform, the seller, the manufacturer, the importer or several actors jointly, depending on their respective role in the placing, promotion, distribution or supply of the unsafe product.[26]

A fourth difficulty concerns access to evidence, since many of the facts relevant to an individual consumer claim are likely to remain within the informational sphere of the platform.[27] This may include previous notices concerning the same seller or product, internal risk signals, moderation history, ranking criteria, recommendation mechanisms, audit findings and mitigation measures. The consumer’s ability to establish that the platform knew (or ought to have known) of the relevant risk or that its systems contributed to the exposure to the unsafe product, may, for that reason, depend on information that is not readily accessible in individual proceedings.

This difficulty is closely connected to the regulatory logic of the DSA. The information asymmetry that justifies the systemic regulation of VLOPs may, after harm has occurred, become a procedural obstacle to individual redress.[28] Although the Regulation equips public authorities with powers to obtain and assess information concerning platform risks, the extent to which that information can support compensation claims brought by consumers (or by entities acting on their behalf) remains legally and procedurally uncertain.

Article 54 DSA and the limits of redress

At the procedural level the right to compensation remains contingent on national rules. Although a consumer may rely on Article 54, the practical success of the claim will depend on national procedural rules, evidentiary standards and access to the information necessary to connect the infringement of the DSA with the individual damage suffered.

This is particularly important in the context of cross-border digital marketplaces. The consumer may be located in one Member State, the seller in another jurisdiction, the manufacturer outside the Union and the platform may operate through a complex corporate and technical structure. In that setting, EU private international law and judicial cooperation instruments may provide answers to questions of jurisdiction, applicable law, service of documents, taking of evidence and recognition of judgments. In the field of online consumer contracts, the Court of Justice has, for instance, developed criteria for determining whether a trader directs its activities to the consumer’s Member State and has addressed applicable-law issues in cross-border online consumer relations.[29]

Nevertheless, they do not remove the more specific difficulty raised by the Temu fine, that is, how a Commission finding of an infringement relating to systemic risk management can be used by an individual consumer seeking redress.[30] The remaining problems concern the evidentiary value of the Commission’s decision, access to platform-held information, the causal link between systemic risk governance and individual harm, and the identification of the actor legally responsible for compensation.

The Temu fine, therefore, reveals the difficulty of translating a Commission finding of an infringement relating to systemic risk management into effective remedial protection for the individual consumer. The platform may be held accountable before the Commission for defective risk governance, while the consumer must still formulate that finding as a civil claim capable of satisfying the requirements of damage, causation, attribution of responsibility and proof under the applicable procedural framework. This tension between the formal existence of a right and the practical conditions for its exercise is not just a procedural inconvenience.

Effectiveness and effective judicial protection

The difficulties identified above may also be examined through the principle of effectiveness[31] and the right to effective judicial protection.[32] That tension raises a question about the architecture of enforcement itself, particularly whether a system that relies on consumer exposure to justify public enforcement action can avoid addressing the practical possibility of redress for those consumers.

The central issue concerns the conditions under which the remedy formally recognised by Article 54 DSA can be exercised in practice. Where the consumer cannot obtain the information necessary to substantiate the claim, or where the public finding of infringement has no clear procedural relevance in subsequent proceedings, the right to compensation risks remaining difficult to operationalise.

This analysis preserves the distinction between administrative fines and civil redress. The administrative fine is directed at punishing the infringement, deterring future non-compliance and correcting platform behaviour. Civil redress is directed at repairing individual harm. The difficulty lies in the limited articulation between these two dimensions, especially where the administrative fine is justified by reference to consumer exposure to illegal or unsafe products.

For that reason, the Temu fine raises a broader question of effective protection. Where consumer exposure forms part of the justification for public enforcement, the established infringement should acquire procedural relevance for consumers already affected by the relevant risks. The effectiveness of Article 54 DSA depends, at least in part, on whether findings relating to failures in systemic risk assessment and mitigation can support the practical construction of individual or representative claims for compensation.

The possible direction

The possible direction is, therefore, to give Article 54 DSA greater procedural density in cases where public enforcement has already established a an infringement relating to systemic risk management obligations. A Commission decision should be capable of assisting subsequent claims by affected consumers, at least as an authoritative basis for demonstrating the existence and nature of the breach. This would allow national courts to focus the assessment on the remaining elements of civil liability, especially the connection between the established infringement and the harm alleged in the concrete case.

