Regulation (EU) 2022/2065 Digital Services Act (DSA) Systemic Risk Assessment and Mitigation Report for Instagram August 2025 1 Table of Contents Executive Summary 4 DSA Systemic Risk Assessment Overview 4 Key Enhancements 5 Risk Results Overview 6 The Road Ahead 7 1\. Introduction 8 1.1 Purpose 8 1.2 Scope 8 1.3 Approach 9 1.4 Limitations and Assumptions 9 2\. An Overview of Instagram 10 3\. A Balancing Act: Respecting Rights and Mitigating Risk 11 3.1 Meta’s Commitment to Respecting Voice and Enhancing User Safety 12 3.2 Complaints and Appeals 13 4\. Systemic Risk Landscape 13 4.1 External Stakeholder Engagement 16 4.2 Systemic Risk Areas 18 4.2.1 Deceptive and Misleading 19 4.2.2 Civic Discourse and Elections 19 4.2.3 Public Health 21 4.2.4 Public Security 21 4.2.5 Gender-based Violence 22 4.2.6 Protection of Minors 23 4.2.7 Fundamental Rights 25 4.2.8 Illegal Content 26 4.3 Influencing Factors 27 4.3.1 Recommender Systems 27 4.3.2 Content Moderation Systems 29 4.3.3 Terms of Use and their Enforcement 30 4.3.4 Ads Systems 32 4.3.5 Data Related Practices 33 4.3.6 Intentional Manipulation 34 4.3.7 Generative Artificial Intelligence 35 5\. Our Detailed DSA Systemic Risk Assessment Results 36 5.1 Risk Analysis 36 5.1.1 Risk Rating 37 5.1.2 Problem Area Analysis: Inherent Risk 37 5.1.3 Problem Area Analysis: From Inherent Risk to Residual Risk 38 5.1.4 Scoring Overview: Year-Over-Year (YoY) Comparisons and Drivers of Change 40 5.1.5 Systemic Risk Area Analysis: Residual Risk Ratings 42 5.2 Mitigating Measures Analysis 43 5.2.1 Meta’s Ecosystem of Controls 44 5.2.1.1 Policies and Standards 44 5.2.1.2 Systems and Product Integrity 46 5.2.1.3 Detection 51 5.2.1.4 Enforcement 54 2 5.2.1.5 Response and Notification 56 5.2.1.6 User Rights and Recourse 57 5.2.1.7 External Awareness and Support Resources 59 5.2.1.8 Internal Training and Resources 61 5.2.1.9 Risk Assessment 61 5.2.1.10 Governance 63 5.2.2 Detailed Risk Observations and Mitigating Measures 65 5.2.2.1 Account Integrity and Authentic Identity 65 5.2.2.2 Adult Nudity and Sexual Activity 66 5.2.2.3 Adult Sexual Exploitation 67 5.2.2.4 Adult Sexual Solicitation and Sexually Explicit Language 68 5.2.2.5 Bullying and Harassment 70 5.2.2.6 Child Sexual Exploitation, Abuse and Nudity 71 5.2.2.7 Coordinating Harm and Promoting Crime 73 5.2.2.8 Dangerous Organisations and Individuals 74 5.2.2.9 Discriminatory Practices 76 5.2.2.10 Fraud and Deception 77 5.2.2.11 Hateful Conduct 78 5.2.2.12 Human Exploitation 79 5.2.2.13 Inauthentic Behaviour 81 5.2.2.14 Intellectual Property (IP) Infringement 83 5.2.2.15 Misinformation 84 5.2.2.16 Privacy Violations 86 5.2.2.17 Restricted Goods and Services 87 5.2.2.18 Spam 89 5.2.2.19 Suicide, Self-Injury and Eating Disorders 90 5.2.2.20 Violence and Incitement 91 5.2.2.21 Violent and Graphic Content 93 5.2.2.22 Voice and Free Expression 94 6\. Risk Mitigation Enhancements 95 7\. Conclusion 98 8\. Appendix 99 8.1 Risk Assessment Process 99 8.2 Rubrics and Scoring 99 8.2.1 Inherent Risk Rubrics 99 8.2.1.1 Severity Rubrics 100 8.2.1.2 Likelihood Rubrics 101 8.2.2 Control Effectiveness Rubric 102 8.2.2.1 Control Effectiveness Calculation 103 8.2.3 Residual Risk Calculation 104 8.3 Principles for ensuring Reasonable, Proportionate, and Effective Mitigation Measures 104 3 Executive Summary Meta’s mission is to build the future of human connection and the technology that makes it possible. We helppeople discover and learn about what is going on in the world around them, enable people to share theirexperiences, ideas, photos and videos, and other activities with audiences ranging from their closest familymembers and accounts that they follow (or are a friend of) to the public at large, and stay connectedeverywhere by accessing our products.1 For the 6-month period ending 31 December 2024, we haveapproximately 272.0 million average monthly active users on Instagram in the European Union (EU) who arereaping the benefits of connectedness.2 Although Instagram has been used to build communities, raise awareness, and grow small businesses, therisk remains for our services to be, in some instances, misused and manipulated. We take a risk-basedapproach for implementing mitigation measures to combat bad actors, behaviour, and content on Instagram.We refer to our collective work combating bad actors, behaviours, and content on Instagram as “IntegrityEcosystem” efforts, and the specific mitigating measures we deploy as “controls”.3 The backbone of ourIntegrity Ecosystem is our suite of Content Policies, specifically our Community Standards, AdvertisingStandards, and Commerce Policies, which outline what is and is not allowed on Instagram.4,5,6 Meta employs aThree Lines of Defence (LoD) model to help effectively identify and manage risks, ensure accountabilityacross our business functions, and enable risk-based decision making across Meta. DSA Systemic Risk Assessment Overview Meta Platforms Ireland Limited, as the provider of Instagram in the EU, has conducted its 2025 Systemic RiskAssessment (“Year 3 Assessment”) for Instagram in accordance with Article 34 of the Digital Services Act(DSA). This document (“Report”) sets out the results of the Year 3 Assessment for the period between 1September 2024 and 31 August 2025. The data collection period was 18 May 2024 - 31 March 2025. Any risks that are identified or mitigations that are implemented after this data collection period will becaptured through next year's Systemic Risk Assessment. This includes additional mitigations such as: ● further recalibrations of Meta's enforcement strategy to address the risks of over-enforcement; ● providing additional user education materials and tools to help users avoid scams.7 This also includes the launch of new products in the region, such as the introduction of Meta AI features toInstagram. We will release a public version of this Report. 7 https://about.fb.com/news/2025/05/avoiding-investment-payment-scams-online/ 6 https://www.facebook.com/policies_center/commerce 5 https://transparency.meta.com/policies/ad-standards 4 https://transparency.meta.com/en-gb/policies/community-standards/ 3 Controls are a combination of people, processes, policies, and tools that Meta has put in place to mitigate integrity risksand prevent, detect, or correct integrity issues. Controls include any system, process, policy, device, practice, or otheractions which reduce the likelihood or impact of a given risk occurring. 2 Regulation (EU) 2022/2065 Digital Services Act Transparency Report for Instagram (October - December 2024) 1 https://www.meta.com/about/company-info/ 4 Our Risk Assessment Methodology follows a phased approach to identify, assess, measure, validate, respondto, mitigate, and report on risks. Meta's Content Policies, which include our Community Standards, Advertising Standards, and CommercePolicies, address various Systemic Risk Areas. To better align with Meta's risk categorisation approach, wehave further divided these Systemic Risk Areas into more specific categories, which we refer to as 'Problem Areas’.8 For more detailed information, please refer to Section 4: Systemic Risk Landscape. Meta continuously evolves our practices to respond to the evolving risk landscape and regulatoryenvironment. Meta’s Integrity Governance, Risk, and Compliance (“Integrity GRC”) Programme and EUIntegrity Compliance Office (ICO) provide ongoing risk governance and oversight of Meta’s services, systems,and processes. Our Risk Assessment Process consists of six steps and is applied in our annual Systemic Risk Assessment. We have designed and implemented this process by leveraging guidance and standards relevant to integrityrisks in the EU, such as ISO 31000:2018 and the United Nations Guiding Principles on Business and HumanRights. 9,10 Key Enhancements For the Year 3 Assessment, Meta made several methodology enhancements to improve the accuracy,consistency, and utility of the assessment. These improvements reflect lessons learned from previousassessments, informal feedback from the European Commission including via Request for Information (RFIs)and engagements, gathering external stakeholder feedback, and the evolving regulatory and riskenvironment. The most significant updates include: 1. Refinements to the Integrity Risk Taxonomy: In Year 3, we refined the Integrity Risk Taxonomy tobetter align with the platform violations as stated in the Community Standards. This has allowed usto be more precise when assessing the risks, as we can directly apply the enforcement data forpolicy-violating content to the risks in our Taxonomy. As part of the refinements, we reduced thenumber of individual risks from 122 in the 2024 Systemic Risk Assessment (“Year 2 Assessment”) to71 in the Year 3 Assessment by consolidating similar risks into fewer categories based on thecategory of violation. Though the risks have been consolidated, this shift has enabled more precisemeasurement due to the direct linkage to the Community Standards violations for each risk. We alsoincreased the number of Problem Areas from 19 to 22 to better align to the revised risks. Forexample, we created new Problem Areas forViolent and Graphic Content,Spam, andAdult SexualSolicitation and Sexually Explicit Language. The risks within these new Problem Areas were assessedin Year 2, but under broader categories. This reclassification reflects a more granular and preciseapproach to risk identification and management. 10 https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf 9 https://www.iso.org/standard/65694.html 8 These Problem Areas map to our Instagram Community Standards and may vary in naming convention. 5 2. Systemic Risk Landscape Updates: As part of our efforts to enhance our Risk Assessment Process,we reassessed the mappings between Problem Areas and the eight (8) Systemic Risk Areas definedby the DSA. These changes were informed by external stakeholder feedback, internalcross-functional consultation, and updates to our Integrity Risk Taxonomy, ensuring alignment withthe DSA while building on Meta’s longstanding commitment to assessing real-world risks. In Year 3,we mapped four Problem Areas—includingBullying and Harassment,Hateful Conduct,Adult SexualSolicitation and Sexually Explicit Language, andViolent and Graphic Content—to theFundamentalRights Systemic Risk Area to better reflect the link between platform risks and users’ rights. OtherProblem Areas with mapping updates to Systemic Risk Areas in Year 3 includeAdult Nudity andSexual Activity,Coordinating Harm and Promoting Crime,Discriminatory Practices,Restricted Goods and Services,and Violent and Graphic Content. Details can be found in the Section 4: Systemic Risk Landscape. 3. Inherent Risk Framework Improvements: We have updated our inherent risk rubrics to enable a moreunified and data-informed perspective. Our likelihood assessments now more consistently integratekey factors, including the proportion of Monthly Active Users (MAU) in the EU online population, aswell as enforcement trends and subject matter expert input to determine volume. 4. Control Effectiveness Methodology Updates: During the Year 3 Assessment, we have expanded ourcontrol effectiveness evaluation framework by incorporating a more comprehensive range ofqualitative and quantitative data points. We have also updated our methodology for aggregatingcontrol effectiveness scores to now consider the additive impact of all relevant controls for each risk. This enhancement allows us to assess the value of adding new controls. These methodology enhancements have enabled more consistent risk understanding and directly informinternal strategic investment and prioritisation. Risk Results Overview Although the updated methodology introduced greater variation in scores, many Problem Areas remainedstable in residual risk tiers year-over-year. Areas such asHuman Exploitation andDangerous Organisationsand Individuals remained in Tier 2, reflecting the continued impact of mature controls and targeted mitigationstrategies. For eight (8) Problem Areas, the underlying risks changed significantly from Year 2, impacting theability to compare year-over-year. For example, theAdult Sexual Exploitation Problem Area is now distinctfrom theAdult Nudity and Sexual Activity Problem Area to better account for the difference in severitybetween the two areas. In prior years, these were one Problem Area,Adult Sexual Exploitation andAdultNudity. As the Year 3 Problem Areas ofAdult Sexual Exploitation andAdult Nudity and Sexual Activity havedifferent risks and risk scores, they are incomparable to the one Problem Area from Year 1 and Year 2. Where residual risk tiers increased from last year —such as inChild Sexual Exploitation, Abuse, and Nudity,Fraud and Deception, Intellectual Property (IP) Infringement, Misinformation, Privacy Violations, Voice andFree Expression,Restricted Goods and Services, Coordinating Harm and Promoting Crime, Policy Violations, andSuicide, Self-Injury, and Eating Disorders (SSIED)—the shifts were driven by a combination of refined riskmeasurement inputs and/or the control environment. Looking ahead, our goal is to not only mature in our ability to assess Systemic Risks but also to act on thatunderstanding through reasonable, proportionate, and effective mitigation of risks—strengthening our abilityto fulfil our obligations under the DSA and uphold the fundamental rights of users across the EU. 6 Inherent Risk Shifts The methodological improvements significantly impacted the assessment of inherent risk, leading to arebalancing of scores across several Problem Areas. The adjustments in taxonomy, data inputs, andclassification logic, resulted in more precise measurements for Year 3, but it also limits direct comparabilitywith Year 2 inherent risk scores. For example, minor nudity, which includes less severe violations like a parentposting a photo of a minor in a bathtub, is now categorised as lower risk, which reduces the inherent risk oftheChild Sexual Exploitation, Abuse, and Nudity area. In some cases, the shift in inherent risk was also due tothe evolving risk environment. Control Effectiveness Shifts In Year 3, the precision of control effectiveness assessments improved due to the incorporation of additionalqualitative and quantitative data, allowing for more nuanced evaluations but also leading to greater variationin assessed control environments across risks. Notable changes were observed in theVoice and FreeExpression andFraud and Deception areas, with control effectiveness declining due to identification ofincreased false positives and limitations in our ability to proactively detect scams and violating networks,respectively. The SSIED area saw an increase in residual risk from Tier 2 to Tier 3, partly due to limitationsidentified in the control environment. In many cases, observed changes in control effectiveness scores are due not to actual changes in theunderlying controls, but rather to improved data availability and more refined estimation approachescompared to prior years. As a result, direct year-over-year comparability is limited, as score shifts may reflectimproved measurement rather than true improvement or deterioration. Meta has implemented new andenhanced controls designed to improve overall effectiveness, with ongoing efforts to address identifiedissues while respecting users' human rights. Some enhancements that have been implemented since we finished our analysis and scoring for this assessment can be found in Section 6: Risk Mitigation Enhancements. Residual Risk Shifts While many residual risk tiers remained stable year-over-year, some residual risk scores show a generalincrease from Year 2, which we attribute mostly to refinements in risk measurement and deliberate accuracyadjustments to our control effectiveness methodology rather than actual changes in risk exposure.ChildSexual Exploitation, Abuse, and Nudity, Fraud and Deception, Inauthentic Behaviour, IP Infringement,Misinformation, Voice and Free Expression, Restricted Goods and Services, Coordinating Harm andPromoting Crime, Privacy Violations, Account Integrity and Authentic Identity, andSSIED, increased inresidual risk tier due primarily to methodology updates, and in some cases, limitations in the controlenvironment. In addition, a direct comparison year-over-year cannot be determined for some risks withinProblem Areas such asAdult Nudity and Sexual Activity andHateful Conduct, due to revisions in the riskstatements from Year 2 as well as updates to refined or new Problem Areas in Year 3. As Meta's Integrity GRCfunction matures, year-over-year comparisons are expected to become more reliable, enabling moreinformed mitigation decisions that align with human rights commitments and DSA obligations. The Road Ahead We remain committed to providing a platform that provides value to our users and society at large andrespects people’s rights, including freedom of expression, while continuing to enable innovation. 7 We look forward to continuing to work with the European Commission and European Board for DigitalServices to incorporate feedback from this Year 3 Systemic Risk Assessment, and any additional guidanceprovided by the European Commission such as recently published Guidelines on the Protection of Minors, and to continue enhancing our integrity measures towards the shared objectives of minimising harmeffectively, protecting and empowering people, and upholding their fundamental rights.11 1. Introduction Pursuant to Article 34 and Article 42 of Regulation (EU) 2022/2065 (DSA), Meta Platforms Ireland Limited(“Meta”) is pleased to provide our annual DSA Systemic Risk Assessment Report (the “Report”) forInstagram. We are committed to maintaining a safe, reliable, and trustworthy online environment across all ofour services, including Instagram. Our apps and services are designed to give people a voice and supportfundamental rights, which is aligned with the EU’s goal of creating “...a safer digital space in which thefundamental rights of all users of digital services are protected”.12 1.1 Purpose The purpose of this Report is to detail the results of Meta’s annual DSA Systemic Risk Assessment and thereasonable, proportionate, and effective mitigation measures in place to address Systemic Risks evaluatedduring this assessment in accordance with Articles 34, 35, 42(4)(a) and (b) of the DSA. Meta has identified, analysed, and assessed the Systemic Risks in the EU that could stem from or beinfluenced by the following: ● Bad actors, behaviour (e.g., harassment), or content (e.g., hate speech) that violates our Termsand/or may be considered illegal; ● App design or functionalities, including but not limited to algorithmic systems (e.g., recommendersystems); or ● The use made of our services. 1.2 Scope Meta’s third annual DSA Systemic Risk Assessment of Instagram is for the period of 1 September 2024 - 31August 2025. The data collection period was 18 May 2024 - 31 March 2025. The scope of this assessment is limited to the Systemic Risk Areas defined in Article 34 of the DigitalServices Act (DSA), including the Deceptive and Misleading Systemic Risk Area, which was introduced in ourYear 1 assessment to address behaviour and content designed to deceive, mislead, or defraud users, typicallyfor personal gain. The eight (8) Systemic Risk Areas analysed are as follows: 12 https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package 11 On 14 July 2025, the Commission published its guidelines on the protection of minors under the DSA to ensure a safe onlineexperience for minors and young people. 8 Pursuant to the European Commission’s decision designating Instagram as a Very Large Online Platform(VLOP) in accordance with Article 33(4) of the DSA, the Instagram VLOP does not include private messagingservices like Instagram Direct which, based on its technical functionalities, does not meet the definition of anonline platform. As such, Instagram Direct is not in scope for this Report. The focus of this assessment is on the Systemic Risk Areas defined in Article 34 of the DSA and ourinterpretation of the associated Systemic Risks in the EU. While our systems and policies are global in nature,this Systemic Risk Assessment reflects risks that could have an impact in the EU, as well as the reasonable,proportionate, and effective mitigation measures Meta has in place to address the aforementioned SystemicRisk Areas. Similarly to the Systemic Risk Areas, before deploying functionalities on Instagram in the EU that couldcritically impact Systemic Risks, Meta conducts a Critical Impact Risk Assessment (CIRA) in accordance withArticle 34. This assessment identifies potential impacts on Systemic Risks and determines the reasonable,proportionate, and effective mitigations required prior to launch. 1.3 Approach Meta continues to evolve its practices and respond to content-related regulations, including by establishingand continuously enhancing our Integrity GRC Programme. This programme includes an Integrity RiskManagement Process that pulls from ISO 31000:2018 as well as the Digital Trust and Safety Partnership(DTSP) framework, is tailored to meet the needs of our environment, builds on the existing integritymeasures we have had in place for years, and accounts for feedback provided by the European Commission.13 1.4 Limitations and Assumptions There were a number of limitations and assumptions associated with carrying out this Systemic RiskAssessment, including: ● Guidance and Standards: Meta has leveraged guidance and standards relevant to integrity risks inthe EU, such as ISO 31000:2018 and the United Nations Guiding Principles on Business and HumanRights, to inform the design and execution of our Integrity Risk Assessment Process.14 We lookforward to receiving guidance from the European Board for Digital Services to understand thelessons learned from industry Risk Assessments, which we expect will contribute to the furtherdevelopment of guidance and standards for the industry. ● Signal Parity: To inform the evaluation of risks and controls, we gathered internal signals fromvarious sources, including subject matter experts, our Issue Management Programme, assuranceresults, internal metrics, and publicly available transparency reporting data. These signals provide a 14 https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf 13 https://www.iso.org/iso-31000-risk-management.html 9 foundation for our Risk Assessment, however, signal quality and strength can vary across differentrisks and controls. Meta is on a journey of continuous improvement, and the quality of our risk andcontrol signal will further improve and mature as we enhance our Risk Assessment Process andprogramme. 2. An Overview of Instagram Meta builds technologies that help people connect, find communities, and grow businesses. Instagram helpsgive people the power to build community and bring the world closer together. It's a place for people to sharelife's moments and discuss what's happening, nurture and build relationships, discover and connect throughshared interests, and create economic opportunity. With over 272.0 million average monthly active Instagram users in the EU between 1 July 2024 to 31December 2024, Instagram helps people make connections and navigate life’s many milestones with itsvarious features and services.15 There are different types of content that enable our communities to interact,including: ● Organic content (e.g., content generated by users); ● Paid content (e.g., ads created by brands and businesses); and ● Commerce content (e.g., products listed by merchants on Instagram). Instagram provides the tools for people to do more together and empowers people to support each otheraround the world. Examples of how people are using Instagram to support each other around the world andhow Meta is enabling this include the following: ● Promoting Well-Being: Instagram collaborates with leading experts, trusted organisations, parentsand young people in our shared mission to build positive online experiences for families. Through ourFamily Centre, parents can set up supervision tools and access an education hub with tips andarticles from trusted experts that include information about safety and well-being tools andfeatures.16 We introduced Instagram Teen Accounts to automatically place teens in built-inprotections and reassure parents that teens are having safe experiences. Teen Accounts will limitwho can contact teens and the content they see, and help ensure their time is well spent.17 ● Media: Inspired to help users and creators reach their goals, Instagram has a seamless set upexperience for setting up your Instagram account to start creating and sharing photos and videoswith your followers. Users can join other creators and businesses managing their content with thehelp of tools such as Creator Studio, Rights Manager and News Page index, to connect with friends,family and communities of people who share similar interests.18 ● Business Growth: Instagram contributes significantly to the EU economy, and it is helping usersdiscover new products and brands that are most relevant to them. Personalised advertising enablesbusinesses of all sizes to find customers and grow their presence. 