14 July 2026

Press-Release Governance

The Question of Legality and the Function of the Commission’s Preliminary Findings Against Meta

On 10 July 2026, the European Commission announced that it had preliminarily found Meta in breach of the Digital Services Act (DSA) for the “addictive design” of Instagram and Facebook. Infinite scroll, autoplay, push notifications, and the platforms’ personalised recommender systems, the Commission says, were not adequately assessed for their risks to users’ physical and mental wellbeing, and Meta’s mitigation measures did not meaningfully reduce those risks. The Commission considers that Meta should disable autoplay and infinite scroll by default, build in real screen-time breaks, and make the recommender system “less engagement-oriented.”

Five months earlier, on 6 February 2026, the Commission issued similar preliminary findings against TikTok, in what commentators rightly called the first DSA enforcement action to target platform architecture rather than illegal content, disinformation, or market conduct. Both cases ostensibly rest on the enforcement of the same legal provisions: Articles 34-35 DSA, the general obligation for very large online platforms to assess and mitigate “systemic risks”.

In this blogpost, I will argue that this decision is better understood from its strategic and symbolic dimensions in view of its contestable legal basis. Indeed, as a matter of legality and rule of law, I believe that these findings are on shaky ground and that the Commission knows it. The finding makes more sense read as a strategic opening move in a negotiation than as the enforcement of a settled legal standard. They make even further sense as a symbolic performance of “digital sovereignty” for a domestic and Brussels audience, timed to a media cycle that will have moved on long before any court gets to rule. None of this means the underlying concern is misplaced. Platform design that monetises compulsive use, especially among minors, is a real and serious harm. But the mode of enforcement matters, and I will end by suggesting the Commission has a real alternative that it is choosing not to take.

Rule of Law and the Legality Requirement

The legality principle provides that a public authority may only impose sanctions on the basis of a norm that is sufficiently clear, precise and foreseeable in its application. Anchored in Article 49 CFR and in European jurisprudence on legal certainty, it applies with particular force where the Commission itself acts upon a “novel theory of harm” (addictive design) as an investigator, prosecutor, and quasi-adjudicator.

Articles 34-35 DSA hardly meet this requirement when read against what the Commission is now asking of Meta. Article 34 requires VLOPs to identify and assess “systemic risks” flowing from the “design, functioning and use” of their service, including risks to physical and mental wellbeing. Article 35 requires “reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified”. Legal scholarship on these provisions has seemingly converged on the fact they were drafted to be vague and open-ended to ensure they would be “future proof” and to render the relevant harms “undefined” almost by-design. While these provisions mention that platforms should adapt the design, interface, and recommender systems and while the DSA does address so-called “dark patterns” elsewhere, it does not define addictive design. It does not mention infinite scroll, autoplay, or engagement optimisation. The interpretive path from “assess and mitigate systemic risks of recommender systems to mental wellbeing” to “autoplay must be disabled by default” is one that platform firms will likely deploy considerable resources to challenge on the grounds that they could not have foreseeably reconstructed it in advance from the statute alone.

Crucially, the Commission has the tools to fix this and has chosen not to use them here. Article 35(3) DSA empowers it to issue guidelines on risk mitigation for specific categories of risk, developed together with the Digital Services Coordinators and through public consultation. It has already exercised exactly this ability for the protection of minors, publishing guidelines under Article 28. No equivalent guidelines exist for “systemic risks” in general or – apart from a rather vague Parliamentary resolution – “addictive design” in particular. The Commission is, in effect, adjudicating a novel and highly specific design obligation through an individual enforcement decision against two of the largest platforms in the world, rather than through the general normative instrument the DSA itself makes available for precisely this purpose. The General Court’s first serious engagement with the meaning of “systemic risk,” in its 2025 Amazon judgement, gestured toward the concept as one of large-scale societal risk explicitly declining to import the kind of quantifiable, criteria-based understanding from financial systemic-risk regulation. The decision underlines how much interpretive work is still to be done and how little platforms can rely on it to plan their compliance.

If and when Meta – like TikTok, which has already signalled it will “challenge the Commission’s findings through every means available” – takes the outcome of this investigation to the General Court and eventually the CJEU, we should expect the absence of any published interpretive guidance to be decisive. Courts asked to assess whether a sanction met the legality requirement do not ask whether the underlying harm is real; they ask whether the legal basis, at the moment of the conduct, was sufficiently clear to allow the addressee to know what was expected of it. On that narrow but load-bearing question, the Commission’s own restraint in never converting years of “systemic risk” discourse into binding, addiction-specific guidelines will likely count against it.

I do not think this is lost on the Commission. This is, after all, the same institution that co-negotiated a DSA whose risk provisions were kept deliberately “flexible” enough to remain “future-proof” against a fast-moving technology landscape by mobilising the “efficiency” of supervised corporate risk management. A solution presented, at the time, as a political compromise for the platforms and member states resistant to more prescriptive rules. Having built a regulatory regime centred around risk that avoids hard, litigable rules, the Commission is now enforcing it as though it contained them. Such a constellation of vague law, direct enforcement, and little interpretive scaffolding involving the public seems to be less a straightforward act of law application than a contingent exercise of political authority dressed in legal form.

The Strategic Dimension of Unenforceable Enforcement

While they may be legally contestable and may not pass judicial review, the preliminary findings are strategically significant. Here, the DSA’s enforcement timeline gives the game away. In the Commission’s non-compliance proceedings against X (the first fine issued under these provisions) the final decision arrived roughly seventeen months after the corresponding preliminary findings. A comparable timeline for Meta or TikTok would push a binding, fineable decision into 2027 or later, with subsequent appeals adding years on top of that.