This approach would also require procedural tools capable of addressing the informational imbalance that characterises claims against VLOPs. Where the relevant facts are embedded in risk assessments, internal alerts, recommender systems, moderation practices or mitigation measures, the effectiveness of Article 54 depends on whether those materials can be accessed and used in a legally structured manner. Hence, representative actions may play an important role in this respect, particularly where the harm is dispersed across a large number of consumers and individual litigation would be unlikely to provide an effective route to compensation.

Finally, the Temu fine points to a broader development in the enforcement architecture of the DSA. Public findings of failures in systemic risk assessment and mitigation need to be capable of supporting the remedial dimension of the Regulation, so that the right to compensation is not confined to formal recognition. The future effectiveness of Article 54 will depend on the emergence of procedural mechanisms that allow established infringements to be translated into viable individual or representative claims. But a rule enforced without a remedy is, in the end, a rule enforced only halfway – and the consumer who was exposed to unsafe products before 28 May 2026 remains, after it, in the same procedural position. The fine remains nonetheless an important assertion of the Union’s regulatory authority over VLOPs. As Thomas Regnier put it, speaking for the Commission: “If you want access to our market of 450 million consumers, you have to respect our rules. Period!”[33]

---

[1] European Commission, Press Release, Commission fines Temu €200 million for breaching the Digital Services Act (28 May 2026), available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1178.

[2] European Commission, The enforcement framework under the Digital Services Act, available at: https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement; Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act), OJ L 277 (27.10.2022), Article 75.

[3] European Commission, Commission fines Temu €200 million for breaching the Digital Services Act.

[4] European Commission, Commission fines Temu €200 million for breaching the Digital Services Act.

[5] European Commission, Commission fines Temu €200 million for breaching the Digital Services Act; European Commission, Press Release, Commission preliminarily finds Temu in breach of the Digital Services Act, 28 July 2025, available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1913.

[6] European Commission, Commission fines Temu €200 million for breaching the Digital Services Act; European Commission, Commission preliminarily finds Temu in breach of the Digital Services Act.

[7] European Commission, Commission fines Temu €200 million for breaching the Digital Services Act; European Commission, Commission preliminarily finds Temu in breach of the Digital Services Act.

[8] DSA, Articles 34, 35 and 74.

[9] DSA, Article 54.

[10] DSA, Articles 49 and 51. See also European Commission, The enforcement framework under the Digital Services Act.

[11] DSA, Article 33(1).

[12] DSA, Articles 56(2) and (3), and 74.

[13] Paddy Leerssen, Anna van Duin, Iris Toepoel and Joris van Hoboken, Pathways to Private Enforcement of the Digital Services Act, Institute for Information Law (IViR) (University of Amsterdam, June 2025), 4, available at: https://dsa-observatory.eu/2025/06/05/report-pathways-to-private-enforcement-of-the-digital-services-act-dsa/.

[14] DSA, Article 54 and recital 126. See also Leerssen et al., Pathways, 9, and Folkert Wilman, Saulius Lukas Kaleda and Paul-John Loewenthal, The EU Digital Services Act (Oxford: Oxford University Press, 2024): 370-317, available at: https://doi.org/10.1093/law/9780198892847.001.0001

[15] Judgment CJEU Österreichische Post, 4 May 2023, case C-300/21, ECLI:EU:C:2023:370, para. 32. Similarly, upholding the analogous application of the three cumulative requirements set out in Österreichische to Article 54 DSA. See also Leerssen et al., Pathways to Private Enforcement of the Digital Services Act, 9, and Wilman, Kaleda and Loewenthal, The EU Digital Services Act, 370-371.

[16] On procedural autonomy and its limits, see Anna Van Duin, Effective Judicial Protection in Consumer Litigation (Cambridge: Intersentia, 2022): 43-45, available at: https://doi.org/10.1017/9781839702501. See also Joana Covelo de Abreu, “Princípio da Autonomia Processual dos Estados-Membros”, in Enciclopédia da União Europeia, ed. Ana Paula Brandão, Francisco Pereira Coutinho, Isabel Camisão, and Joana Covelo de Abreu (Lisbon: Petrony, 2017): 300-303.

