Musk said he’ll follow national laws — and specifically reassured concerned EU officials that he’ll follow the DSA — but this will be difficult in practice with so few staff left to moderate content. It won’t be easier in the EU’s lawmaking capital of Brussels, where Twitter’s office is now lifeless.

EU leaders know Musk himself was a controversial speaker on Twitter — he was taken to court for defamation after he called a British caver a “pedo guy” (Musk won), the US SEC sued him for tweets about taking Tesla Inc. private (Musk settled), he tweeted a Nazi meme (then deleted it), and posted misinformation about an attack on US House Speaker Nancy Pelosi’s husband (also deleted.)

While most if not all of these wouldn’t have breached the DSA, it’s certainly made lawmakers attentive to the possibility that they were signs of what’s to come.

What new rules must Twitter follow in Europe?

One rule makes it a requirement for platforms like Twitter to remove content that’s illegal in any of the EU bloc’s member states. For instance, content promoting Nazism would have to be taken down in Germany, where such speech is illegal. But it wouldn’t have to be taken down across the border in Denmark, where it isn’t. Another rule is that platforms like Twitter must show the European Commission, the bloc’s executive arm, that it’s doing an appropriate amount of work to decrease the spread of content that breaks no law, but can be seen as harmful. This would include disinformation. Companies will have to show how they’re tackling such posts this summer. If the EU concludes not enough is being put in place, this second rule gives them the power to demand changes to algorithms or policy, for instance. 

What other rules must Twitter follow in Europe? 

Musk will have to follow the EU’s landmark data protection rules, the GDPR, which requires Twitter to have a data protection officer in the EU. It also means Twitter must get consent before targeting ads to specific user groups, and makes Twitter liable for any data breaches. Musk will have to keep his eye on other legislation in the works like the EU’s AI Act. The current proposal bans the use of algorithms shown to discriminate against people, which could impact Twitter’s face-cropping tools that have been shown to favor thin, young women. The EU’s Child Sexual Abuse Materials proposal could force Twitter to screen private messages for child sexual abuse imagery, or grooming. These are still being debated in the EU.

How will EU regulators enforce the rules?

In extreme cases, they could ban Twitter from operating in the bloc. In more modest scenarios, they could sanction raids on its remaining offices to see if it’s doing what it says it’s doing, and use what they discover to force stronger changes to behavior. And in more likely initial situations, they would issue strongly-worded demands, fines, and dangle the threat of further action. 

These are options open to all companies subject to Brussels’s law, including Meta Platforms Inc., Alphabet Inc., Microsoft Corp. and others. However, Musk’s stance on free speech and his dismissal of about half of Twitter’s employees have already put him in regulators’ spotlight. Twitter will have to do a lot more work to comply with the DSA, including adding a mechanism for users to easily flag illegal content and having enough moderators to review content in each EU country. The EU has not been afraid of taking on big US tech companies in the past. Ireland’s data protection watchdog fined Twitter €450,000 ($448,360) in 2020 for violating the GDPR. Amazon.com Inc., Meta’s WhatsApp, and Alphabet’s Google have been slapped with fines in the millions of euros, although critics argue these symbolic fines do little to change big tech’s behavior as companies see them as cost of doing business in Europe.

When could action be taken?

As far as the DSA is concerned, no time soon. Twitter will have to publish the number of users it has in February, which kick-starts the process of commission supervision, but it won’t have to submit a risk assessment until next summer. Instead, Musk’s first chance to show the EU that he takes content seriously is by upholding the EU’s Code of Practice on Disinformation. Twitter signed the code this summer, promising to not profit off disinformation and to fight fake accounts and bot driven amplification. While the code is voluntary, it’s obviously not a great look if Musk backs out of the promise or violates it right away. 

Ireland’s supervisor has said it’s “closely” monitoring Musk’s moves. After the departure of Twitter’s sole chief privacy officer, the company reassured Ireland’s data watchdog that it was complying with the GDPR and would have someone in charge of data in the meantime. The biggest risk could be having too few staff to safeguard the platform from hacks that expose user data.

Is the EU the only place Musk should be worried about?

The US Supreme Court will hear two cases that could make social media companies liable for algorithms that promote illegal or harmful content. This could dramatically change how companies in the US moderate content. Meanwhile, Twitter sued India over a new law that essentially gives the government control to censor social media posts. It’s unclear if this goes against Musk’s ideas of free speech enough that he’ll continue the suit or if he’ll just adhere to the law.