18 https://www.facebook.com/formedia/goals/get-started 17 https://about.fb.com/news/2024/09/instagram-teen-accounts/ 16 https://about.instagram.com/safety 15 EU Digital Services Act: Transparency Reports for VLOP Instagram (October - December 2024) 10 3. A Balancing Act: Respecting Rights and Mitigating Risk Meta is committed to respecting the fundamental rights of our users located in the EU as outlined in the DSA. Our third annual Human Rights Report demonstrates how we are living up to the commitments made in our Corporate Human Rights Policy.19,20 We strive to respect human rights in every action we take and everyproduct we build. However, certain aspects of human rights can at times be in tension with one another, requiring, for example,a balance between freedom and prohibiting hateful conduct. At Meta, we strive to strike this balance: ● Our Community Standards outline what content is and is not allowed on Instagram. These policiesare informed by international Human Rights Standards as outlined in our Corporate Human RightsPolicy. This helps us strike a balance between promoting free expression and respecting other users’rights. ● We engage with our community and experts to inform our Community Standards, using a robustpolicy management engagement process that includes outreach to global stakeholders, includingcivil society organisations and academia, feeding into revised policy language in our TransparencyCentre. ● As a part of the policy development process, the Human Rights Team conducts separaterights-based analysis and due diligence of proposed policies, submits analysis to policy leadershipand presents views to each Policy Forum. Human rights impacts and mitigations are a consistentconsideration in the policy development process. ● We assess potential human rights impacts through due diligence, aligned with United Nation GuidingPrinciples (UNGPs) 17 and 21, the International Bill of Rights and the EU’s Charter of FundamentalRights, among others.21 ● We provide pathways for stakeholders to report potentially sensitive content, taking a remediationapproach consistent with UNGP 31. We maintain multiple grievance pathways, including an appealsprocess to the Oversight Board.22 ● We undertake proactive measures to address human rights-related risks, including ourComprehensive Human Rights Salient Risk Assessment (CSRA), ongoing product counselling, andintegration of human rights risks into content risk forecasting. We offer human rights training,including customised training sessions tailored to specific teams, such as Regulatory Complianceand Content Policy, which may include specialised training on our commitments as a member of theGlobal Network Initiative (GNI) or the Rabat Plan of Action.23 ● We have strengthened our governance systems, empowering the Oversight Board to provideindependent review and decision-making on content moderation and enforcement. The Oversight 23 https://www.ohchr.org/en/freedom-of-expression 22 https://www.oversightboard.com/ 21 https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf 20 https://about.fb.com/wp-content/uploads/2021/03/Facebooks-Corporate-Human-Rights-Policy.pdf 19 https://humanrights.fb.com/wp-content/uploads/2024/09/2023-Meta-Human-Rights-Report.pdf 11 Board has issued 292 non-binding recommendations across policy, enforcement, and transparencyfrom January 2021 through 27 February 2025.24 3.1 Meta’s Commitment to Respecting Voice and Enhancing User Safety In our commitment towards balancing freedom of expression and safety, we developed our CommunityStandards that outline what is and what is not allowed on Instagram. These standards are based on feedbackand advice from global stakeholders in fields like digital rights, freedom of expression, public safety,journalism, elections, and human and civil rights. We have developed an Inclusivity Framework to ensure thatthe views of our diverse stakeholders are considered in the development of our policies and CommunityStandards.25 At Meta, we believe and work to protect freedom of opinion and expression as foundational human rights thatenable other rights. While we remain committed to respecting our users’ voices, we also need to balancesafety. For example, while we do not allow content that promotes or celebrates suicide, we do allow contentthat depicts recovery from attempted suicide, self-injury, or eating disorders, such as healed wounds, asdescribed in our Suicide, Self-Injury and Eating Disorders Community Standards.26 We also provide context about what users see and provide warning screens for content that some may findsensitive. This allows users to make their own decisions on what to read, and share.27 In rare cases, we mayallow content that may violate our Community Standards, if it is newsworthy and if keeping it visible is in thepublic interest. We do this only after conducting a thorough review that weighs the public interest valueagainst the risk of harm.28 We also look to international Human Rights Standards, as reflected in ourCorporate Human Rights Policy, and trusted experts to make these judgments.29 In January 2025, Meta introduced changes to the Community Standards regarding Hateful Conduct andrelated guidance. These changes were made to enable more public debate and discussion about social issuesof political and social importance, as well as to reduce possible over-enforcement.30 Before introducing thechanges, we identified and assessed the potential risks associated with the changes. We also confirmedthrough the assessment that we employed reasonable, proportionate, and effective mitigations to addressthe potential risks associated with the changes. We continue to conduct robust external engagement, including through our network of Trusted Partnerscomposed of over 400 non-governmental, not-for-profit, national, and international organisations in 113countries who report content, accounts, and behaviour. We frequently benefit from having local context fromour Partners when we review these reports.31 We have also established mechanisms for reviewing reports ofallegedly illegal content from “Trusted Flaggers” in compliance with the DSA. 31 https://transparency.meta.com/en-gb/policies/improving/bringing-local-context 30 https://transparency.meta.com/policies/community-standards/hateful-conduct/ 29 https://about.fb.com/wp-content/uploads/2021/03/Facebooks-Corporate-Human-Rights-Policy.pdf 28 https://transparency.meta.com/en-gb/features/approach-to-newsworthy-content/ 27 https://about.meta.com/actions/promoting-safety-and-expression/ 26 https://transparency.meta.com/policies/community-standards/suicide-self-injury/ 25 https://transparency.meta.com/policies/improving/stakeholders-help-us-develop-community-standards/ 24 https://transparency.meta.com/en-gb/oversight/meta-H2-2024-bi-annual-report 12 3.2 Complaints and Appeals As with any set of complex systems and processes, we recognise that it is not possible to always getenforcement actions right. Our complaints and appeals mechanisms have long been in place and madeavailable to reporters of content and users who are affected by decisions. For example, in the first quarter of2025, out of 4.9 million pieces of content related toViolence and Incitement that were actioned on Instagramglobally, we received appeals for 618,000 pieces of content, of which 129,000 pieces of content were laterrestored.32 If we change our decision, we notify the reporter and the user and implement our revised decision. If we have reviewed an appeal and the user still does not agree with our decision, they may be able to appealto the Oversight Board.33 The Oversight Board independently reviews some of the most difficult andsignificant content decisions we make across our global operations. After completing its review andpublishing their decision, the Oversight Board may issue non-binding recommendations related totransparency, policy, and enforcement. Meta responds to these recommendations within 60 days of theBoard's decision with initial commitments and provides updates in regular reports. In the second half of 2024alone, Meta completed work on 15 recommendations made by the Oversight Board. The recommendationswe undertook in 2024 spanned our operations, policies, and services, contributing to broad and meaningfulimprovements in policy, transparency, and enforcement across the company and our global community.34 Additionally, Meta provides a user-friendly process for users to appeal to certified Out-of-Court Dispute Settlement Bodies (ODS) bodies, as detailed in Section 4.1: External Stakeholder Engagement and Section 5.2.1.6 User Rights and Recourse. 4. Systemic Risk Landscape A core part of Meta’s commitment to online safety is identifying and understanding potential Problem Areas,which are categories of content or behaviour that can pose risks to our users, and the specific risks that mayarise within them. Our policies, teams, systems, and processes are organised around these Problem Areasand we have dedicated internal experts and targeted approaches to mitigate each of these Problem Areas. The Systemic Risk Landscape depicts Problem Areas either mentioned in Article 34 of the DSA orunderstood by Meta to impact potential Systemic Risks in the EU. We used our deep knowledge of theseProblem Areas and their associated potential risks to assess the DSA Systemic Risk Areas and defineInstagram’s Systemic Risk Landscape. While the Risk Assessment Process mainly focuses on identifying and assessing known risks, we haveestablished processes in place to assist us in identifying emerging risks and gathering signals on unknownrisks. These processes include, but are not limited to, our threat intelligence capabilities, engagement withexternal research institutions, advocacy groups, law enforcement, and industry information-sharingpartnerships. A visual representation of Meta’s Systemic Risk Landscape and the Problem Areas aligned to each SystemicRisk Area is detailed in Figure 1. This landscape is meant to depict our most recent analysis andunderstanding between Problem Areas and the DSA Systemic Risk Areas. Some risks may map to multiple 34 https://transparency.meta.com/oversight/meta-quarterly-updates-on-the-oversight-board/ 33https://help.instagram.com/185474462526094?helpref=faq_content 32 https://transparency.meta.com/reports/community-standards-enforcement/violence-incitement/instagram/ 13 Systemic Risk Areas, and we periodically update these mappings. As referenced in the Executive Summary, we have revised the Problem Area to Systemic Risk Areas mappings in Year 3. Figure 1. Meta’s Systemic Risk Landscape Our approach to Illegal Content Our Risk Landscape graphic above highlights Problem Areas that may be considered to be Illegal Contentunder certain regulatory regimes and legal frameworks. However, these are not directly mapped to the IllegalContent Systemic Risk Area (per Art 34(1)(a) of the DSA). Our globally applicable Community Standards outline types of content or behaviour that are not allowed on Instagram; our Integrity Ecosystem supportsand enforces these standards. While our Community Standards may often overlap with common areas of illegality (e.g., minor exploitation),they do not map to specific laws due to variations across countries and nuances in legislation. In some cases, 14 content that violates our policies may also be illegal. Our policies also cover Problem Areas that would notcommonly be considered to be illegal (e.g., bullying). In the EU, we provide dedicated reporting tools for illegal content, accessible from relevant content and in ourHelp Centre.35 We may receive court orders to restrict content on Instagram or reports from governments,regulators, as well from non-government entities, and members of the public alleging content is unlawful. Wereview these requests in line with Meta’s obligations under the DSA, our Corporate Human Rights Policy, andour commitments as a member of the GNI.36 For example, in our DSA Transparency Report for Instagramcovering 1 October 2024 to 31 December 2024, we reported 98 Authority Orders to act against illegalcontent (including Article 9 orders) addressed to Meta. In that same Transparency Report, we reported163,760 notices submitted in accordance with Article 16 of which 39,675 (or ~24%) led to content removal orrestriction.37 Our approach to Fundamental Rights Meta has well established and enforceable policies for each Problem Area mapped above, with the exceptionof "Discriminatory Practices” that is mapped solely to Fundamental Rights. Meta embeds human rightsconsiderations across our product development, policy decisions, and enforcement systems to proactivelyidentify and address potential harms to users and communities, particularly those most at risk. More broadly,prevention of non-discrimination is embedded throughout our policies and enforcement systems, and humanrights considerations inform how we develop our tools, technologies, and content moderation processes at scale. For further details, see 4.2.7 Fundamental Rights, 5.2.2.22 Voice and Free Expression and 5.2.2.9. Discriminatory Practices. Our approach to Physical and Mental Well-Being Physical and Mental Well-Being is not listed as its own Systemic Risk Area in our Systemic Risk Landscape aspotential impacts to physical and mental health are applicable to all Problem Areas and risks. Our SeverityPrinciples consider Harm Type, which encompasses impacts on users' physical and psychological health, andwe evaluate these risks as part of our Inherent Risk calculation within our Severity Rubric. Higher severityscores are assigned to risks deemed to have a potentially elevated impact on an individual’s physical andpsychological well-being. Meta also continuously develops resources to help support our users' well-being.These include external resources such as our Safety Centre and Help Centre, which provide tailored supportmaterials for communities that can be most impacted by harmful content.38 Given the importance of this riskand its potential impacts, such as Suicide, Self-Injury and Eating Disorders (SSIED), we also assess andmonitor a risk dedicated to how users might engage with Meta’s platforms in ways that could lead toproblematic use and affect their well-being. This ensures focused attention on these critical aspectsalongside our cross-cutting evaluation. See Appendix 8.2: Rubrics and Scoring for more information on the Severity Rubric and Section 4.2.3: Public Health for information on how we support users with digital wellness. 38 https://about.meta.com/actions/safety/topics/wellbeing/ 37 EU Digital Services Act: Transparency Reports for VLOP Instagram (October - December 2024) 36 https://globalnetworkinitiative.org/gni-principles/ 35 https://www.meta.com/help/policies/1138173423768570/ 15 4.1 External Stakeholder Engagement Meta actively engages external stakeholders to gather diverse insights on integrity risks and their potentialimpacts on users and society. These insights inform internal teams on how to improve integrity risk mitigationstrategies. We receive a wide range of perspectives, often from competing global viewpoints, which wecarefully balance to guide decision-making. In line with Recital 90, we have continued to engage with Civil Society Organisations (CSOs) and considertheir feedback in the Year 3 Assessment. In addition, in the relevant time period, we participated in a series ofDSA stakeholder engagement forums organised by the Global Network Initiative and the Digital Trust \&Safety Partnership, which provided opportunities to exchange insights on platform-related risks. We collaborate closely with internal stakeholders to understand CSO input and integrate it into ourassessment. For example, based on CSO feedback and continuous learning, we refined our Systemic RiskLandscape by updating the mapping of key Problem Areas—namelyBullying and Harassment, HatefulConduct,and Violent and Graphic Content—with Fundamental Rights to better reflect evolving risks. This ismerely one example; below are additional examples of how we work with external stakeholders to inform ourapproaches and processes: ● Labelling AI-Generated Content: Meta’s approach to labelling Generative Artificial Intelligence(GenAI) content and manipulated media is informed by feedback from external stakeholders,including the Oversight Board. We engage with external stakeholders to gather diverse insights onintegrity risks and their impact on users and society.39 ● Brussels Artificial Intelligence Forum (November, 2024): Meta convened academics and researchersto evaluate Meta AI, Meta’s GenAI assistant, focusing on EU-specific use cases and regional risksbefore its anticipated launch in the EU. Participants included experts from policy think tanks andacademia, covering areas such as persuasive design, formal verification, AI personalisation, and AIethics and regulation. This engagement enhanced our understanding of regional AI risks, includingthe spread of false information, contested foreign policy issues, narratives surrounding refugees, andcontentious historical subjects. ● Women’s Safety: Meta collaborates with external women’s safety advisors, specialising innon-consensual intimate images (NCII), adult sexual exploitation, and other online harms affectingwomen. Their expertise shapes the design of our policies, products, and programmes to prevent andrespond to online abuse, including efforts to detect and remove NCII and support victims of onlineharassment.40 ○ Meta Roundtable for Women’s Safety \& Human Rights Partners (March 2025): During theUN Commission on the Status of Women, Meta hosted a small roundtable with Women’sSafety and Human Rights Partners to discuss new tools, safety features, and policy updates.Participants included global organisations, such as the United Nations Population Fund(UNFPA), the United Nations High Commissioner for Refugees (UNHCR), and the GlobalNetwork of Women's Shelters (GNWS). The discussion enhanced our understanding ofplatform risks and emerging trends in Women’s Safety and Human Rights. We also shared 40 https://about.meta.com/actions/safety/ 39 Our Approach to Labelling AI-Generated Content and Manipulated Media | Meta 16 planned policy updates on sensitive images and NCII services (e.g., Nudify apps) andcollected feedback to inform future policy launches. ● Minor Safety: At Meta, protecting young people from harm is a top priority, as such we implement anumber of ongoing and new mechanisms to support this effort. Meta is a founding member of the"Take It Down" platform, in partnership with the National Centre for Missing and Exploited Children(NCMEC), to prevent the spread of intimate images of minors and support their removal. Thisinitiative addresses online harm at its root and reflects our approach to protecting vulnerablepopulations through expert and industry collaboration. Since 2023, Meta has partnered withThinkYoung as well as Our Feed Our Future, engaging youth from France, Germany, Spain, Belgium,Denmark, and Italy to discuss the digital future.41 ○ Engaging through Meta Youth Summit (February 2025): In February 2025, Meta hosted the Meta Youth Summit in Brussels, focusing on "Youth Safety in a Digital World." The eventgathered over 130 stakeholders, including representatives from the European Parliament(EP), and European Commissioner for Intergenerational Fairness, Youth, Culture and Sport, representatives from member states, youth organisations, parent networks, civil society,industry experts, and policymakers from various institutions, as well as media and creators. ● Oversight Board: In Half 2 (H2) 2024, we worked alongside the Board to enhance transparency andexternal accountability regarding its governance role across Meta’s platforms. For details on Oversight Board recommendations and their implementation, see Section 5.2.1.6: User Rights and Recourse and Section 6: Risk Mitigation Enhancements. ● Out-of-Court Dispute Settlement (ODS) Bodies: Meta collects insights from external stakeholdersvia the non-binding decisions submitted by certified Out of Court Dispute Settlement (ODS) bodiesas part of the dispute settlement process set forth by DSA Article 21. Members of our Operationsteam conduct regular assessments of non-binding decisions to identify potential opportunities toimprove integrity systems and policies and, thus, Meta’s enforcement outcomes. For additional examples of how external stakeholder engagement informs our policies and enforcement,please see: ● 4.2.1 Deceptive and Misleading ● 4.2.2 Civic Disclosure and Elections ● 4.2.5 Gender-based Violence ● 4.2.6 Protection of Minors ● 5.2.2 Detailed Risk Observations and Mitigating Measures 4.2 Systemic Risk Areas The following sections detail how Meta understands and approaches managing the DSA Systemic Risk Areasfor Instagram with respect to the EU. We continued to evaluate the risk landscape across all Systemic RiskAreas in Year 3, recognising that risks are not static and can be impacted by both internal and external 41 Launching Our Feed Our Future, a Youth Advisory Network in Partnership with ThinkYoung 17 factors. Each Systemic Risk Area is mapped to one or more Problem Areas and Meta has implemented compensating controls to help manage these risks across the Problem Areas. Please see Section 5.2.2: Detailed Risk Observations and Mitigating Measures of this Report for an overview of each Problem Area and the risks and controls associated with each DSA Systemic Risk Area. 4.2.1 Deceptive and Misleading With the ongoing rise of new technologies and increasing interconnectedness, bad actors find new ways totarget victims with evolving deceptive tactics that may be fraudulent or seek to exploit others for money orproperty. Our goal is to detect and mitigate these risks while continuously updating our mitigations as badactors evolve their behaviour. Meta takes a multifaceted approach to reducing inauthentic behaviour and associated content. We prohibitpeople from misrepresenting themselves on Instagram, using fake accounts, artificially boosting contentpopularity, or engaging in behaviours that enable other Community Standards violations. To help usersprotect themselves, Instagram allows users to complete a privacy check-up and update their settings tochoose who can contact them and who can see their personal information, such as their online status, profilephoto, and activity. This helps, for example, avoid unwanted contact from accounts users don’t know thatmay be scammers. In addition, in the EU, we are rolling out measures that use facial recognition technology tohelp detect and prevent scams and enable faster account recovery on Instagram.42 Moreover, Meta is proud to be one of the founding members of the Tech Against Scam Coalition (TASC) and amember of the Global Anti Scam Alliance (GASA). Additionally, our Fraud and Deception Team engages with anumber of external, trusted third parties, such as CSOs, to gather information about scam-related accountsand content. For our assessment of Deceptive and Misleading risks in 2025, we identified that the risk landscape could beimpacted by the continued high number of EU elections, which may lead to inauthentic behaviour risks acrossthe platform impacting political figures and groups, including through the use of GenAI-powered tactics.Foreign influence operations, including from Russian operations, and cross-internet Coordinated InauthenticBehaviour (CIB) campaigns have continued to persist as a trend on the platform. Additionally, we’ve observeda trend in attempts to deceive or scam users through fraud, deception, and misinformation tactics (e.g.,deepfakes and digitally created or altered photorealistic video or audio). Lastly, threat actors continue toexploit user reporting systems with false reports and appeals, making it more challenging to accuratelyidentify benign requests such as hacked accounts recovery support. 4.2.2 Civic Discourse and Elections Meta continues to invest in a comprehensive approach to managing risks related to Civic Discourse andElections with a focus on preventing interference, increasing transparency, reducing the spread ofmisinformation, and empowering people to vote. We have dedicated teams responsible for identifying andaddressing emerging threats, including foreign interference and domestic influence operations. We regularlyreview and update our election-related policies and approaches to ensure they remain effective in mitigating 42 https://about.fb.com/news/2024/10/testing-combat-scams-restore-compromised-accounts/ 18 risks. In Europe, we rely on fact-checkers who are independent from Meta and certified through the EuropeanFact-Checking Standards Network (EFCSN) to address misinformation on Instagram.43,44 Last year, more than two billion people went to the polls across some of the world’s biggest democracies,including the EU.45 Meta increased its investment in election-specific mitigation measures, includingactivating a dedicated team to develop a tailored approach to help prepare for the EU ParliamentaryElections. As a result, we implemented the following election-specific risk mitigation measures: ● External Engagement: In November 2024, Meta participated in the DISICON, an InformationIntegrity Conference convened by the National Democratic Institute in Croatia, which broughttogether different field experts to discuss threats to information integrity. Meta organised aroundtable with CSOs from the Balkan region to discuss cooperation methods ahead of electionsand explain our work on mitigating adversarial threats. Following the event, we added more civilsociety groups to our Rapid Response System (our dedicated channels of intel / signal exchange) tosupport our election integrity efforts. Additionally, last year, Meta signed the AI Elections Accordalongside dozens of other industry leaders, pledging to help prevent deceptive AI content frominterfering with global elections.46 For details on external stakeholder engagement more broadly, see Section 4.1: External Stakeholder Engagement. ● Managing Inauthentic Behaviour: Meta has been an active member of the EU Disinformation CodeTaskforce’s Election Working Group and participates in its Rapid Alert System. Meta attended aroundtable on 10 July 2024, to discuss our efforts in countering misinformation and foreigninterference in France.47 Additionally, in 2024, our teams took down around 20 new covert influenceoperations around the world, including in Europe.48 ● Proactive Measures: Our teams of expert investigators work with engineers to feed the insightscollected through investigations of global adversarial networks into automated detection systems.Through this cycle, we are able to proactively detect other bad actors engaged in similar violatingbehaviours, including networks that attempt to re-enter the platform after being removed. Metacontinues to report publicly on the efforts to disrupt CIB and detect and remove fake accounts orspam through our Community Standards Enforcement Report, Newsroom posts, and AdversarialThreat Report. ● Awareness of GenAI Images and Media: Last year, Meta signed the AI Elections Accord alongsidedozens of other industry leaders, pledging to help prevent deceptive AI content from interfering withglobal elections.49 For our assessment of Civic Discourse and Elections risks in 2025, we identified that the risk landscape couldbe impacted by continued trends that Meta monitors around EU elections and GenAI advancements. Ourprevious report (Year 2) covered the period leading up to the EU Parliamentary Elections, which took place inJune 2024. This year's report (Year 3) covers the close-out of the EU Parliamentary Elections. While the EU 49 https://about.fb.com/news/2024/12/2024-global-elections-meta-platforms/ 48 https://about.fb.com/news/2024/12/2024-global-elections-meta-platforms/ 47 Meta France Post-Election Report November 2024 46 https://about.fb.com/news/2024/12/2024-global-elections-meta-platforms/ 45 https://about.fb.com/news/2023/11/how-meta-is-planning-for-elections-in-2024/ 44 https://transparency.meta.com/features/how-fact-checking-works 43 https://efcsn.com/code-of-standards/ 19 Parliamentary Elections have concluded, our assessment showed that elections continue to pose apersistent, though reduced, risk. Additionally, foreign influence operations, including from Russianoperations, and cross-internet CIB campaigns have continued to persist as a trend on the platform. 4.2.3 Public Health Meta strives to foster an environment that supports public health globally, including within the EU, andstrives to empower users by increasing access to credible health information, enabling people with similarhealth issues to connect with one another, and empowering them to make informed decisions about theirhealth and well-being. We have targeted measures to identify and manage Public Health risk on the platform. We take steps to limitthe visibility of potentially harmful content on our platforms, such as hiding search results for restrictedgoods and services and deploying search enforcement interstitials to connect individuals with resources to report content (please refer to Section 5.2.2.17: Restricted Goods and Services for more information). For minors, Meta applies age-gating restrictions to specific harmful content, such as content related to dietproducts, cosmetic procedures, real money gambling, alcohol, tobacco, among other content types, andleverages enforcement actions to reduce visibility of this type of content to minors. For example, Meta hasinvested in classifiers and infrastructure to limit minors’ exposure to self-injury and other age-inappropriatecontent, even if the content is shared by someone they follow on Instagram.50 We consult with leading health organisations to identify health misinformation likely to directly contribute toimminent harm to public health and safety. This includes misinformation about vaccines, promotion oradvocacy for harmful miracle cures for health issues, and misinformation about health during public healthemergencies. Although Public Health risks can potentially arise from the use of Instagram, the platform also enables peopleto seek help and support. We offer resources, including Crisis Support, the Bullying and Harassment SafetyCentre, Suicide Prevention Resources, our Emotional Health Hub, and our Family Digital Wellness Guides.51 For our assessment of Public Health risks in 2025, we identified that the risk landscape continued to beimpacted by trends, including scams being masked as drug sales, exposure of content related to alcohol,tobacco, and real money gambling to minors, and threat actors targeting minors with weight loss productsand cosmetic procedures. Additionally, it was observed that there has been an increase in videos, pictures,and ads sponsored by gambling companies featuring gambling branding in the background, but otherwise donot contain any gambling content, and are therefore harder to detect and enforce. 