Brief № 051 · Regulation
Meta's DSA case is a risk-file lesson, not a feature ban
The Commission's preliminary case against Facebook and Instagram targets an inadequate systemic-risk file, not one interface pattern in isolation.
On this page
The European Commission has put four familiar interface choices into one enforcement file: infinite scroll, autoplay, push notifications and highly personalised recommendations. Its preliminary finding of 10 July says Meta did not adequately assess or mitigate how that design could harm the physical and mental wellbeing of Facebook and Instagram users, including minors and vulnerable adults.
The word preliminary carries weight. Meta can inspect the Commission’s investigation file and reply in writing; the European Board for Digital Services will also be consulted. No final non-compliance decision has been issued. The useful lesson for smaller product teams is therefore narrower than the headline and more practical than a ban list: a feature is only the visible end of a system whose purpose, signals, interactions and safeguards need an owner.
Four features, one system
The Commission did not describe infinite scroll in isolation. It examined a loop in which a recommender selects the next item, autoplay removes a stopping point, the feed supplies another item without a deliberate request, and notifications invite the user back. Each component can have a defensible use. Together, optimised primarily for continued engagement, they can create a different risk profile.
That distinction matters. A finite catalogue that loads more products as a customer browses is not automatically equivalent to a social feed tuned from thousands of behavioural signals. Nor is every notification designed to pull a user back into an open-ended session. Context includes the audience, the service’s scale, the optimisation target, the time of use and whether a person can reach a natural stopping point.
The Commission says its preliminary view rests on Meta’s risk-assessment reports, internal data and documents, replies to information requests, scientific research and expert interviews. It also points to the time minors spend on the services at night and to the interaction between formats such as Reels and Stories. That is a system-level inquiry, not a screenshot review.
The duty follows the scale
The Digital Services Act is deliberately tiered. All covered intermediary services have duties appropriate to their role, while designated very large online platforms and search engines — those reaching more than 45 million monthly users in the EU — carry additional obligations because their design choices can create systemic effects.
Under Arts. 34–35, those services must identify, analyse and mitigate systemic risks. The categories include protection of minors, public health, physical and mental wellbeing, fundamental rights and civic discourse. The Commission is primarily responsible for enforcing those additional duties; national Digital Services Coordinators supervise the wider framework.
That is why the Meta finding should not be flattened into “the EU banned autoplay”. It is a preliminary view that a designated platform’s assessment and mitigation were insufficient for the risks of its service at its scale. The Commission’s own DSA overview says micro and small companies face lighter requirements. A two-person software firm does not inherit Meta’s exact compliance file because it uses the same interaction pattern.
| Question | Meta investigation | Useful SME product file |
|---|---|---|
| What is being assessed? | A combined engagement system on two designated very large platforms | One user journey and the features that extend it |
| Which harm matters? | Compulsive use and effects on physical and mental wellbeing, including for minors | A specific foreseeable harm for the service’s actual users |
| What evidence exists? | Risk reports, internal data, research, expert interviews and information-request responses | Product analytics, support reports, user research and a dated design decision |
| What counts as mitigation? | A measure that materially addresses the identified systemic risk | A change whose effect can be observed and reversed if it fails |
Source: European Commission preliminary findings of 10 July 2026 and DSA Arts. 34–35. Last verified 2026-07-13.
A control that can be dismissed is not enough
The Commission’s sharpest operational point concerns mitigation. It says Facebook and Instagram time-management tools, including defaults for teenagers, can be dismissed easily and do not produce meaningful control or reduction of use. It also questions parental controls that only work when an adult has enough technical knowledge, time and persistence to configure them.
This is a familiar product failure beyond social media: the team ships a warning, a settings page or a help-centre article and records the control as complete. The existence of the control becomes the metric. Whether people notice it, understand it and change behaviour remains untested.
A credible mitigation needs a result to observe. If the risk is late-night compulsive use, the team can measure whether a default break creates an actual pause rather than one more tap. If the risk is a recommendation loop, it can test a chronological option, a session boundary or a less engagement-led ranking. If the intended safeguard is parental control, it can test completion with adults who have not seen the interface before.
The point is not that every intervention must reduce time spent. A map, language-learning tool or support forum can create real value through a longer session. The point is to state which behaviour would indicate harm and which outcome would show that the chosen control works.
Public pressure is moving in the same direction
The enforcement file did not appear in isolation. On 2 July, the European Board for Digital Services and the Commission published their second annual report on systemic risks on very large platforms and search engines. It highlights how interface choices and recommender systems can contribute to addiction-like behaviour among children, alongside exposure to harmful content, cyberbullying and grooming.
On 13 July, a Flash Eurobarometer added a public-attitude signal: 60% of respondents identified exposure to addictive platform design as a concern for children. Cyberbullying and harassment ranked higher at 71%, followed closely by grooming, harmful content and misuse of children’s data. Those figures do not prove that a particular interface causes a particular harm. They do explain why regulators are asking platforms to show more than a generic wellbeing page.
For product teams, the sequence is worth noting. Public concern, annual systemic-risk reporting and a platform-specific investigation are separate forms of evidence. Combining them carelessly would overstate the case. Keeping them distinct produces a stronger file: what users report, what the service measures, what external research suggests and what the product team changed.
The five-line product record
An SME does not need a VLOP compliance department to borrow the discipline. Before releasing an engagement feature, write five lines:
- Benefit: the user problem the feature is meant to solve.
- Foreseeable harm: the behaviour or group that could be adversely affected.
- Signal: the metric, complaint pattern or research finding that would reveal the harm.
- Owner: the person authorised to change or disable the feature.
- Mitigation test: the alternative, default or stopping point to trial if the signal moves.
That record is not a legal safe harbour, and it does not replace advice where a service is itself covered by platform, consumer or data-protection rules. It does stop a more ordinary failure: a recommendation or notification system with a growth target but nobody responsible for its side effects.
Meta’s case may still change as the company answers and the Commission completes its procedure. The practical standard is already visible. Do not copy a feature without also copying the question that should stop it.
Frequently asked questions
Did the EU ban infinite scroll?
No. The Commission issued preliminary findings in a case about Meta's assessment and mitigation of systemic risks on Facebook and Instagram. It identified infinite scroll among several design features under investigation, but did not announce a general ban on the pattern.
Does the same systemic-risk duty apply to a small online service?
The DSA is proportionate. Its additional systemic-risk obligations apply to designated very large online platforms and search engines, while micro and small companies have lighter requirements. Other consumer, data-protection and platform rules can still apply to a smaller service.
What should an SME product team document?
For each engagement feature, record the intended user benefit, a plausible harm, the signal that would reveal it, the person who can change the design, and the result of one mitigation test.
Sources
- Official Commission preliminarily finds the addictive design of Instagram and Facebook in breach of the Digital Services Act European Commission accessed
- Primary Regulation (EU) 2022/2065 (Digital Services Act) EUR-Lex accessed
- Official The Digital Services Act European Commission accessed
- Official Second report on systemic risks on very large online platforms and search engines under the Digital Services Act European Board for Digital Services and European Commission accessed
- Data Flash Eurobarometer: Europeans call for stronger action on children's online safety, democratic resilience, defence, and the energy transition European Commission accessed
Image credit: Photo: Woman using a smartphone on a train — Jacob Boavista, Unsplash License (Unsplash)
Eleanor Whitcombe covers EU AI regulation for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).