Digital Services Act Annual Risk Assessment Report (Non-Confidential version)
September 2025

Table of Contents

1. Executive Summary
2. Abbreviations and Definitions
3. Introduction
    3.1. Commitment to Digital Services Act Compliance and a Safer EU Marketplace
    3.2. AliExpress Risk Governance Framework
        3.2.1. Embedded and Multi-Layered Risk Governance
        3.2.2. Frontline Risk Controls
        3.2.3. Performance Monitoring and Quality Assurance
        3.2.4. Specialised Expertise and Compliance Oversight
        3.2.5. Board Oversight and Continuous Assurance
4. Risk Assessment Methodology
    4.1. Overview
    4.2. Our Commitment to Continuous Improvement
    4.3. Evolving to a Refined Data-Centric Risk Assessment Framework
    4.4. Enhanced Risk Identification and Mapping
    4.5. Data-Driven Model for Risk Assessment
    4.6. Additional Assessment of Mitigations and Control Strength
    4.7. Measuring and Prioritising Risk
    4.8. Our Mitigation Philosophy
5. Overview of Risk Assessment Results and 2025 Residual Risk
6. Detailed Risk Assessment Findings
    6.1. Overview of the Risk Environment
        6.1.1. Inherent Risks from Misuse of Core Platform Design and Functionalities
        6.1.2. Inherent Risks from System-level Operations (DSA Art. 34(2) Factors)
    6.2. Common Risk Mitigations and Control Framework
        6.2.1. Proactive Content Moderation and System Controls
        6.2.2. Ongoing Monitoring and Detection
        6.2.3. Post-listing Monitoring and User Empowerment
        6.2.4. Seller Vetting and Onboarding Controls
        6.2.5. Enforcement and Remediation
    6.3. Intellectual Property Rights
        6.3.1. Overview
        6.3.2. Inherent Risk
        6.3.3. Residual Risk
        6.3.4. IPR Risk Mitigation and Control
        6.3.5. Overall Mitigation and Control Effectiveness
        6.3.6. Future Mitigation Plan
    6.4. Data Protection
        6.4.1. Overview
        6.4.2. Inherent Risk
        6.4.3. Residual Risk
        6.4.4. Risk Mitigation and Control
        6.4.5. Overall Risk Mitigation and Control Effectiveness
        6.4.6. Future Risk Mitigation Plan
    6.5. Consumer Protection and Related Fundamental Rights
        6.5.1. Overview
        6.5.2. Inherent Risk
        6.5.3. Residual Risk
        6.5.4. Risk Mitigation and Controls
        6.5.5. Overall Mitigation and Control Effectiveness
        6.5.6. Future Risk Mitigation Plan
    6.6. Prohibited & Controlled Products
        6.6.1. Overview
        6.6.2. Inherent Risk
        6.6.3. Residual Risk
        6.6.4. Risk Mitigation and Control
        6.6.5. Overall Control Effectiveness
        6.6.6. Future Risk Mitigation Plan
    6.7. Content Compliance
        6.7.1. Overview
        6.7.2. Inherent Risk
        6.7.3. Residual Risk
        6.7.4. Risk Mitigation and Control Effectiveness
        6.7.5. Mitigation and Control Effectiveness Score
        6.7.6. Future Risk Mitigation Plan
7. Synthesis of Risk Posture - Continuous Monitoring and Improvement

1. Executive Summary

Launched in 2010, AliExpress is a global business-to-consumer (B2C) e-commerce platform guided by a mission of “Smarter Shopping, Better Living”. This report presents our third annual risk assessment, conducted in line with our obligations as a designated Very Large Online Platform (VLOP) under the Digital Services Act (DSA) of the European Union (EU). It outlines our progress in further enhancing our risk management capabilities and our commitment to ensuring a safe and trustworthy marketplace for all our users, including those in the European Union.

Driven by our commitment to continuous improvement and the availability of new market benchmarks and data, this year’s assessment was conducted using an enhanced methodology designed to bring greater transparency to our stakeholders. Our approach has evolved to a more data-led evaluation of risk, supporting our assessment of how effectively our controls mitigate potential harms. This evidence-based framework moves beyond broad analysis to provide a more granular and objective understanding of systemic risks specific to our services.

The assessment confirmed a risk profile consistent with a large-scale online marketplace, where high inherent risks are an operational baseline. The findings show a continuously improving risk management framework, demonstrating the effectiveness of our multi-layered controls and the proportional design of our mitigation measures.

To provide greater depth and transparency into our risk environment, this report details how risks can manifest across services and how we mitigate them. The analysis was a cross-functional effort conducted through our established risk governance framework, with oversight from compliance, legal, and operational leadership.
It is structured around five risk modules that ensure a comprehensive review and continuity with previous reports: (i) Prohibited and Controlled Products (PCP), (ii) Intellectual Property Rights (IPR), (iii) Content Compliance, (iv) Data Protection, and (v) Consumer Protection and Related Fundamental Rights.

This annual assessment is a critical component of our dynamic and iterative approach to safety. Our framework is an adaptive and advanced system, designed to monitor and respond to evolving challenges and emerging harms. The findings and risk indicators detailed in this report will serve as a direct input for the continued enhancement of our mitigation strategies, ensuring AliExpress remains a resilient and safe platform for our users.

2. Abbreviations and Definitions

Table 2-1: Relevant acronyms, abbreviations, and terms used across this document

Abbreviation/Term | Definition
Actioned Report Rate | Number of actioned reports in corresponding risk module / Total number of validated/established reports in corresponding risk module
API | Application Programming Interface
[Confidential] | [Confidential]
[Confidential] | [Confidential]
CE mark | The letters “CE” are an acronym for the French phrase “Conformité Européenne”, which means “European Conformity”. The CE marking (or CE mark) is a mandatory conformity marking for many products placed on the market in the European Economic Area (EEA)
Cleanliness Rate | Number of confirmed products either illegal or incompatible with Terms and Conditions in sampled review / Total number of products in a sampled review
CRO | Chief Risk Office
DPO | Data Protection Officer
DSA | Digital Services Act of the European Union [Regulation (EU) 2022/2065]
DSR | Data Subject Request
EC | European Commission
ESU | Emergency Service Unit
EU | European Union
Exposure Score Ratio | This ratio measures the composition of risk among all illegal items moderated
GDPR | General Data Protection Regulation of the European Union [Regulation (EU) 2016/679]
GPSR | General Product Safety Regulation of the European Union [Regulation (EU) 2023/988]
IM | Instant Messaging functionality
IPP Platform | Intellectual Property Protection Platform
IPR | Intellectual Property Rights
KRI | Key Risk Indicator
[Confidential] | [Confidential]
Median Survival Time | Median time (in days) for which illegal products reappear on the Platform
Miss Rate | A variable used specifically in Content Compliance Module - The percentage of violations not intercepted by proactive systems, calculated as (missed violations ÷ [proactively detected violations + missed violations])
[Confidential] | [Confidential]
PCP | Prohibited and Controlled products
Post-listing Interception Control | Product compliance control strategies after listings are posted
Pre-listing Interception Control | Product compliance control strategies before listings are posted
Pre-listing Interception Rate | Pre-listing Interception Rate = Number of Moderations of illegal items before Publication / Total Moderations of illegal items
Proactive Control Rate | The percentage of all illegal content moderations that were initiated by AliExpress’ own proactive systems, as opposed to total moderations
QC | Quality Control
RA | Risk Assessment
Reappearance Fail Rate | The rate at which moderated illegal items reappear on the platform. It is calculated by dividing the number of unique items that reappeared after removal by the total number of unique items that were moderated in that period
Recall Rate | Number of recalled orders issued under product recall notifications / Total number of recalled orders in the EU
Refund Rate | Number of refunded items / Total number of items that fulfil AliExpress’ conditions for refund in different scenarios either illegal and/or incompatible with terms and conditions (e.g., illegal products, fake shipment, inferior product quality, etc.)
Safety Gate | The EU rapid alert system that facilitates the quick exchange of information relating to dangerous non-food products between European Union and European Economic Area member states, as well as the European Commission
Scenario Violation Rate | Total volume of violating content in each scenario / Total volume of scenario content
SKU | Stock-Keeping Unit
[Confidential] | [Confidential]
SOP | Standard Operation Procedure
Systemic Risks | Risks of systemic nature as foreseen in the DSA, that stem from the design, functioning, or use of a Very Large Online Platform or search engine, which may contribute to: 1. Dissemination of illegal content; 2. Actual or foreseeable negative effects on fundamental rights; 3. Actual or foreseeable negative effects on civic discourse, electoral processes, or public security; 4. Actual or foreseeable negative effects concerning gender-based violence, public health, minors, or serious harm to physical/mental wellbeing
Trusted Flagger | An independent and expert entity, officially designated by an EU Member State’s Digital Services Coordinator in accordance with Article 22 of the DSA, recognised for its expertise, and granted the right to submit notices of illegal online content that online platforms must treat with priority and without undue delay
[Confidential] | [Confidential]
UGC | User-Generated Content
Validated Reports | Reports filed by users, stakeholders, and other parties, which are validated to be either illegal or non-compatible with terms and conditions
VLOP | Very Large Online Platform, as defined in the DSA

Table 2-2: Background information on data points used and referenced across this Report

Term | Definition
Data | All datasets considered reflect AliExpress’ EU moderation decisions, as may be indicated, and span across 1 July 2024 to 30 June 2025, unless otherwise indicated

3. Introduction

3.1. Commitment to Digital Services Act Compliance and a Safer EU Marketplace

As the online ecosystem evolves, regulations like the DSA are crucial for fostering a safer online environment. User safety is fundamental to our company and to the integrity of the AliExpress Platform. We are dedicated to ensuring user safety in the continuous integration of DSA principles into our operational and risk management frameworks.

The foundation of our compliance approach is the premise that stakeholder trust is contingent upon platform safety. This premise governs our commitment to continuous improvement and risk management strategy.
Our risk assessment framework includes regular market benchmarking, reviews from previous cycles, and the incorporation of insights from authorities such as the European Commission to ensure consistency, thoroughness, objectiveness and continuous improvement. Our improved risk assessment methodology (detailed in Section 4) has now become even more objective and data-driven. This report brings more depth and transparency to how we view the risk environment, how risks can manifest, and how we mitigate them.

This annual risk assessment exercise is a snapshot of an ongoing, iterative risk management process. Our framework is an adaptive system that monitors relevant data points and risk indicators throughout the year, allowing us to track evolving risks and measure the long-term effectiveness of our controls. To ensure our approach remains adequate, we supplement our internal efforts with engagement from third parties, including regulators, industry experts, and Trusted Flaggers.

Our risk management framework translates into a safer digital experience. For example, our assessment under the ‘Prohibited & Controlled Products’ module is focused on achieving a marketplace with fewer illegal items. Additionally, our assessment under the ‘Intellectual Property Rights’ module will help us protect consumers from encountering and purchasing counterfeit items while simultaneously protecting the economic rights of IPR holders and consumers’ ability to purchase authentic goods. This process demonstrates our commitment by translating complex processes and regulatory requirements into tangible digital safety for users on our Platform, including those based in the EU.

Our risk management efforts are ongoing and extend beyond this report. We continue to monitor emerging challenges, such as advancements in generative AI and the protection of minors, and are constantly investing in the technologies and partnerships required for enhancing compliance.

3.2. AliExpress Risk Governance Framework

3.2.1. Embedded and Multi-Layered Risk Governance

Risk governance at AliExpress is a shared responsibility, embedded across all organisational levels and functions. Our approach is designed to be a continuous and proactive process, ensuring that all internal stakeholders are equipped to identify and monitor potential risks. This protects users and, consequently, builds trust and enhances our reputation and business.

Organisationally, our risk governance structure follows a tiered model, headed by the Board of Alibaba Singapore E-Commerce Private Limited (i.e., the service provider of AliExpress), with specialist teams and functions that ensure clear accountability, focused expertise, and effective oversight.

3.2.2. Frontline Risk Controls

The foundational layer of our risk governance framework consists of preventive controls integrated directly into our daily operations. These controls include vetting sellers before onboarding, pre-listing and content screening, along with product-level controls, aimed to ensure user legitimacy and prevent malicious activity on the Platform.

● Seller Onboarding: All sellers undergo a comprehensive verification process during onboarding, including validating their legitimacy against official databases, including the EU’s VAT Information Exchange System (VIES), and reviewing the onboarding company documentation. This process was enhanced in March 2024 to further reduce risks from malicious actors. In addition, in February 2025 we completed a verification of the existing sellers on the platform.
● Pre-listing and Content Screening: We operate an internal risk management platform to detect and block potential prohibited and controlled items-related violations, items with safety concerns, and IPR infringing items before publication. We rely on a combination of algorithmic controls and expert human review to assess product listings, descriptions, and user communications.
● Product-Level Controls: Risk management is also integrated into the Platform’s features, such as anonymising sensitive order details to protect user data during order fulfilment and using real-time risk control strategies to detect and block content that is either illegal or non-compatible with terms and conditions.

3.2.3. Performance Monitoring and Quality Assurance

The second layer of our risk governance framework continuously tests the effectiveness of our frontline controls to ensure they are performing as intended.

1. Quality Assurance Functions: Dedicated Quality Assurance (QA) teams review general Platform content on a sample basis to verify its “cleanliness”. This continuous exercise consistently meets high performance targets, averaging over [Confidential]. This exercise is not just a measurement; its findings directly inform necessary updates to our Platform policies and operational processes.
2. Key Risk Indicator (KRI) Monitoring: We actively track Key Risk Indicators (KRIs), such as the “cleanliness rate” of listed products on the Platform’s front end. This provides a view of the Platform’s health and guides operational teams in the management of risks in their day-to-day activities.
3. Moderation Accuracy Rate: We ensure quality of QA review by employing a “moderation accuracy rate” to measure the performance of our content moderators. This standard, which holds moderators to a recently-increased stringent [Confidential] minimum accuracy rate, is monitored through random sampling. The results provide continuous assurance that our moderation efforts are effective, thereby upholding the integrity of our Platform.

3.2.4. Specialised Expertise and Compliance Oversight

Specialist functions provide expertise, thereby setting the standards for the entire organisation.
These teams include our DSA Compliance Function, the Legal and Compliance Department, the Platform Rules Department, the Internal Control Department, our Global IP Enforcement Team, the Emergency Service Unit, and the Chief Risk Office (CRO). The CRO’s role extends beyond simple oversight to actively monitoring the overall content risk and operating environment, assessing risks on an ongoing basis, and informing policy and operational teams of areas for improvement. Together, these functions set the enterprise-wide risk framework, define Platform rules, ensure new products undergo structured risk reviews, and are responsible for conducting the annual DSA risk assessment and escalating any systemic issues.