4.2.4 Public Security Meta is dedicated to securing our services and negating potential Public Security risks that could arisethrough the use of Instagram. We use targeted enforcement measures to identify and enforce against usersadvocating for or posting dangerous or violent content on our platforms, including enhanced automateddetection technology, proactive enforcement by human reviewers, and detection tools that highlight earlywarning signs of real-world threats. Additionally, we assess high risk events using our Crisis Policy Protocol toidentify those likely to pose a heightened risk of on-platform challenges.52 If we designate an event, we 52 https://transparency.meta.com/en-gb/policies/improving/crisis-policy-protocol/ 51 https://about.meta.com/actions/safety/crisis-support-resources 50 https://about.fb.com/news/2023/12/combating-online-predators/ 20 conduct an operational assessment to determine the scale and complexity of these risks and whetheradditional levers are required. For example this could include issuing additional policy guidance to removecontent which calls for people to bring arms to certain locations, or updating market-specific terms toimprove the accuracy of enforcement against content which violates our Community Standards. Meta continues to invest in countering the misuse of our services by authoritarian governments, terroristgroups, or other threat actors who may attempt to surveil regime critics, opposition figures, and HumanRights Defenders (HRDs).53 Meta blocks domain infrastructure linked to malicious operations from beingshared on our services. When appropriate and in line with our Terms of Use and applicable laws, we notifyusers who are likely targeted by these operations. These notifications are delivered through secure, indirectchannels such as in-app alerts or verified emails to protect user privacy and safety. Where appropriate, we continue to share findings about threats we detect with our industry peers andsecurity researchers to help our entire community better understand and counter internet-wide challenges,including threats to fundamental societal interests, such as threats to the functioning of essential publicservices and large-scale threats to life, such as aspects of terrorism. Additionally, we have a robust processfor reviewing and prioritising countries with the highest risk of offline harm and violence every six months.54 To help support users who may be experiencing public security concerns on our platforms, Meta hasdeveloped safety tools, such as Crisis Support in our Safety Centre, where users can get urgent expert localsupport.55 For our assessment of Public Security risks in 2025, we identified that the risk landscape could be impactedby continued trends that Meta monitors around EU elections and GenAI advancements. We have alsoobserved ongoing trends related to violent and graphic content shared in the EU, particularly related to thecontinued conflicts in Gaza. 4.2.5 Gender-based Violence Meta is committed to protecting freedom of expression and ensuring that women and people of all genderidentities can safely use our platforms to share their voice, build community, and access opportunity. Werecognise that certain communities, including the lesbian, gay, bisexual, transgender, queer (LGBTQ+) community, may face challenges when engaging on our platforms. Over the years, we have sought the help of experts in the field to ensure our platforms are safe for women. Our five-pillar approach works to keep abuse off our platforms:56 ● Resources: We continue to offer access to resources designed with the safety of women in mind. TheInstagram Help Centre provides step-by-step guides to protect users against threatening or unsafecontent. We also have our Women's Safety Hub, which is a centralised location for our online safetyresources geared towards women. ● Policies: We maintain policies to help protect women from online abuse, including instituting rulesagainst behaviours that disproportionately impact women, such as the sharing of NCII and 56 https://about.meta.com/actions/safety/audiences/women/ 55 https://about.meta.com/actions/safety/crisis-support-resources/ 54 https://about.fb.com/news/2021/10/approach-to-countries-at-risk/ 53 https://humanrights.fb.com/wp-content/uploads/2024/09/2023-Meta-Human-Rights-Report.pdf 21 harassment. These policies have been developed in partnership with Meta’s Global Women’s SafetyExpert Advisors.57 ● Tools: We continue to build tools to help people take control of their online experience, stay safe fromunwanted content and contact, report problems, and fight against the sharing of private imageswithout consent and sextortion. ● Expert Engagement: Meta actively collaborates with external stakeholders to deepen ourunderstanding of integrity risks and effective mitigations, focusing on the safety of our users,particularly women and vulnerable groups. Notable engagements include the Meta Roundtable forWomen’s Safety \& Human Rights Partners held in March 2025, ongoing partnerships with NGOsthroughout the year, and a virtual panel hosted by the Council of Europe in January 2025 discussingtechnology-facilitated gender-based violence and Meta’s efforts to address it. These collaborationsprovide valuable insights that inform our strategies to create safer online environments globally. For details on external stakeholder engagement more broadly, see Section 4.1: External Stakeholder Engagement. ● Community Engagement: We continue to gather input and support from external experts to developthe policies, tools, and resources that promote women's safety online. For example, we have beenexpanding on-device nudity controls, combatting nudify apps, and managing sensitive images. More examples of community engagement can be found in 5.2.2.3 Adult Sexual Exploitation. For our assessment of Gender-based Violence risks in 2025, we identified that the risk landscape could beimpacted by the high number of elections in the EU, which may lead to hateful conduct and bullying andharassment risks on the platform. Additionally, due to conflicts in adjacent regions, trends associated withhuman exploitation have continued to persist, including human smuggling. Lastly, new and emerging trendshave been identified that may impact risks related to adult sexual exploitation (e.g., AI kissing apps,nudification tools, breastfeeding content). 4.2.6 Protection of Minors At Meta, minor protection remains a top priority. We are committed to protecting young people from harmand ensuring that our platform is a positive and enriching experience for them. We've developed athree-pronged, industry-leading approach to protecting young people online. First, we focus on preventingharm from happening in the first place by enforcing zero-tolerance policies and developing cutting-edge,preventative tools. Second, we make it easy to report potential harms, and we respond to take action. Third,we continue to collaborate with global experts and industry partners to update our tools that keep youngpeople safe.58 Our three prongs are enabled through implementing a robust, proactive, and responsibleapproach to online safety of minors, including but not limited to following: ● Safety by Design: Meta takes steps to embed safety by design to help users engage safely online andon our products, particularly for minors. In order to use Instagram, users must be at least 13 yearsold. Following the launch of Teen Accounts on Instagram in September 2024, we automaticallyplaced teens into Teen Accounts and teens under 16 need a parent’s permission to change theirbuilt-in protections and account settings. So this will limit who can contact them, the content they 58 https://about.meta.com/actions/safety/onlinechildprotection/ 57 https://about.meta.com/actions/safety/audiences/women/#partners 22 see and limit the time they spend in the app. These protections include Hidden Words to filter wordsand phrases and block words on comments. Sensitive controls for under 18s place them into thestrictest settings and on-device nudity protection, that uses on-device machine-learning to detectand blur images that contain nudity and notify people to think twice before sending them. ● Support Resources: Meta continuously develops a library of tools and resources to help users staysafe online and understand our policies, reflecting our Community Standards and fostering a cultureof respect and empathy. This includes, for example, Meta’s Safety Centre, Meta’s Crisis Supportresources by country and offers guidance for parents, educators, and law enforcement, as well asFamily Centre that provides users with resources, insights and expert guidance to help users supporttheir families’ online.59 ● Detection: Meta uses automated detection mechanisms designed to detect and removepolicy-violating content. For example, in Q1 2025, globally, we removed 1.5 million pieces of contenton Instagram for violating our Child Sexual Exploitation Policy, out of which 94.5% of the contentwas found before users reported it.60 Meta has introduced protective measures at the messagingentry-point on Instagram profiles—the "Message" button where users initiate direct conversations.These measures target interactions flagged as risky by our machine-learning-based detectionsystem. When an interaction is identified as potentially risky or suspicious, the system can triggervarious alerts including display warnings to users interacting with suspicious accounts and limitingthe ability for flagged accounts to interact with other users by blocking their ability to postcomments. ● User Reporting: We continue to maintain and quickly respond to user reporting channels, which helpprevent the spread of harmful content in violation of our policies including, for example, harassment,bullying, graphic violence, and sexually explicit content. Meta made reporting functionality availableand easily accessible across Instagram to all users, including minors.61 ● Protection of Minors’ Privacy, Safety, and Security: Year-over-year, we continue to invest inprotection of minors’ privacy, safety, and security. Instagram defaults to private accounts andlocation settings when a minor signs up for an account, though minors can choose to turn theiraccount to public and/or share their locations. Given that minors can make this choice, Instagram hasimplemented mechanisms, including tooling and classifiers, to help protect minors from interactingwith potentially suspicious adults. However, this continues to be challenging when threat actorsattempt to evade detection and enforcement, which is why we remain committed to continuallyadapting and improving our safeguards. ● Enforcement: We take comprehensive action against accounts that violate our policies related tominor sexual exploitation, abuse, and nudity, including online grooming of minors. This includesdisabling linked accounts and devices across all our products, not just the original offending account.Furthermore, Meta's Global Response Operations (GRO) team maintains an escalation channelwhere internal teams can escalate complex, sensitive, and urgent issues including those pertaining toprotection of minors. 61 https://help.instagram.com/2922067214679225 60 Community Standards: Child Endangerment: Nudity and Physical Abuse and Sexual Exploitation 59 https://familycenter.meta.com/ 23 ● External Engagement: Meta collaborates with industry partners, law enforcement, and specialiststakeholders, such as the NCMEC, to tackle online safety of minors. For example, we partner withexternal organisations, like Orygen that developed #chatsafe for Educators and suicide proventionand Thorn’s NoFiltr brand, to enhance our educational materials on topics such as youth safety andminor protection.62,63 Furthermore, Meta is part of the WeProtect Global Alliance industrycommittee. WeProtect brings together experts from government, the private sector, and civil societyto protect minors from sexual exploitation and abuse online. For more details on external stakeholder engagement more broadly, see Section 4.1: External Stakeholder Engagement. For our assessment of Protection of Minors risks in 2025, we identified that the risk landscape could beimpacted by the evolving GenAI technologies, including nudification tools and GenAI tools that createimagery depicting minors that are not real. Furthermore, Meta has continued to observe trends related tobullying and harassment of minors, increased risk of exposing minors to content related to alcohol, tobaccoand real money gambling, and threat actors targeting minors with weight loss products and cosmeticprocedures. 4.2.7 Fundamental Rights Meta seeks every day to translate human rights principles into meaningful action. The foundation of our workis the Meta Corporate Human Rights Policy. Our commitment and approaches are informed by the UnitedNations Guiding Principles on Business and Human Rights plus the international and regional Human RightsStandards listed in our Corporate Human Rights Policy. These approaches include (1) applying Human Rights Standards to our policies, products and operations; (2)conducting due diligence and disclosure; (3) providing access to remedy; (4) maintaining oversight,governance, and accountability; and (5) protecting Human Rights Defenders.64 Further details are available inour annual Human Rights Reports. These approaches inform and are complementary to our DSA regulatorycompliance work. Through our day-to-day due diligence work, many different teams collaborate to continuously integrateHuman Rights Standards into our activities. For example, a specialised subject matter team at Meta providesongoing advice to assess and mitigate rights-related risks with regard to Content Policies, productdevelopment, crisis and conflict response, and election preparation. To support the Content Policydevelopment process, our experts review proposals through the lens of human rights law and the EU humanrights framework to take account of freedom of expression and the right to non-discrimination, among otherrights risks. In 2024, this included refining our Dangerous Organisations and Individuals Policies, Commercialcontent with potential health and safety risks, and the removal of sensitive imagery. We provide dedicated human rights and civil rights training. These trainings help employees understandhuman rights concepts and principles, how to identify issues and concerns in their work, and where to go forhelp. In parallel, we continue to provide users with pathways to report concerns and appeal decisions made abouttheir content. We have enabled the Oversight Board to make fully independent content moderation decisions 64 https://about.fb.com/wp-content/uploads/2021/03/Facebooks-Corporate-Human-Rights-Policy.pdf 63 https://about.meta.com/actions/safety/audiences/childsafety 62 https://about.meta.com/actions/safety/topics/wellbeing/suicideprevention/educators 24 and recommendations about Content Policy, services, and operations. A member of the Global NetworkInitiative, Meta stays committed to the GNI Principles of Freedom Expression and Privacy in responding togovernment content takedown and user data requests, and is currently undergoing its periodic independentassessment of our implementation of the GNI principles. 65,66,67 We recognise the importance of meaningful engagement with stakeholders from marginalisedcommunities.68 Engagement with external stakeholders, including European civil society groups andfundamental rights experts, helps us live up to our human rights responsibilities, creates an important leverfor accountability and transparency, and strengthens our work. Beginning in 2024, Meta has convened anexpert roundtable of global human rights experts to share insights with the company about human rightsbest practices. Additional information on how we approach fundamental rights via our efforts to champion respect for human rights in our actions and products is outlined in Section 3: A Balancing Act: Respecting Rights and Mitigating Risk and Section 5.2.2.11: Hateful Conduct. In Year 3, we undertook a comprehensive reassessment of the mappings between Problem Areas and theSystemic Risk Area framework for Fundamental Rights, that identified opportunities for improvement. As aresult, we refined our approach by explicitly mappingBullying and Harassment, Hateful Conduct, andViolentand Graphic Content Problem Areas to Fundamental Rights. Additionally, we incorporated the newAdultSexual Solicitation and Sexually Explicit Language Problem Area into the Fundamental Rights mapping. For our assessment of Fundamental Rights risks in 2025, we identified that the risk landscape could beimpacted by the high number of elections in the EU, which may lead to discrimination, bullying andharassment, especially against women candidates, and hateful conduct risks on the platform. Additionally,due to conflicts in adjacent regions, trends associated with human exploitation have continued to persist,including human smuggling. Lastly, new and emerging trends have been identified that may impact risksrelated to adult sexual exploitation, in addition to child sexual exploitation, abuse, and nudity (e.g., AI kissingapps, nudification tools, breastfeeding content). Meta recognises that the other Systemic Risk Areas identified in the DSA, such as Civic Discourse andElections, Public Security, Public Health, Gender-based Violence, Illegal Content, or Protection of Minors canall have potential fundamental rights implications. 4.2.8 Illegal Content We provide user-friendly reporting for content alleged to be illegal or violating our Community Standards.Users across EU member states can refer decisions on illegal content to a designated Out-of-Court DisputeSettlement Body. We also notify law enforcement of suspected criminal offences involving threats to life orsafety. In 2024, we responded to over 124,527 government requests in the EU across our platforms.69 Our process reviews reports of content alleged to be illegal under applicable member states and EU law(s) byfirst assessing compliance with our Community Standards. Content violating our policies is removed unlessdeemed newsworthy. Our Community Standards cover many harms overlapping with illegality, such as Hateful Conduct and Child Sexual Exploitation, as mentioned above in Section 4: Systemic Risk Landscape. 69 https://transparency.fb.com/reports/government-data-requests/data-types/ 68 https://humanrights.fb.com/wp-content/uploads/2024/09/2023-Meta-Human-Rights-Report.pdf 67 https://transparency.meta.com/reports/government-data-requests/ 66 https://transparency.meta.com/reports/content-restrictions/ 65 https://globalnetworkinitiative.org/gni-principles/ 25 For IP Infringement, rights holders can report various content types, which are reviewed by our IP operationsteam. If reported content violates applicable local law(s) within the EU but not our Community Standards, we mayrestrict its availability in the relevant country or region, consistent with our Corporate Human Rights Policyand GNI membership. For our assessment of Illegal Content Risks in 2025, we did not identify any new trends since Year 2 thatcould impact the risk landscape. 4.3 Influencing Factors As detailed in Figure 1, we evaluated the impact of our Integrity Ecosystem and its operations on theSystemic Risk Landscape and the associated risks. We refer to these factors collectively as InfluencingFactors, which includes those outlined in Article 34(2), and encompasses design-related factors that caninfluence systemic risks. We also consider other cross-cutting features or factors beyond the list in Article34(2), such as the presence of industry GenAI. These considerations and risks were identified through ourRisk Assessment Process, which evaluated the potential impact on all Systemic Risk Areas. Specifically,through the Assess Phase, we engaged with integrity teams and posed a series of questions for eachProblem Area to deepen our year-over-year understanding of how these systems influence Problem Areasand the associated risks. Through the Measure Phase, and for each Problem Area, we took into considerationinsights from integrity teams including any issues and improvement areas identified through various signals,including assurance testing, where applicable, and analysed data, where available. This section details the overall objective and scope of each factor, circumstances by which it introduces orreduces risks, and key insights and learnings. Specific details on how we mitigate these factors using Meta’s set of controls are provided in Section 5.2: Mitigating Measures Analysis. 4.3.1 Recommender Systems Instagram’s recommender systems are designed to help users discover content that is useful, interesting,relevant, and valuable. To determine what content is eligible for recommendations, we have establishedRecommendation Guidelines, which are published in the Instagram Help Centre, providing context on whysome types of content are not included in the recommendations and may not be distributed as widely.70 We provide information to users on how content is recommended and offer various tools to help themmanage their online experience. These tools include customisable feeds, such as Most Recent, Favourites,Feed, and Content Controls, enabling users to adjust the types of content they see and interact with. We alsoprovide tools to users to control the amount of political content they see.71 Our recommender systems are also designed to prevent the recommendation, recirculation, or amplificationof potentially policy-violating or otherwise potentially sensitive content. We filter content to remove itemsthat potentially violate our policies and standards, and then use machine-learning algorithms and humancuration to select content that users are most likely to be interested in.72 This multi-step approach helps ensure that our recommendations are both relevant and responsible. While our recommender systems have 72 https://about.fb.com/news/2024/04/introducing-our-next-generation-infrastructure-for-ai/ 71 https://help.instagram.com/339680465107440 70 https://help.instagram.com/313829416281232/ 26 robust controls in place, some potentially potentially sensitive content may still be recommended before wecan detect and remove it. We are taking steps to enhance the transparency and control of our recommendation systems. Specifically,we will be recommending more political content based on personalised signals, allowing users who want tosee more of this type of content in their feeds to do so.73 This change is part of our ongoing effort to giveusers more control over their online experience and to promote a more diverse range of perspectives on ourplatform. To support these efforts, we have updated our system cards in the Transparency Centre, to providemore clarity on how recommender systems function (e.g., AI System Card explains how and why users seecontent on Instagram). We implemented a refresh cycle for all system cards across each recommendersystem to ensure our documentation remained accurate, up-to-date, and reflective of the latestdevelopments in our systems. As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to recommender systems: ● Content Ranking: We routinely evaluate whether the signals we use to enable users to get relevantcontent could lead to exposure of potentially sensitive content. We reduce this risk by limiting therole of shares and comments in the distribution of sensitive topics.74 We continue to work onenhancing our capabilities to address mitigations needed on Instagram, including improving existingor introducing new mitigations as appropriate. ● Recommendation Surfaces: Meta has taken steps to improve user safety across ourrecommendation surfaces by launching risk mitigations measures on Instagram Search, which aim toreduce the spread of harmful content. In addition, Meta employs a system to identify policyviolations from both connected and unconnected search results, aimed at reducing the visibility ofpotentially harmful content. ● Recommendation Features: We continuously work to improve and enhance our capabilities toaddress mitigations needed on Instagram. As an example, the Accounts You May Follow (AYMF)feature is designed to help users connect to the people who matter to them most and to help themmake new friends on Instagram. Some of these features could connect bad actors to minors, whichhas an impact on risks in theChild Sexual Exploitation, Abuse and Nudity andHuman ExploitationProblem Areas. To mitigate these risks, we utilise specialised tooling to identify suspicious actors andtake appropriate action, including removing them from recommendation surfaces. On Instagram, welimit the discovery of Teen Accounts in the AYMF, and default everyone who is under the age of 18into more private settings when they join Instagram.75 Additionally, users can remove unhelpfulsuggestions, which helps improve the AYMF feature by reducing similar suggestions in the future.Users also have the option to block someone, preventing them from appearing as a friend suggestionand vice versa.76 76 https://help.instagram.com/426700567389543 75 https://about.fb.com/news/2022/11/protecting-teens-and-their-privacy-on-facebook-and-instagram/ 74 To help inform users about what they see and read, we include warning screens over potentially sensitive content onInstagram, such as: violent or graphic imagery; posts that contain descriptions of bullying or harassment, if shared to raiseawareness; some forms of nudity; and posts related to suicide or suicide attempts. 73 https://about.fb.com/news/2025/01/meta-more-speech-fewer-mistakes/ 27 ● Infrastructure Capabilities: We have implemented new infrastructure capabilities to optimise ourrecommendation systems. This involves exploring innovative technologies, such as elastic rankingand GenAI, which can facilitate more efficient, scalable, and responsive ranking processes. Byintroducing these enhancements, we aim to provide users with more personalised and engagingrecommendations, ultimately enhancing their overall experience and satisfaction. 