European Commission Finds Meta in Preliminary Breach of Digital Services Act Over Failure to Block Under-13s

The European Commission delivered its first major preliminary finding against a US tech giant under the Digital Services Act on 29 April 2026. Meta’s Instagram and Facebook were found in preliminary breach of the DSA for failing to put in place adequate measures to prevent children under 13 from accessing their services. The Commission concluded after a 17-month investigation that Meta’s current age-verification mechanisms — primarily self-declared birth dates at sign-up — are “manifestly insufficient.”

The legal stakes

The DSA, fully applicable to Very Large Online Platforms since August 2023, requires platforms with over 45 million EU users to identify and mitigate systemic risks, including risks to the protection of minors. Article 28 specifically obliges platforms to ensure a high level of privacy, safety and security of minors. Breach of these obligations can trigger fines of up to 6% of global annual turnover — for Meta, around €9.6 billion based on 2025 revenue.

The evidence

The Commission’s investigation drew on three sources: complaints from EU Digital Services Coordinators, child-safety NGOs, and journalistic investigations including a 2025 BBC report demonstrating that 11-year-olds could open Instagram accounts in under three minutes. Meta’s own Transparency Reports, mandatory under the DSA, provided further evidence: the company removed roughly 4.5 million accounts in 2025 belonging to under-13s — but Commission analysts argue this volume itself demonstrates that detection happens too late, after harm exposure.

Meta’s response

Meta strongly disputes the finding. The company points to recent investments: facial age-estimation AI deployed in 2025, mandatory parental supervision tools for accounts marked as belonging to teens, and integration with the EU’s pilot age-verification app. Meta argues the Commission applies a standard “impossible to meet without mandatory ID verification, which would itself create privacy risks.” The company has 30 days to formally reply before the Commission issues a non-compliance decision.

The age-verification debate

The Meta case lands as the EU finalises its European age verification app — a mini-application designed to allow parents and platforms to verify users are over a given threshold without disclosing identity. The app is being piloted by France, Italy, Spain, Greece and Denmark in 2026 and is expected to become available across the EU in early 2027. Brussels presents this as a privacy-respecting middle path between Meta’s current self-declaration and full identity verification.

The wider DSA enforcement push

The Meta finding follows preliminary breach decisions against X (formerly Twitter) for advertising transparency, against TikTok for addictive design and content moderation, and a separate investigation against AliExpress for illegal product sales. Commission Vice-President Henna Virkkunen, in charge of digital policy, has signalled that 2026 will be the year DSA enforcement “moves from process to consequence.” Whether this materialises in actual financial penalties, rather than commitment-based settlements, will determine the regulation’s deterrent effect.