3.2.5. Board Oversight and Continuous Assurance

The Risk Assessment exercise is overseen by and reported to the Board, which actively oversees the platform’s risk management framework. The Board reviews the results of our annual risk assessments, insights from engagements with the Commission and how they are incorporated, and the findings of our independent external auditor. This third-party auditor, engaged in line with DSA requirements, provides independent validation of our controls, and the Board ensures their recommendations are adopted to continuously strengthen our risk governance framework. This is complemented by other forms of high-level assurance, such as our reporting to an Independent Monitoring Trustee regarding the implementation of commitments reached with the Commission in June 2025.

To ensure our mitigations remain effective, we will introduce additional Key Risk Indicators (KRIs) in this cycle for the ongoing monitoring of their effectiveness. We continually evaluate further assurance steps to ensure independent reviews are ongoing and that improvements are consistently considered [Confidential] certifications.

4. Risk Assessment Methodology

4.1. Overview

The Year 3 Risk Assessment exercise, as summarised in this Report, reflects the risk profile of our services as of 30 June 2025. In compliance with Article 34 of the DSA, AliExpress’ risk assessment methodology evaluates how the design and operation of the Platform may contribute to systemic risks in the EU. The assessment takes into account the relevant recitals of the DSA, i.e., 12, 79, 80, 81, 82, 83, 84, 85, 89, and 90, and covers the four categories of systemic risks as outlined in Article 34(1): 1) the dissemination of illegal content through our services; 2) any actual and foreseeable negative effects to the exercise of fundamental rights; 3) any actual or foreseeable negative effects in relation to civic discourse, electoral processes, and public security; and 4) any actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors, and serious negative consequences to a person’s physical and mental well-being.

4.2. Our Commitment to Continuous Improvement

Our approach to risk management is proactive and grounded in a foundational commitment to continuous improvement. AliExpress has built on insights from previous assessment cycles and prior work to inform this year’s risk assessment. This section outlines our revamped methodology, which has been enhanced with a focus on creating a more nuanced and granular risk assessment. This evolution is driven by four key factors: (1) our commitment to continuous improvement, (2) incorporating insights from the EC, (3) applying key learnings from market benchmarks, and (4) a deeper understanding of regulatory concerns. The result is a refined methodology and a greater depth of analysis, designed to ensure our framework is thorough, complete, and clear.

4.3. Evolving to a Refined Data-Centric Risk Assessment Framework

Drawing on the learnings from our first two assessment cycles, our methodology has matured to be even more data-driven.
This has been achieved through two core pillars of enhancement, (1) a refined data-driven assessment model, and (3) a deep-dive analysis of the mitigation designs, implementation and mitigation effectiveness.

4.4. Enhanced Risk Identification and Mapping

To ensure thoroughness, our process began with a comprehensive mapping of our service and its risk environment. We also conducted a refreshed user journey walkthrough that simulated risks across both buyer and seller experiences on the Platform. All identified risks have been thoroughly reviewed and categorised within our five established risk modules: Prohibited and Controlled Products (PCP), Intellectual Property Rights (IPR), Content Compliance, Consumer Protection, and Data Protection (See Table 4 below). This exercise was supplemented by a dedicated features and functionalities mapping to account for all aspects of the service, including any new relevant launches in the past year.

Importantly, we have integrated the influencing factors, outlined in Article 34(2) of the DSA, consistent with previous assessments. In conducting our assessment, we specifically take into account how the following factors influence systemic risks on the Platform:

● The design of our recommender systems and any other relevant algorithmic systems.
● Our content moderation systems and their operational capacity.
● The applicable terms and conditions and their enforcement.
● Our systems for selecting and presenting advertisements.
● Data-related practices on our service.

This aligns our methodology to the requirements of DSA Article 34(1), which mandates that risk assessments be specific to the service. By doing so, we (i) better capture the intended use of AliExpress as an online marketplace, and (ii) address the specific risks associated with the functioning of the Platform.

Table 4: Risk Register for Year 3 Risk Assessment

Risk Modules | Year 3 Risk Sub-Categories
Prohibited & Controlled Products | Public security (dangerous products); Sale of products either illegal or incompatible with terms and conditions
Content Compliance | Illegal hate speech; Unlawful discriminatory content; Terrorist content; Public Security (mass violence); Child Sexual Abuse Material; Gender Based Violence; Non-consensual sharing of private images
Data Protection | Protection of personal data
Consumer Protection and Related Fundamental Rights | Online stalking; Rights of the child & Protection of Minors; Online interface design that may stimulate behavioural addictions of recipients of the service; Right to effective remedy and to fair trial; Risk to public health (Previously called coordinated disinformation campaign related to public health); Sale of products or provisions of services in infringement of consumer protection law; Freedom of expression and information; Freedom to conduct a business
Intellectual Property Rights | IPR infringement (including patent, trademark and copyright) (Previously called non-authorised use of copyright protected material)

4.5. Data-Driven Model for Risk Assessment

Our methodology for the assessment of systemic risks on the Platform has been enhanced to rely on more objective evidence and quantifiable data points.

First, we assess inherent risk – the risk level before any controls are considered. These risks are inherent to the design and operation of online platforms. As the foundation of our process, we have considered these inherent risks and assessed them in the specific context of the AliExpress service.
Our assessment has shifted from a qualitative exercise to a clear, evidence-based model, where the presence of a risk is formally determined by concrete evidence from three key sources:

● Condition 1: Historical occurrence of the systemic risk on AliExpress.
● Condition 2: The risk’s occurrence on other VLOP marketplace platforms, based on their transparency reports.
● Condition 3: Reports of the risk by the Commission, market researchers, consumer bodies, or reputable news sources.

[Confidential] This approach provides a basis for determining the likelihood of a risk manifesting, while also recognising that certain risks may not materialise on AliExpress itself but could be observed on other VLOP marketplaces, helping to ensure a more comprehensive understanding of the overall risk landscape.

Where applicable, risks that do not pertain to the nature or functionality of AliExpress may be marked as not applicable (‘N/A’), with accompanying justifications. This includes risks for which there is no evidence of occurrence on AliExpress or other comparable marketplaces, nor any known relevant historical precedent based on market research, regulatory research publications, or reputable news sources.

Second, we assess residual risk – the risk that persists after all relevant mitigations and safeguards have been applied. This is calculated using the formula:

Probability x Severity = Residual Risk

The data points selected for the probability calculation aim to reflect the impact of existing mitigation measures and controls currently in place. The severity component is assessed as a combination of scope, scale, and remediability. To measure scope, we evaluate the range of users that could be affected by a specific risk and the extent to which the harm is physical, psychological, informational, economic, and/or societal; and how the harm may be experienced by vulnerable groups.
Remediability is grounded in AliExpress’ operational capabilities, such as refund mechanisms and product recall processes, which offer insights into how effectively harms can be reversed or mitigated once detected.

4.6. Additional Assessment of Mitigations and Control Strength

As an additional layer, separate from and complementary to the residual risk calculation, we perform a deep-dive assessment into the strength of our specific controls. While residual risk measures the outcome of our mitigation efforts, this analysis examines the quality of the controls themselves as well as their effectiveness. We evaluate the strength of each control based on three distinct criteria:

● Design adequacy: Whether the design is proportionate and suitable.
● Intent: Whether there is evidence of control implementation, and that it is operating as intended.
● Mitigation Effectiveness: Quantifiable evidence to evaluate the control’s direct impact on reducing or maintaining the risk level.

4.7. Measuring and Prioritising Risk

The quantitative formula for residual risk produces a clear score that combines probability and severity into a single value. This score is then translated into a five-level scale, ranging from “Low” to “High”, allowing for objective comparison and prioritisation. This structured scoring system ensures that risks with the greatest potential for harm are clearly distinguished and prioritised for further attention and mitigation.

4.8. Our Mitigation Philosophy

Our philosophy on risk mitigation is built on a proactive commitment to proportionality, evidence, and effectiveness. The results of our risk assessment directly inform the design and implementation of further mitigation measures, in alignment with Article 35 of the DSA.
We believe effective mitigation requires a dual-focus approach: our control strength assessment provides qualitative insight, supported by quantitative KRIs, into why our mitigation framework is effective, while the measurement of residual risk provides quantitative proof. A sustained year-on-year reduction in residual risk serves as the key indicator that controls are functioning as intended, and demonstrates the tangible success of our long-term mitigation strategy.

5. Overview of Risk Assessment Results and 2025 Residual Risk

The Year 3 assessment confirms a risk profile characteristic of large-scale marketplaces, where inherent risks are naturally high across systemic areas. These include attempts to introduce prohibited or counterfeit goods, efforts to manipulate consumer trust through fake reviews or scams, and the ongoing challenge of harmful or illegal content.

Residual risks, however, are materially reduced through AliExpress’ multi-layered control framework. Proactive detection, rapid takedown, refund and recall mechanisms, and robust user reporting and appeals processes demonstrate that risks are managed to medium or low levels. In practice, this means that while residual risk remains in certain areas due to the potential severity of harms, operational evidence shows that these risks are significantly limited in scope and impact.

Looking ahead, this year’s assessment provides a strong foundation for AliExpress’ continuously improving program. The findings confirm that the risks observed are not unique to any one platform, but are systemic across large-scale marketplaces, while also highlighting how AliExpress’ framework materially reduces exposure in practice. These results will guide our mitigation roadmap under Article 35 of the DSA, ensuring that controls remain proportionate, effective, and transparent.
In doing so, we aim to reinforce trust for users, provide confidence to regulators, and demonstrate that our safeguards are designed to adapt to evolving technologies and online behaviours.

6. Detailed Risk Assessment Findings

6.1. Overview of the Risk Environment

As with any global online marketplace, the AliExpress risk environment is inherently dynamic. Our open nature, which facilitates legitimate commerce between sellers and millions of users, also presents opportunities for malicious actors. These actors may misuse platform functionalities and devise tactics to evade content moderation, creating systemic risks to the Platform’s integrity, user trust, and safety. The following taxonomy provides a comprehensive map of the AliExpress risk environment, giving depth and transparency into that environment, how risks can manifest across our services, and how we mitigate them.

6.1.1. Inherent Risks from Misuse of Core Platform Design and Functionalities

The following table details the platform's inherent risks without any consideration of our existing controls and mitigations.

Table 6-1: Overview of Inherent Risks Stemming from Platform’s Design and Functionalities

Risk Area | Risk Description
Account Takeovers | Malicious actors threaten account integrity in two ways: banned sellers may use [Confidential] to circumvent enforcement and create new accounts, and external actors can use methods [Confidential] for account takeovers – leading to risks of consumer harm, financial loss, and data breaches.
Affiliate Program Misuse | The Affiliate Program can be misused by participants who knowingly promote counterfeit products as genuine to earn commissions, extending the reach of infringing content to external platforms. Affiliates can promote links to PCP products, potentially through concealed or redirected links, and may even share external links that have content compliance risks.
[Confidential] [Confidential]
Coordinated Multi-Feature Abuse | Sophisticated actors may concurrently misuse multiple features [Confidential] to amplify infringement and evade single-point controls.
Dark Patterns | Risk that the design of certain standard e-commerce features (e.g., time-limited offers, checkout flows) could be perceived by users as pressuring or creating confusion, potentially impairing their ability to make a free and informed decision.
Delivery & Fulfilment | Malicious sellers may exploit the Platform’s shipping and fulfilment tools [Confidential]. This misleads consumers about the status of their orders and hinders their ability to seek timely refunds for undelivered goods.
Exploitation by Buyers | Buyers may unfairly exploit promotional offers (e.g., coupon abuse), undermining the integrity of the Platform and the interests of other users to enjoy discounts and benefits under equal terms.
Exposure of Minors | Minors who circumvent the Platform’s age controls may be exposed to products that, while legal for adults, pose specific safety risks to children [Confidential].
Instant Messaging (IM) | Sellers may exploit the IM feature to lure buyers into off-platform transactions, stripping them of platform protections. IM can also be used to disseminate PCP products, [Confidential] redirect buyers to counterfeits, or phish for deceptive data collection. Misuse by bad actors could also allow other illegal or incompatible content, such as illegal hate speech or content promoting mass violence, to be shared via the IM tool.
Interactive Games | The highly engaging nature of interactive games, coupled with online interface design that may stimulate addictions of recipients, may lead to patterns of prolonged or excessive use by some individuals, potentially impacting well-being or leading to unintended spending.
Misuse of AliExpress Live | The AliExpress Live feature may be misused to market and demonstrate infringing goods in real-time. Bad actors may use the Live Chat feature to disseminate content that violates compliance requirements, such as illegal hate speech. Live streams also risk privacy violations or data leakage if users share personal information.
Misuse of Links (Internal and External) | Sellers may use platform features to share direct, concealed, or “hidden links” that redirect users to off-platform sites selling infringing goods or to different on-platform listings, a tactic that complicates detection and enforcement. Users may also share links that lead to external sites hosting content in breach of compliance requirements.
Misuse of User-Generated Content (UGC) | UGC spaces like Customer Reviews and Q&A sections can be exploited by users and bad actors to discuss or inquire about counterfeit/unsafe or PCP products [Confidential]. Additionally, bad actors may misuse these spaces to disseminate illegal content or content incompatible with terms and conditions (e.g., hate speech, terrorist content, CSAM) [Confidential]. Users may be exposed to data protection risks by inadvertently sharing personal data via these channels.
Onboarding of Sellers | Risk that malicious actors may attempt to bypass seller onboarding controls [Confidential]. A separate risk exists that automated vetting systems could incorrectly flag legitimate sellers (false positives), potentially delaying their access to the platform.
Product Listings | Sellers may post deceptive listings with false information on quality or features.
[Confidential] There is also a risk of sellers misusing this feature to edit product listings in a manner that facilitates or includes illegal content or content incompatible with T&Cs, or using misleading text, images, or videos to disguise illegal products as compliant.
Search & Discovery Manipulation | The search function can increase the visibility of PCP products if such listings surface in search results. It can also be manipulated by infringers to increase the visibility of counterfeit goods, causing them to surface in prominent search results and amplifying consumer exposure.

