Commission preliminarily finds Meta in breach of Digital Services Act

On 29 April 2026, the European Commission issued its preliminary finding that Meta is in breach of the Digital Services Act (“DSA”) for failing to prevent minors under 13 from using Facebook and Instagram. It found that Facebook and Instagram failed to diligently identify, assess and mitigate the risks of minors under 13 accessing their platforms.

Background

These preliminary findings are part of the Commission’s proceedings against Meta pursuant to the DSA, which it launched on 16 May 2024. The preliminary finding follows an investigation into the platforms’ terms, internal documents and data, and replies to requests for information.

The DSA

The DSA aims to make the online environment safer, more transparent and accountable and applies to online platforms such as marketplaces, social networks and content-sharing platforms. It aims to prevent illegal and harmful activities online and the spread of disinformation. The DSA focuses on the protection of minors online and requires platforms to put high levels of privacy and safety in place to ensure a safe online experience for children and young people. 

The DSA introduced a tiered regime, with enhanced obligations applying to Very Large Online Platforms (“VLOPs”) such as Facebook and Instagram, including risk assessments, independent audits and additional transparency requirements.

Preliminary Finding

Although Meta’s terms and conditions set the minimum age of access to Instagram and Facebook at 13, its age verification measures are not effective, as they neither prevent under-13s from accessing the platforms nor facilitate easy reporting and removal of those who are under 13.

The Commission used the 2025 Guidelines on the Protection of Minors (the “Guidelines”) as a benchmark to evaluate the platforms’ compliance with their obligation to ensure a high level of privacy, safety and security for minors under the DSA. The Guidelines confirm that age assurance methods, including age estimation and age verification, are appropriate and proportionate ways of ensuring a high level of privacy, safety and security for minors.

The Commission noted Meta’s incomplete and arbitrary risk assessment that failed to properly identify and consider the risks posed to minors and says that Instagram and Facebook must now change their risk assessment methodology, in order to accurately evaluate what risks arise on the platforms. Instagram and Facebook must strengthen their measures to prevent, detect and remove minors under the age of 13 from their services to ensure a high level of privacy, safety and security for minors.

Next Steps

As this is a preliminary finding, Meta, which disagrees with the findings, now has the opportunity to review the Commission’s file and reply in writing. Meta can take measures to remedy the breaches and provide a safer online space.

If the findings are confirmed, the Commission may issue a non-compliance decision and a fine proportionate to the infringement, which can be up to 6% of Meta’s annual turnover.

The DSA requires VLOPs to consider the best interest of minors and to take measures to protect minors from content that may impair their physical, mental or moral development. We previously discussed the Commission’s commitment to protecting children online, and this preliminary finding is representative of the Commission’s continued focus on better protecting children and young people online and creating a safer online environment.


For more information, you can contact us at +353 1 662 4747, email law@hayes-solicitors.ie