[17] Martin Husovec, “Rising Above Liability: The Digital Services Act as a Blueprint for the Second Generation of Global Internet Rules”, in Berkeley Technology Law Journal 38, no. 3 (2023): 902-904, available at: https://doi.org/10.15779/Z38M902431.

[18] Husovec, “Rising Above Liability”, 911, fn. 102. See also DSA, recital 122 and Articles 35 and 54.

[19] Leerssen et al., Pathways to Private Enforcement of the Digital Services Act, 11 and 18-22. See also Miguel Del Moral Sánchez, “The Devil Is in the Procedure: Private Enforcement in the DMA and the DSA”, University of Bologna Law Review 9 (2024): 7, accessed at: https://doi.org/10.6092/issn.2531-6133/19638.

[20] Leerssen et al., Pathways to Private Enforcement of the Digital Services Act, 21-22.

[21] Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union, OJ L 349, 5 December 2014, article 17(2).

[22] Hannah von Wickede, Johannes Berchtold, and Andreas Splittgerber, “Compensation Claims under the Digital Services Act”, Reed Smith Viewpoints, 14 August 2024, available at: https://www.reedsmith.com/our-insights/blogs/viewpoints/102jglg/compensation-claims-under-the-digital-services-act/.

[23] Leerssen, et al., Pathways to Private Enforcement of the Digital Services Act, 20-21.

[24] Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC, OJ L 135 (23.05.2023): 1-51, recitals 45, 46 and 58 and Articles 9 to 22.

[25] DSA, Article 34 and recital 84.

[26] Christoph Busch, “Rethinking Product Liability Rules for Online Marketplaces: A Comparative Perspective,” The 49th Research Conference on Communication, Information and Internet Policy (July 31, 2021), 23-24 and 33-35, accessed June 11, 2026, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3897602. Christoph Busch notes that online marketplaces have disrupted traditional distribution chains and made the application of product liability rules to online intermediaries controversial, while EU law has largely relied on public enforcement of product safety rules and market surveillance.

[27] DSA, recital 85 and Article 40. See also Leerssen, et al., Pathways to Private Enforcement of the Digital Services Act, 8 and 12.

[28] See Leerssen, et al., Pathways to Private Enforcement of the Digital Services Act, 8, 12 and 26 on information asymmetries, national procedural autonomy and evidentiary burdens in private enforcement.

[29] Judgment CJEU Pammer v Reederei Karl Schlüter GmbH & Co KG and Hotel Alpenhof GesmbH v Heller, 7 December 2010, joined cases C-585/08 and C-144/09,  ECLI:EU:C:2010:740, recitals 75-84, and  CJEU Verein für Konsumenteninformation v Amazon EU Sàrl, 28 July 2016, case C-191/15, ECLI:EU:C:2016:612, recitals 66,71.

[30] See Leerssen, et al., Pathways to Private Enforcement of the Digital Services Act, 12, 20-21 and 26.

[31] See Judgment CJEU Rewe-Zentralfinanz, 16 December 1976, case 33/76, ECLI:EU:C:1976:188, recital 5, where the Court held that national procedural rules must not render the exercise of EU rights impossible or excessively difficult, and CJEU Unibet, 13 March 2007, case C-432/05, ECLI:EU:C:2007:163, recital 37-44, where the Court reaffirmed effective judicial protection as a general principle of EU law requiring judicial remedies capable of protecting rights derived from EU law.

[32] Maria José Rangel Mesquita, “Article 47”, in The charter of fundamental rights of the European Union: A commentary, 439-446. See also Joana Covelo de Abreu, “Princípio da tutela jurisdicional efetiva”, In Enciclopédia da União Europeia, ed. Ana Paula Brandão, et al., (Lisbon: Petrony, 2017), 329-332.

[33] Thomas Regnier, Statement on the Commission’s decision fining Temu, 28 May 2026, cited in: Thomas Regnier, LinkedIn post, 28 May 2026, available at: https://www.linkedin.com/posts/thomas-regnier-24a05810b_today-the-european-commission-has-imposed-activity-7465717713747927042–di_/. See also: European Commission, Commission fines Temu €200 million for breaching the Digital Services Act.

---

Picture credit: by V H on pexels.com.