6.1.2. Inherent Risks from System-level Operations (DSA Art. 34(2) Factors)

Table 6-2: Overview of Inherent Risks from System-level Operations of the Platform (in line with Article 34(2) of the DSA)

Risk Area | Risk Description
Advertising Systems | The advertising system can be exploited to disseminate content that is illegal or incompatible with our T&Cs, infringing, or unsafe through paid promotions and targeted ads. A seller may also use these targeted ads to promote additional infringing products to a previous buyer, exploiting the established contact and trust. Malicious sellers may promote deceptive offers, luring users into fraudulent transactions. Additionally, advertising systems could unintentionally exclude certain user groups from promotions, and user-generated advertisements may contain illegal content or content incompatible with T&Cs due to obfuscated violations or post-approval edits.
Content Moderation Systems | The inherent scale of content moderation means that despite high accuracy rates, a risk of error (both false positives and false negatives) exists. False positives could result in the temporary removal of compliant content, while false negatives could allow illegal content and/or content incompatible with Terms and Conditions to remain visible pending detection.
Data Practices | In the course of fulfilling orders, sellers receive access to certain buyer data.
A risk exists that sellers may misuse or abuse this personal data in breach of our privacy policies and data protection regulations.
Recommender Systems | Infringing or unsafe products that evade initial controls may be algorithmically recommended to users once published (e.g., counterfeit sneakers suggested in “You may also like”), amplifying their visibility and creating a perception of platform endorsement. This also includes listings with inaccurate, misleading, or fraudulent descriptions. Furthermore, the recommender system could inadvertently expose or disseminate prohibited content by amplifying illegal content or content incompatible with T&Cs through search and ad keywords that gain traction.
Relevant Policies and Enforcement | The dynamic nature of online abuse means new circumvention tactics can emerge that may not yet be explicitly covered by existing policies. A risk exists in the period before policies and enforcement tools are updated to address these novel methods.

6.2. Common Risk Mitigations and Control Framework

To address the diverse risks identified in the Risk Environment, AliExpress employs a multi-layered control framework. This section describes the foundational, platform-wide controls that apply across multiple risk modules. The subsequent detailed risk assessments will refer back to this common framework and highlight any additional, module-specific controls.

6.2.1. Proactive Content Moderation and System Controls

These controls are integrated into our systems to detect and block potential violations before they are widely exposed to users.

1) Pre-listing Content Review: We use our internal [Confidential] platform to scan all product listings before publication.
The system scans listings to detect potential products and content that are either illegal or incompatible with terms and conditions. The [Confidential] system proactively blocks content by matching text with restricted keywords, which are created and maintained by risk management personnel to improve text algorithm performance. The system also relies on various detection algorithms that analyse different elements of a listing, including text, images and text embedded in images, and a reference database that keeps track of the correct categorisation of listings. [Confidential] All listings flagged by the [Confidential] system are subject to manual review and may only be published after validation by human review. To enhance detection performance, risk management personnel also conduct manual checks on algorithm-generated results, verifying keywords and using the algorithm to delete any identified prohibited content. Only keywords that pass these content moderation filters are visible to users.

2) Pre-listing interception for advertising and recommender systems: To mitigate the risk of disseminating products and content that are either illegal or incompatible with terms and conditions through advertisements or recommendations to users, all materials are run through our [Confidential] system pre-publication. Products and sellers that are blocked or identified as high-risk are automatically excluded from the advertising and recommendation pools, preventing their amplification.

6.2.2. Ongoing Monitoring and Detection

1) Feature-Specific Controls: We embed controls directly into platform features, such as automated IM scanning and using our internal system to anonymise sensitive buyer data during order fulfilment. To ensure end-user safety, we employ real-time risk control strategies to prevent the misuse of AliExpress Live, using real-time monitoring and image frame capture of livestreaming content, filtering live chat comments, or suspending the comment function entirely.
2) Continuous monitoring: Dedicated Quality Assurance (QA) teams and internal teams continuously monitor live content to assess and maintain the Platform’s “cleanliness” and identify infringements.

6.2.3. Post-listing Monitoring and User Empowerment

Regardless of the robustness of our pre-listing control, it cannot prevent all risks. The post-listing controls are designed to detect risks that may have bypassed initial checks and to empower our community and external partners to report issues.

1) User Reporting Channels: We provide accessible channels for buyers, sellers, and non-registered users to report potentially illegal content and/or content incompatible with Terms and Conditions. This includes our notice and action (and appeal) portal, the IP Protection Platform (IPP Platform) for rights holders, and a priority channel for Trusted Flaggers. Users and other stakeholders can report fraudulent or misleading products through these portals, including, for instance, specific report types for users like “guided off-platform transaction” and “account takeover” via the Help Centre’s Suspicious Report toggle. Both registered and non-registered users can also raise notice requests using our notice submission tool, available via the site footer, to report illegal content or content incompatible with T&Cs as well as to challenge moderation decisions. Users can track the status of their report and outcomes of successful or rejected appeals online.

2) Internal Monitoring: Our customer service team, internal inspection team, and public sentiment teams monitor for and discover any residual risk that our risk management system fails to capture. Our teams collect and verify reports and cases, then take down content incompatible with our T&Cs accordingly.

3) Third-Party Monitoring: We partner with EU-background external experts to conduct independent monitoring, monitor for emerging threats like hidden link schemes, and audit our systems.

6.2.4.
Seller Vetting and Onboarding Controls

These controls are designed to verify the identity and qualifications of a seller and funding account information before they can operate on the Platform.

1) Seller Verification: All sellers must be officially registered as a business with a government authority. We verify China-based sellers using the [Confidential] verification system and European sellers against official databases such as the EU’s VAT Information Exchange System (VIES) and against onboarding official documentation provided.

2) Preventing Re-registration and Repeat Offenders: Based on our database and algorithms [Confidential], we perform verifications of seller accounts to detect any similarities between new applicants and sellers previously banned from AliExpress. We [Confidential]. We also enforce a limit on the number of stores per entity, and if a store is terminated for breaches of T&Cs, the seller cannot reopen it or open new ones.

6.2.5. Enforcement and Remediation

These controls ensure that when a risk is detected, we take decisive and consistent action and provide appropriate remedies.

1) Violation Penalty System: We utilise a transparent store penalty and closure mechanism that applies escalating sanctions for misconduct, punishing repeated offenders of severe violations with store closure. This includes a 48-point penalty system to punish sellers’ misconduct and a three-strike rule for serious IPR infringements such as counterfeits. All penalties for merchant fraud are reviewed by a human before being issued.

2) Appeals and Remedy Mechanisms: We provide clear processes for sellers to appeal enforcement decisions, supported by dedicated multilingual customer service teams. AliExpress recognises the rights of sellers to a fair process, ensuring that all penalties for merchant fraud have been reviewed by a human before being issued.
If a merchant disputes a penalty, they can submit an appeal, and if the appeal is successful, the penalty will be reversed. Buyers are protected through robust refund and return policies.

3) Rapid Takedown and Recall Processes: We have a direct API integration with the EU Safety Gate system for rapid product recalls and employ a robust Notice & Action system for IPR takedown requests.

4) Cooperation with Authorities: We maintain channels for cooperation with EU market surveillance authorities and respond to legal orders in a timely manner.

6.3. Intellectual Property Rights

6.3.1. Overview

The Intellectual Property Rights (IPR) module assesses the systemic risk of disseminating IPR-infringing content. Our IPR protection policies continue to be defined in accordance with applicable EU legislation, including Directive 2001/29/EC (“the Copyright Directive”), Directive 2004/48/EC (“the Enforcement Directive”), and Directive (EU) 2019/790 (“the Directive on Copyright in the Digital Single Market”).

Our assessment confirms a High inherent risk, characteristic of a large-scale marketplace. However, our multi-layered control framework mitigates this risk, resulting in a Medium residual risk. This is evidenced by a high proactive control rate and a very low reappearance rate for removed products. The residual risk remains at a Medium level [Confidential]. This is a persistent challenge in a dynamic environment where malicious actors continuously devise new tactics to evade detection. AliExpress is continuously enhancing its detection technology to address this and better protect both rights holders and consumers.

6.3.2. Inherent Risk

Inherent IPR risks arise from the misuse of platform functionalities, as catalogued in Section 6.1. Critical vectors include deceptive listings, livestream promotions, and high-volume uploads, which are primary tactics for disseminating counterfeit goods at scale.
[Confidential] While our Advertising and Recommender Systems are equipped with their own pre-publication screening and controls to exclude high-risk content and content that is illegal and/or incompatible with Terms and Conditions, a residual risk of amplification remains for infringing products that evade all layers of proactive detection. In such instances, this could manifest as targeted ads or as algorithmic suggestions for counterfeit goods in a user’s “You may also like” feed.

6.3.2.1. Inherent Risk Score for IPR

Based on an evaluation of three key conditions (See Table 6-3), the inherent risk of IPR infringement absent any controls is assessed as High.

Table 6-3: IPR Inherent Risk Score

Condition 1: Historic Occurrence of IPR risks on AliExpress
Based on a documented pattern of violations in our internal data, IPR infringement is an evident and inherent risk on the AliExpress platform. Between July 2024 and June 2025, we took a number of distinct actions against IPR-infringement which showed us:
● [Confidential] IPR-illegal products were identified and penalised, and
● [Confidential] validated and actioned items identified as IPR infringements (reactive measures, i.e., Notice & Action).

Condition 2: Historic occurrence of IPR risks on other marketplaces
Peer VLOPs’ public reports suggest similar systemic IPR risks.

Condition 3: External evidence from regulators, consumer bodies, researchers
External evidence from regulators, consumer bodies, and independent researchers, including monitoring initiatives such as the Commission's Counterfeit and Piracy Watchlist, consistently identifies online marketplaces as high-risk environments for counterfeit goods.

6.3.3. Residual Risk

While the inherent risk assessment is high, our assessment places the residual risk at Medium. This is driven by strong performance across our controls, including [Confidential].
Residual risk remains given the complexity of IPR enforcement at scale and the emergence of new evasion tactics, which are continuously monitored and addressed. The primary challenges are minimising the 'survival time' of infringing content that evades initial detection and reducing its potential for amplification through recommendations. This balance of strong performance against a dynamic threat supports the Medium risk rating.

Table 6-4: IPR Residual Risk Score

Dimension | Metric | Result
Probability | Ratio of Violative Products from Total EU Products | Total illegal IPR products exposed to EU consumers: [Confidential]
Probability | Proactive Control Rate | Our Proactive Control Rate is [Confidential], representing the proportion of IPR illegal moderations done based on AliExpress’ own initiative.
Probability | Actioned Report Rate | Number of actioned reports on items: [Confidential]. Actioned Report Rate: [Confidential] and a median removal time [Confidential].
Probability | Reappearance Fail Rate | Recurring data from 1 April 2025 to 30 June 2025, data on repeated violations of IPR illegal products: [Confidential].
Severity - Scale | Exposure Score Ratio | Data from April to June 2025: [Confidential] products were penalised during this period, of which [Confidential] fell into low-risk IPR categories. [Confidential]
Severity - Scale | Rate of Infringing Purchases in EU | Number of illegal items ever purchased in the EU market: [Confidential]
Severity - Scope | The extent to which the harm is physical, psychological, informational, economic, and/or societal; and how the harm may be experienced by vulnerable groups | The impact is primarily related to economic harm and may interfere with a buyer’s ability to use or enjoy the purchased product as intended. While such violations are not typically intended to cause physical or mental/emotional harm, they may still result in minor to moderate economic harm, such as a buyer paying a premium price for a counterfeit product.
In rare cases, the harm could be more significant if a counterfeit item also poses a safety risk, for example in cases with fake electronic or cosmetic products.
Severity - Remediability | Refund rate¹ | [Confidential]

6.3.4. IPR Risk Mitigation and Control

This section details AliExpress’ comprehensive risk mitigation framework for mitigating and controlling the risks of IPR infringement as identified in the Inherent Risk section. This year, AliExpress has continued to employ strong risk mitigation control mechanisms while expanding capabilities to ensure they properly respond to new and emerging risks.

AliExpress’ IPR control framework is anchored by the [Confidential] system, an integrated risk detection platform employing a dual-mechanism approach of pre-listing interception and post-listing interception controls. This mechanism ensures that IPR-infringing content is identified and blocked in a timely manner. Our comprehensive strategy combines sophisticated algorithmic detection with rigorous manual review to address risks holistically: listings and content are screened for IPR infringement both before and after publication.

In alignment with Article 34 of the DSA, this section systemically outlines how AliExpress’ risk mitigation and control measures directly correspond to the systemic factors contributing to IPR infringement as outlined in our Inherent Risk section above. Our risk mitigation framework is implemented using the three-tiered approach as highlighted in Section 6.2.

Despite our multilayer framework, the risk landscape for IPR infringement continues to change as new forms of infringement emerge. While new risk tactics continue to emerge, the framework is designed to adapt and incorporate new improvements, and the design and operational effectiveness of our controls are continuously iterated upon to manage these persistent and dynamic risks.
However, challenges persist due to the potential misuse of personal data by sellers and the evolving tactics of bad actors seeking to extract user information.

6.3.4.1. Addressing Risks from Platform Design and Functionalities

1) Deceptive Images and Modified Listings: To combat risks that sellers may use deceptive images or modified listings to evade detection, AliExpress has implemented a mandatory pre-publication review for all product listings [Confidential]. This screening process combines automated analysis with manual verification (all listings flagged by the [Confidential] system are subject to manual review and may only be published upon verification of compliance).

¹ While AliExpress informs users in accordance with Article 32 of the DSA of the fact that the product purchased was deemed as illegal and the relevant means of redress, and facilitates the refund for such purposes, not all buyers may decide to apply for such redress for various reasons (e.g., the product has already been consumed or had already been disposed of).

2) Bulk Uploads and Re-uploads: To prevent mass uploads of counterfeit goods and re-upload of previously removed listings, our controls are designed to detect and prevent large-scale and repeated violations.

● [Confidential] Overall Store Closure Penalty Related to IPR: In practice, these measures have led to the closure of [Confidential] stores for qualifying as serious IPR violations in certain extreme / conspicuous situations, and an additional [Confidential] stores after penalties accumulated under the three-strike rule qualified as serious violations, demonstrating consistent enforcement against repeat violators. These measures have kept the reappearance rate of previously removed IPR-infringing products at a low rate [Confidential]. In practice this means the vast majority of infringing listings, once removed, do not reappear on the Platform.
3) Misuse of Instant Messaging (IM) & Hidden Links: AliExpress actively mitigates the sharing of “hidden” or “secret” links to infringing goods in our IM channel through the following measures: [Confidential]

4) Repeat Offenders: Our Platform requires all sellers to be registered as a business with a relevant government authority. During onboarding, we collect and verify comprehensive information from both China-based and European sellers. Since March 2024, we have further strengthened these controls by directly collecting additional information about the registration authority for sellers during the onboarding process. In addition to the controls mentioned in Section 6.2, the following measures are also included for IPR:

● Brand Authorisation / Seller Vetting System: Sellers must provide proof of product legitimacy (e.g., genuine invoices and/or an authorisation chain) to list branded products and repeat attempts lead to serious infringement penalties. We also continuously improve our capability of identifying and rejecting forged documents.