What preliminary findings do achieve immediately is leverage. They put a highly specific, technically legible remedy on the table – disable autoplay, disable infinite scroll, and insert screen-time breaks – before any court has tested whether the Commission may lawfully demand it. This is an offer for negotiation rather than litigation. A negotiation in which Meta can offer voluntary redesign commitments of the kind the DSA’s own commitment-offer mechanism under Article 71 is built to formalise and, thereby, avoid the multi-year uncertainty, legal costs, and reputational drag of contesting the finding outright – especially against a backdrop in which Meta and TikTok have also just been found liable for addictive design before US courts. For the Commission, a negotiated design change, however modest, is a tangible policy win that does not require it to win the harder legal argument about whether Articles 34-35 authorised the demand in the first place. In this sense, the preliminary finding is more about rapidly setting up an issue-specific co-regulatory process conducted mostly behind closed doors, insulated from judicial or public scrutiny of its formal legality or its broader normative desirability.

The Symbolic Dimension of Losing Slowly

The third dimension in which these findings operate is symbolic, and here the audience is not Meta’s legal department but the European public and political establishment. In the press release accompanying the decision, Executive Vice-President for “Tech Sovereignty” Henna Virkkunen framed the action explicitly around law enforcement, and the story that Meta “violated” EU law ran, predictably, in every major outlet within hours. This lands at a moment when the Commission is poised to display the effectiveness of EU-wide platform governance in response to several member states actively debating national minimum-age social media bans that may run counter to the harmonisation ambition of the DSA. It also lands as the Commission is preparing the “Digital Fairness Act” to address exactly this cluster of harms and the mechanisms for their enforcement legislatively. A high-profile finding against Meta – following one against TikTok five months earlier – lets the Commission perform decisive digital sovereignty now, on a timescale compatible with news cycles and EU-level politics, rather than waiting for the time a legally robust process would require.

At the symbolic level, the Commission does not need to win in court, because the temporal horizon of legal success and the temporal horizon of political salience are entirely decoupled. If the final decision fails to pass judicial review, the proceedings will have long since receded from public attention. If it does somehow pass judicial review, the Commission will have another political victory it can release to the press. The DSA’s risk regime, in other words, functions here less as a legal standard than as a stage on which the Commission can visibly discipline “Big Tech,” with the specific harm named – addictive design, “autopilot mode”, compulsive scrolling – doing useful representational work insofar as it renders visible a very particular, individualised, and psychologically framed harm. It also leaves comparatively invisible the underlying business model of advertisement-funded data extraction that the current presidency of the Council holds to be the key to European competitiveness and, not least, the Commission’s own legislative hand in producing the vague framework it is now theatrically enforcing.

The Path Not (Yet) Chosen

I want to be clear about the importance of addressing infinite scroll, autoplay, and engagement-optimised recommenders. These are not merely neutral design choices. The evidence on compulsive use is substantive, and platforms have for years treated “user wellbeing” as a page on their safety centre rather than a meaningful design constraint. Action against these practices is overdue, and in that general sense this is a welcome step.

But welcome and lawful are not the same thing, and welcome and wise are not the same thing either. What the Commission has done is legally dubious, strategically clever, and symbolically potent – three qualities that do not require each other and that, taken together, describe a mode of governance that treats legality as optional so long as the politics work. A Commission genuinely committed to the rule of law in its own enforcement practice has a clear solution: use its guideline-issuing power under the DSA to (democratically) develop, in consultation with member states, civil society, and academia, a proper interpretive framework for what “systemic risk” and “effective mitigation” mean in the context of platform governance. This would also show responsiveness to calls for more meaningful stakeholder involvement in platform governance. Civil society reporting and academic research on the DSA’s risk provisions have been mapping a far broader landscape of platform harms—discriminatory amplification, harmful advertising, manipulative data consent practices, disinformation dynamics, and the distortion of political processes, to name a few—that a narrow addiction frame does not capture holistically. Doing this work openly and publicly, before enforcement rather than instead of it, would cost the Commission some of the expediency and spectacle that makes this kind of “press-release governance” so attractive. Importantly, however, it would also make the next finding against Meta, or TikTok, or whichever platform is next more responsive to public debate and considerably more likely to survive the court challenges that are almost certainly coming.


SUGGESTED CITATION  Morgan, Julian: Press-Release Governance: The Question of Legality and the Function of the Commission’s Preliminary Findings Against Meta, VerfBlog, 2026/7/14, https://verfassungsblog.de/meta-addictive-commission-dsa/.

Leave A Comment

WRITE A COMMENT

1. We welcome your comments but you do so as our guest. Please note that we will exercise our property rights to make sure that Verfassungsblog remains a safe and attractive place for everyone. Your comment will not appear immediately but will be moderated by us. Just as with posts, we make a choice. That means not all submitted comments will be published.

2. We expect comments to be matter-of-fact, on-topic and free of sarcasm, innuendo and ad personam arguments.

3. Racist, sexist and otherwise discriminatory comments will not be published.

4. Comments under pseudonym are allowed but a valid email address is obligatory. The use of more than one pseudonym is not allowed.




Explore posts related to this:
Digital Policy, Digital Services Act, Digital Sovereignty, EU, European Commission, Meta, Platform Regulation, Tik Tok


Other posts about this region:
Europa