4.3.2 Content Moderation Systems Instagram’s content moderation systems (“integrity systems”) are designed to detect and review potentiallyviolating content and accounts, including organic, paid content, and commerce. We utilise technology anduser reports to identify potentially policy-violating content, and use both technology and human review toconfirm policy violations and take action on content and accounts that go against our policies. We continue toinvest extensively in updating our integrity systems to keep up with new behaviours and trends. While our detection technology has proven effective in detecting violating content before anyone reports it,as with any complex system, there are certain limitations. That’s why we also leverage users' reports so wecan identify and take appropriate action. In addition, signals from our Trusted Partner and Trusted Flaggerreporting channel (the latter as defined under the DSA) help inform proactive detection of emerging trends,potential policy violations, and certain types of illegal content. We may remove, reduce the distribution of, orinform users of potentially sensitive content based on our Community Standards. We also have our StrikeSystem to hold users accountable for continuous violations of the Community Standards. For mostviolations, the first strike will result in a warning with no further restrictions. If we remove additional poststhat go against our Community Standards, we may also apply additional strikes to the user’s account, whomay lose access to some features for longer periods of time. In addition, we seek to prevent threat actorsfrom creating new recidivist accounts to engage in continued abusive/violating behaviour. Our integrity systems enable policy-violating content to be detected and removed systematically, helping tokeep users safe online. At the same time, making mistakes in enforcement can impact user voice and userexercise of freedom of expression and other fundamental rights on our platform. The latter directly impactsthe Fundamental Rights Systemic Risk Area and is a delicate balance we must strike when managing risk anduser rights. As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to content moderation: ● Detecting Infrequent, High-Risk Content: Our automated-detection systems are trained andimproved when a specific type of content occurs more regularly on our platform, generating asufficient body of examples to build effective classifiers. However, for low prevalence yet high-riskcontent such as suicide and self-injury, we have to rely more on user reporting and human review dueto the limited availability of training data. ● Enforcements: Starting in Q4 2024, Meta implemented several changes to our policies andenforcement measures for both content and users in order to protect free expression on Instagram.By improving the accuracy of our enforcement and preventing mistakes, we were able to significantlyreduce "over-enforcement" of our users and their content. Through monitoring of harm prevalenceand reports, we are confident these changes did not significantly impact enforcement against relatedharms, with minimal integrity regressions and maintenance of existing protective guardrails that 28 mitigate risk to users. Meta teams continue to work on protecting user voice while also balancing theprevention of high harms on our platforms. ● Recidivism Prevention: We continue to invest in recidivism prevention as it remains a challenge thatwe manage across Problem Areas. We have enhanced our recidivism enforcement by implementingadditional cross-platform propagations and establishing measurement for under and over-enforcement. This enables more consistent removal of Violation Actor Networks (VANs) andimproves the accuracy and fairness of enforcement actions. For example, in Q4 2024, Meta hasapplied over 16 million account restriction termination measures for Account Integrity violations inthe EU for Instagram.77,78 ● Circumvention: Threat actors continue to test new strategies and behaviours to evade detection andenforcement requiring Meta to consistently update and strengthen systems and processes in place(e.g., use of emojis and hashtags, implicit threats, slurs, and coded language). Meta has proactiveteams and mechanisms to identify and subsequently integrate these patterns into the automationdetection system, all within respect of existing personal data protection laws. In addition, within thehuman review process, reviewers may be able to use a highlighting tool for slurs and dangerousorganisations based on the region where the content is reviewed, tooltips that explain the definitionsof certain words, and guidance regarding how they should use these details to inform decisions.79 4.3.3 Terms of Use and their Enforcement Instagram is a global community, so the Instagram Community Standards apply equally to everyone,everywhere and to all types of content. Our Terms of Use and Content Policies, including the CommunityStandards, are designed to help define what is and isn't allowed on Instagram and manage systemic risks byproviding clear guidelines on our approach to these issues in a way that is easy to understand for users. Theyform the foundational structure of our Integrity Ecosystem so that we can help keep users safe and maintaina trusted, equitable, and secure environment. We also provide further information on how those policies andother relevant procedures are applied. All of our policies can be accessed through the Help Centre andTransparency Centre, both of which are readily available to users on the platforms, and are available in morethan 90 languages, including the official EU languages. Our foundational policies that determine how we operate Instagram include, but are not limited to, thefollowing: ● Terms of Use: These terms contain the contractual relationship with users that govern access toInstagram’s services, detail the services we provide, how our services are funded, user commitmentsto Instagram and our community, additional provisions, and other Terms and Policies applicable tousers;80 ● Community Standards: These standards outline our approach to content that users post toInstagram and user activity on Instagram and other Meta services; 80 https://help.instagram.com/termsofuse 79 EU Digital Services Act: Transparency Reports for VLOP Instagram (October - December 2024) 78 EU Digital Services Act: Transparency Reports for VLOP Instagram (October - December 2024) 77 Account restriction terminations restrict access to a user’s account in its entirety. 29 ● Advertising Standards: These standards apply to partners who advertise across Meta's services andspecify what types of ad content are allowed and prohibited; ● Commerce Policies: These policies outline the policies that apply when users offer products orservices for sale on Facebook and Instagram; ● Privacy Policy: This policy details how we collect, use, share, retain and transfer information, alongwith detailing user rights;81 ● Corporate Human Rights Policy: This policy commits to respecting human rights as set out in theUnited Nations Guiding Principles on Business and Human Rights; and ● Code of Conduct: This Code of Conduct defines the expectations we have for how we act and howwe make decisions as a company.82 We have processes in place to review, maintain, and validate our policies, standards, and terms to reflect theevolving world. Specifically for our Community Standards, our Content Policy Team includes subject matterexperts in issues like hateful conduct, minor safety and terrorism as well as people with experience in criminalprosecution, rape crisis counselling, academics, human and civil rights, law, and education.83 The ContentPolicy Team consults with internal and external stakeholders from around the globe to discuss potentialpolicy updates on a routine basis. These updates are communicated to our engineering teams and humanreview teams who will adjust our detection and enforcement systems. Additionally, our enforcement systemsare routinely trained using data sets of human decisions. We review metrics to validate that our precisionagainst our standards is accurate. Sometimes it is not possible for us to get the enforcement of our terms right (e.g., over-enforcement), whichcan impact a user’s fundamental rights like freedom of expression or other fundamental rights. Like contentmoderation systems, Terms of Use, Community Standards, and other policies and their enforcement can haveboth a positive (e.g., establishing behavioural and content guardrails and enforcing them) and negativeinfluence (e.g., over-enforcement). As a result, this Influencing Factor could have an impact on all SystemicRisk Areas. As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to Terms of Use: ● Policy Governance: The integrity risk landscape is always evolving with the changing internal andexternal factors and emerging trends. This requires us to continuously review our policies to stayahead of new trends and adversarial actors. Meta is working to improve our policy governance andpolicy update processes to maintain tight alignment with other cross-functional teams, providetransparency at all levels, and establish accountability across teams. ● Unified Community Standards: On 22 August 2024, Meta announced a shift to a unified set ofCommunity Standards across Facebook, Instagram, Messenger, and Threads. By consolidatingmultiple policy frameworks into a single set of standards, Meta aimed to reduce fragmentationacross services and improve clarity for users about what content is permitted, how enforcement 83 https://transparency.meta.com/en-gb/policies/community-standards/ 82 https://www.meta.com/people-practices/code-of-conduct/ 81 https://www.facebook.com/privacy/policy 30 decisions are made, and how to seek recourse. This change took effect in 2024, and wasaccompanied by a Terms of Use update relevant to EU users.84 ● Change Management: At Meta, we recognise that policy changes have far-reaching implications,affecting multiple aspects of our operations and user experience. Any policy change has upstreamand downstream impacts, such as related product design changes, legal approvals, usernotifications, internal process changes, lags in system updates, and updates to Terms of Use. Toaddress these complexities, we are committed to ongoing year-over-year efforts to improve andenhance our coordination across various cross-functional teams to enable seamless changemanagement as we work towards addressing the various integrity systems risks. 4.3.4 Ads Systems Instagram’s ad systems and processes are designed to help the millions of people who use our services todiscover ads that they will hopefully find interesting and help businesses build a community, increase onlinesales, drive in-store traffic, and find new customers. Our Advertising Standards provide policy detail andguidance on the types of ad content we allow, our ad review process, and ad transparency requirements forEU users pursuant to Article 39 of the DSA. We want our users to feel empowered and provide options to allusers to control or customise their ad preferences on Instagram, which may include, but are not limited to, thefollowing: hide an ad, hide all ads from an advertiser, select “Why am I seeing this?” to get more context,manage their ad preferences, and restrictions around targeting ads to minors. Additionally, Meta strives toprovide transparency around ad targeting through our Ad Library.85 As part of our ads review process, all ads are automatically reviewed against our Advertising Standardsbefore launching on Instagram. We also use human reviewers to improve and train our automated systems,and in some cases, to manually review ads. Ads remain subject to review and re-review at all times, and maybe rejected or restricted for violation of our policies at any time. We continue to improve our existingenforcement systems by testing and implementing new approaches to ensure a fair and effective ad reviewprocess. More information on how our ad systems work and how user data is leveraged to providepersonalised ads can be found in our Advertising Standards. As part of our DSA compliance efforts, Metaestablished advertiser self-disclosure of beneficiary / payer as part of the ad buying process. We also updatedour ads systems to prohibit the use of sensitive categories of data for ads generally. While ads systems are a core feature of our platform and we have an extensive ecosystem of controls in placeto manage them, some potentially sensitive content that does not violate our guidelines and policy-violatingpaid content may be disseminated before we can detect and remove it. In other instances, some violatingaccounts may evade our content moderation systems. This Influencing Factor could have an impact on allSystemic Risk Areas. This insight was derived through the execution of our Risk Assessment where weevaluated and accounted for ads systems as an Influencing Factor. As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to ads systems: ● Intentional Manipulation: Similar to what was observed in Year 2, threat actors continue to exploitour systems to evade detection and enforcement, such as disguising encoded content as organic. 85 https://www.facebook.com/ads/library/ 84 https://transparency.meta.com/integrity-reports-q2-2024/ 31 Our mitigation strategies remain consistent, including limiting account posting capabilities, removingaccounts, and conducting thorough research on potential network operations. Our ads approachcontinues to mature, with increased action at the account level. ● Ad Technology: Instagram’s ad systems and processes are constantly innovating and improving.Meta has also increased investment in the fraud and scams space. Specifically, we have devotedadditional resources to fraud and scams prevalence and detection, including classifiers andenforcement. ● Less Personalised Ads: People in the EU have the option to choose between subscribing for anad-free experience or continuing to access our services for free. For those people who choose tocontinue using our services for free, they’ll now also be able to choose to see less personalised ads.This less personalised ads option relies on less data, so we’ll show ads based only on context. Wefirmly believe that personalised ads are a vital component of the ad-supported internet and we willcontinue to advocate for regulations that support the responsible use of personalised advertising,allowing us to maintain the high-quality, free services that people have come to expect from us.86 4.3.5 Data Related Practices Privacy and the protection of personal information are fundamentally important values for Instagram. Asexpectations around privacy evolve, it’s critical Meta continues investing in guardrails and processes to meetpeople’s privacy needs and expectations. We work hard to safeguard a user’s personal identity andinformation, and we do not allow people to post certain types of personal or confidential information aboutthemselves or others.87 We have a robust Product Compliance and Privacy Programme in place, led by ourChief Privacy and Compliance Officer, with extensive controls to protect privacy and security across Meta’sservices in line with privacy regulations, including the EU’s General Data Protection Regulation (GDPR), andour GNI commitments. Since 2019, we have overhauled privacy at Meta, investing over $8 billion in a rigorousprivacy programme that includes people, processes, and technology designed to identify and address privacyrisks early and embed privacy into our services from the start. We have grown our product, engineering, andoperations teams focused primarily on privacy across the company from a few hundred people at the end of2019 to more than 3,000 people at this time.88 Additionally, our Privacy and Data Policy Team leads our engagement in the global public discussion aroundprivacy, including new regulatory frameworks, and ensures that feedback from governments and expertsaround the world is considered in our product design and data use practices. Furthermore, we want our users to feel empowered and provide options to all users to control their privacy onInstagram, including, but not limited to, the following: easy access to manage user information, controllinguser experiences across our services with tools such as “Why Am I seeing this Ad”, our privacy check-up Tool,and Two-Factor Authentication.89 Our technology detects the vast majority of privacy-related risks, but likeany complex infrastructure, there are limitations. 89 https://about.meta.com/actions/protecting-privacy-and-security/#privacy-controls 88 https://about.fb.com/news/2025/01/meta-8-billion-investment-privacy/ 87 https://transparency.fb.com/en-gb/policies/community-standards/privacy-violations-image-privacy-rights/ 86 https://about.fb.com/news/2024/11/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/ 32 Maintaining good data practices is critical to upholding our users rights (e.g., data retention allows us torestore accounts and actioned content that has been successfully appealed) and protecting our mostvulnerable population from harmful content (e.g., age-gating content and deployment of controls thatprotect minors). As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to data practices: ● Privacy-Focused Identity Verification Tools: In March 2025, Meta began testing a voluntary facialrecognition feature in the EU to help users recover compromised accounts and reduceimpersonation-based scams. The tool requires explicit opt-in and promptly deletes biometric dataafter use, reflecting Meta’s commitment to privacy-by-design. This approach enhances accountsecurity while respecting user autonomy and data minimisation principles—core to protecting userrights under the DSA.90 ● Data Retention Policies: Meta has enhanced its data retention policies, specifically for geo-blockingactions, to align with evolving content regulations. This includes thorough documentation andtransparent communication of our data handling practices to ensure accountability. ● Data Use Limitations: Meta does not utilise user level data in the EU due to an EU privacy regulationthat restricts Meta from collecting and analysing personal data to identify if a medical orlife-threatening issue is at hand. While protecting EU user data is a priority, this particularly impactsour ability to provide resources and a greater level of support to many users as it relates to suicideand self-injury risks. Additionally, Meta does not collect data regarding certain protectedcharacteristics or types of users, to protect user privacy, making it difficult to determine if certaingroups are being targeted disproportionately. 4.3.6 Intentional Manipulation Intentional manipulation negatively influences experiences on our platform and manifests in a variety of waysincluding, but not limited to, manipulated media, inauthentic use, or automated exploitation of our services.While we have an extensive ecosystem of controls in place to manage intentional manipulation, some threatactors can continue to evade our controls and safeguards which could result in policy-violating and illegalcontent and behaviour occurring on the platform. This Influencing Factor could have an impact on all of theSystemic Risk Areas. As a result of the Assess and Measure Phases of the assessment, we have identified several key riskconsiderations related to intentional manipulation: ● Circumvention: Circumvention continues to be a challenge as threat actors test new strategies andbehaviours to evade detection and enforcement requiring Meta to consistently update andstrengthen systems and processes in place (e.g., use of emojis and hashtags, implicit threats, slurs,and coded language). ● Spam and Platform Manipulation: Spammy content continues to be one of the challenges onInstagram. Year-over-year, we continue to invest in improving our processes and leveraging existingmitigations, for example we manage adversarial spamming by launching Strategic Network 90 https://about.fb.com/news/2024/10/testing-combat-scams-restore-compromised-accounts/ 33 Disruptions (SND), which allow us to disable multiple threat-related accounts at once and also helpaddress coordinated attacks. Furthermore, we continue to remove accounts that coordinate fakeengagement and impersonate others as well as exploring steps to lower the reach of accountssharing spammy content. ● Coordinated Inauthentic Behaviour: CIB, including coordinated interference in elections, remains apersistent challenge. Meta has dedicated teams to address this issue, including to counter theanticipated surge in adversarial activities around elections. Furthermore, we continue to invest in ourdetection and enforcement systems to mitigate these risks, including enhancing our capabilities torespond to an expanding range of adversarial behaviours as global threats evolve. 4.3.7 Generative Artificial Intelligence As a leader in the AI space, Meta continues to drive innovation through major investments and maintains itsdedication to open innovation in our foundational AI technologies.91 Meta also believes that an openecosystem brings transparency, scrutiny, and trust to the development of AI and leads to innovations thateveryone can benefit from.92 We continue to engage with external stakeholders, organisations, academics,civil society groups, and other experts to better understand the AI ecosystem and deepen our understandingof the complex factors influencing our work.93 Examples of our external engagement efforts can be found in Section 4.1: External Stakeholder Engagement (e.g., specifically the Brussels AI Forum, November 2024). As GenAI technology continues to advance, the risk of third-party misuse or exploitation becomesincreasingly concerning. Through our ongoing collaboration with MLCommons, we’re working alongsideresearchers, security experts, and industry peers to create a set of third-party tools for evaluating andmitigating a wide-range of possible risks. This maximises the power of the AI community to develop thesafest and most useful models.94 To support management of this Influencing Factor and associated risks, we have set up a number of activitiesto monitor and respond to the use of GenAI by users. For example, we work to understand the comprehensivelandscape of the use of GenAI on our platforms by analysing potential GenAI violations. We are alsoimplementing transparency labelling, such as utilising synthetic data to improve labelling performanceagainst AI content and providing signals to human reviewers when we know something is created by GenAI.95 We will continue to keep a pulse on the evolving use of GenAI and scale monitoring and response activities toaddress identified risks. While we have an extensive ecosystem of controls in place to manage the evolving use of GenAI, somepotentially sensitive content may still be generated and disseminated before it is detected and removed. ThisInfluencing Factor could have an impact on all of the Systemic Risk Areas. As a result of the Assess and Measure Phases of the assessment, including our evaluation of the impact ofGenAI on inherent risk, we have identified several key risk considerations related to GenAI: 95 Synthetic data is artificially generated rather than data that is collected from actual events, observations, or people. 94 https://ai.meta.com/blog/responsible-ai-connect-2024/ 93 https://about.fb.com/news/2024/04/metas-approach-to-labeling-ai-generated-content-and-manipulated-media/ 92 https://engineering.fb.com/2024/03/12/data-center-engineering/building-metas-genai-infrastructure/ 91 Accelerating Open-Source Innovation Across Sub-Saharan Africa: Introducing the Llama Impact Accelerator Program 34 ● Deepfakes Detection: Our processes continue to evolve year-over-year to detect content thatviolates our policies and this issue specifically gets more complicated with regard to deepfakes andany other forms of altered content, including impersonation of celebrities and high-profileindividuals. We are improving detection of AI generated content with visible and invisible markers tofurther mitigate this issue. ● Scaled Content Volumes: GenAI makes possible the creation of large volumes of content, whichcould impact areas, such asMisinformation, Fraud and Deception, andInauthentic Behaviour. Metahas dedicated teams who continuously monitor the evolving risk landscape, and we continue ourinvestment in mitigating risks arising from increased GenAI adoption. 5. Our Detailed DSA Systemic Risk Assessment Results Meta is committed to maintaining a safe and trusted environment on Instagram. Risks can arise on ourservice not only when users share policy-violating content or engage in policy-violating behaviour, but alsofrom system-level design choices that may contribute to or facilitate harm. We recognise that these risks can be influenced or exacerbated by certain ‘Influencing Factors’ (as described in Section 4.3: Influencing Factors), which have the potential to create or extend risks beyond user-generated content—such as through recommendation systems or product features—and that we have also sought to mitigate. Despite our bestefforts, we alone cannot identify and address every risk that may arise. To address this limitation, weempower our Instagram community with tools to help us identify potential risks. We also respond to lawfulrequests from law enforcement, regulators, and courts, and work closely with other external partners in an effort to learn and to help keep users in the EU safe on our service (as described in Section 5.2.1: Meta’s Ecosystem of Controls). Meta is committed to identifying, assessing, and mitigating systemic risks associated with use of Instagram,using the DSA Systemic Risk Assessment as one of our key primary assessment instruments. 5.1 Risk Analysis Meta evaluated the inherent risk of 71 risks that cut across the 22 Problem Areas and determined theeffectiveness of controls for Instagram to determine the residual risk for each in-scope risk. Notably, thisyear's assessment involved a more focused evaluation of risks, with fewer risks assessed compared to lastyear, but a greater number of Problem Areas considered, reflecting our continued maturation of the Risk Assessment methodology, as detailed in the Executive Summary. Controls were evaluated individually to determine how effectively they mitigated each risk, as applicable.96 All residual risk scores were ranked andrated using an ordinal tiering scale from Tier 1 to 5 that allows us to measure Problem Areas consistently. 96 More information on our Integrity Risk Assessment Methodology and Severity, Likelihood, and Control EffectivenessRubrics can be found in Appendix 8.1 Risk Assessment Process. 35 5.1.1 Risk Rating These Tiers denote the significance of the risk to users in the EU and are described as follows: 5.1.2 Problem Area Analysis: Inherent Risk Inherent risk is a measurement of risk without mitigations in place. Meta currently has integrity riskmitigations in place, therefore, these inherent risk measurements are based on estimates. In order to measurethis risk, we estimate the significance of: 1) the potential negative impact of a systemic risk to users andsociety (“Severity”), and 2) the possibility that the risk will occur in a specific time frame (“Likelihood”), absent any mitigation measures. As part of this evaluation, we consider how various Influencing Factorsincrease or reduce each of the Problem Areas and the associated risks. During the assessment, we considered certain trends that could potentially impact the inherent risk exposureacross the platform, such as elections in the EU, increasing adoption of GenAI, and conflicts in adjacentregions. The Inherent Risk Results for each Problem Area are included in Figure 2 and details on how inherent risk is calculated and broken down into Tiers can be found in Appendix 8.2.1: Inherent Risk Rubrics. 36 Figure 2. Inherent Risk Results 5.1.3 Problem Area Analysis: From Inherent Risk to Residual Risk Inherent Risk represents the level of risk without controls or mitigating factors. Figure 2 illustrates theinherent risk levels for each Problem Area in the Year 3 Assessment. While most Problem Areas encompass avariety of risks with varied Inherent Risk Scores, theSuicide, Self-Injury, and Eating Disorders Problem Areahas the most risks with high Inherent Risk Scores. When factoring in our controls designed to mitigate andcontrol risk, the overall inherent risk is reduced across all Problem Areas, resulting in a measurement of theresidual risk. Some of the Problem Areas with the highest average inherent risk, which also have some of the most notablereductions in residual risk due to the effectiveness of mitigations, are: (1)Child Sexual Exploitation, Abuse andNudity, (2)Adult Sexual Exploitation, (3)Dangerous Organisations and Individuals, (4) Voice and FreeExpression,and (5)Suicide, Self-Injury and Eating Disorders. The actual and foreseeable risk context of these 37 Problem Areas are further described in Section 5.2: Mitigating Measures Analysis along with controls in place to mitigate and control for their associated risks. Figure 3. Residual Risk Results The visual in Figure 3, demonstrates the residual risk results with the grey box representing inherent risk. Theevaluation we conducted reveals our controls meaningfully reduce the inherent risk across all Problem Areas,shifting residual risk to Tier 2 and Tier 3.Adult Sexual Exploitation,Child Sexual Exploitation, Abuse, andNudity, Fraud and Deception, Restricted Goods and Services, andSuicide, Self-Injury, and Eating Disordersmoved to Tier 3 residual risk due to a combination of methodology updates and in some cases, identifiedlimitations in the control environment during the assessment period. 