5) Livestream Promotion: We have specific internal control measures to prevent the misuse of AliExpress Live, which include a strict onboarding assessment for all streamers and behaviour controls that allow us to issue warnings, suspend broadcasts, or terminate accounts for policy violations. We also apply measures to ensure end-user safety, including the temporary suspension of the live comment function. The Platform reviews pre-listing stream content (e.g., pre-broadcast announcements) to ensure compliance before airing. During the broadcast itself, advanced real-time monitoring mechanisms are deployed, including image frame capture with algorithmic review to detect high-risk content. Additionally, live chat comments are filtered through real-time risk control strategies to detect and block illegal content.
6) Misuse of Affiliate Program: Mitigations around IPR risks on AliExpress are closely linked to content compliance risks on the Platform; therefore most mitigations around misuse of the Affiliate Program are highlighted in the Content Compliance module. However, to specifically mitigate against the risk that the Affiliate program may be misused to promote and sell counterfeit goods, since October 2024, we have put in place specific controls against hidden links that may be spread through the affiliate program. After an infringement is discovered, AliExpress disconnects the tracking of the link, so that each click on the disconnected link will show a “404 page”. Any related order will also not be recorded for commission; for repeated offenders, AliExpress will suspend the account.

7) User-Generated Content (UGC): To mitigate the risk that user-generated spaces like Customer Reviews and Q&A can unintentionally facilitate IPR violations, an internal inspection team sweeps the Platform, performing user-like searches to check for infringing content. Our post-listing interception moderation mechanism also applies to textual data, and we conduct manual reviews of high-traffic content.

6.3.4.2. Addressing Risks from Other Systemic Factors

AliExpress also mitigates broader systemic risks from advertising, content moderation, and recommender systems through operational controls and policy enforcement.

1) Advertising & Recommender Systems: To mitigate the risk that infringing goods may be promoted through paid ads or recommended to users, we have implemented a pre-listing interception risk management system for all advertisements. Advertisement content for Pay-Per-Click will be published only after passing a risk control review that combines algorithmic and manual review. We also actively monitor public forums, news, and regulatory developments to identify emerging concerns and optimise our risk control rules accordingly.
[Confidential]

2) Content Moderation Systems: To mitigate the risk that bad actors may use tactics to bypass proactive detection, we have implemented a multi-layered approach:

● We continuously improve our IPR knowledge bases, and refine the Metrix used in our detection algorithms.
● Personnel & Training: Our manual review process is managed by the CRO team, with [Confidential] outsourced staff dedicated to IPR content moderation as of July 2025 [Confidential].
● Standard Operation Procedure (SOP): Once an algorithm flags a suspicious product, our audit team follows an SOP to guide their review. These SOPs are regularly updated by our full-time employees and contractors to reflect new risk vectors.

The manual review process is managed by the CRO - Business Risk Management team, which assigns reviews to specialised teams. As of July 2025, the staff personnel under outsourcing contracts were dedicated to IPR content moderation, operating in specialised sub-teams: [Confidential]

3) Process Improvements: We have improved the handling of algorithmically flagged listings, which, along with the other improvements, ensures that our systems are also highly efficient. We have also implemented a two-tiered post-detection mechanism to address residual risks, including:

● Targeted Manual Front-End Inspections: This inspection process is designed to mimic how consumers interact with the Platform and thereby detect infringing products that evade standard controls and are exposed to consumers.
● EU-based Third-Party Independent Monitor: The Platform has engaged a third-party expert firm to conduct periodic sampling of live listings to provide regular and objective assessments. Cleanliness rate is one such metric that is tracked and if it falls below a certain threshold, our escalation process is triggered.

4) Policies and Enforcement: We ensure our policies are consistently enforced to prevent and deter infringement.
Relevant policies prohibit the posting or offering for sale of products that infringe on IPR and set out appropriate penalties. These policies are actively updated to include new Platform rules for product recalls and updates to our IP Rules. For example, we have also introduced specific penalties for concealed counterfeiting and updated our regulations for cross-border merchant fraud. Furthermore, we have implemented online rules to address fraudulent bidding by full-service merchants.

Our IPR policy defines infringement types and corresponding penalties. According to our penalty point system, repeat violations can result in immediate store closure upon accumulating up to 48 points, or 3 strikes (“3 strikes” being a principle adopted for penalising serious violations on IPR infringements [2]). We have also addressed certain technical issues that previously delayed the effect of penalty records, ensuring full synchronisation between detection and enforcement processes.

[2] Update of Enforcement Actions for Intellectual Property Rights (IPR): https://rule.aliexpress.com/rule-channels/37978936/127561565

5) External Risk Identification & Cooperation - A robust Notice & Action system: We maintain a system for external reports from various stakeholders, including users and IPR owners, providing multiple avenues for reporting such as a dedicated IP Protection (IPP) Platform, an online notice form, and an email address for IP rights holders. The maintenance of three takedown request submission channels provides convenient ways for rights holders to lodge removal requests. Through the daily work of the GIP Enforcement team as well as our involvement in the EU Memorandum of Understanding on the Sale of Counterfeit Goods on the Internet (MoU), we also receive and action feedback from rights holders. Additionally, we use automated means to periodically crawl brands’ official websites, extracting and analysing relevant non-personal data to enhance our risk identification measures.

6.3.5. Overall Mitigation and Control Effectiveness

As outlined in our methodology, our control effectiveness assessment is a multi-dimensional analysis of design and actual performance. The results show our IPR controls have a strong, multi-layered design, proven by key indicators like a prompt reactive response time of under two business days for valid notices and a low [Confidential] reappearance rate. This assessment has also identified key priorities for our mitigation roadmap, such as further reducing content 'survival time', strengthening our risk feedback loop, and expanding our non-English language support.

Table 6-5: IPR mitigation and control effectiveness
Design | Mitigations and controls in place are multi-layered in design integrating algorithmic detection, human review, systemic penalties, and continuous monitoring. In addition to our internal systems, we continuously engage with third parties and key global brands to combat IPR risks. [Confidential] For any reports we do receive, we also ensure a prompt reactive response, typically within two business days. Moreover, new circumvention tactics (e.g., hidden links, product edits) are assessed, and well-designed mitigation means are incorporated into our design to mitigate risk.
Intent | While our controls are largely implemented and functioning as intended, this year’s assessment has identified key priorities to further improve our framework, such as expanding our non-English language support and further strengthening our feedback loop across all controls.
Mitigation effectiveness and KRI | The controls designed and implemented during the course of this reporting period have reduced the residual risk of IPR infringements on the service. [Confidential]

6.3.6. Future Mitigation Plan

We plan on improving our mitigation measures against IPR risks in the following areas:

Strengthened prevention against repeat IPR infringements: [Confidential]

Dynamically supplement proactive control database: [Confidential]

Expand human resources & QA oversight: We will hire more specialised reviewers for brand authorisation requests, to reinforce the accuracy and timeliness of moderations. In addition, we will establish a QA-led framework to oversee the quality of moderation related to the Enhanced Brand Authorisation System on a quarterly basis.

Increased Security Deposit Requirements: Regarding severe violations of platform rules, we will increase the seller’s performance security deposit to improve the effectiveness of our policy enforcement.

6.4. Data Protection

6.4.1. Overview

This module assesses data protection risks, grounded in our DSA and GDPR obligations. Our assessment places the inherent risk at Medium, reflecting the large-scale data processing required to operate our marketplace. To manage this, we employ a multi-layered and Highly Effective control framework featuring robust measures such as strict seller onboarding, data minimisation, and anonymisation. These strong controls materially reduce risk, resulting in a Low residual risk profile, which is supported by the low probability of significant incidents and the absence of any material data breaches in the reporting period.

6.4.2. Inherent Risk

The inherent risks of data protection on AliExpress manifest through the Platform’s design, functionalities, and other operational factors that necessitate the transfer and processing of personal data. As a global marketplace, AliExpress facilitates transactions between buyers and sellers, which necessitates the transfer of personal information. While this transfer is essential for Platform operations, it introduces risk of misuse or unauthorised access.
Key risk vectors include the potential for misuse of user data by sellers, the complexities of cross-border data transfers, and the possibility of unauthorised access through external cyberattacks. Platform features like IM and Reviews also present a risk of unintentional data leakage or phishing attempts by malicious actors. At a systemic level, risks of privacy intrusion can arise from the use of data in advertising and recommender systems, while any system processing user data carries an inherent risk of potential breaches or processing errors.

6.4.2.1. Inherent Risk Score for Data Protection

The inherent risk for Data Protection is assessed as Medium. This conclusion is based on a balance of three factors: while our internal data shows a limited scale of data-related violations, the large volume of personal data processed on our platform creates inherent exposure. This is corroborated by the consistent evidence of privacy risks across peer platforms and research from external authorities highlighting ongoing privacy concerns in the e-commerce sector.
Table 6-6: Data Protection Inherent Risk Score

Condition 1: Historic Occurrence of Data Protection Risks on AliExpress
Our internal data shows evidence of limited risk occurring on the Platform with:
● No data breaches were recorded on the Platform in the reporting period
● No risk of data breaches or privacy violations involving buyer information (e.g., addresses, contact details) was reported in after-sales in the reporting period
● No privacy risk incidents were reported or detected for AliExpress Live in the reporting period
● [Confidential] isolated cases were recorded of requests to delete comments in Reviews that contained personal data at the request of users in the EU region in the reporting period
● No data privacy violations related to advertising systems were detected or reported in the reporting period
● No data leakages were reported in content moderation system in the reporting period
● [Confidential] EU users exercised Data Subject Requests (“DSRs”) to opt out of the personalised recommendation function in the reporting period

Condition 2: Historic occurrence of Data Protection risks on other marketplaces
Peer platforms report risks such as impersonation scams during peak shopping periods, and record high volumes of user information requests and law enforcement information requests.

Condition 3: External evidence from regulators, consumer bodies, researchers
Privacy authorities around the world identify risks of potential violations of cross border personal data transfers against the GDPR and local privacy laws in marketplaces.

6.4.3. Residual Risk

Even though no platform can entirely eliminate the risk of data protection violations, our assessment places the residual risk at Low. This is driven by the strength of our control systems, and the fact that no material breach was reported or detected in the last year.
Residual risk still exists given the potential misuse of personal data and evolving tactics of malicious actors, which are continuously monitored and addressed. This balance of strong performance despite a dynamic threat supports the Low risk rating.

Table 6-7: Data Protection Residual Risk Score
Dimension | Metric | Result
Probability | Evidence of risk occurring | Based on historical evidence of incidents on the Platform, there is evidence of limited risk occurring on AliExpress. The low number of actual incidents shows that the controls are effective at preventing harm.
Severity - Scale | The number of users and non-users that are, or could be, affected. | The potential impact of a worst-case scenario in a major data breach or illegal cross-border data transfer is high.
Severity - Scope | The extent to which the harm is physical, psychological, informational, economic, and/or societal; and how the harm may be experienced by vulnerable groups. | Impact is likely to result in moderate mental/emotional and/or financial harm, or a moderate interference with fundamental rights, and the harm has the potential to impact vulnerable groups. As the protection of personal data is a fundamental right under Article 8 of the EU Charter, data protection risks may therefore amount to an interference with this right.
Severity - Remediability | The ability to restore impacted individuals to their prior state | Once user data has been breached, it is unlikely the remedy will restore the person/situation to the state before impact.

6.4.4. Risk Mitigation and Control

In Year 3, AliExpress has continued to operate strong control mechanisms while expanding capabilities in response to new and emerging risks.

6.4.4.1. Addressing Risks from Platform Design and Functionalities

1) Misuse or unauthorised access to user data: To prevent the misuse of Platform functionalities that could expose user data, we verify all buyers and sellers from the moment of account registration. This process mitigates the risk that anonymous or fake accounts may be exploited for malicious purposes, including the illegal collection, use, and dissemination of other users’ personal information. Buyers are required to create secure passwords and verify their identity via phone or email. Sellers, specifically those aiming to sell products to EU consumers, undergo a robust onboarding process where we collect and verify key information, including business details and their undertaking to only offer products that comply with applicable EU laws. Sellers must provide this information and related documentation, and pass verification before they can sell their products to EU consumers on AliExpress. Since March 2024, we have further strengthened these controls by directly collecting the name of the registration authority (i.e., the trader register or similar public register) during onboarding. This additional verification step further reduces the risk of malicious actors using fake accounts to access or misuse user data. In addition, in February 2025 we completed a verification of the existing sellers on the platform.

2) Misuse of Platform Functionalities (e.g., Product Listings, IM, AliExpress Live) to exploit personal information: AliExpress employs its [Confidential] Risk Management Platform to identify data privacy risks, such as personal contact details, within buyer-seller conversations and in product reviews. Hyperlinks sent via IM to redirect users to a third-party website that could illegally collect, process, transmit/share, and store user personal information are blocked after they trigger the Platform’s risk control rules.
3) Data sharing and data transfers: We take significant steps to mitigate data protection risks associated with the transfer of EU users’ personal data to non-EU countries. To ensure legal compliance, these data transfers are conducted based on the necessity of fulfilling contracts between users and the Platform, legitimate interests, and/or users’ consent. Meanwhile, we sign Standard Contractual Clauses (SCCs) approved by the EC, conduct Transfer Risk Assessment (TRA), and implement certain security measures to reduce the risks of data transmission.

We have also made efforts to minimise international data transfers by promoting the use of EU-based warehouses, which not only enhances the user experience and speeds up logistics but also reduces the number of logistics providers involved, thereby lowering the risk of data breaches. The personal data of EU users is securely stored within the EU, specifically in a data centre located in Germany, with cross-region crisis recovery back-ups in Singapore and the United States.

To mitigate privacy risks associated with third-party partners, we clearly inform users in our Privacy Policy about third-party partners and the basis for processing personal information, stating that the AliExpress Privacy Policy does not apply to these third-party sites, and we do not impose any limitations or obligations on users accessing or using such third-party sites. We advise users to review the relevant privacy policies of these sites before engaging with any offers, products, or services they advertise.

