The European Commission has issued preliminary findings against Meta under the Digital Services Act, saying Facebook and Instagram do not adequately prevent children under 13 from accessing the platforms.
The European Commission has preliminarily found that Meta may have breached the Digital Services Act by failing to prevent children under 13 from using Facebook and Instagram. The findings relate to the company’s handling of underage access, risk assessment and mitigation measures on two of the world’s largest social media platforms.
The Commission said Meta’s existing measures do not appear to be effective in enforcing the company’s own minimum age rule. Facebook and Instagram require users to be at least 13, but the Commission said children below that age can enter a false date of birth when creating an account, with no effective controls to verify whether the information is accurate.
The findings are preliminary and do not amount to a final decision. Meta will now be able to examine the Commission’s case file and respond in writing before any formal conclusion is reached. If the Commission ultimately confirms a breach of the DSA, it may impose financial penalties and require the company to take corrective measures.
Under the EU enforcement framework for the DSA, fines for non-compliance can reach up to 6 per cent of a provider’s global annual turnover. The size of any penalty would depend on the nature, gravity, duration and recurrence of the infringement.
The case is part of a wider regulatory effort by Brussels to strengthen online safety for minors. The DSA places additional duties on very large online platforms, including obligations to assess and mitigate systemic risks linked to the design and use of their services. Those risks include harm to minors, exposure to inappropriate content and the possible impact of platform design on children’s wellbeing.
The Commission’s position is that platforms cannot rely only on self-declared dates of birth where they already know that underage users may be able to bypass entry rules. It also said that children who have already gained access must be identified and removed promptly where they are below the permitted age.
The issue is not limited to account registration. Age assurance has become one of the most difficult areas of digital regulation. Platforms are expected to restrict access by underage users while avoiding disproportionate collection of personal data from all users. That tension has made the subject politically and technically sensitive across member states.
In July 2025, the Commission published guidelines on the protection of minors under the DSA and presented an age-verification prototype intended to support safer online services. Those measures are designed to help platforms apply age checks in a way that is effective, proportionate and compatible with privacy requirements.
The preliminary finding against Meta gives the issue a concrete enforcement test. Until now, much of the EU debate on minors online has centred on guidance, platform commitments and national-level proposals. The Commission’s action moves the discussion towards whether major platforms have met binding legal duties under EU law.
For Brussels, the case also carries institutional significance. The DSA gave the Commission direct supervisory powers over very large online platforms and search engines. Enforcement against a company of Meta’s scale will be closely watched by other platforms subject to the same regime.
The practical question is whether Meta can demonstrate that its systems are sufficiently robust to prevent underage access or whether it will need to introduce stronger age-assurance tools. Any new approach would have to balance child protection, user privacy, fraud prevention and ease of access for legitimate users.
The proceedings also underline the broader direction of EU digital regulation. The Commission is not only targeting illegal content or advertising transparency, but also the design of major platforms and the risks created by their user-access systems. That approach places compliance obligations closer to the structure of digital services themselves.
Meta has not yet been found definitively in breach. The company’s response will be central to the next stage of the procedure. The outcome will help determine how far Brussels is prepared to go in requiring large platforms to verify age, remove underage users and demonstrate that child-protection rules are being applied in practice.
For users, regulators and technology companies, the case is likely to become a reference point in the enforcement of the DSA. It raises a direct question at the centre of Europe’s digital policy: whether platforms with hundreds of millions of users can rely on self-declared ages, or whether the legal standard now requires stronger proof.