38 5.1.4 Scoring Overview: Year-Over-Year (YoY) Comparisons and Drivers of Change In Year 3, Meta enhanced its Risk Assessment methodology to improve accuracy and reliability. Theseupdates included refinements to our risk taxonomy, incorporation of additional quantitative and qualitativeinputs, and improvements to how control effectiveness is modelled. As a result, these changes led to moreTier 3 and Tier 2 designations, reflecting a more precise distribution of scores—not a material increase in risk. For a summary of our control effectiveness modelling, see Section 8.2.2. Control Effectiveness. While these methodological changes enhance the precision of our scoring, they also limit direct comparabilitywith Year 2 scores. Still, both assessments offer valuable insights into platform-wide Systemic Risk anddemonstrate the evolution of our risk measurement practices. Details outlining the methodology changes can be found in the Executive Summary. Inherent Risk Changes These methodological improvements are most apparent in our assessment of inherent risk—where changesin taxonomy, data inputs, and classification logic led to a rebalancing of scores across several Problem Areas. We saw some of the most notable changes from Year 2 scores in relation to theVoice and Free ExpressionandChild Sexual Exploitation, Abuse, and Nudity Problem Areas. The majority of differences in inherent riskbetween DSA Systemic Risk Assessment Year 2 and Year 3 can be attributed to the methodology improvements implemented for Year 3, detailed in the Executive Summary. By more closely aligning the risk taxonomy with Community Standards and incorporating additional data on historical enforcement trends, weare able to better assess the inherent risk environment, which results in differences from the Year 2Assessment. For example: ● TheChild Sexual Exploitation, Abuse, and Nudity Problem Area was refined to better represent therange of severity. For example, previously, a parent posting a photo of their minor in thebathtub—which, while in some circumstances may be policy-violating policy-violating, wouldgenerally be considered non-malicious—was not distinguished from more severe violations. Theupdated taxonomy now categorises such behaviours separately, while maintaining high scrutiny forsevere cases. ● In theVoice and Free Expression Problem Area, in addition to the noted methodological changes, wealso observed that as our content moderation systems and processes have become more complexover time, over-enforcement of our policies has consequently increased. Control \& Mitigation Updates Generally the changes in control effectiveness observed from Year 2 are due to increased precision of ourassessment in Year 3. We incorporated additional quantitative and qualitative data into the controleffectiveness calculation and adjusted the calculation to better recognise the additive value of layeredmitigations, which resulted in greater variation in the control environment between risks. However, we did observe changes with theVoice and Free Expression, Fraud and Deception, andSSIEDProblem Areas that are also due to changes in the control environment. ● Control effectiveness for theVoice and Free Expression Problem Area declined due to an increase infalse positives driven by the growing complexity of content moderation systems. For example, in Q1 39 2025, 825,000 of 1.6 million appeals on content removed under the Adult Nudity CommunityStandards were ultimately restored. Similar insights informed residual risk scoring.97 ● The reduction in control effectiveness in theFraud and Deception Problem Area is due to limitationsin Meta’s ability to proactively detect scams and violating networks, as observed during theassessment period; remediation efforts are underway. ● TheSSIED Problem Area saw a shift in residual risk, increasing from Tier 2 in Year 2 to Tier 3 in Year 3.While this change is partly attributable to the revised methodology, it also reflects identifiedlimitations in the control environment during the assessment period—specifically, regardingpathways for escalating credible threats of suicide. These issues have been prioritised andremediation efforts are underway. The control environment will be reassessed once improvementsare confirmed. We worked to improve the overall effectiveness of our control environment. Since Year 2, Meta implemented new controls and enhanced existing controls, which are described in detail in Section 5.2: Mitigating Measures Analysis. Some enhancements that have been implemented since we finished our analysis of this assessment can be found in Section 6: Risk Mitigation Enhancements. Our approach to risk mitigation involves developing and executing mitigations that are reasonable,proportionate, and effective to reduce risk exposure while maintaining our commitment to respect the humanrights of our users, including the fundamental rights recognised in the EU Charter. Residual Risk Movements Many residual risk tiers remained stable year-over-year, while some risks increased in tier. In most cases, theshift in tiers reflects refinements in measurement rather than changes in the platform’s underlying riskexposure. ● Differences in Year 2 and Year 3 residual risk tiers were observed forChild Sexual Exploitation, Abuse,and Nudity, Fraud and Deception, Inauthentic Behaviour, IP Infringement, Misinformation, Voice andFree Expression, Account Integrity and Authentic Identity,Restricted Goods and Services,Coordinating Harm, and Promoting Crime, Privacy Violations, andSuicide, Self-Injury, and EatingDisorders due to revised methodology as noted above, as well as limitations in the controlenvironment in some cases. ● TheViolent and Graphic Content, Violence and Incitement, Adult Nudity and Sexual Activity, AdultSexual Exploitation, Adult Sexual Solicitation and Sexually Explicit Language, Disinformation,Discriminatory Practices, andSpam, Problem Areas were either refined or new for Year 3, preventingyear-over-year comparisons. As Meta’s Integrity GRC function continues to mature, we expect year-over-year comparisons to becomeincreasingly reliable. Our evolving methodology enables more precise measurement of Systemic Risk,positioning us to make more informed, proportionate mitigation decisions in alignment with our human rightscommitments and obligations under the DSA. 97 Community Standards: Adult and Sexual Activity 40 5.1.5 Systemic Risk Area Analysis: Residual Risk Ratings Once we assessed, evaluated, and measured all the identified Problem Area risks and accounted formitigating measures in place, we then derived an overall risk rating for each Systemic Risk Area by combiningthe risk scores of each Problem Area associated with a Systemic Risk Area based on the Systemic Risk Landscape described in Section 4: Systemic Risk Landscape. The image below depicts the current Tier Ratings across all Systemic Risk Areas, with a comparison to theirrelative rankings. Several Systemic Risk Areas have undergone tiering changes since 2024, includingDeceptive \& Misleading, Public Security, Protection of Minors, Fundamental Rights and Illegal Content. ● The Protection of Minors Systemic Risk Area has shifted year-over-year from Tier 2 to Tier 3 due tomethodology updates that revised inherent risk by more consistently integrating key factors such asenforcement trends and subject matter expert input. Additionally, increased qualitative andquantitative signals enabled greater variation in control effectiveness, highlighting the improvedaccuracy of our assessment. This Systemic Risk Area has the greatest number of Problem Areasmapped, including the highest risk harms, so it was impacted the most from the scoring changes thatoccurred as a result of the methodology improvements. ● The Deceptive \& Misleading Systemic Risk Area has shifted year-over-year from Tier 1 to Tier 2 duemethodology updates as well as assessed limitations in proactive detection ofFraud and Deception(e.g., scams) on our platforms, as well as challenges in enforcing against violating actor networks. ● The Illegal Content Systemic Risk Area has shifted year-over-year from Tier 1 to Tier 2 due to methodology updates including a revised estimation of Inherent Risk forIP Infringement driven byseverity and historical enforcement trends that indicate a high volume of counterfeit content and IPinfringements. ● The Public Security Systemic Risk Area has shifted year-over-year from Tier 1 to Tier 2 due tomethodology updates as well as challenges in keeping policies and enforcement systems up-to-dateamid an ever-evolving terrorism risk landscape. ● The Fundamental Rights Systemic Risk Area has shifted year-over-year from Tier 1 to Tier 2 primarilydue to methodology updates, as this Systemic Risk Area also has a comparatively high number ofProblem Areas mapped. Limitations in detecting and escalating sex trafficking content were alsoidentified. 41 5.2 Mitigating Measures Analysis Meta has a robust set of controls in place to identify, mitigate, and manage risks. We continuously improveour ecosystem of controls and the Integrity GRC Programme to address evolving risks and regulatoryrequirements, including Article 35 of the DSA. Our Integrity Common Control Framework groups documented integrity measures across our lines ofdefence including, but not limited to, governance models, platform infrastructure, operating processes,Instagram services, and the Integrity GRC Programme. We maintain an inventory of these controls, whichmaps them to risks ahead of assessment execution (see Figure 4). This framework allows us to document controls clearly and consistently maintaining a single source of truthacross all efforts requiring an understanding of Meta’s hundreds of integrity controls. Figure 4. Meta’s Integrity Common Control Framework: Control Domain 5.2.1 Meta’s Ecosystem of Controls As illustrated in Figure 4 above, Meta’s controls are organised into control domains, encompassing controlsthat are implemented across Problem Areas and specific Problem Areas. This subsection details how these control domains operate, in particular highlighting foundational controls.Information on some of the critical controls for each Problem Area is detailed below. 5.2.1.1 Policies and Standards Meta is committed to giving people a voice while keeping them safe through globally applicable policies andstandards, including our Terms of Use, Community Standards, and Advertising Standards. These define whatis allowed and prohibited on our platforms. 42 We collaborate with global experts—spanning technology, public safety, human rights, CSOs, activist groups,thought leaders, and academics—to develop and update these policies. We prioritise collecting input from allcommunities, particularly marginalised communities. Our policies guide the development of safety featuresand enforcement through technology and human review. Transparency is maintained via our TransparencyCentre, where policies, enforcement impacts, and reports are publicly available. Our Community Standardsare translated into over 97 languages to ensure accessibility. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 43 Foundational Control Name Foundational Control Description AI Studio Policy Meta maintains the AI Studio Policy, which governs the standards users must comply with when utilising AI Studio to create characters. The AI Studio Policy is public-facing and outlines standards such as subjects, names, photos or embodiments, attributes, and intellectual property that users must adhere to. Child Safety Playbooks Meta maintains playbooks that document how teams operationalise minor safety measures across Meta's platforms. These playbooks, which are embedded into the Meta Integrity Standards, inform the deployment of technology and enforcement activities related to minor safety at the content or account/actor level, including detection technology, classification systems, machine-learning (ML) algorithms, reactive user reporting, and root cause evaluations. Commerce Policies Meta publicly maintains Commerce Policies within our Transparency Centre Community Standards and other Policies page to provide guidance to sellers and buyers over products sold on Meta's platforms. The Commerce Policies are accessible by both users and non-users and include specific policies over prohibited and restricted content, as well as steps to take to appeal decisions, as needed. Instagram Community Standards Meta maintains public Instagram Community Standards that provide policy detail and guidance on what is and is not allowed on Instagram. The Instagram Community Standards detail the policies in place, rationale and aims of the policies, and behaviours that may result in a violation of the Community Standards. Internally Assigned Turnaround Time (TAT) on User Initiated Reports Meta maintains a process to respond to user initiated reports within the appropriate internally assigned turnaround times (TATs). Meta's Problem Integrity Operations sets and executes the Service Level Agreements (SLAs). Operational teams monitor performance against SLAs and put interventions into place so reports that pose the highest risk to users and society are reviewed expeditiously. Meta Advertising Standards Meta maintains public Advertising Standards that provide policy detail and guidance on the types of ads allowed at Meta and the types of ad content that are prohibited. The Advertising Standards also detail the ads review process and advertiser behaviour that may result in ads restrictions. The standards are reviewed periodically and updated on an as-needed basis. Meta Integrity Standards Meta maintains the Meta Integrity Standards (MIS) which are a set of standards that inform integrity mitigations to products prior to launch. Meta Integrity Standards require product integration with Meta's applicable integrity systems and apply to product launches that impact user-generated content and/or what users will be able to view on Meta's platforms. 5.2.1.2 Systems and Product Integrity Beyond standards enforcement mechanisms, we embed safety by design to protect users—especially minorsand marginalised communities. Measures include age-gating certain content, parent guides (additional control details in Section 5.2.1.7 External Awareness and Support Resources), and default privacy settings for minors. We automatically place minor users into stricter content control settings to reduce exposure tosensitive or potentially sensitive content.98 Safety features like prompts, friction, blocking, and snoozing helpusers avoid or limit policy violations and unwanted interactions. To maintain system integrity, we prioritise investment in new tools, routine training, evaluation, andmonitoring of detection and enforcement systems. This includes testing efficacy, monitoring metrics, andtriggers, preventing coordinated attacks, and reviewing new or updated services before launch. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 98 https://about.fb.com/news/2024/01/teen-protections-age-appropriate-experiences-on-our-apps/ 44 Meta's Code of Conduct Meta maintains a Code of Conduct that defines the expectations for behaviour and decision making for Meta personnel. The Code of Conduct is readily accessible on the People Portal to ensure that all employees are informed and accountable for maintaining integrity standards. Policy Change Management Meta develops and maintains a policy change management process to enable governance over changes made to Meta's Integrity policies. The policy change management process provides guidance over how teams at Meta can draft, propose, and make changes to existing Integrity policies, including references to the relevant sign-offs and forums used throughout the process. This policy change management process also covers vendor change management that impacts integrity work. Policy Lab Meta maintains internal Implementation Standards which outline how multiple vendors can differentiate between content that constitutes violations, and those that do not. The standards are broken down by Problem Area and include policy rationale and types of content that fall within different tiers of violation. Privacy Policy Meta maintains the inventory of its Privacy Policies, and ensures the completeness and accuracy of the inventory. The team reviews and, as appropriate, updates its privacy policies and disclosures when there is a material change in the way Meta collects, uses and shares Covered Information. Product Policies Meta’s teams develop product-specific policies that are published on the Transparency Centre that aim to protect users and society from potentially harmful content or behaviour on Instagram and other Meta technologies, while also seeking to show them the content they want to see, thereby enhancing user value. These policies establish guidelines on how these products are managed, established, and governed for user safety. Terms of Use (ToU) Meta maintains and updates the Terms of Use which outline the restrictions and guidelines that govern the use of the platform. The Terms are written in clear, unambiguous language, and are easily and publicly accessible. 45 Foundational Control Name Foundational Control Description Account Integrity and Verification Meta maintains verification processes for official accounts related to elections, commerce, and paid content on Meta's platforms. Accounts may be reviewed by Meta prior to these accounts being able to post content and interact with users. Actor and Behavioural Framework (ABF) Meta maintains the Actor and Behavioural Framework (ABF) to leverage behavioural signals and patterns for proportional actor-level enforcement actions. The ABF Framework is used to inform automated systems and human reviewers who work on enforcement across various policy areas. Ad Restrictions for Minors Meta has safeguards and restrictions around advertising, including minor-specific safeguards. This is done by limiting the types of ads that can be shown to minors; limiting both the ad targeting available to advertisers as well as the data used to reach minors with ads across Meta’s platforms; and enabling a pause on serving ads for those users that we identify as minors in the relevant jurisdictions. Age Appropriate Content Experiences Meta implements processes to provide users under 18 years with age-appropriate content experiences on Meta's platforms. Meta leverages age-appropriate content detection and filtering methods to reduce minors’ exposure to potentially harmful and inappropriate content. Age Identification and Verification Meta has processes to identify and verify users' ages on its platforms allowing Meta to provide age-appropriate experiences. Depending on the platform, Meta requires users seeking to change their age from under 18 to over 18 to verify their age through various verification options, such as uploading an identification (ID), and/or recording a video selfie. Age-related Recommendation Restrictions Meta implements age-related recommendation restrictions to reduce the likelihood of minors encountering potentially sensitive or low quality content. Through the Recommendations Guidelines, Meta works to avoid making recommendations that could be low-quality, objectionable, or particularly sensitive, and/or also inappropriate for younger viewers. Meta's integrity systems classify content as recommendable or not. Age-Related Safety Measures Meta has built age-related safety measures through features that minors and parents/guardians can access to further protect minors. Minors can adjust their settings and curate the content they see, subject to parental permission for users under 16 (U16) and parents will have access to supervisional tools and controls to adjust their minor's settings. AI Labelling (Meta-generated) Meta maintains tools to automatically label photorealistic images created using MetaAI and posted on Meta platforms. The GenAI Trust team uses a tool to label and identify images exhibiting certain industry standard AI technical identifiers which users post to Instagram that were generated using MetaAI. Behaviour Meta maintains a Behaviour Pillar to address and fight abuse across a spectrum of scale and sophistication from scripted and coordinated activity to deceptive links to various types of scams. Meta builds on multiple enforcement strategies (a mix of actions on actors, content, links, etc.) and complex sets of signals to respond to sophisticated adversaries. Best Interest of the Child (BIOC) Framework Meta maintains the Best Interest of the Child (BIOC) Framework to help product and research teams understand and apply the UN’s Convention’s Guidance when building products for youth. The framework is intended to be referenced by all product teams during roadmapping efforts, strategic planning, and investment decisions at Meta, whether or not they are explicitly designed for youth in order to ensure that the best interests of the minor are actively considered in product design. 46 Blocking Function Meta operates a technical blocking mechanism that allows a user to prevent another user from seeing their activity on Meta's products, including the user's profile, posts, or stories. Users can either go into their settings or profiles of another user to block. Bug Bounty Programme Meta maintains and promotes a Bug Bounty Programme to incentivise external individuals to responsibly disclose security bugs that could compromise the integrity of Meta user data, circumvent the privacy protections of Meta user data, and/or enable unauthorised access to a system within the Meta infrastructure. Individuals submit their findings, which are then triaged, validated, and remediated, as needed. The Bug Bounty Programme then compensates individuals for discovering impactful vulnerabilities to the organisation accordingly, with cash or other incentives. Celeb-Bait Playbook Meta maintains the Celeb-Bait Playbook which provides holistic guidance for the detection and enforcement of Celeb-Bait Ads. The Playbook guides Market Specialists on detecting both content, as well as actor behaviour signals, to retrieve relevant data points for effective enforcement. Civic Actors (CVA) List Meta maintains and updates the Civic Actors List to quickly provide protections for people in high risk election countries, as deemed by the Global Response Programme, due to their contributions to civic affairs, either online or offline. Individuals are identified to be Civic Actors (CVAs) through an internal submission form where approved employees may provide evidence of a high-risk individual's authentic account for consideration. Individuals are also identified based on vetted sources and through various platform signals. The CVA List is used to apply specialised protections, including enforcements related to impersonation, account compromise, and harassment. Content Interstitials Meta maintains content interstitials to warn or provide contextual information to users with regards to content that is not policy-violating but that may be sensitive for certain users. The interstitial is introduced to enable users to decide how to engage with potentially sensitive content. Community to Actor Feedback (C2AF) Meta maintains the C2AF, which is an ongoing norm-setting initiative aimed at improving actor behaviour and reducing repeat offences. When a user's comment or media is reported by another user for hate speech or bullying on IG, if the comment or media meets the targeting criteria, the actor receives an Activity Feed notification indicating that their comment or media was found to be hurtful and giving them the option to remove it. Content Interstitials Meta maintains content interstitials to warn or provide contextual information to users with regards to content that is not policy-violating but that may be sensitive for certain users. The interstitial is introduced to enable users to decide how to engage with potentially sensitive content. Coordinated Attack Prevention Meta maintains and uses the Coordinated Attack Discovery System to defend against coordinated attacks on Meta's platforms related to authenticity/identity verification. This system includes near-real-time visualisations of possible attacks, along with investigation tools to find and explore connections among attack clusters, particularly looking at recent traffic patterns. Dangerous Organisation and Individuals (DOI) Designation Meta oversees the process by which entities (organisations and individuals) that qualify as a 'Dangerous Organisation and Individual" (DOI) are added to the DOI Designations List. Designations are proposed through a designations nomination form and assessed by a cross-functional team of experts. This cross-functional team conducts a review of both on-platform and off-platform information to see if the nominated organisations or individuals meet the threshold for designation. If designated, measures are taken to remove all of the DOIs assets from the platform, as well as bank terms and images that represent the DOI in order to bolster continued scaled enforcement. All glorification, support, and representation of the designated DOI is also prohibited. 47 Design Taxonomy Meta has a taxonomy of design patterns that have been identified as likely to be deceptive in order to avoid implementing such designs on Meta's platforms. The taxonomy utilises patterns flagged as noteworthy by key external sources (i.e., Digital Services Act DSA), European Data Protection Board (EDPB), and Federal Trade Commission (FTC)) to provide examples that represent deceptive designs that may lead a reasonable person to feel tricked, misled, coerced, or unduly pushed into doing something they wouldn't have otherwise chosen to do. The taxonomy is used by product designers as guidance for their designs to avoid deceptive designs. Differential Review Meta maintains a code review process within the Differential Tool where peer review is performed by an independent reviewer prior to the change being committed to the Central Code Repository. The author and reviewer of the change cannot be the same person. Once code has been reviewed and committed to the Central Repository, changes to the code cannot be made without re-initiating the code review process. GenAI User Safety Measures Meta protects users from potential harm or discomfort when interacting with Meta's AI products. Meta has mechanisms to respond to potentially sensitive issues. Hack and Leak Playbook Meta removes content claimed or confirmed to be from hacked sources, except in limited cases of newsworthiness. When a suspected hack and leak of material becomes known, the Strategic Response Policy team will drive a review of the content and actors, and escalate to leadership for a decision. Hidden Words Function Meta maintains the Hidden Words Function to empower users to filter out potentially offensive messages and comments on Meta's platforms. Users can better control their experience on Meta's platforms by hiding what they may find to be offensive, abusive, or otherwise unwanted interactions. Identification of Suspicious Adults (Detection) Meta maintains processes to proactively identify adults who display suspicious behaviour towards minors before they potentially perform policy-violating actions. Meta uses detection systems to identify risky interactions which are likely to be policy-violating behaviour. Identity Verification and Authenticity Meta has processes in place to verify a user's identity on Meta's platforms. Meta requests users provide a copy of an item with their name and date of birth or name and photo on it as proof of identification, such as a photo identification (ID) issued by a government, an ID from a non-government organisation, an official certificate, a licence that includes the user's name, with potential special ID requirements for some cases, such as advertisers running ads about social issues, elections or politics. Proof of identification is checked for usability and forgery via machine-learning models or human reviewers, then matched against the account profile. Individual Verification for Account Ownership Meta maintains processes for individuals to regain access to their accounts on Meta’s platforms. When individuals are unable to access their accounts, they can recover them by following steps detailed on the specific platform’s Help Centre based on the login issue they are experiencing, such as forgot password, forgot username, and disabled account, following necessary individual verification processes. Large Language Model Safety Meta maintains processes to improve the quality and safety of its large language models (LLMs). Quality processes include but are not limited to finetuning, hotfixing, redteaming, and pre-launch review. Limits Function Meta maintains a user control for users to temporarily limit unwanted comments and messages from accounts on Instagram allowing users to take control of their online experiences and keep their accounts safe from unwanted behaviour and harassment. Users can enable this feature and choose who to limit, including recent followers and accounts that aren't following the user but may be spam, fake or created to harass them. Users can limit accounts for up to 4 weeks. 