Throughout Year 2 and Year 3, we have implemented training programs to educate both sellers and third parties on effective data protection. For sellers, we published the “Notice on the implementation and compliance of personal data protection security measures”.
Additionally, cooperation agreements with sellers include clauses on “personal information protection” and “relief measures” to provide agreement-level support and guarantees for personal data protection. [Confidential] Furthermore, internal Privacy Impact Assessments are conducted to proactively assess related risks and deploy mitigation measures.

We also enforce strict security measures for third parties that may access users’ personal information. This includes conducting data due diligence and ensuring that, where applicable, data processing agreements (DPAs) are signed with the corresponding collaborating third parties. We share only the minimum necessary user data with third parties to maintain security and privacy throughout our collaborations. [Confidential] [Confidential] At the same time, AliExpress assesses whether the security level of third parties can meet the security requirements by sending out security questionnaires and conducting regular security scans. We also conduct regular compliance reviews and update measures on these third-party partners to avoid situations where the current compliance status is inconsistent with the compliance status at the time of their onboarding.

4) After-sales: [Confidential]

6.4.4.2. Addressing Risks from Other Systemic Factors

AliExpress also mitigates broader systemic risks from advertising, content moderation, and recommender systems through operational controls and policy enforcement.

1) Advertising & Recommender Systems: To mitigate data protection risks from advertising and recommender systems, we employ a multi-layered approach prioritising user control and data transparency:
● Enhanced user control of personalised systems: We rigorously protect users’ right to make independent decisions regarding personalised content. We perform quality tests [Confidential] to ensure that when users opt out of personalised recommendations, their information is not used for such purposes.
Our testing team audits this functionality, with results reviewed by both the PIC (“Person-in-Charge”) and QA. Users can also easily exercise their rights to control personal data via the Platform customer service, privacy centre, or by contacting the DPO (Data Protection Officer) to manage personalised advertisements. We also provide a simple switch to turn off all personalised product recommendations, as these are never based on sensitive categories of personal data. When a user first visits AliExpress, a proactive cookie banner allows them to refuse data use for advertising recommendations. They can refuse to use their personal data for personalised recommendation purposes by clicking the “Reject” button on the banner, or they can set their own consent status for each type of cookie (except essential cookies) through the Cookie preference page. We also offer users enhanced control over their experience through our Privacy Centre, where they can understand how to manage push notifications and customise data collection preferences.
● Enhanced Data Transparency: We ensure transparency in all data processing matters. Upon registration, our privacy policy clearly outlines what information we collect and its purpose. Any policy adjustments are communicated promptly, and major revisions require user reconfirmation. When a user/visitor visits AliExpress for the first time, the Platform will proactively inform the user of the details of our use of cookies and similar technologies in the form of a cookie banner. If users want to know more details, they can also click the hyperlink on the banner to visit the “Cookie Notice” for more information.
● Enforcing Data Privacy Policies: We ensure transparency in all data processing matters. Upon registration, our privacy policy clearly outlines what information we collect and its purpose. Any policy adjustments are communicated promptly, and major revisions require user reconfirmation.
○ [Confidential]

2) Content moderation systems: Our content moderation system has implemented a strict permission control to minimise data protection risks. This means that only the reviewers who have passed the permission approval can view or operate the content to prevent personal information leakages. We also have designated a dedicated organisation and person in charge of personal information protection (i.e., Data Security Compliance Team). The team is responsible for overseeing personal information protection, and formulates and maintains policies related to data security.

3) Data security breaches and user notices: To protect against external data scraping and malicious cyber-attacks, we ensure that personal data is anonymised when possible. [Confidential] Three entry channels (i.e., DPO email, customer service, and privacy centre) are provided on our platform so that users can exercise their data subject rights easily and directly. In Year 3, AliExpress handled and responded to users’ reports in a timely manner in accordance with the requirements of applicable laws and regulations [Confidential]. We optimised the relevant SOP to better meet the diversity of user requests, better protect user data rights and to improve the response time and processing efficiency of related requests. The SOP sets out in detail the processing procedure and the responsible person for each type of Data Subject Right Request. For example, when a user requires the Platform to disable personalised recommendations, the staff person who receives the user’s request will create an internal processing ticket, which will be distributed to the person in charge of the corresponding operation. After the technical side processing is completed, the relevant staff person will reply to the user that the request has been processed.

4) Policies and Enforcement: Our Privacy Policy is a key component in mitigating data protection risks on AliExpress.
It clearly outlines how we collect, process, store, and transmit personal data in compliance with the GDPR principles of lawfulness, fairness, and transparency. By detailing the types of information we collect and the contexts in which it is processed, we empower users to understand and control their data. The policy covers essential areas such as information collection, data retention, user rights, security measures, and international data transfers, making sure users are informed and can exercise their rights, including requesting data deletion or opting out of personalised ads. Between 1 July 2024 and 30 June 2025, our Privacy Policy in the EU region was updated once.

To mitigate data protection risks from possible insufficiencies of our policies, our Legal team continuously monitors and records information on relevant laws and regulations to stay updated on any changes that may affect our platform’s operations. If new regulations are introduced or existing regulations are adjusted, we compare them against our internal policies to identify any gaps. For example, we monitor data protection-related legislation and enforcement activities through specialised data compliance websites. Additionally, our Legal team regularly reviews our business operations to ensure that the information we disclose and the rules we formulate are consistent with our actual business practices.

AliExpress makes its Privacy Policy easily accessible through multiple channels, including the portal and app settings, so users can fully understand how their data is handled. We provide high-level information about the parameters used for our advertising system in the Privacy Policy, Cookie Notice and Transparency Centre. AliExpress users can exercise their data subject rights via the Privacy Centre or by contacting the DPO. For instance, users can delete their accounts, unsubscribe from marketing messages, or turn off personalised ads.
Additionally, we display to EU users a cookie banner, allowing them to refuse data collection by cookies and other similar technologies. [Confidential]

When users register with AliExpress, we disclose what information is collected and its purpose, as stated in our Privacy Policy. If the Privacy Policy is adjusted, users can access the latest and the previous version of the Privacy Policy at any time. In some cases when we make major revisions to the key terms of the Privacy Policy, users will be informed of these changes and will be prompted to read and agree to the new terms.

5) External Risk Identification & Cooperation: AliExpress implements a policy for crisis management [3], and has built an emergency response team to deal with incidents of personal data leakage in a timely manner. The emergency response team includes staff from business, legal and public affairs departments; at the same time, we have put forward time requirements for incident response. In accordance with laws and regulations, AliExpress requires that personal information leakage incidents be discovered within [Confidential] and notified to the competent regulatory authorities. We conduct a security incident drill [Confidential] to formulate standardised and practical business emergency plans for common personal data security incidents. We also actively strengthen staff’s experience on crisis response to improve emergency response efficiency. If data leakages need to be reported to regulators according to applicable laws and regulations, AliExpress will handle them in accordance with the requirements of such relevant laws and regulations.

6.4.5. Overall Risk Mitigation and Control Effectiveness

The design and intent of our Data Protection controls are robust, with strict onboarding, minimisation of seller access to personal data, and anonymisation measures [Confidential].
Controls are consistently applied and supported by independent validation [Confidential], as well as documented internal monitoring. Operational indicators further confirm the effectiveness [Confidential] demonstrating that the controls materially reduce residual risk and function as intended, with residual exposure primarily linked to the scale of data requests and the complexity of cross-border multiple-party transfers, which are managed through established safeguards.

Table 6-8: Data Protection mitigation and control effectiveness
Design | AliExpress’ controls are well-designed to mitigate data protection risks. Seller onboarding requires robust verification, and buyers’ and sellers’ access to personal data is strictly minimised to shipping and transaction-related purposes [Confidential]
Intent | Controls are effective and user rights mechanisms (opt-outs, cookie banners, account deletion, privacy centre) are consistently applied. Safeguards are embedded through impact assessments and policy reviews, with compliance for cross-border multiple-party transfers remaining an area of ongoing review and improvement.
Mitigation effectiveness and KRI | Quantitative indicators show the controls are functioning effectively in practice. [Confidential] Three entry channels (customer service, privacy centre, DPO email) facilitate user access to rights. These outcomes show clear evidence that the controls reduce residual risk.

[3] Specifically the “Alibaba International Digital Commerce Group Emergency Management General Outline”.

6.4.6. Future Risk Mitigation Plan

In Year 3, the residual risk rating of “Low” remains consistent with the progress achieved in Year 2, reflecting the effectiveness of our ongoing mitigation strategies. [Confidential] We will further strengthen our mitigation strategies to address evolving challenges.
Key areas of improvement include:
● Maintain the sustainability of the data security [Confidential]
● Conducting EU-specific data security drills: We will conduct an EU-specific data security drill in accordance with the compliance requirements of the EU. The drill will simulate real-world scenarios (e.g., breaches of users’ privacy data) to test the resilience, response mechanism and compliance readiness. This will inform the iterative improvement of our data governance framework, ensuring alignment with the regulatory requirements of the EU.

These measures aim to proactively address residual risks while reinforcing our commitment to data protection across global operations.

6.5. Consumer Protection and Related Fundamental Rights

6.5.1. Overview

The Consumer Protection and Fundamental Rights module assesses systemic risks linked to potential violations of consumer rights, in line with EU law and the EU Charter (2012/C326/02), with particular reference to Article 38. We considered how platform features and other influencing factors identified in Article 34(2) of the DSA may affect users’ rights, including access to fair information, protection from exploitation, effective remedy, and the safeguarding of minors.

6.5.2. Inherent Risk

Our assessment confirms a High inherent risk, reflecting the realities of operating at the scale of a global marketplace. This conclusion is informed by attempts and instances of product listings incompatible with Terms and Conditions, fraudulent merchants, and manipulated reviews that have been detected on the Platform, alongside comparable evidence from peer marketplaces facing the same systemic risks. Regulatory findings and independent research reinforce that these challenges are sector-wide and not unique to AliExpress.
The inherent risk also reflects both emerging threats, such as attempts to use AI to generate reviews, and persistent areas of attention, including safeguarding minors and monitoring design features that could unintentionally encourage excessive use. Taken together, these observed and anticipated dynamics establish consumer protection and related fundamental rights as a High inherent risk area. 6.5.2.1. Evolving and Emerging Risks to Consumers’ Rights 1) Inherent Risks to Minors: In line with growing efforts to protect minors – individuals less than 18 years old – online, including on online marketplaces like AliExpress, we have assessed the risks our Platform could pose to minors who circumvent existing controls to access our service. The most critical risk vector, in this regard, is account creation (i.e., the risk that minors may misrepresent their age to create an account), thereby circumventing the Platform’s controls and gaining unauthorised access to the service. Other risks include age-inappropriate content, where minors who have circumvented minimum age access requirements could be exposed to content or product listings that are compliant with platform policies but are still age-inappropriate (e.g., listings for adult products). In addition, interactive Games on the Platform could also pose a risk, as minors who gain unauthorised access to the Platform may be particularly vulnerable to the risks of prolonged or excessive engagement. 2) Fake or manipulated reviews are an inherent risk in any large-scale online marketplace. Such risks can originate from different sources [Confidential]. Emerging technologies, including generative AI, add a further dimension by enabling bad actors to produce reviews at scale that closely mimic authentic content, making detection more challenging. 6.5.2.2. 
Inherent Risk Score for Consumer Protection The inherent risk of consumer protection and users’ fundamental rights being violated on the Platform is High based on the evaluation of three key conditions, where higher scores indicate greater likelihood of risk occurring absent any controls. 44 Table 6-9: Consumer Protection Inherent Risk Score Condition 1: Historic violations of consumer rights and related fundamental rights on AliExpress ● Based on internal historical data, violations of consumer rights and related fundamental rights is an existent and inherent risk on AliExpress. [Confidential] Condition 2: Historic violations of consumer rights and related fundamental rights on other marketplaces Peer platforms report: ● The receipt of Article 16 notices for scams and fraud perpetuated on their relevant services. ● Proactively blocking millions of suspected fake reviews. ● The receipt of notices regarding the protection of minors. Condition 3: External evidence from regulators, consumer bodies, researchers There is evidence of consumer-protection-related risks on marketplaces, as shown in reports from regulatory bodies and credible third-party organisations: ● In 2022, an EC press release reported that 55% of 223 major websites checked by EU consumer protection authorities were found to potentially violate the EU’s Unfair Commercial Practices Directive, which requires truthful information like genuine reviews to be presented to consumers.4 ● A 2021 OECD report on “The role of online marketplaces in enhancing consumer protection” noted that while online marketplaces benefit consumers, they face key challenges like fake reviews, scams, counterfeit products, and dark commercial patterns. 5 4 Available at Protecting consumers from misleading reviews. [Last accessed 28 August 2025]. 5 Available at The role of online marketplaces in enhancing consumer protection. [Last accessed 28 August 2025]. 45 6.5.3. 
Residual Risk Our controls reduce exposure to a Medium residual risk, supported by the low ratio of products incompatible with Terms and Conditions, high refund rates, and dedicated after-sales resolution process. Residual risk persists mainly because some violating products that evade initial controls may still appear through recommender systems, which is a current focus of optimisation. In addition, evolving risks such as AI-generated or fake reviews remain sector-wide challenges. These areas are embedded in our strategic improvement roadmap, with ongoing investment in recommender optimisation, advanced review detection, and strengthened redress mechanisms. Table 6-10: Consumer Protection Residual Risk Score Dimension Metric Result Probability Ratio of violative content or products against all products or content on the service [Confidential] Reappearance fail rate Not applicable as products assessed in this regard are not illegal. Actioned report Rate Consumer complaints are managed and resolved through after-sales customer service. [Confidential] Severity - Scale Exposure Score Ratio [Confidential] Severity - Scope The extent to which the harm is physical, psychological, informational, economic, and/or societal; and how the harm may be experienced by vulnerable groups The impact of violating consumer and users' fundamental rights can range from economic to physical and psychological. Consumers may lose money on products that are never delivered, are not as described, or are fraudulent. Inaccurate or fraudulent product descriptions could also lead to the purchase of potentially harmful products, thereby impacting the physical safety of customers. Violations of consumer rights can also lead to feelings of anger, frustration, and helplessness, which could take a serious emotional toll, especially when the 46 Table 6-10: Consumer Protection Residual Risk Score Dimension Metric Result purchased item was intended for a special purpose, like a gift. 
Furthermore, such violations can result in an overall loss of trust in the Platform. Minors are also at heightened risk as they could be exposed to age-inappropriate content or be particularly vulnerable to potentially addictive features.
Severity - Remediability | Refund rate I - Ratio of products refunded based on fraud-related fake shipments over total number of fake shipments | [Confidential]
 | Refund rate II - Ratio of products refunded for product related issues such as misleading descriptions over total number of products purchased with such product related issues | [Confidential]

6.5.4. Risk Mitigation and Controls

AliExpress employs a multi-layered control framework to protect consumers and uphold fundamental rights. This combines preventive measures at entry, in-platform safeguards, and responsive remediation processes.

