DSA Risk Assessment for Marketplaces: what "adequately identify systemic risks" actually means after Temu.

"Diligently identify, analyse and assess any systemic risks." Five words from Article 34 of the Digital Services Act. Five words that just cost Temu €200 million.

What Article 34 actually requires.

The Digital Services Act, in force since February 2024 for the largest platforms, requires every Very Large Online Platform (VLOP) and Very Large Online Search Engine (VLOSE) to conduct an annual systemic risk assessment. The obligation sits in Article 34.

The text identifies four categories of systemic risk that must be assessed:

1. Dissemination of illegal content through the service
2. Negative effects on the exercise of fundamental rights (including consumer protection, non-discrimination, human dignity)
3. Negative effects on civic discourse, electoral processes and public security
4. Negative effects on gender-based violence, public health, minors and serious negative consequences to the physical and mental well-being of users

The Temu fine sits firmly in the first category. The illegal content in question was illegal products: chargers failing electrical safety tests, baby toys with chemical exposure or choking-hazard parts, items that should not have entered the EU market under the General Product Safety Regulation.

What the Commission said Temu got wrong.

The Commission’s finding, in plain terms, was that Temu’s 2024 risk assessment was a generic exercise. It relied on sector-level information about online marketplaces rather than platform-specific evidence about Temu’s own listing ecosystem. It produced general statements rather than concrete identification of where the actual risks sat.

The specific failures cited in the Commission’s decision:

• The assessment was inaccurate and not grounded in evidence specific to Temu’s marketplace
• It underestimated the likelihood that EU consumers would encounter illegal products on the platform
• It lacked specificity: rather than identifying particular product categories or seller patterns carrying high risk, it spoke at a generic level
• The mitigation measures proposed in the assessment did not credibly correspond to the actual risks Temu’s data should have surfaced
• The evidence base was not comprehensive: third-party data, customs findings, and independent product testing all surfaced risks the in-house assessment missed

EVP Virkkunen’s framing of the failure was direct: the assessment "underestimates concrete risks, lacks specificity, is not grounded in solid evidence, and is not comprehensive."

What an adequate risk assessment actually looks like.

The DSA does not prescribe a methodology in detail. The Commission’s decision against Temu, read against Article 34, Article 35 (risk mitigation), and the Commission’s preliminary findings from July 2025, indicates the working standard.

Platform-specific evidence base.

Generic statistics about online marketplaces are insufficient. The assessment must use the platform’s own data: listing volumes by category, seller country-of-origin distribution, product return rates, customer complaint patterns, removed-listing data, Safety Gate notification frequencies on the platform’s own products, and independent testing where appropriate.

Granular risk categorisation.

A finding that "some products on the platform may be unsafe" is insufficient. The assessment must identify particular categories (electronics, toys, cosmetics), particular seller profiles (new sellers from specific jurisdictions, sellers without verifiable Responsible Person designation), and particular failure modes (CE marking, technical documentation, conformity testing) where risk concentrates.

Quantified mitigation measures.

Risk mitigation under Article 35 must be proportionate to identified risks. "We will improve our processes" is insufficient; "we will require all electronics sellers from outside the EEA to verify Responsible Person designation through our automated check before listing, with target verification rate of 99% within 90 days" is the level of specificity that meets the standard.

Independent third-party audit.

Article 37 of the DSA requires VLOPs and VLOSEs to undergo at least one annual independent audit at their own expense. The Commission Delegated Regulation 2023/1097 sets out the audit framework. A risk assessment that has not been stress-tested against external evidence is structurally vulnerable.

Cooperation with authorities.

Article 31 imposes due-diligence duties including authority cooperation. A risk assessment that ignores information provided by national consumer protection authorities, BEUC complaints, or Safety Gate alerts cannot credibly claim to be comprehensive.

What this means for non-VLOP platforms.

The DSA differentiates obligations. Only VLOPs (45 million+ active EU users) and VLOSEs face the Article 34 systemic-risk-assessment obligation. Smaller platforms operate under the lighter Articles 11-25 due-diligence framework.

But the gravitational effect is unmistakable. The compliance posture VLOPs are now adopting is becoming the de facto industry standard. Smaller marketplaces that want to graduate to VLOP designation, that operate B2B contracts with VLOPs, or that face national competent authority scrutiny under the DSA Digital Services Coordinator regime, will increasingly be expected to operate at a comparable evidentiary standard.

The overlap with GPSR, VAT and customs.

The DSA risk assessment doesn’t sit in a vacuum. The Temu evidence drew on customs findings (Italian Agenzia delle Dogane and equivalents), product safety testing (under GPSR Regulation 2023/988), and consumer complaints (under Article 12 DSA). A defensible risk assessment requires integration across these regulatory domains.

For platforms operating in or shipping to Italy, the relevant integrations are:

• Customs data: AIDA risk register cross-references for products entering Italy via Genoa, Trieste, La Spezia and Italian air freight hubs
• Product safety: GPSR Responsible Person verification status across listings, Safety Gate notification monitoring, technical documentation audit cycle
• VAT and marketplace facilitator: Article 14a VAT Implementing Regulation deemed-supplier obligations, IOSS registration where applicable, Italian fiscal representation under Article 17 DPR 633/72
• Consumer protection: Italian Codice del Consumo (Legislative Decree 206/2005) consumer rights, dispute-handling, and pre-contractual information obligations

What CiDATax does about this.

For platform operators and marketplaces facing DSA exposure, CiDATax provides Italian fiscal representation under Article 17 DPR 633/72, EU Responsible Person service under GPSR Regulation 2023/988, VAT and marketplace facilitator advisory under our VAT compliance service, and customs and AIDA risk register coordination under our customs service. The pieces are deliberately integrated rather than sold separately.

The Temu fine made the cost of treating these as separate compliance silos visible. The €200 million is the starting bid.