48 Log Out Meta maintains mechanisms to protect user accounts through a Log Out feature on Meta platforms. Users can log out of their account on different devices by navigating to the "Security and Login" section of the settings feature and view the "Where You're Logged In" section. Users are able to view a list of devices that have been recently used to log in to their account and have the option to log out of those accounts by following the instructions provided. ML Model Change Management Meta maintains a code review process that requires any changes to machine-learning (ML) models and algorithm code to be reviewed by at least one other engineer before being pushed to the production environment. Differentials are drafted and reviewed by engineers who provide feedback on the code to help identify bugs and increase code quality. The differential review process tracks changes and ensures no one engineer can make changes to code on their own. Muting Function Meta maintains a mechanism that allows users to mute other accounts and specific threads, which empowers them to control their online experiences on Instagram. Users can mute specific accounts or threads to control their visibility of specific content. Risk Review Meta maintains the Risk Review process to review new product launches across Meta's platforms, covering Privacy, Integrity, AI and Youth. Risk Review leverages a methodology that assesses products against established standards, identifies potential risks and provides mitigations, facilitated through the Launch Manager (LaMa) tool. Private Accounts Meta maintains privacy settings to protect user accounts, including minors, from their content being visible to users outside of their approved network. On Instagram, users have the option to limit who can see their content and profile details. When minor users under the age of 18 in the EU sign up for Instagram, specific privacy settings are defaulted so content is only visible by accounts that the user follows or is a friend of. Restrict Function Meta provides users with the ability to restrict other users from viewing their content. Users can restrict other users by going to their profile. Scam Account Score (SAS) Meta maintains and develops an actor level signal, the Scam Account Score (SAS), that predicts the likelihood of an active account being a scammer on Instagram. The SAS is a score inclusively between 0 and 1 that is available on internal Meta platforms that provides a canonical signal for the probability that an Instagram user is a scammer. Teams across Meta can leverage the score to take action against accounts, such as restrictions or disable, depending on relevant thresholds. Screen Time Insights Meta provides guardians with visibility of their linked minor's screen time from usage of Meta's products. Guardians are able to view their linked minor's app screen time for the last seven days via a time chart on the Family Centre. Security Checkup Meta maintains security resources for users to access on Instagram, respectively. Security Checkup enables the review and addition of security measures to Meta users' accounts. Instagram users can enable Security Checkup at their own discretion and via account recovery flows to review their contact points, password and 2FA features. Strategic Network Disruption (SND) Meta maintains the SND process which guides the strategic removal of actors and organisations involved in coordinated behaviours that facilitate real-world harm via the Meta family of apps and services. SND is done via Integrity, Investigations, and Intelligence’s (i3) intelligence lifecycle which involves developing intelligence to understand the threat landscape, delivering targeted deference by proactively discovering and disrupting complex cases, enabling scaled problem reduction through institutional knowledge, and engaging the security and safety stakeholder community to build legitimacy and build programming. 5.2.1.3 Detection Meta has automated detection systems to identify and act on content that violates our InstagramCommunity Standards, Advertising Standards, Commerce Policies, and other applicable policies andguidelines. Our technology proactively detects and removes the majority of violating content across formats 49 Tag and Mention Controls Meta maintains Tag and Mention controls to allow users to choose and customise when and who can tag them or mention them on Instagram. Tag review is not on by default, but users can use in-product settings to customise when they tag other people, when others tag them, and when they mention others or get mentioned. Teen Accounts Meta manages a Teen Accounts feature to protect users in the defined and designated teen age range 13-17. These accounts come with built-in protections that limit who can contact teens and the type of content teens can see. The accounts are set to private by default and teens under 18 require guardian permission to change these settings to be less strict. Built-in protections also help teens manage their time spent. Two-Factor Authentication Meta maintains a two-factor authentication (2FA) process to increase security and decrease an account's vulnerability to hacks or unauthorised access on Meta platforms. There are several 2FA methods which send a notification to users at the time of login and allow users to utilise a second factor during the login process. A second factor can be a Short Messaging Service (SMS) sent with a code once or a security key that generates a code (a first factor is generally a password) which helps Meta authenticate a user's identity. Unwanted Contact Restrictions Meta maintains processes to protect minors from unwanted contact with adults. Features and resources on surfaces provide additional friction between adults and minors to prevent unwanted or unsafe behaviour. User Consent Flow Meta maintains an Internal Data Policy for User Consent Experiences which are product experiences that request permission to process user data. Each consent flow contains privacy elements including the consent request and consent options. User Facing Privacy Controls (IG) Meta maintains user facing privacy controls to permit users to manage their privacy settings on Instagram. Users can navigate to the Privacy Settings page to adjust settings related to their privacy preferences. User Mental Well-being Support Meta maintains a repository of resources and tools to promote healthy online behaviours and provide resources for users on Meta's platforms. Resources and tools on mental health and well-being are accessible on the Safety Centre. Well-Being Meta maintains a programme to support users on IG to feel safe and supported to express themselves. Meta encourages users to maintain well-being tactics on IG through various tools such as time management measures. Why Am I Seeing This (WAIST) Meta maintains the Why Am I Seeing This (WAIST) tool to provide users with information about why a particular ad appears in their feed or other surfaces across Meta's platforms. WAIST generates an explanation, based on machine-learning models and algorithms to personalise a user's experience, to highlight the most relevant factors that contribute to the ad shown to a user. Youth Cross-Functional (XFN) Reviews Meta manages the Youth XFN Review process which reviews applicable new product launches that target or impact youth users in order to protect youth users and comply with various regulatory obligations. New products or feature changes, with identified youth impact, are reviewed to help identify, assess and mitigate potential youth risks to user safety, rights, and protection. If potential youth risks are identified, relevant youth XFN teams document and communicate mitigation requirements. (e.g., image, text, and video) before it is reported, as demonstrated in our Quarterly Community StandardsEnforcement Reports.99 Engineers, data scientists, and review teams continuously enhance these systemsand measure their accuracy through precision metrics. While no detection system is 100% accurate due to technical limitations that impose trade-off decisionsbetween over and under enforcement (i.e. precision vs recall optimisation), we train models on the latestpolicies developed with input from CSOs, human rights defenders, marginalised groups, internationalorganisations, Trusted Partners, investors, advertisers, and users.100 This stakeholder engagement helpsimprove detection and understand the impact on diverse global communities.101 Working in close partnership with members of our Trusted Partner Network, we enhanced the Network’ssignal-sharing capabilities by standardising escalation channels and integrating them more effectively withour case management tools. The Trusted Partner Programme enables select civil society organisations toreport harmful content directly to a specialised global escalations team via a dedicated submission form oremail—separate from standard user reporting. The programme focuses on addressing content that maycontribute to imminent harm, escalate social tensions, or undermine democratic processes, with prioritygiven to content posing the highest salient human rights risk. Over a two-year period, spanning from Q2 2022to Q4 2024, these improvements led to 120% increase in content reported via the Trusted Partners inEurope, enabling us to better identify complex cases, novel harms, and inform policy and enforcementupdates.102 We continue investing in technology, including model training on safety guidelines, content labelling, andsupport for detection efforts. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 102 https://transparency.meta.com/en-gb/governance/tracking-impact/measuring-performance/ 101 https://transparency.meta.com/policies/improving/bringing-local-context 100 Precision tells us the percentage of cases that were genuinely true, out of the cases Meta labelled as true. Recall tells usthe percentage of true cases Meta found, out of the possible true cases in the population. 99 https://transparency.meta.com/reports/community-standards-enforcement/ 50 Foundational Control Name Foundational Control Description Automated Proactive Detection Technology Meta develops and maintains automated proactive detection tools for different content types across different surfaces. The automated proactive detection tools proactively detect and route potentially policy-violating content for automated decisions or manual review. External Sharing of Blocklist Meta develops and maintains processes and infrastructure to ingest and externally share signals related to harmful content on Meta's platforms. Depending on the programme, various APIs and processes are used to connect Meta and industry partners, non-governmental organisations (NGOs), and trade groups, governments to fight harm both on and off Meta. Sharing involves heavy privacy, legal, policy, and other stakeholder reviews, as well as a variety of contracts. 51 Fact Checkers Meta partners with independent third-party fact-checkers in certain jurisdictions, who are certified through the non-partisan groups EFCSN within Europe and International Fact-Checking Network (IFCN) outside of Europe, to address viral misinformation. Fact-checkers review a piece of content and rate its accuracy. This process occurs independently from Meta and may include, but is not limited to, calling sources, consulting public data, and authenticating images and videos. Limits for Repeated Non-Violating Reports Meta maintains mechanisms to identify users, entities, or individuals that frequently submit notices or complaints that are manifestly unfounded. Meta suspends the processing of these notices or the user's ability to submit notices for a reasonable period of time. A query is run on a quarterly basis to identify potential repeated non-violating reporters and findings are reviewed with Legal. If confirmed, a prior notice will be sent out to the identified reporter and limits may be applied by tagging reporters via highlighting, which indicates to reviewers to ignore incoming reports from this reporter after receiving the prior notice for a reasonable period of time. Proactive Detection Quality and Governance Meta develops and maintains quality and governance measures to ensure proactive detection systems are operating effectively and efficiently, while also minimising the risk of false positives, biases, and other potential negative consequences. Meta establishes policies and protocols, develops and maintains high-quality training, monitors and evaluates model performance, and conducts regular audits and reviews. Proactive Detection Systems - GenAI Meta's AI Safety Team implements and adapts Meta's proactive detection technology to enable identification of potentially violating GenAI prompts and responses. Proactive detection systems are trained with synthetic data to identify and improve performance against GenAI content on Meta’s platforms. The AI Safety team determines strategy, confidence and accuracy requirements, and determines which systems should be leveraged to meet their goals. The team also works with cross-functional partners to review automated proactive detection results, identify areas of improvement, and train the model with new examples and/or data. Proactive Detection Systems Implementation / Adaptation Meta implements proactive detection systems through a combination of technology, data analysis and human expertise for relevant Problem Areas on Meta's platforms. Proactive detection systems are adapted by each Problem Area team to address concerns and nuances aligned with their respective policies by developing and maintaining high-quality training data, building and optimising detection models, and continuously improving and updating models. Repeated Offender Identification - Manifestly Illegal Content Meta maintains an internal tracking mechanism to identify individuals or entities that frequently post manifestly illegal content. This mechanism operates by tracking the number of times a user posts illegal content, and then on a case-by-case basis applying temporary suspension at the account-level based on set thresholds after having received a prior warning. Rights Holders Reporting Tools Meta maintains a variety of tools to support right holders to protect their content on Meta's platforms. The tools provide proactive and reactive levels of support, as well as the ability to request dedicated digital rights support, review channels, and enforcement methods. Strike Policy Meta maintains strike and persistent violator processes to identify repeat policy-violating offenders on in-scope platforms. Meta identifies repeat offenders through a variety of detection methods and continuous review over organic, commerce, and paid content areas. Takedown Requests - Specialised Platforms Intake System (SPInS) Meta maintains the Specialised Platforms Intake System (SPInS) to enable external parties such as governments, regulators, and law enforcement the ability to report and request the takedown of locally violating content. Meta administrators configure access or create new forms for external parties to submit relevant takedown requests. These submissions are then routed to the appropriate review teams. 5.2.1.4 Enforcement Meta uses technology and review teams to detect and assess potentially violating content and accounts onInstagram. Enforcement is triggered by automated detection or user reports. Our machine-learning modelsand human review teams are trained on Instagram Community Standards, other policies, and human decisiondata to enforce content rules. We apply a three-part enforcement approach to content enforcement:103 ● Remove: Policy-violating content is removed; ● Reduce: Distribution of potentially sensitive but non-violating content is reduced; and ● Inform: Users receive additional context to make informed decisions. Meta holds users accountable for repeated violations of our Community Standards through mechanisms likeour Strike System and associated account restrictions. Content may be restricted in a particular countryfollowing regulatory requests, court orders, or reports of unlawful local content after Meta’s review. Meta continuously evolves enforcement to balance effectiveness, user experience, and regulatorycompliance. Key Year 3 updates related to enforcement include the following: ● In Q4 2024, Instagram implemented changes to its policies and enforcement measures. Thisimproved the accuracy of our enforcement, helped prevent mistakes, and resulted in a significantreduction of “over-enforcement.” The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 103 https://transparency.meta.com/enforcement 52 Trusted Flaggers Meta maintains Trusted Flaggers who are designated by the relevant regulatory authority. They are prioritised through their onboarding to a dedicated reporting channel via Specialised Platforms Intake System (SPInS). Trusted Flaggers submit reports of alleged illegal content on an ad hoc basis through a single point of contact form which are prioritised for review. User/Entity Initiated Reports - Escalated Meta operates and maintains forms that allow users and non-users to escalate potentially policy-violating or illegal content that are high-risk. The forms allow users and non-users to submit reports pertaining to potential policy-violating or illegal content that may require faster review turnaround times and higher priority. The report submissions contain relevant information, including substantiation and explanation of the content, the electronic information of the content, and the name and email address of the individual or entity submitting the report, as applicable. User/Entity Initiated Reports - Policy Violating Meta operates and maintains forms that allow users and non-users to report potentially policy-violating content and entities. The forms allow users and non-users to submit reports, either through in-app reporting options or through a form linked on the IG Home Page, containing relevant information, including substantiation and explanation of the content's illegality, the electronic location of the content, and the name and email address of the individual or entity submitting the report, as applicable. 53 Foundational Control Name Foundational Control Description Ad Review Process Meta proactively reviews all advertisements before they are able to be published on Meta's platforms and implements an automatic 24 hour hold on distribution while in review. Some ads are also selected for reactive review after they are published for various reasons, including if a user reports the ad as potentially violating. The entire ad is reviewed to determine if it violates Meta's Advertising Standards. The decisions made during these reviews determine whether ads are approved and go live, or if they are disapproved and returned to the advertiser. Automated Enforcement Decisioning Meta develops and maintains enforcement technologies that review content and behaviours identified as potentially violating Meta's policies and determine whether to take enforcement action. The enforcement technologies leverage training data, including previous decisions made and policy language, to determine if the content or behaviour is in violation of Meta's policies. If the content or behaviour is deemed policy-violating, the enforcement technologies assign the appropriate enforcement action based on the severity of the violation and language in Meta's policies. If there is insufficient information to make an automated decision, the content or behaviour is sent for manual review by the human review teams. Automated Enforcement Decisioning - Accuracy and Consistency Meta maintains mechanisms to ensure its automated systems for detection are operating as intended. Meta has both quality assurance processes (e.g. training of models) and monitoring processes (e.g. metrics) to maintain and improve its quality of automated review processes. Content and Entity Removal Meta utilises enforcement technologies to remove individual accounts, complex objects, content, commercial listings, and ads found to be violating Meta's policies. Enforcement technologies leverage signals from automated and/or manual decisioning processes and remove violating entities from Meta's platforms. Content and Entity Restriction Meta utilises enforcement technologies to restrict content and/or entities on both paid and organic surfaces that violate Meta's policies across violation types. Each problem team may take different actions to restrict content and/or entity based on policies and protocols, including using enforcement technologies and leveraging signals from automated and/or manual decisioning processes. Content Review Prioritisation Meta maintains a content review prioritisation process to rank and prioritise content in order of importance for reviewers to action on potentially policy-violating content on Meta's platforms. The content review prioritisation process for enforcement considers the severity, virality, and likelihood of violation when determining what the human review team should prioritise. Enforcement Actions \- Accuracy and Consistency Meta maintains mechanisms to ensure its automated systems for detection are operating as intended. Meta has both quality assurance processes (e.g., training of models) and monitoring processes (e.g., metrics) to maintain and improve its detection capabilities, the quality of automated review processes, and its enforcement mechanisms. Integrity Actions Platform (IAP) Meta maintains a centralised actioning tool to execute various enforcement actions. The centralised actioning tool is integrated with decision processes and tools to intake appropriate enforcement actions to apply. Language and Cultural Coverage Meta incorporates language and cultural coverage into its products and services, such as translation tools, to support agnostic review for automated and manual review processes. Meta also develops and maintains knowledge management tooling and internal repositories of policy documents, operational guidelines, and user education tools to be utilised in its automated and manual review processes. 5.2.1.5 Response and Notification Meta has established response actions for crises that may impact platform risks, imminent threats to life, andwhen there is illegal activity. These include escalation and reporting to law enforcement and relevantauthorities, following our Terms of Use and legal requirements. Cooperation with law enforcement agenciesand collaboration with CSOs through dedicated reporting channels is central to our crisis response. We also notify users and inform them of decisions related to their content and accounts in line with ourstandard processes. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 54 Manual Enforcement Decisioning Meta has dedicated review teams for manually reviewing potentially violating content and entities identified through proactive detection systems and third-party reports and determining whether the content and/or entities are in violation of Meta's policies. Human reviewers utilise review tools and guidelines to make enforcement decisions in accordance with Meta's policies. Manual Enforcement Decisioning - Accuracy and Consistency Meta maintains mechanisms to ensure the manual enforcement processes are operating as intended. Meta uses operational guidelines to establish standards, measurement systems to evaluate performance, and performance monitoring and continuous improvement processes to maintain performance. Repeated Offender Enforcement - Manifestly Illegal Content Meta applies warnings and enforcement actions on repeated offenders who frequently post manifestly illegal content by leveraging records of previous violations and determining appropriate action based on the number of violations and their severity. Foundational Control Name Foundational Control Description Crisis Response Protocols Meta maintains Crisis Response Protocols to help appropriately respond to an external event that may impact how Integrity risks materialise on Meta's platforms. Meta's response consists of cross-functional groups with varied areas of expertise (Global Ops, Policy, Comms, and Product Integrity) to evaluate risks associated with the crisis and their potential impacts, assess the effectiveness of controls to mitigate these risks, determine whether additional measures or actions are needed to address impacts, and implement measures to mitigate risks. Elections Readiness Meta maintains elections readiness processes to ensure rapid support for the period immediately around critical events. XFN stakeholders collaborate to establish operational handbooks, policy clarifications, and response processes, and training for relevant external parties on how to leverage existing content reporting channels (such as our Trusted Partner programme), and may also create new content reporting channels within the requirements set out by local law, as appropriate. 