Preventive controls at entry include strict seller onboarding, product listing checks, and fraud detection strategies such as monitoring logistics data for fake shipments. Age restrictions and transactional hurdles (e.g., valid payment methods) also act as deterrents against underage access.

In-platform protections filter potentially harmful or age-inappropriate content, prevent the recommendation of sensitive categories, and monitor interactive features to avoid exploitative or addictive patterns. Fraudulent or misleading practices, including fake reviews, are detected using algorithmic tools and penalised accordingly.

Responsive action and redress mechanisms ensure prompt consumer protection. Refund and return policies resolve the vast majority of disputes, complemented by after-sales support and product recall processes. Parental reporting channels and accessible user complaints systems reinforce consumer empowerment, while penalties for fraudulent or abusive sellers ensure accountability.
This framework is continuously updated in line with evolving risks, including generative AI, fake reviews, and emerging design patterns, to ensure strong consumer protection across the Platform.

6.5.4.1. Addressing Risks from Platform Design and Functionalities

AliExpress mitigates risks inherent in platform features through a multi-tiered control framework focused on product integrity, platform interactions, and transaction security/redress. Controls are designed to intercept attempted misuse and address detected instances, consistent with sector-wide dynamics.

1) Product integrity controls: We monitor and act on misleading product information, qualifications, and fake reviews. This includes proactively moderating prohibited keywords in product information (e.g., titles, images and descriptions) and using tools to verify submitted documents. We also enforce strict rules against fake reviews, which are addressed through penalties ranging from review removal to account termination.

2) Platform interaction controls: We review interactive experiences and interface patterns to prevent exploitative designs and reduce amplification risks. Potential dark-pattern issues are proactively investigated and resolved, and recommender safeguards are continuously refined. To ensure our approach remains adequate, and considering the lack of relevant guidance in this space, we supplement our internal efforts with engagement and feedback from third parties, including feedback from users, regulators and auditors, to continuously guide our enhancement efforts.

3) Transaction security and redress: Fraud risks in delivery and fulfilment are addressed through proactive transaction monitoring, including the analysis of spikes in transaction data and reverse arbitration trends (e.g., refunds and disputes).
Refund and return mechanisms consistently ensure effective remediation for consumers, supported by proportionate penalties such as freezing funds, order cancellation, joint liability sanctions across linked accounts (stores under the same legal entity), and store closures. AliExpress operates both after-sales customer service and out-of-court settlement mechanisms, designed to ensure consumer complaints are addressed and resolved in a fair and timely manner. To reinforce accountability, we also apply the AliExpress Cross-Border Merchant Service Capability Assessment Standards, which evaluate seller performance across logistics fulfilment, product quality, and customer service.

6.5.4.2. Addressing Risks from Other Systemic Factors

AliExpress also addresses systemic risks linked to its advertising, recommender, and content moderation systems through coordinated operational controls and policy enforcement.

1) AliExpress’ Advertisement System
Strict admission standards are applied to sellers wishing to participate in promotions, including review of moderation history and penalty records. Our product control system is directly linked to advertising, so when a product is delisted, any associated advertisements are immediately blocked. We also prevent discriminatory targeting by limiting sellers’ ability to select sensitive demographics, with user choices and controls enabling individuals to manage personalised advertising preferences directly through the Privacy Centre within the service and through marketing communications like emails.

2) AliExpress’ Recommender Systems
Our recommendation pool is continuously filtered to exclude adult content, sensitive categories, and illegal products and/or products incompatible with Terms and Conditions. The pool is directly linked to CRO department controls, ensuring flagged items are automatically removed from eligibility.
Products with consistently negative buyer feedback are also excluded, with fairness embedded as a guiding principle to ensure recommendations promote compliant, trusted listings and provide balanced visibility across the Platform. Residual exposure is closely monitored and used to guide ongoing optimisation.

3) Content Moderation System
Our multi-layered moderation framework integrates proactive detection, rapid takedown processes, and proportional enforcement. Alerts from external sources, such as EU Safety Gate notifications and complaints from the public, are reviewed and actioned promptly, and escalating sanctions are applied against repeat offenders. Users have access to clear reporting channels, including priority pathways for Trusted Flaggers, with fairness embedded in the process through transparent appeals and review mechanisms that ensure all users can seek redress in a timely and impartial manner.

4) Policies and Enforcement
AliExpress maintains a comprehensive set of platform rules aligned with EU and Member State consumer protection laws. These rules are regularly updated to reflect regulatory developments and evolving user behaviour, and are enforced through proportionate sanctions such as refunds, order cancellation, delisting, or store closure. Fairness is embedded in the framework by ensuring policies are transparent, enforcement is proportionate, and all users have access to remedies and appeals. Our rules cover the full range of consumer protection risks:
● Trading practices [Confidential].
● Product integrity and fulfilment [Confidential].
● User behaviour and trust [Confidential].
● Product listing standards – including restrictions on categories like adult products, alcohol, and unsafe goods, with special provisions for controlled items under EU law.

Together, these policies form a coherent, enforceable framework that ensures users’ rights are protected while enabling legitimate sellers to operate in a fair, transparent environment.

6.5.5.
Overall Mitigation and Control Effectiveness

We continue to strengthen consumer protection through the development of policies, controls, and mitigations. Our evolving framework has already achieved a very low ratio of violative products relative to total listings, alongside other strong indicators reflected in the residual risk assessment. At the same time, the complexity of the environment and the emergence of new harms, such as risks to minors and generative AI-driven manipulation, mean this will remain an ongoing priority and a central part of our strategic improvements.

Table 6-11: Consumer Protection mitigation and control effectiveness
Design | Our multi-layered mitigations and controls combine proactive and reactive measures, supported by strong policies and protocols for addressing customer grievances. We will continue to build on this foundation and enhance our framework, including expanding algorithmic audits to strengthen oversight of potential bias and discrimination.
Intent | Most assessed controls are implemented and operate as intended, with effectiveness evident across seller onboarding, product integrity, redress, and enforcement. Fraud prevention is being further enhanced through the integration of high-quality logistics data, alongside initiatives to reinforce safeguards against manipulated reviews and to optimise recommender systems. These areas are embedded in our continuous improvement roadmap, ensuring the framework continues to mature in line with regulatory expectations and evolving risks.
Mitigation effectiveness and KRI | Refund rate for fake shipments: [Confidential]
 | Refund rate for product-related issues: [Confidential]
 | Dispute settlement: [Confidential]
 | Dark Patterns [Confidential]
 | Promotion of Products incompatible with Terms and Conditions via recommender system [Confidential]
 | Reviews [Confidential]

6.5.6.
Future Risk Mitigation Plan

We plan on improving our mitigation measures against Consumer Protection risks in the following areas:
1. Proactive Risk Management for Fraudulent Merchants: Implement early-warning systems to monitor and address violations by fraudulent merchants. In addition, enforce penalties such as fines, funds freezing, and warnings based on the severity of violations to reduce the likelihood of further non-compliance.
2. [Confidential]
3. Detection and Removal of Fake Reviews: Deploy algorithmic models to identify false positive reviews in product comments. Proactively remove identified fake reviews to prevent consumers from being misled and maintain platform trust.

6.6. Prohibited & Controlled Products

6.6.1. Overview

In the Prohibited and Controlled Products (PCP) module, we assess the systemic risk of disseminating illegal content in the form of Prohibited and Controlled products, grounded in our obligations under the DSA and EU Regulation 2023/988 on General Product Safety (the “GPSR”). Our assessment considers both Prohibited products (items banned by law) and Controlled products (items requiring specific legal qualifications for sale). In line with applicable EU laws, including the Charter of Fundamental Rights of the European Union (2012/C 326/02) (the “EU Charter”), our assessment focuses on the risk of disseminating illegal and dangerous products as outlined in Article 34(1)(a) of the DSA:
● The sale of non-compliant products; and
● The dissemination of dangerous products that pose a threat to public health or security.

Our assessment places the inherent risk for PCP on AliExpress at High, reflecting the persistent attempts by malicious sellers to introduce unsafe, prohibited, or controlled products, a systemic risk characteristic of all large-scale marketplaces.

6.6.2.
Inherent Risk

The inherent risks of Prohibited and Controlled Products (PCP) on AliExpress manifest through the misuse of the Platform’s design, systems, and various functionalities as catalogued in Section 6.1. For PCP specifically, the most critical of these risk vectors are misuse of search, deliberate miscategorisation, and the falsification of qualification documents. These are common tactics that malicious actors attempt to use to introduce unsafe or illegal goods while bypassing detection controls. Furthermore, the Advertising, Content Moderation, and Recommender Systems can present amplification risks if illegal products and/or products incompatible with Terms and Conditions that evade initial checks gain visibility. These risks are actively monitored as part of AliExpress’ enforcement framework and are also consistently identified across peer marketplaces. The scale of detection demonstrates that these risks are systemic across online marketplaces and are continuously monitored through AliExpress’ control systems. External evidence of risk alerts, including the EU Safety Gate updates and findings of other regulatory institutions, further reinforces the systemic nature of these risks.

6.6.2.1. Inherent Risk Score for Prohibited & Controlled Products

Based on an evaluation of three key conditions (see Table 6-12), the inherent risk of PCP infringement absent any controls is assessed as High.

Table 6-12: PCP Inherent Risk Score

Condition 1: Historic Occurrence of PCP risks on AliExpress
Internal data confirms that the dissemination of prohibited and controlled products is a continuous and inherent risk on the AliExpress platform.
[Confidential]

Condition 2: Historic occurrence of PCP risks on other marketplaces
Recent peer DSA transparency reports provide consistent evidence of recurring detection, removal, and regulator-driven actions against unsafe and prohibited products.

Condition 3: External evidence from regulators, consumer bodies, researchers
External evidence, including the 2024 Safety Gate Report and recent EC proceedings, consistently identifies online marketplaces as high-risk environments for unsafe goods.

6.6.3. Residual Risk

PCP Residual Risk Score is Medium. Though the inherent risk of PCP is rated High based on Conditions 1–3, AliExpress’ mitigation strategies and enforcement measures have materially reduced residual risk exposure. [Confidential] The overall violative ratio is low at [Confidential]. Together, these outcomes support a Medium residual risk rating.

Table 6-13: PCP Residual Risk Score
Dimension | Metric | Result
Probability | Ratio of Illegal Products from Total EU Products | Total illegal PCP products exposed to EU consumers: [Confidential]
 | Proactive Control Rate | Our proactive control rate is [Confidential], representing the proportion of PCP illegal moderations based on AliExpress' own initiative.
 | Actioned Reports Rate | [Confidential]
 | Reappearance Fail Rate | [Confidential]
 | Safety Gate Alerts | Data on platform recalls or products removals from alerts: [Confidential]
Severity - Scale | Exposure Score Ratio | [Confidential]
 | Rate of infringing purchases in EU | [Confidential]
Severity - Scope | The extent to which the harm is physical, psychological, informational, economic, and / or societal; and how the harm may be experienced by vulnerable groups | The impact of prohibited and controlled products is often physical, posing direct safety risks to consumers’ health and well-being, with heightened dangers from unsafe electronics, hazardous chemicals, unregulated medicines, and toys for minors.
Such risks can include severe harms, which in some cases may be lasting. In addition, financial or emotional impacts may arise, for example where consumers discover that a purchased product was unsafe and must be refunded or recalled.
Severity - Remediability | Refund rate | From 1 July 2024 to 30 June 2025, the percentage of items with refund records was [Confidential]. Note: These comparatively low refund rates align with the operational scale of AliExpress, where millions of orders are processed daily. This indicates that the vast majority of consumer transactions are fulfilled successfully and without issue, with only a small fraction requiring redress.
 | Recall rate | [Confidential]. This figure represents the number of recalled orders that were successfully fulfilled, divided by the total number of recalled orders issued within the EU during that period.

6.6.4. Risk Mitigation and Control

This section details AliExpress’ comprehensive risk mitigation framework for mitigating and controlling the risks of PCP as identified in the Inherent Risk section. This year, AliExpress has continued to employ strong risk mitigation control mechanisms while expanding capabilities to ensure they properly respond to new and emerging risks.

AliExpress uses a comprehensive, multi-layered framework to mitigate PCP risks, combining advanced algorithmic detection, human review, proactive seller oversight, consumer protection, and collaboration with third parties. The entire system is anchored by the [Confidential] platform, which continuously scans all product listings for violations. The control framework operates through four strategic pillars:

1) Seller Oversight: AliExpress ensures strict compliance at the source by applying rigorous onboarding and ongoing seller management.
This includes comprehensive policy guidance via the Rules Centre, training through the Seller Learning Centre, and enforcement via the 48-point store closure penalty system that enables immediate termination for severe violations.

2) Proactive Interception: Product safety is safeguarded through a two-phase approach: pre-listing checks through algorithm and expert human review, and post-listing surveillance combining automated detection with rapid responses to regulatory notices, consumer reports, and EU Safety Gate alerts. [Confidential]

3) Consumer Protection: To mitigate harm, AliExpress operates a proactive recall mechanism ensuring that consumers are notified promptly and provided redress when unsafe products are identified. Dispute resolution services further empower consumers to seek remedies, and consumer protection policies are aligned with EU standards such as the GPSR and the Consumer Rights Directive.

4) Collaborative Governance: AliExpress partners with regulators, third-party monitors, and external stakeholders to reinforce oversight and independent validation. This includes engagement with EU and international regulators, partnerships with monitoring providers [Confidential], and ongoing compliance cooperation with authorities in the EU [Confidential].

In alignment with Article 34 of the DSA, this section systematically outlines how AliExpress’ control measures directly mitigate the systemic risks identified. Our risk mitigation framework is implemented using a three-tiered approach, ensuring that risks are prevented in the pre-listing stage, continuously detected during operation, and remediated through enforcement and external validation.

