EU Hits Temu With €200 Million DSA Fine Over Illegal Product Risks

Key Takeaways

• €200 Million Penalty: The European Commission fined Temu €200 million for breaching the Digital Services Act's risk assessment requirements.
• Illegal Product Concerns: Regulators concluded EU consumers were highly likely to encounter illegal products on the platform, including unsafe chargers and baby toys that failed safety testing.
• Deficient Risk Assessment: The Commission found Temu's 2024 assessment relied on general e-commerce risks rather than evidence specific to its own platform and significantly underestimated consumer exposure.
• Platform Design Scrutiny: Regulators said Temu failed to adequately assess how its recommender systems and influencer promotion programs could contribute to the spread of illegal products.
• Compliance Deadline: Temu must submit a remediation action plan by August 28, 2026, or risk further enforcement measures, including periodic penalty payments.

Deep Dive

The European Commission has fined Temu €200 million for violating the European Union's Digital Services Act (DSA), concluding that the online marketplace failed to properly assess and address the risks posed by illegal products offered through its platform.

The decision is one of the most biggest enforcement actions taken under the DSA to date and underscores the growing willingness of EU regulators to scrutinize not only the content and products available on major online platforms, but also the internal governance processes those companies use to identify and mitigate risks.

Temu's assessment of systemic risks associated with illegal products sold through its service was the focus of the investigation. Under the DSA, Very Large Online Platforms are required to conduct diligent risk assessments and implement measures designed to reduce identified risks.

According to the Commission, Temu's 2024 risk assessment failed to meet those obligations.

Regulators found that the assessment relied largely on broad information about risks across the e-commerce sector rather than evidence specific to Temu's own marketplace. The Commission also said the company significantly underestimated how often consumers in the European Union were likely to encounter illegal products.

That conclusion was supported by evidence gathered during the Commission's investigation, including a mystery shopping exercise conducted by an independent testing organization. According to the Commission, a very high percentage of selected chargers failed basic safety tests, while a high percentage of tested baby toys presented safety concerns ranging from medium to high severity. The Commission said some toys contained chemicals exceeding legal safety limits, while others posed suffocation risks because of detachable parts.

The investigation also concluded that Temu failed to adequately evaluate how aspects of its platform design could contribute to the spread of illegal products. The Commission specifically pointed to recommender systems and product promotion programs involving affiliated influencers as factors that could amplify dissemination risks.

The size of the penalty shows what the Commission described as a particularly serious violation of the DSA. Officials emphasized that proper risk assessments are one of the law's foundational requirements because they enable regulators and platforms to identify and address systemic harms before they spread across large user populations.

"Risk assessments are not box-ticking exercises — they are the backbone of the DSA," said Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen. "Temu's risk assessment underestimates concrete risks, lacks specificity, is not grounded in solid evidence, and is not comprehensive. It leaves regulators, users, and the public in the dark about the true scale of potential harm posed by illegal products sold on Temu. Now it is time for Temu to comply with the law."

The Commission said the fine was calculated based on the nature of the infringement, the number of affected EU users, the seriousness of the breach, and its duration.

Temu must now submit an action plan by August 28, 2026, outlining how it intends to remedy the deficiencies identified by regulators. Under the DSA process, the European Board for Digital Services will have one month to issue an opinion on the plan after receiving it. The Commission will then have an additional month to adopt a final decision and establish a deadline for implementation.

Failure to comply could expose the company to periodic penalty payments. The Commission said its findings were based on Temu's 2024 and interim 2025 risk assessment reports, responses to formal information requests, submissions from third parties, data from EU customs and market surveillance authorities, and the mystery shopping exercise conducted during the investigation.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.