55 Enforcement Notification Processes Meta maintains a notification process to notify users/non-users when Meta takes an enforcement action, including in response to a report of potentially illegal content or Community Standard violations, by sending notifications and statements of reason. The notification and statement of reason informs the recipient of the use of automation in decision-making and whether a review can be requested to appeal the decision. Where applicable, other potential options of redress, including out of court dispute settlement rights, are also provided to the user. Notifications are communicated in a timely manner, for both initial enforcement and relevant appeal decisions. Mandatory User Data Preservation and Disclosure Obligations Meta maintains processes to identify mandatory user data preservation and disclosure obligations. Meta reviews these processes to ensure compliance with user data preservation and disclosure obligations. Potential Threat Investigation Meta maintains a process to investigate potential threats to life or safety on Meta's platforms on a case by case basis and determine if law enforcement disclosure is necessary, in accordance with Meta's Terms of Use and applicable laws. Reporting Acknowledgement Processes Meta maintains a report acknowledgement process to inform users that their reports have been received. For in-app reporting, users receive automatic in-app confirmations on their reports, and there is a display for the status of their requests. For out-of-app reporting using the contact form, users receive the acknowledgement via email. Reporting Credible Threats to Authorised Government Authorities Meta maintains processes for reporting credible threats to life or safety, when identified on Meta's platforms, to authorised government authorities via established processes on a case-by-case basis. Meta reports credible threats to life or safety in accordance with Meta's Terms of Use and applicable laws. Statement of Reasons Meta provides a statement of reasons in notifications sent to users after Meta takes an enforcement action that explains why the respective enforcement action was taken and informs users which of the Community Standards, or other relevant terms or policies have been violated. Meta notifies users of their decisions, and provides a formal “statement of reasons” explaining any decision to remove or restrict visibility to a specific item of content and/or a user’s account and to inform users of what redress mechanisms are available to appeal the decision. Targeted Search Meta maintains a process where individuals with relevant clearance can search Instagram for measurement, intelligence gathering, and/or enforcement purposes, given that the search meets a defined search criteria. They are intended to identify contents violating Meta’s Community Standards where there is a sense that searching for such content could be broadly justified (e.g., real-world threat of harm). Targeted Searches are initiated, tracked and determined to be eligible for legal approval (meets the defined search criteria) through the Targeted Search Form. The Targeted Search Form incorporates within it the legal guardrails to ensure that the Targeted Search meets the criteria legal has determined to be permissible. Temporary Risk Reduction Measures Meta deploys temporary processes or tools to reduce the likelihood that people see harmful content on its platforms during critical moments or in situations with elevated risk of violence or other severe human rights risks. Meta's teams of specialised cross-functional experts closely monitor trends on and off platform and investigate situations to determine whether and how best to respond. Meta also may coordinate with teams to determine responses. As appropriate, Meta may apply limited, proportionate, and time-bound measures that can be quickly implemented to address a specific emerging risk. Voter Interference Meta prohibits content conveying incorrect information regarding methods and logistics of voting (how to vote/when to vote), or instructions or intent to commit voter fraud. Meta aims to remove all instances of voter interference by identifying new violating claims, finding similar violating claims, and removing any violating claims. 5.2.1.6 User Rights and Recourse Meta is committed to respecting the fundamental rights of our users located in the EU and upholding humanrights in all actions. Users can appeal content removal decisions through dedicated review teams andtechnology, which reassess the content against our Community Standards. Users are then notified if theircontent is reinstated or confirmed as violating standards. Users may also appeal to the independent Oversight Board, which reviews complex content moderationcases and issues recommendations based on international Human Rights Standards. Since inception, theOversight Board has reviewed 146 cases, and Meta has responded to 309 of the Oversight Board’srecommendations with details published in our Transparency Centre.104 These include, among others,decisions about content regarding explicit images generated through AI and updates to our TransparencyCentre about “Our Approach to Dangerous Organisations and Individuals” where we provided details abouthow and why we designate an organisation or individual.105,106,107 Additionally, Meta provides a user-friendly process for users to appeal to certified ODS bodies as required byDSA Article 21. Users are informed of their right to escalate disputes, and Meta supports ODS bodies via asecure portal and API to exchange dispute information. Human reviewers assess ODS decisions andcommunicate outcomes accordingly. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 107 https://transparency.meta.com/oversight/oversight-board-recommendations/ 106 https://transparency.meta.com/oversight/oversight-board-cases/shaheed-pao 105 https://transparency.meta.com/en-gb/oversight/oversight-board-cases/explicit-ai-images 104 https://transparency.meta.com/en-gb/oversight/overview 56 Foundational Control Name Foundational Control Description Ads Targeting Meta maintains technical and organisational measures to ensure information with special protections (including Sensitive Categories of Data (SCD)) are not used to show users personalised ads. Meta uses automated systems to prevent this information from being used for ads profiling and verifies the effectiveness of these measures. Appeals Handling Standard Operating Procedures SOPs Meta maintains Standard Operating Procedures (SOPs) that detail processes and activities to ensure complaints such as appeal processes are handled in a timely, impartial, and non-arbitrary manner regardless of the content or user involved. SOPs include processes and criteria for consistent decision-making, training and human reviewers, user notifications, record-keeping, and turnaround times for handling of appeals. Appeals Process - Actors Meta maintains a process for actors to appeal Meta's enforcement decisions over content the actor created/posted and that was taken down. If the actor chooses to appeal Meta's original enforcement decision, the content is re-reviewed to determine if it violates Meta's Content Policies. Actors may appeal the original enforcement decision within six months and are able to provide further context for Meta to review. Appeals Process - Reporters Meta maintains a process for reporters to appeal Meta's enforcement decisions. If reporters choose to appeal Meta's original decision, the content is reviewed to determine if it violates Meta's policies or where applicable, local law. Reporters may appeal the original enforcement decision within six months and are able to provide further context/rationale for Meta to review. 5.2.1.7 External Awareness and Support Resources Meta continuously develops a library of tools and resources to help users stay safe and understand platformpolicies, reflecting our Community Standards and fostering a culture of respect and empathy. Our Safety Centre offers support on topics, such as mental health and well-being, bullying and harassment,online minor protection, intimate image abuse, and sextortion. It includes tailored resources for vulnerablecommunities, including women, youth, journalists, human rights defenders, public figures, and the LGBTQ+community. 57 Automated Review of Appeals Meta utilises automated review systems to determine whether the appealed content violates Meta's policies. These systems perform tasks including recognising content in photos, videos, or text in accordance with Meta's policies to inform appropriate enforcement actions for appealed content. This excludes unlawful content appeals and other appeals that are regulatorily required to be reviewed manually. The automated review systems undergo governance measures including sampling and feedback loops to update the systems as needed to ensure they are operating effectively and efficiently. Content and Account Restoration and Reinstatement Meta maintains processes to restore content, reinstate suspended accounts, or reverse an enforcement action after a successful appeal. After an appeal is accepted, the applicable enforcement action is reversed by restoring removed content, removing warning labels, removing demotion actions, or reinstating accounts and account features. Content Experience Personalisation Meta offers users the ability to control how much of certain types of content (sensitive) they see in their feeds. Users can control if they wish to see more or less (depending on the content type) of this content in their feed. Edit Rejected Ad Meta provides capabilities in Ads Manager for advertisers to edit ads that have been rejected due to non-compliance with Meta's policies. Advertisers can edit an ad by reviewing the rejection details in Ads Manager and can edit the ad, request another review of the ad, and monitor the review status. Editing the ad also triggers an integrity re-review for violation of Meta's ads policies. Newsworthy Inform Treatment Meta maintains and operates a tool to label content as newsworthy. Upon escalation, Meta determines and may allow newsworthy content potentially in violation of Community Standards on their platforms for public awareness, even if it violates the Meta Community Standards. Non-Profiling Experience Meta offers experiences not based on profiling across different product surfaces, which allows users in specific jurisdictions to experience those products without the use ofthe GDPR definition of profiling in content ranking or recommendations. Users are able to access the non-profiling options directly in the browsing surface as well as through alternative experiences, and are thus provided with a choice if they do not want to use recommender systems based on inferences that Meta's systems make based on the profiling options. Out-of-Court Dispute Settlement Options Meta educates users/non-users on their out-of-court-dispute settlement options. Meta engages in good faith with out-of-court dispute settlement bodies (ODS bodies), such as DSA Article 21 certified bodies, to resolve these disputes. Product Specialist Reviews Meta regularly monitors bugs and reports from users and reports out to product teams. Product specialists perform a monthly analysis of the user bugs and document actions being taken on the product side to resolve the issues. We provide crisis support resources by country and offer guidance for parents, educators, and lawenforcement.108 The Instagram Help Centre also offers safety information for users. In the last year, Meta updated its external resources, including updates to our policy documentation on theTransparency Centre related to new or enhanced AI features like AI-generated images.109 The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 109 https://transparency.meta.com/policies/other-policies/meta-AI-disclosures 108 https://about.meta.com/actions/safety/crisis-support-resources 58 Foundational Control Name Foundational Control Description Ad Blueprint Training Meta provides external e-Learning training through its Meta Blueprint programme for agencies, marketing partners, clients and Small Business Groups. Content is readily available on Meta Blueprint and enables people to gain foundational knowledge on Meta's advertising practices, including explaining how ads work and restrictions that apply. Branded Content Tool Meta maintains the Branded Content Tool, which provides users with the opportunity to declare that their content contains commercial communications by adding the "paid partnership" label to their content via a self-serve tool provided by Meta. The user can indicate a relationship with the affiliated Brand/Company before being able to tag them and tagged branded content must comply with the content-level prohibitions and restrictions prescribed in Meta's Branded Content Policies for IG. Family Centre Meta maintains the Family Centre, which provides users with resources, insights and expert guidance to help users support their family’s online experiences on Meta's apps and across the internet. The Family Centre has information about the tools across products, as well as the Education Hub which provides informational resources and tools across Meta's products. Help Centre Meta maintains the Help Centre, which provides users with a centralised hub for support across Meta products and services. The Help Centre provides links to product support, Meta shops, Meta help, specific help centres for Meta apps, and support for different types of users. Parent's Guide Meta proactively maintains and updates the Parent's Guide to support parents and guardians with policies, resources and tools that help to protect the safety and well-being of minor’s online experiences on Meta's platforms. The guide is accessible to Parents through the Family Centre which includes information on how to manage minor’s privacy, interactions, comments, time security, and supervision tools and resources across Instagram. Privacy Centre Meta maintains the Privacy Centre with resources for users, including minors, to access and learn how to manage and control privacy across Meta Products. The Privacy Centre provides references, tools, education, and answers to privacy-related questions to empower users to customise their privacy experience. 5.2.1.8 Internal Training and Resources Meta provides comprehensive training to employees and contingent workers, including human reviewers, tosupport enforcement of Community Standards and policies. Training covers Meta's Community and IntegrityStandards, moderation processes, Problem Area trends, risk and compliance best practices, and regulatoryrequirements. We have routine updates and retraining processes to address policy changes and enforcement issues.Additionally, Meta offers resilience, health, and wellness resources to support reviewers who handleobjectionable or graphic content. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 59 Quick Promotions on Campaign Studio Meta updates, deploys, and monitors Quick Promotions (QP) that are created via the Campaign studio tool or directly via API provided by QP team. These QPs are running on off-app channels (i.e., notifications and emails) and in-app Meta-to-User communication platform across the Family of Apps. The Quick Promotions team launches QPs to drive growth/engagement for products, deliver critical legal notices, educate users, deliver surveys, or provide any other communication with users. The Campaign Studio tool and QP creation APIs allows for the creation and management of QPs, including choosing the surface it will appear on, defining the eligibility rules and content, testing the QP, and deploying it in production and monitoring it. Safety Centre Meta maintains a Safety Centre to house documentation about Meta's approach to safety across Facebook, Instagram, and other products. The Centre, available in over 60 languages, can be accessed by users and non-users and includes information, resources, and news to document Meta's approach toward safety for all users on their platforms. These resources can be accessed by users and non-users for specific safety topics and communities to empower individuals to obtain the support they need, specific to the area they are looking for. Self-Disclosed Transparency Reporting Meta maintains self-disclosed reporting and report writing processes to develop and publish their self-disclosed transparency reports and to ensure compliance with their self-disclosed reporting requirements. This process is managed by a cross-functional team that develops and publishes transparency reports supporting materials, templates and roles and responsibilities in accordance with Meta's reporting cycle and by the required timelines. Sponsored and Paid Partnerships Labels Meta maintains “Sponsored” Labels for paid ads across Meta's platforms to communicate to users that the content being viewed is being promoted in an advertisement. This is done through applying a prominent "sponsored" label on this content. Suicide and Self-Injury Content Response Meta sends resources to users who have posted/reported content that is identified as being suicidal or self-harm related. If the content indicates credible intent, the team escalates the content for further action as appropriate. Users reporting such content are also provided with a link to resources that direct them to the Help Centre page that has information and resources, including the suicide hotline. Transparency Centre Meta maintains its publicly accessible Transparency Centre that provides further information regarding Meta's content moderation policies, how Meta enforces its policies, complaints handling process, self-disclosed and statutory transparency reports, and parameters used in recommender systems. Voter Empowerment Features Meta maintains and launches election-specific product features to encourage voter participation in free and partly-free elections globally. Resources with information relevant to voting-age users are provided to connect them to authoritative information regarding elections. 5.2.1.9 Risk Assessment Meta manages a complex and evolving integrity risk landscape due to the global scale of our services, risingonline challenges, and rapid growth in user-generated content. To address this, we have established RiskAssessment Processes, including the annual DSA Systemic Risk Assessment and CIRAs (as applicable) toidentify, analyse, and mitigate integrity risks. As our compliance programme matures, we remain committed to strengthening risk management andcoordinating both ad-hoc and annual Risk Assessments. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 60 Foundational Control Name Foundational Control Description Policy Role Based Training Meta develops and provides training to employees based on the role they undertake in order to equip them with the necessary knowledge and skills to perform their specific roles effectively. The exact nature of the training varies depending on their role, but includes onboarding, technical, and policy and compliance training, as needed. Foundational Control Name Foundational Control Description Crisis Response Assessments Meta reports on Crisis Response Assessments to identify and assess whether external events impacting the functioning and use of Meta's services are significantly contributing to a serious threat. Meta's crisis response reporting includes specifically internal crisis response protocols (IPOC, Global Response Operations Crisis Protocol, etc.) using internal protocols to evaluate the impact of the risks associated with crisis response, and Crisis Policy Protocol (CPP). Assessment of the risks associated with sensitive external events, such as wars, protests, and elections, may require controls to be updated to ensure the external events are managed appropriately. Critical Impact Risk Assessment Meta conducts Critical Impact Risk Assessments, which are targeted Risk Assessments prior to deploying new functionalities that are expected to have a critical impact on our systemic risks. Meta utilises guided questions to assess whether a new functionality, operational change, or similar event could create or influence a systemic risk and meet the threshold to trigger the need for a Critical Impact Risk Assessment to be completed. If a Critical Impact Risk Assessment is triggered, systemic risks that could arise given the functionality being deployed are identified, analysed, and assessed with subject matter experts using a defined methodology, framework, and templates. Election Risk Assessments Meta conducts Risk Assessments to identify and assess high risk election events impacting how risk materialises on Meta's platforms in the context of elections. These assessments consist of examining the risks associated with the elections and assessing the effectiveness of relevant control frameworks to better understand any areas for improvement and stress-test current systems. The Risk Assessments help identify specific content spikes and operational, policy, or product gaps that may require controls to be updated to ensure risks are appropriately managed. 5.2.1.10 Governance Meta maintains robust governance frameworks across the three lines of defence for integrity matters,covering decision-making, accountability, compliance, and oversight. Key components include: ● Enforcement Decisions (First Line of Defence - 1LOD): Monitoring and measuring enforcementaccuracy against policy-violating content on Instagram; ● Integrity System Changes (1LOD): Managing changes to integrity systems, including multi-personreview and sign-off for detection system updates; ● Integrity Reviews (1LOD): Assessing planned services and feature launches against defined integrity standards before release (additional control details found in Section 5.2.1.2 Systems and Product Integrity); 61 Human Exploitation Market Prioritisation Framework Meta updates and maintains the Human Exploitation (HEx) Market Prioritisation (MPri) Framework tool on an ongoing basis to quantify the problem manifestation risk and solutions coverage per market in order for Meta to decide where to dedicate resources. The framework covers Minor Sex Trafficking (MST), Sex Trafficking (ST), Coordinated Commercial Sexual Activity (CCSA), Human Smuggling (HS) and Labour Exploitation (LEx). MPri employs a data-driven methodology integrating diverse internal and external data sources and uses a weighted scoring system for quantification of these risks. Investigations - i3E Meta conducts investigations regarding actors and their behaviours that have been internally or externally identified as potentially pertaining to Problem Areas including Child Sexual Exploitation, Abuse, and Nudity and Human Exploitation. The team reviews actors and uses their analyses of on-platform activity to improve detection signals, route for appropriate enforcement actions and, if applicable, escalate to other internal partners. Meta AI Risk Assessment Meta conducts Risk Assessments to systematically evaluate the potential risks associated with AI models and systems prior to launch. The Risk Assessment evaluates potential risks, documents mitigation strategies and residual risks across a comprehensive set of risk categories prior to in scope AI launches. Salient Human Rights Risk Assessment Meta manages a company-wide Human Rights Risk Assessment performed by a third-party vendor to identify and document Meta's salient risks in order to provide recommendations to mitigate identified risks. The assessment is performed to develop recommendations to help mitigate risks and inform future strategy. In the event the salient Risk Assessment cannot be successfully completed, the Meta Human Rights Director will document the reasoning with appropriate sign-off. SEV (Site Events) Reviews Meta maintains the SEV Review tool that facilitates the SEV Review process to learn from site events (SEVs) across Meta with the goal of not repeating similar SEVs. Corresponding teams at Meta discuss a selection of SEVs in periodic meetings to permit first responders to present their incident reports to an audience and discuss root causes and follow up items. The SEV Reviews happen at team, organisational and company levels, depending on the level of severity of the incident and the incident impact. Trend and Issue Analysis Meta generates intelligence through trend analysis, issues analysis, and discoverability stress testing methodologies to determine potential emerging risks that may impact Meta's operations. Meta works with cross-functional partners to identify, assess, and drive accountability for high risk threats through various high quality analytics reporting such as continuous intelligence update (CIU), preliminary trend analysis, deep dive issues analysis, and stress testing. ● Risk and Compliance Oversight (Second Line of Defence - 2LOD): Executing routine risk andcompliance processes to identify risks and assess the effectiveness of our controls carried out by theIntegrity GRC team with oversight from our EU Integrity Compliance Office (ICO); ● Internal Audit (Third Line of Defence - 3LOD): Independent assurance on the design andeffectiveness of risk, compliance, governance, and control processes; ● External Audit: Independent verification of compliance with DSA requirements and governanceprocesses; and ● Management Body Oversight: The DSA Head of Compliance reports to the management body,which oversees risk management for Instagram services in the EU. Meta continues to strengthen and adapt its governance mechanisms as its compliance programme evolves. The table below details the foundational controls assessed in the Year 3 Systemic Risk Assessment as itrelates to this control domain. 62 Foundational Control Name Foundational Control Description Human Rights Due Diligence Meta conducts human rights due diligence and impact assessments to identify salient human rights issues in the context of Meta's products, policies, and operations. The outcome of the due diligence and impact assessments aid in the creation of strategies to mitigate these risks on Meta's platforms. Local Law Content Restrictions Meta maintains a process to identify, process, address, and restrict (where applicable) content that is reported to Meta in violation of local law. Meta has reporting mechanisms to enable governments, regulators, courts, non-government entities, and members of the public to report illegal content. If the content does not violate Meta's policies, a review is conducted to validate the reported illegality. If it is determined the content is illegal, following a human rights review, Meta may enforce upon the content by restricting the content in the relevant jurisdiction(s) and notifying the reporter accordingly. Local Law Review Meta updates procedures for how they review locally illegal content in response to local law and scale these reviews. Meta Privacy Programme and Governance Meta maintains a programme for Meta's compliance to global regulatory privacy obligations. Meta develops frameworks to help place user privacy at the centre of Meta's products and services in accordance with our regulatory obligations. Meta partners with cross-functional teams to document current practices, scale safeguards, and identify and remediate gaps as needed. Oversight Board Meta maintains an independent content appeals process that is overseen by the Oversight Board. The Oversight Board is a global body of experts that provides independent review and decisions of Meta's product content decisions. The Oversight Board hears cases in instances where users disagree with the outcome of Meta’s content decisions and have exhausted appeals or Meta directly submits the case for review. Decisions by the board are independent, binding (unless implementing the decision could violate the law), accessible to users, and transparent. Recommendations are not binding and are implemented at Meta's discretion. The only binding requirement for recommendations is for Meta to publicly disclose the action it takes in response. 5.2.2 Detailed Risk Observations and Mitigating Measures The following subsections detail some of the key trends identified in this assessment, the critical controlsthat are in place to manage these Problem Areas, including some of the ecosystem of controls that are detailed in Section 5.2.1 Meta's Ecosystem of Controls. 