1) Proactive Prevention: Our operational teams conduct a mandatory pre-publication review of all product listings through the [Confidential] system.
Within this layer, Platform Prohibitions ensure that both legally banned products (e.g., firearms, narcotics) and platform-specific unsafe products (e.g., amber necklaces for children, small magnetic balls) are blocked. Controlled Product qualification checks require sellers to submit compliance documentation, including CE markings, declarations of conformity, and lab test reports for categories such as toys, electronics, and cosmetics. Additional measures include seller onboarding and vetting systems (more details in Section 6.2). Paid advertisements and recommender systems are also screened before going live, preventing amplification of unsafe or illegal products. Targeted manual front-end inspections and independent cleanliness checks reinforce this first line of defence.

2) Ongoing Monitoring and Detection: [Confidential]

3) Enforcement and Quality Assurance: [Confidential]

The following section illustrates how this framework is deployed across specific platform features and functionalities, focusing on the risk of dissemination of PCP products through core marketplace mechanisms.

6.6.4.1. Addressing Risks from Platform Design and Functionalities

1) Prohibited & Controlled Product Listings
AliExpress applies a multi-layered governance architecture across the entire product lifecycle to maximise early detection and interception of illegal products and products incompatible with Terms and Conditions. The framework is applied consistently to high-risk functionalities most prone to misuse by sellers.

● Algorithmic Controls: [Confidential] Content is automatically reviewed against a combination of restricted keywords, algorithms, and risk behaviour indicators to effectively identify illegal content or content incompatible with T&Cs. [Confidential] We continuously expand our risk identification system by updating our risk product database.
We have increased proactive monitoring of public-facing interfaces to identify and remove any illegal products that may have bypassed initial checks. This is accomplished through regular internal checks by a dedicated team, complemented by third-party cleanliness assessments. Newly identified circumvention tactics are analysed and integrated as new control points into our pre-listing risk mitigation framework to enhance the strength of our risk control system.

● Human Expert Review: To prevent illegal items from entering the marketplace, product listings screened and flagged by the [Confidential] system undergo a manual review for mainly the following:

○ Manual Product Review: After automatic screening, suspicious listings are sent to a dedicated team of [Confidential] moderators for manual analysis of text and images. This team also conducts daily platform sweeps and manual searches for problematic products, such as medicines. When a violation is confirmed, the listing is removed and the seller is penalised. We ensure adequate staffing to prevent backlogs and have a quality assurance process that includes sampling and retraining. Capacity is managed through rostering to match risk levels and prevent backlogs. Quality assurance is maintained by sampling reviewer outputs and retraining where needed, while staffing levels are continuously monitored and reinforced if backlogs arise. AliExpress has expanded its moderation workforce, adding [Confidential] new reviewers in October 2025, and enhanced its review pool product with secondary risk information alerts to improve efficiency and review quality.

○ Product Compliance Certificate Control: AliExpress requires sellers to upload compliance documentation through a certificate upload system. Categories are managed by risk level: high, medium, or low – based on recalls, regulatory guidance, legal requirements, and consumer hazard severity. All documentation is human-reviewed.
○ Account-level Verifications: To open a store, sellers must pass verification covering their qualifications as traders and funding account information. This requires submission of business registration and license details, Ultimate Beneficial Owner and legal representative information, and corporate structure documentation. Only verified sellers are permitted to operate, ensuring product traceability across the Platform. Product listings found to be in violation are removed and the sellers will be penalised, or even have their store closed, in accordance with the rules stipulated by our violation penalty points system.

● Post-listing surveillance uses dynamic monitoring systems and rapid response protocols to address notices from regulators, including EU Safety Gate alerts, as well as consumers and other stakeholders. AliExpress has a direct API integration with the EU Safety Gate, which ingests recall information daily. We use similarity-image algorithms to automatically compare new and existing listings against this data. Any flagged items are immediately escalated for manual review and removal. We also provide appeal and consultation channels for service restrictions in line with the DSA Article 20. [Confidential] We have a team dedicated to investigating and taking action against PCP items reported by users and detected by AliExpress’ own monitoring of the relevant regulators’ product recall websites. Affected buyers are supported by AliExpress’ product recall process and through refunds.

2) Deliberate Miscategorisation: To combat deliberate miscategorisation, where sellers list prohibited products under a different category to evade detection [Confidential], AliExpress uses a multi-stage control mechanism as part of its [Confidential] system. This process begins with an automated scan of both the text and images of listings to identify potential miscategorisations. These flagged listings are then sent for a manual review by a dedicated team of experts.
If the miscategorisation is confirmed, the listing is promptly removed and the seller is penalised, with more severe penalties for repeat offenders. Sellers can appeal the decision, and if they provide sufficient evidence, the listing will be reinstated.

3) Instant Messaging (IM), User-Generated Content (UGC), Reviews and Q&A: AliExpress prevents the misuse of IM and other UGC features to disseminate prohibited products. For IM, we use a hybrid system that filters text content both before and after it is live, while image and video content undergo post-listing interception moderation. In contrast, most other UGC, such as reviews and Q&A, are subject to pre-listing automated filtering, which is supplemented by manual reviews and third-party inspections to ensure compliance. More detailed information can be found in the Content Compliance modules.

4) Affiliate Program: Before product listings are made visible to Affiliate Program participants, the automatic filters maintained by the CRO - Prohibited Product/Content & IPR team and the Platform Rules team will review eligible products in addition to the governance measures already applied to products on the Platform. Overall, we apply a lower tolerance threshold to the affiliate product pool – that is, we carry out a stricter review for certain categories of product listings in order to prevent such product listings from becoming affiliate products and leading to potential dissemination outside our platform. Participants cannot promote non-affiliate products, but buyers may buy non-affiliate products on AliExpress after they access the AliExpress platform by clicking the promotion link of an affiliate product that has been published by an Affiliate Program Participant (i.e., buyers may end up purchasing a similar or completely different, but non-affiliate, product from other sellers, in which case a commission is in principle not payable).
5) Exposure of Minors: As stipulated in our Terms and Conditions, we do not provide services to minors (individuals under the age of 18), and have specific restrictions on account registration and the use of payment methods. When users register for an account, they are clearly reminded that they must be 18 years or older. Additionally, the requirement for valid payment methods acts as a further control mechanism. Further details are provided in the Consumer Protection module.

6.6.4.2. Addressing Risks from Other Systemic Factors

1) Advertising System: AliExpress applies strict pre-listing interception governance to its advertising systems to ensure that prohibited and controlled products cannot gain additional visibility or amplification. Any product identified as unsafe, incompatible with Terms and Conditions, or otherwise prohibited is automatically blacklisted from the advertising pool. This blacklist includes both items restricted under law (e.g., narcotics, firearms) and products prohibited by platform policy (e.g., amber necklaces for children, high-powered magnets), as well as any product previously penalised for violations. [Confidential] the absolute volume of advertised illegal products has decreased, reflecting improved front-end filtering and the integration of stricter pre-advertisement review mechanisms.

2) Recommender & Content Moderation Systems: Several categories of content and products are filtered from the recommendation pool to prevent their appearance on the AliExpress Homepage. [Confidential] Beyond products and content incompatible with Terms and Conditions, poorly rated products are also limited in users' recommendation scenarios. The recommendation pool is directly linked to the CRO department controls and a database of confirmed illegal products.
Products flagged by the CRO department controls or listed in this database are automatically removed from the recommendation pool to ensure a positive user experience with the Platform's recommendation system. [Confidential] The Year 3 data show that while some illegal products still appear in recommendations, these cases are limited to those that slipped past pre-screening controls. Taken together, these outcomes show that while some residual risk persists, the recommender system functions as part of a layered defence, with pre-listing interception exclusion acting as the primary control and therefore reducing the visibility of unsafe products recommended to EU consumers.

3) Policies and Enforcement: AliExpress maintains detailed policies for PCP products, updated regularly to reflect regulatory changes. Key measures include:
● Product Listing Policy (“PLP”) & Index of PCP Items: Defines prohibited items to align with global and local laws. This list guides sellers, enhances consumer safety, and reinforces platform trust.
● AliExpress Compliance Notice on the EU General Product Safety Regulation (“GPSR”): In June 2024, AliExpress published its Compliance Notice on the EU General Product Safety Regulation, requiring sellers to provide information on manufacturers, EU responsible persons, and product labelling. Mechanisms were also introduced for cooperation with market surveillance authorities, improving safety and traceability.
● Consumer safety warning: Applied to product categories with potential risks even where no explicit policy violation exists, ensuring buyers are alerted to relevant guidance.
● Enforcement: Violations are penalised through a points system. Severe breaches can trigger account removal under a one-strike policy, deterring malicious actors. Additionally, a new alert function now monitors the entire penalty action chain to ensure timeliness and consistency of enforcement, with system anomalies promptly flagged and remedied.
● Seller Training: Compliance education is delivered through the Seller Centre, notifications, and events. For example, over 12,000 sellers attended the GPSR training in August 2024, with 24,000 additional views of the recording.

4) External Risk Identification & Cooperation: AliExpress provides various external reporting channels to complement the internal identification of PCP product risks. The reporting function of the Platform is provided to multiple types of users, such as sellers, buyers and Trusted Flaggers (in line with Art. 22(1) of the DSA). Users will be provided with an acknowledgment of their reports, and once the decisions are made by the Platform (which are all manually reviewed) users will be informed of the decision.

Moreover, the Platform has a designated mailbox (eu.productsafety@aliexpress.com) to receive reports or orders from competent market surveillance authorities in the EU. Dedicated personnel have been charged with promptly handling complaints from these authorities. After receiving an illegal content report or order from an authority, the illegal products will be taken down and relevant notifications will be sent to the seller to recall the products when applicable. Pursuant to the EU GPSR regulation coming into effect, AliExpress has upgraded its recall notification system. In addition to notifying sellers and consumers, a new “safety business gate” will also notify manufacturers directly. Additionally, any information about the illegal product will be added to our proactive monitoring system if it is not already included.

We also work with external professional service providers to carry out regular monitoring and manual sampling reviews of the Platform’s product listings targeting EU and other markets across multiple languages in high-risk product categories to look for suspected illegal listings.
These vendors provide regular reports to us to identify the latest illegal product risk trends to support our enforcement against illegal products on the Platform and enhance our corresponding proactive product compliance controls.

To further improve the detection of unsafe products on the Platform, AliExpress, as an original signatory to the first Product Safety Pledge (in 2018), signed the revamped Product Safety Pledge+ in March 2023. As a signatory to this Pledge, we undertake voluntary commitments going beyond what is already established in EU legislation, including those requirements applicable on product safety.

6.6.5. Overall Control Effectiveness

To manage this high-risk environment and adapt to new circumvention tactics by bad actors, AliExpress employs a multi-layered control framework designed to proactively prevent, detect, and remediate PCP risks. [Confidential] While most indicators show high effectiveness, residual risks remain in recommendations and in reducing survival time, both of which are ongoing priorities for optimisation. The Platform’s commitment to control PCP dissemination risks is further evidenced by continuous third-party audits and validation from partners [Confidential]. The PCP control framework reduces residual risk through rapid removal, proactive interception, and third-party validation, keeping risk at a manageable level consistent with DSA Article 34.

Table 6-14: PCP Overall Control Effectiveness Score

Design: The design is comprehensive, integrating algorithmic pre-screening, mandatory human verification, and post-listing enforcement. This is validated by multiple independent third parties, including [Confidential], confirming the framework's reliability.

Intent: Controls are fully implemented and consistently applied [Confidential].
Evidence of continuous improvement includes expansion of recall coverage (via Safety Gate API integration, launch of Safety Business Gate), stricter review timeouts for listings, and strengthened seller verification. Enforcement is systematic, and penalties are escalated for repeat offenders. No systemic deficiencies have been reported in the last 12 months.

Mitigation effectiveness and KRI: The controls designed and implemented during the course of this reporting period have reduced the residual risk of PCP on the service. [Confidential]

6.6.6. Future Risk Mitigation Plan

We plan on improving our mitigation measures against PCP products in the following areas:

• Enhancing effectiveness and accuracy of content moderation: We will increase human resources to fulfil pre-listing moderation, front-end inspection and complaint and report handling to reduce the listing of illegal products, which will significantly lower the likelihood of users encountering risky products.
• [Confidential]
• Enhancing risk control system to promptly remove illegal products: We will expand our internal reference database to include [Confidential]. Using such data in our risk control system by applying automatic scanning and prevention coverage, we will promptly remove true hit listings from the EU market relevant listings after successful validation of cases flagged.
• Increased Security Deposit Requirements: Regarding severe violations of platform rules, we will increase the seller’s performance security deposit to improve the effectiveness of our policy enforcement.

6.7. Content Compliance

6.7.1. Overview

The Content Compliance module assesses risks linked to the dissemination of content that is illegal or incompatible with AliExpress’ Terms and Conditions. This includes illegal hate speech, unlawful discriminatory content, terrorist content, threats to public security, child sexual abuse material (CSAM), gender-based violence, and non-consensual intimate imagery.
These risks are systemic across all large-scale platforms. AliExpress applies a multi-layered control framework, anchored by the [Confidential] system and complemented by human review, enforcement measures, and user reporting channels. This framework is designed to prevent, detect, and remediate content compliance risks consistently and at scale.

6.7.2. Inherent Risk

Our assessment confirms a Medium inherent risk, reflecting the nature of user-generated content (UGC) and the scale of activity on the Platform. Internally, large volumes of content incompatible with Terms and Conditions are detected each year through pre-live controls, spot checks, and user reports. Similar risks are consistently reported by other marketplaces, and external authorities and research identify content compliance as a systemic challenge across online services. The tactics used by malicious actors, including obfuscation, hidden links, and evolving slang, mean that content compliance risks remain systemic even with advanced detection systems, and are continuously monitored. These risks are continuously monitored and addressed as part of AliExpress’ enforcement environment, consistent with sector-wide patterns.

6.7.2.1. Inherent Risk Score for Content Compliance

Based on an evaluation of three key conditions (see Table 6-15), the inherent risk of Content Compliance infringements absent any controls is assessed as Medium. This conclusion reflects recurring detections of content incompatible with Terms and Conditions internally, consistent evidence of similar risks across other marketplaces, and findings from regulators and independent research. The persistence of these risks, even when they represent a small proportion of overall user-generated content, demonstrates that content compliance is a systemic challenge that is continuously monitored within AliExpress’ enforcement framework.
Table 6-15: Content Compliance Inherent Risk Score

Condition 1: Historic Occurrence of Content risks on AliExpress
Based on a continuous pattern of violations documented in our internal data, infringements of content that is incompatible with our T&Cs are an evident and inherent risk on the AliExpress platform. In the period from 1 December 2024 to 30 June 2025, we took a number of distinct actions against content that is incompatible with our T&Cs which showed us: [Confidential] -

Condition 2: Historic occurrence of Content risks on other marketplaces
Recent peer transparency reports suggest similar systemic content risks

Condition 3: External evidence from regulators, consumer bodies, researchers
External evidence, including the Global Network Initiative & Digital Trust Safety Partnership and recent EC proceedings, has highlighted content related risks

6.7.3. Residual Risk

Content Compliance Residual Risk Score is Low. Though the inherent risk is Medium, AliExpress’ mitigation strategies and enforcement framework materially reduce residual exposure. [Confidential] Residual risk therefore persists but is continuously monitored and addressed.

