The Importance of a Risk Assessment – Meta’s DSA Breach

30 April 2026

On 29 April 2026, the European Commission issued preliminary findings that Meta’s Instagram and Facebook breached the EU Digital Services Act (DSA). The Commission found that Meta failed to diligently identify, assess, and mitigate the risk of minors under 13 accessing its services, despite its own terms setting that minimum age.

In the words of Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy:

“Meta’s own general conditions indicate their services are not intended for minors under 13. Yet, our preliminary findings show that Instagram and Facebook are doing very little to prevent children below this age from accessing their services. The DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users – including children.”

The Commission’s preliminary findings included that Meta “built an incomplete and arbitrary risk assessment, which inadequately identifies the risk of minors under 13 accessing Instagram and Facebook and being exposed to age-inappropriate experiences”.

The Commission considered that Meta’s risk assessment contradicted large bodies of evidence from all over the European Union indicating that roughly 10-12% of children under 13 are accessing Instagram and/or Facebook. The Commission further found that Meta disregarded readily available scientific evidence indicating that younger children are more vulnerable to potential harms caused by services like Facebook and Instagram.

If the Commission’s findings are ultimately confirmed, Meta is at risk of a fine of up to 6% of its total worldwide annual turnover.

What these findings teach us about compliance

The case is a timely reminder of the pitfalls of a superficial “check-box” approach to a risk assessment, and the importance of thoroughly identifying vulnerabilities and implementing effective controls.

Compliance is never a static obligation. It demands active systems that prevent, detect, and resolve non-compliance. Merely publishing a reporting form, or putting a document titled “risk assessment” to paper, will not hold water with the enforcement authorities.

The lesson for all organisations is the same: if you are required to conduct a risk assessment by EU legislation – ensure that your risk assessment:

  1. Is based on sound methodology (preferably in accordance with a harmonised standard);
  2. Takes into account all available data (even if that data is unfavourable);
  3. Is properly documented and explainable to any enforcement authority.

Detailed information, together with media contacts, is available here.

If you would like help with ensuring that your risk assessments are compliant, let us know here.