Table 6-16: Content Compliance Residual Risk Score (Dimension / Metric / Result)

Probability
Metric: Ratio of Violating Content from total EU Content. Result: [Confidential]
Metric: Actioned Reports Rate. Result: [Confidential]

Severity - Scale
Metric: The number of registered users and guest users that are, or could be, affected.
Result: Any registered users and guest users on AliExpress may be exposed to content that is incompatible with our T&Cs (for example, through product listings or reviews) and content that is incompatible with our T&Cs may remain present on the Platform if not reported or identified following evasion of proactive controls

Severity - Scope
Metric: The extent to which the harm is physical, psychological, informational, economic, and/or societal; and how the harm may be experienced by vulnerable groups
Result: Content risks (e.g., self-harm content, hateful content, pornographic content) could hold the potential to cause direct psychological harm to users, and may cause specific harm to minors and any other vulnerable groups who access the Platform.

Severity - Remediability
Metric: The ability to restore impacted individuals to their prior state
Result: The remediability of content compliance risks varies. Certain types of illegal content or content incompatible with terms and conditions, once seen, may have lasting impact and cannot be fully reversed, while other categories such as listings that may contain misleading information can be effectively addressed once removed. Our strategy is therefore focused on minimising exposure and reducing survival time across all content types.

6.7.4. Risk Mitigation and Control Effectiveness

This section details AliExpress’ comprehensive risk mitigation framework for mitigating and controlling the risks of Content infringements as identified in the Inherent Risk section. AliExpress’ Content control framework is anchored by the [Confidential] system, which ensures that content that is illegal or incompatible with our terms and conditions is identified and blocked in a timely manner. Please refer to Section 6.2.1 for more information.

Our comprehensive strategy combines sophisticated algorithmic detection with rigorous manual review to address risks holistically; screening for infringements is conducted both before and after the publication of content.
In alignment with Article 34 of the DSA, this section systematically outlines how AliExpress’ risk mitigation and control measures directly correspond to the systemic factors contributing to Content infringement as outlined in our Inherent Risk section above.

6.7.4.1. Addressing Risks from Platform Design and Functionalities

1) Dissemination of content that is incompatible with our terms and conditions through UGC publicly accessible on the Platform (e.g., Product Reviews, Q&A, AliExpress Live)

AliExpress actively prevents the dissemination of content that is incompatible with our T&Cs across all public features that contain UGC. We have two risk control mechanisms, pre-listing and post-listing, to ensure that content that is incompatible with our T&Cs is identified and blocked automatically and in a timely manner. Additionally, a designated team continuously works on optimising the risk management system, strategies, and algorithms on a daily basis. An internal inspection system is used to evaluate the performance of the risk management system and to detect already published prohibited content.

Pre-Listing Controls

As a first point of control, only registered AliExpress users can post content on the Platform. We specifically prohibit external links and remove link-related keywords from UGC (e.g., product reviews, Q&As and Feed, Instant Messages). The risk management system starts by matching text content with restricted keywords created and maintained by risk management personnel to improve text algorithm performance. If there is a confirmed match, the associated content is blocked. However, as algorithm results can vary in real-world circumstances, to enhance detection performance, risk management personnel conduct manual checks on the generated results. They verify the actual keywords and use the algorithm to delete any identified prohibited content.
[Confidential]

[Confidential] To further ensure the effectiveness of our content moderation, we conduct [Confidential] risk-based inspections. During these inspections, recommended keywords with high user exposure are randomly checked for whether they provide content that is incompatible with our T&Cs. This process helps us assess and manage the risk levels associated with the recommended keywords. We also monitor external public sentiment to continuously refine and improve our risk control strategies.

Post-Listing Interception Controls

In most UGC publishing scenarios, our risk management system operates as a pre-listing mechanism, requiring all content to pass through the system before being published online. [Confidential] Therefore, we have implemented a post-listing mechanism for channels like IM. To improve our ability to perceive new risks, the reporting functions for Q&A and Review on the App side were launched on 30 September 2024. Additionally, the reporting functions for AliExpress Live, guest users, and PC side Q&A and Review were launched in October 2024.

Our Content Control framework addresses risks in the following areas:

● Reviews, and marketing & promotional messages: [Confidential] A strict evaluation system prohibits harmful reviews and messages, with penalties ranging from point deductions and product removal to account suspensions or closure (depending on the type of content infringement as well as whether repeated violations have occurred), affecting both credit records and platform privileges. Users are able to report reviews containing content that is incompatible with our T&Cs. As committed in Year 2, we enhanced detection of click farming by refining algorithms to better recognise suspicious user behaviour. [Confidential]
● Pornographic and vulgar content: We run text algorithm models for detecting content that is incompatible with our T&Cs, optimised for pornographic and vulgar content. It covers major international languages.
● Non-English Content: AliExpress has risk moderation expertise with Spanish, French, English, German and Portuguese for carrying out manual review. For automated content moderation, any content originated or to be displayed in a language other than English will be translated into English through automated translation tools. To enhance the detection of prohibited content that is incompatible with our T&Cs, especially in less-covered EU languages, we developed an LLM-based multilingual model to expand language coverage and improve localised risk control (e.g., detect slang).
● Harmful content in product listings is safeguarded through a two-phase approach: pre-listing checks through algorithmic detection, and post-listing surveillance combining automated detection with rapid responses to regulatory notices and consumer reports. For more information, please refer to the PCP module.
● AliExpress Live: All users seeking to access the AliExpress Live function must pass an onboarding assessment before being allowed to participate in streams. Users must undergo a qualification process to be granted permission to stream. Users must have a registered account on AliExpress to be able to comment on streams. We review pre-listing stream content (e.g., pre-broadcast announcements). During the live broadcast, real-time monitoring and image frame captures are conducted with algorithmic review. Additionally, live comments are filtered to detect and block content that is incompatible with our T&Cs.
● Seller Storefronts and User Profiles: Every time a seller edits or creates new store information or a user updates their profile information it is scanned by our algorithms.
As indicated in Post-Listing Interception Controls, all text will be scanned by our pre-live controls, while images will go through our post-live controls.
● Instant Messaging: The IM environment is continuously scanned by our [Confidential] system that intercepts or deletes detected content that is incompatible with our T&Cs. [Confidential] we have also implemented a post-listing mechanism for the IM feature. External links are detected and users are warned of associated risks before clicking. Users can also report or mute other users who engage in harassing or bullying behaviour. Following a user report, appropriate enforcement measures are taken after manual review. For spam messages, upgraded text and image similarity models and mailbox anomaly detection strengthen the blocking of spam advertisements. [Confidential]

2) AliExpress Affiliate Program: AliExpress teams manually review the information provided by Affiliate Program applicants [Confidential] The AliExpress CRO team is involved in the above process, assigning specific governance and operation standards to the reviewers, depending on the type of promotional channel. All application materials will be sent to the CRO team for review.

3) Repeat Offenders: We take proactive steps to prevent the reappearance of content that is incompatible with our T&Cs. The Platform channels new violation data into a structured online library, which helps in identifying emerging risks and keeping an updated database of prohibited keywords. Stricter penalties are imposed on repeat offenders, such as account deletion or temporary content bans, and mechanisms are in place to prevent banned sellers from re-registering on the Platform. As committed in Year 2, we implemented a more targeted governance approach for repeated violations across a broader range of content scenarios.
This layered penalty system involves measures such as blocking/deleting content, disabling the ability to publish content, suspending accounts, and permanently closing accounts for repeat offenders.

4) AI-generated content: The rapid growth of AIGC (AI-generated Content) in text and image forms has highlighted an increase in the speed at which content that is incompatible with our T&Cs can be uploaded on AliExpress. We are aware that designing and deploying corresponding algorithms are necessary to detect AIGC in order to better mitigate content compliance risks. As of April 2024, the core content types that are subject to review and content moderation are text, image, and video, and AI-generated texts and images.

6.7.4.2. Addressing Risks from Other Systemic Factors

1) Advertising & Recommender System: To mitigate against risks of advertisements containing content that is incompatible with our T&Cs or recommender systems serving content that is incompatible with our T&Cs, AliExpress runs all materials through its pre-listing risk management system, including text, images, and videos, before publication. [Confidential] Any materials identified as incompatible with Terms and Conditions are automatically rejected. This approach is identical to the Platform's broader mitigation for misuse and inauthentic use of platform functionalities. For more detail, refer to Section 6.2.1.

2) Content Moderation System: By July 2025, platform personnel dedicated to content compliance proactive control was expanded by adding [Confidential] human moderators designated for content moderation (including non-English content such as Spanish, Portuguese, French and German). [Confidential] Regular reviews of moderation decisions are conducted to assess the accuracy and quality of the decisions made by our moderators, and review teams are encouraged to provide feedback on policies and processes. For more detail, refer to Section 6.2.
3) Process Improvements: AliExpress continually refines its proactive and reactive controls to enhance the detection of content that is incompatible with our T&Cs. Proactive strategies are enhanced by monitoring algorithm performance and optimising detection mechanisms through insights from predicted violation scores and performance indicators. Risk management personnel contribute to algorithm improvement by providing restricted keywords and detected prohibited content as training data, and risk behaviour indicators are used to expand recall rates by correlating keywords incompatible with Terms and Conditions with relevant product categories. Reactively, a manual review team addresses content flagged but not conclusively identified by automated systems, combining automated detection with human verification to mitigate the spread of content that is incompatible with our T&Cs across all channels.

4) Policies and Enforcement: Policy enforcement is central to our content compliance strategy. AliExpress maintains comprehensive policies in its Community Guidelines and channel-specific rules (e.g., AliExpress Live), covering risks from hate speech and terrorism to public security threats and non-consensual content. Policies are continuously updated to align with EU and Member State requirements. Key measures include:

● Content compliance policy: Our policies are regularly iterated to reflect legislative changes, with recent updates to our Product Review Rules and Community Guidelines in July 2024 and July 2025 for increased control scenarios.
● Product Listing Policy (PLP) on adult and obscene materials: It strictly prohibits pornographic and obscene materials to protect minors and market integrity. Under Article 8 of our PLP, while sex toys are permitted, any pornographic or sexually explicit content is banned.
The AliExpress Index of Prohibited and Controlled Items enforces prohibitions across all markets on content such as bestiality, sexual abuse, incest, rape, CSAM, violent or obscene imagery, and vulgar language.
● Risk Controls and SOPs: We thoroughly assess and enhance our content risk controls, updating our content risk register, scope and internal Standard Operating Procedures (SOPs). [Confidential]
● Penalty Policy: We employ a range of actions against inappropriate behaviour and content, including blocking or deleting content, disabling publishing functions, and suspending or closing accounts. Enforcement measures include immediate content blocking, temporary restriction on posting, manual reviews of high-traffic content, and more severe penalties for repeat offenders. For severe violations, AliExpress will disable user accounts temporarily or permanently, depending on the nature and frequency of the infractions.

6.7.5. Mitigation and Control Effectiveness Score

AliExpress continues to strengthen Content Compliance through the development of policies, controls, and enforcement measures. Our framework has achieved a very low rate of content incompatible with Terms and Conditions relative to total UGC, supported by rapid takedown times and comprehensive reporting and appeals mechanisms. At the same time, the complexity of the environment and the emergence of new risks, including AI-generated content and evolving evasion tactics, mean that Content Compliance remains an ongoing priority and central to our strategic improvements.

Table 6-17: Content Compliance mitigation and control effectiveness

Design: The Content Compliance framework is multi-layered, combining algorithmic pre-screening, human verification, and post-listing enforcement. Reports are handled promptly, typically within two business days, complementing proactive detection with responsive measures.
Controls are adapted to new circumvention tactics, supported by weekly inspections of detection systems and internal monitoring. Current priorities include expanding keyword detection to improve multilingual accuracy and strengthening documentation and auditability of control design. Moderation resourcing is also audited on an ongoing basis, with accuracy, volumes, and efficiency collectively monitored to ensure capacity remains aligned with platform scale and complexity.

Intent: Most Content Compliance controls are implemented and function as intended, combining proactive detection with timely reactive measures. Moderation processes are embedded across the platform, supported by escalation and appeals mechanisms that reinforce fairness. The framework is subject to continuous monitoring and enhancement to ensure controls remain effective and transparent.

Mitigation effectiveness and KRI: [Confidential] According to the penalty data trend [Confidential], repetitive violations have been well monitored and controlled as the user’s violation turns more severe [Confidential]. [Confidential]

6.7.6. Future Risk Mitigation Plan

1. Content Domain Risk Inspection Capability Development: In the coming year, we will introduce a new content inspection product and increase risk control personnel dedicated to inspection. Key content domains—such as product reviews, Q&A, Feeds, Instant Messaging and search/recommendation queries—will be covered by this system, enabling rapid frontline inspection and handling of content incompatible with Terms and Conditions, thereby further reducing the exposure of risky content. [Confidential]

7. Synthesis of Risk Posture - Continuous Monitoring and Improvement

The risk assessment detailed in this report represents a key point-in-time analysis within our broader, dynamic framework for risk management.
Our commitment to platform safety extends beyond this annual exercise and is embedded in a continuous cycle of monitoring, evaluation, and enhancement. As this report has clearly introduced, our risk assessment methodology has evolved to be even more data-centric. Our continuous monitoring will therefore be anchored to the specific, measurable Risk Indicators detailed throughout this assessment. Tracking these KRIs over time will allow us to measure the direct impact of our enhancements and verify that residual risk is maintained within an acceptable range. Where this assessment has identified control frameworks as requiring improvement (i.e., those not rated ‘Highly Effective’), these areas will be subject to structured review. This process will involve developing targeted roadmaps for enhancement, with progress monitored by our internal risk governance functions. Through this iterative process of monitoring and action, AliExpress reaffirms its commitment to enhancing the safety and integrity of its platform for all EU users.