5.2.2.1 Account Integrity and Authentic Identity We believe that authenticity helps create a community where people are accountable to each other, and toMeta, in meaningful ways. We want to allow for the many ways that identity is expressed across our globalcommunity, while also addressing impersonation and misrepresentation. To maintain a safe and openenvironment where people can build community, we do not allow for the creation of accounts or profiles thatare created or used to deceive others. Account Integrity and Authentic Identity is associated with various Systemic Risk Areas in the DSA, includingDeceptive and Misleading, Civic Discourse and Elections, and Protection of Minors. This Problem Area relatesto the risk of Instagram being used to deceive or mislead users through the use of compromised accounts, 63 Partnerships and Collaborations Meta establishes partnerships with external groups to inform Content Policy development, enhance transparency around the policies and their implementation, and provide additional resources for Meta platform users. Meta's partnerships and collaborations help inform Meta’s Content Policies, and they help Meta develop integrity protections and informational resources that are made available to users, in an effort to minimise harm and protect voice and well-being. Resources are shared with users via designated locations on Meta's website (e.g., the Newsroom, the Safety Centre, and the Community Standards page). Response to Law Enforcement Requests for Preservation or Disclosure of User Data Meta responds to requests from law enforcement for preservation or disclosure of user data in accordance with applicable laws and our Terms of Use. Response to Law Enforcement Requests Process Meta implements and maintains jurisdiction-dependent turnaround times for law enforcement in jurisdictions where Meta is obligated to offer it. The Legal and Operations teams identify the mandated turnaround time for a response, track resolution time, triage requests as needed, and send a response to law enforcement describing the outcome of the report . Traffic Light System (TLS) / Geo-Blocking Policies Meta maintains Traffic Light System Policies based off of the Regulatory Compliance Policy (RCP) Due Diligence Assessment to support Operations teams in making efficient review decisions based on identified content trends. The policies are created in collaboration with XFN to guide Operations teams in how to respond to takedown requests from regulators/courts/users from a particular country. The TLS policies create a scalable, responsive, and future proof review model to empower Operations teams to make content decisions which reduces escalations to Legal and RCP. User/Entity Initiated Reports - Locally Illegal Content Meta operates and maintains a service that allows users / non-users to report potentially illegal content in their local jurisdiction. Users / non-users can submit reports over potentially illegal content with relevant substantiation, such as the post, comment, profile, or other information over the content in question. The content is then reviewed to determine if it is in violation of Meta's policies and local laws. Users / non-users are updated of report decisions via in-app, or email notifications. accounts and advertisers that are not authenticated or verified correctly, and threat actors returning to theservice after being banned (e.g., recidivism). As it relates to persistent, ongoing challenges and adversarialbehaviour inherent to this Problem Area, there are instances in which threat actors build tools to create manyaccounts at once, known as “scripted abuse”. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. The EU Parliamentary Elections have contributed to activity, although at a more typical level compared to the previous year's high volume of elections. Ongoing advancements in GenAI increase impersonation of high-profile individuals and content piracy, which is more prevalent during times of geopolitical conflicts, war, or other crisis events. Additionally, industry GenAI and evolving technology makes it increasingly more difficult to verify identity using government IDs as it has become easier to forge official identification. Lastly, we see threat actors who have been able to compromise / hack other users’ account, purposefully share child sexual abuse materials (CSAM) content to get these accounts disabled, and gain control of linked business accounts. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forAccount Integrity and Authentic Identity, we have built a combination of automated and manual mechanisms to block, remove, and prohibit the creation of accounts that violate our Community Standards. On Instagram, Meta has a separate Names Policy to block inherently violating words in names (e.g. users cannot create accounts called 'Hitler'); users are able to appeal blocked names with a valid ID. In some cases, such as authorisation for advertisers running ads about social issues, elections, or politics, there may be special identification requirements. Meta protects the integrity of user accounts through proactive security measures, such as optional two-factor authentication and sophisticated machine-learning models that trigger advanced account notifications (for example, alerts following suspicious login attempts). However, because two-factor authentication is not mandatory for all users, this remains a potential vulnerability. We provide users with an in-application mechanism that enables them to view devices that have recently logged into their account and remotely log out, as needed. We have also built many impersonation related user education interventions on the platform, including in-product user messages / warnings and links to Help Centre educational resources in the event a user receives a request or message to follow or become a friend of their account from a new or unknown account with no mutual connections. Meta has built classifiers that can help detect if a threat actor that has already been removed from the platform is behind the creation of a new account or other entities, and will remove them from our platform(s). Meta continuously improves its ability to detect scripted abuse accounts, and put in place net new actions to mitigate account takeover by introducing additional verifications, age checks, and verification of contact points. Identifying compromised accounts is challenging, especially if the device itself has been compromised. However, the user can recover the account using personal documents or face recognition. To prevent any further activity from compromised accounts, Meta constantly works to improve its ability to identify compromised accounts at or before the point of compromise. For example, we are looking to improve signals from users’ trusted devices to reduce friction for account owners, as well as to give users more options to clear compromise checkpoints. There is also ongoing work to prevent users from experiencing initial account compromise by focusing on ensuring users have healthy contact points, protecting sensitive account changes and additions to the user experience to give users increased visibility of what is happening in their account. Significant investment is being made to identify and ingest more signals to identify compromised accounts, such as deploying compromise models to proactively identify when we think an account may be at risk of compromise. Depending on the model scores and risk type, accounts will be notified of suspicious activity, or automatically put into varying checkpoints in order to secure their accounts from potential threat actors (for example, Hack Lock Checkpoints). Lastly, we require users to be at least 13 years old to sign up and provide a reporting mechanism for users to report an account belonging to someone under 13. If an account is reported for someone who is reasonably verifiable as being under 13, the account will promptly be deleted.110 110 https://help.instagram.com/517920941588885?helpref=faq_content 64 5.2.2.2 Adult Nudity and Sexual Activity Meta understands that nudity can be shared for a variety of reasons, including as a form of protest, to raiseawareness about a cause, or for educational or medical reasons, and where such intent is clear, we makeallowances for the content. However, we default to removing sexual imagery to prevent the sharing ofnon-consensual or underage content, as published in our Adult Nudity and Sexual Activity CommunityStandard. Adult Nudity and Sexual Activity is associated with the Protection of Minors and Fundamental RightsSystemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used by threatactors to depict or promote imagery of nude adults, adult sexual activity, or extended audio of adult sexualactivity. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to this ProblemArea,Adult Nudity and Sexual Activity remains a highly adversarial and profit motivated space, particularly asthreat actors develop new ways to circumvent detection and enforcement. We observe behaviour such asutilising multiple accounts, creating fake profiles, leading users to harmful external sites, or variousobfuscation techniques, including embedding violating video clips within an otherwise benign video andharmful content through picture in picture content. In some instances, threat actors use depictions of adultnudity and sexual activity as a means to bait users for other purposes or goals. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, several key trends were identified including the continued prevalence of sexualised breastfeeding content and the use of timer videos, which are typically videos lasting a few minutes and starting with a digital countdown that appears on the screen followed by hardcore pornographic or nudity content, by adversarial actors to evade detection while distributing pornographic material. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, we have been working closely to mature our operational guidelines, banking mechanisms, and detection tools to address these evolving trends. Additionally, Meta continues to work with industry peers to identify preventative measures to reduce access to tools like these which may be misused. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Additionally, we’ve updated the Adult Nudity and Sexual Activity Policy on 25 July, 29 August and on 17 September 2024 to clarify language on what is permitted under the policy (e.g., real-world art nudity), what is not permitted (e.g., any imagery, including digital), and the addition of the express mention of AI- or computer-generated nudity as something that is not allowed, just like imagery of real nudity. Other updates included the addition of language to explain when certain types of nudity are permitted with restrictions, such as age-gating and sensitive content warning screens (e.g., imagery of implicit/other sexual activity or stimulation when shared in a medical or health context). Specifically forAdult Nudity and Sexual Activity over the last year, we continued to increase our investments in enforcement on recidivism, increase the number of human reviewers to address risks across this Problem Area, and improve the effectiveness of manual reviews. These policy changes directly contribute to more effective enforcement of violating content on Meta’s platforms. In the first quarter of 2025, globally, we took action against 9.8 million pieces of potential adult nudity and sexual activity content (globally) on Instagram, with 97.7% being identified by us before users reported it.111 5.2.2.3 Adult Sexual Exploitation Meta recognises that its platforms may be used to discuss sexual violence and exploitation. To foster a safeenvironment, we allow victims to share their experiences but remove content that depicts, threatens, or 111 Community Standards: Adult and Sexual Activity 65 promotes sexual violence, sexual assault, or sexual exploitation. We also remove content that displays,advocates for, or coordinates sexual acts with non-consenting parties to avoid facilitating non-consensualsexual acts. In addition, we remove any content promoting services, applications, or instructions thatpromote, threaten to share, or offer to make non-real NCII. Content that threatens or advocates rape isremoved and we may disable the posting account and work with law enforcement.112 Adult Sexual Exploitation is associated with the Gender-based Violence, Protection of Minors, andFundamental Rights Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram beingused by threat actors to sexually exploit adult users, including non-consensual sexual touching (NCST),necrophilia, forced stripping, sextortion, non-consensual intimate imagery, creepshots, rape threats, orreferences to adult sexual exploitation. This also potentially includes Instagram being used by threat actors to depict, threaten, or promote sexual violence or sexual exploitation associated with adults. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to this Problem Area,AdultSexual Exploitation remains a highly adversarial space, particularly as threat actors develop new ways tocircumvent detection and enforcement. We observe behaviour such as utilising multiple accounts, creatingfake profiles, leading users to harmful external sites, or various obfuscation techniques, including embeddingviolating video clips or harmful content images within an otherwise benign video or image. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, net new trends were identified that impact this Problem Area. Violating apps emerged including non-consensual AI kissing apps and nudification apps that create NCII. In addition, sextortion continues to be a risk and we have seen an increase in offenders operating through fake profiles or anonymous accounts and moving victims away from Meta applications to other platforms, making it harder to track. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, we have been working closely to mature our operational guidelines, banking mechanisms, and detection tools to address these evolving trends. Additionally, we continue to work with industry peers to identify preventative measures to reduce access to tools like these which may be misused. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forAdult Sexual Exploitation, as it relates to our detection controls, we are aware of patterns associated with sharing of NCII, NCST, and sextortion and have automated systems that detect and remove these accounts and harmful content at scale. In order to combat challenges with understanding intent or consent with NCII or NCST content, Meta often encourages and relies more on user reporting, as well as human review. Over the last year, we continued to increase our investments in enforcement on recidivism, increase the number of human reviewers to address risks across this Problem Area, and improve the effectiveness of manual reviews. When we identify a credible threat of real-world harm, we reach out to law enforcement in accordance with our Terms of Use and applicable law. In these instances, we do not allow identification of a victim of sexual assault without their consent. Additionally, when we take enforcement action against a user for sextortion, the network of accounts and devices owned by the threat actor are taken down and we make it difficult for them to create new accounts. Furthermore, Meta collaborates with third parties to help combat these challenges across the industry. This includes supporting StopNCII.org, which allows individuals to hash their intimate images or videos directly on their devices and share these hashes with participating tech companies globally, including Meta, to prevent the sharing of these images on the different products. Additionally, through our participation in the Tech Coalition's Lantern signal sharing initiative, we have shared ~3,800 URLs of nudify apps with 26 tech 112 https://transparency.meta.com/policies/community-standards/adult-sexual-exploitation/ 66 companies. 113 Meta has developed more than 50 tools and features to help support the safety of minors and families across our apps, including supervision tools for parents and guardians and specific education and resources about sextortion in our Safety Centre.114 We also provide links to local resources available in our Help Centre if anyone is a victim of sexual exploitation or would like resources to share with a potential victim. Meta also works with smaller groups of external women’s safety advisors to provide guidance whose areas of expertise include NCII, adult sexual exploitation, and other online harms impacting women. Their expertise guides the development of our approach to mitigating harm targeted at women on our platforms, as well as informing the design of our policies, products, and programmes aimed at preventing and responding to online abuse.115 5.2.2.4 Adult Sexual Solicitation and Sexually Explicit Language At Meta, we do not allow content that is designed to facilitate sexual encounters or commercial sexualservices between adults. We also do not allow content that asks for or offers pornographic or sexual content.We also restrict sexually-explicit language that may lead to sexual solicitation because some audiences withinour global community may be sensitive to this type of content, and it may impede the ability for people toconnect with accounts that they follow or are a friend of and the broader community. However, we do allowfor the discussion of sex worker rights advocacy and sex work regulation as well as content that is otherwisecovered by this policy when posted in condemnation, educational, awareness raising, or news reportingcontexts. We also do not prohibit discussing sexual practices under the policy. However, this content isrestricted to adults over 18 years of age. Adult Sexual Solicitation and Sexually Explicit Language is associated with the Gender-based Violence,Protection of Minors, and Fundamental Rights Systemic Risk Areas in the DSA. This Problem Area relates tothe risk of Instagram being used for the dissemination of pornographic content, solicitation of sexualservices, and depiction or promotion of explicit language with graphic sexual undertones. As it relates topersistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, this type of abusecan be difficult to identify because the line between coercion and self promotion can be unclear and complexto determine online. We remove content facilitating sexual encounters in part to avoid facilitatingtransactions that may involve trafficking, coercion, and non-consensual sexual acts. Also, coercion can bedifficult to prove based on only the existence of emojis or other vague text. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. Content attempting to engage in sexual solicitation and prostitution continues to persist as a prominent trend especially across Reels and video surfaces. There is a demand-driven cycle of harm, where users seeking explicit content create an incentive for producers to create and share it. This cycle of harm is self-reinforcing, with both producers and consumers contributing to continued prevalence of such content. In Year 3, we identified a trend where a combination of deceptive links and fake play buttons overlaid on sexually suggestive imagery or pornography were used to prompt engagement and direct users to off-platform pornography websites. 115 https://about.meta.com/actions/safety/ 114 https://www.meta.com/help/policies/safety/tools-support-teens-parents/ 113 https://about.fb.com/news/2025/06/taking-action-against-nudify-apps/ 67 Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, we have updated our policies to enforce against the use of deceptive links and fake play buttons to direct users to pornography sites off-platform. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forAdult Sexual Solicitation and Sexually Explicit Language, Meta continues to curate age-appropriate experiences for minors and reduce discoverability of certain content, via features such as non-recommendation, filtering, and interstitials for content that may be suggestive of sexual practices or contain sexually explicit language. We also curate lists of slang terms across multiple markets and prevent them from being shown on search results or recommended to minors. For minor users, we do not give them the option to turn down their enforcements and default minors to the higher setting across their accounts. We deploy classifiers, which use parts of posts such as texts and comments, to identify violations. The classifier can produce scores for solicitation and we use these scores to enqueue for human review and enforcement action. We allow for auto action of sexual solicitation and sexually explicit language violations based on confidence in the probability of actual violation and prioritisation in our review queue. Additionally, Meta recognises that sexual solicitation and prostitution may shift to off-platform activities, making it more difficult to detect and enforce against such violations. This highlights the complexity of addressing these issues, as they can manifest beyond our platforms, and underscores the importance of ongoing efforts to prevent harm from occurring on our services. Meta also implements standard human review processes. Specific nuances include utilising holistic review to identify potential sexual solicitation and sexually explicit language scenarios, while scaled review is utilised to enforce against violations without the need for further escalation. 5.2.2.5 Bullying and Harassment Meta is committed to maintaining a safe and respectful environment on our platforms by prohibitingBullyingand Harassment. According to the Bullying and Harassment Community Standard, Meta takes action toremove content that is intended to degrade or shame individuals. Additionally, when there is a heightened riskof real-world harm, Meta removes targeted mass harassment. Bullying and Harassment is associated with the Civic Discourse and Elections, Gender-based Violence,Protection of Minors, and Fundamental Rights Systemic Risk Areas in the DSA. This Problem Area refers tothe risk of Meta’s systems being used to promote content that degrades, shames, or makes repeatedunwanted contact with a user (e.g., cyberbullying, threats of harm, mass harassment, sexual harassment). Werecognise thatBullying and Harassment can have disproportionate effects on minors’ well-being and mentalhealth, which is why we provide heightened protections for users under 18. We also recognise that theLGBTQ+ community, as well as public figures like female politicians—especially female politicians ofcolour—are targets ofBullying and Harassment at a disproportionate rate. This risk can manifest itself onInstagram when adversarial networks work together to engage in repetitive behaviour, which is challenging toidentify and manage, as brigading and coordination of mass harassment happen on and off the platform andcan take various forms. We also recognise that becoming a public figure isn’t always a choice and that famecan increase the risk of bullying and harassment, particularly if the person comes from an underrepresentedcommunity. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to this Problem Area,Bullying and Harassment continues to evolve with the landscape of social interaction and digital connection,as it is highly individualised and context-dependent. As a result, moderators often need to understand therelationships between users, the meaning behind content and behaviour, and the nuances of language andregional context. Meanwhile, threat actors continue to explore ways to circumvent detection andenforcement (e.g., using emojis, intentional misspellings, symbols, etc.). 68 What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2 Assessment. For example, we continue to observe thatBullying and Harassment risks may disproportionately impact minors, potentially increasing the inherent risk exposure associated with this Problem Area. Additionally, it was identified that the high number of elections in the EU, including the EU Parliamentary Elections, could increase the risk of bullying and harassment against political public figures on the platform. No net new trends or impacts have been identified since Year 2 Assessment. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, Meta put in place dedicated election teams to combat the likely increase in adversarial behaviour. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. We continue to provide numerous options for users to control their experiences on Instagram and limit unwanted interactions with other users. These options include blocking other users, restricting other users’ ability to comment on their posts, and limiting the visibility of posts and profile information for specific users. Additional mitigations may include notifying users when they post violating content and alerting authorities if there is a safety threat. We continue to rely on detection of new content types, such as GenAI. In the first quarter of 2025, globally, we actioned 5.2 million pieces ofBullying and Harassment content on Instagram, with 88% detected proactively before being reported by users.116 While there are no automated detection or classifiers to detectBullying and Harassment violations in ads, we may rely more on user reporting and human review. We also include a link on nearly every piece of content for reporting abuse,Bullying and Harassment, and other issues. We encourage self-reporting as it helps us understand when a person feels bullied or harassed.117 We provide heightened protection for minors and vulnerable users through our Bullying and Harassment Community Standards, given the potential disproportionate impact on these groups. For example, we protect against content targeting minors such as claims about sexual activity or romantic involvement; targeted cursing; calls for exclusion; negative character ability claims; allegations about criminal or illegal behaviour; and videos depicting physical bullying of minors. Consistent with the commitments in our Corporate Human Rights Policy, we offer more protections for public figures (e.g., journalists and human rights defenders) who have become famous involuntarily or because of their work, similar to protections assigned to other involuntary public figures.118 Examples of these protections include dehumanising comparisons (in written or visual form) to or about animals and insects that are culturally perceived as inferior, bacteria, viruses, microbes, diseases, and inanimate objects, including trash, filth, faeces; content manipulated to highlight, circle, or otherwise negatively draw attention to specific physical characteristics; and content that ranks their physical looks.119 There are many teams at Meta, including the policy and safety teams, that routinely work with external parties to understand new trends and behaviours to help improve Meta’s policies and resources, as detailed in our Section 4.1: External Stakeholder Engagement. For example, after working with over 400 women’s safety organisations and experts, we established Meta’s Global Women’s Safety Expert Advisors to advance the safety of women online. Additionally, we work with bullying prevention experts, such as the Diana Award Anti-Bullying Ambassador Programme, International Bullying Prevention Association, and Cyberbullying Research Centre, to stay informed on bullying trends and maintain our bullying prevention resources (e.g., Bullying Prevention Tips for Youth, Online Bullying Prevention Tips for Parents, Managing Bullying and Harassment in Instagram Communities, etc.).120 5.2.2.6 Child Sexual Exploitation, Abuse and Nudity Meta does not allow content, activity or interactions that sexually exploits or endangers minors, as publishedin our Child Sexual Exploitation, Abuse and Nudity Policy Community Standard. 120 https://about.meta.com/actions/safety/audiences/women/#partners 119 https://transparency.meta.com/policies/community-standards/bullying-harassment/ 118 https://about.fb.com/wp-content/uploads/2022/10/Meta-Corporate-Human-Rights-Policy.pdf 117 https://help.instagram.com/2922067214679225 116 https://transparency.meta.com/reports/community-standards-enforcement/bullying-and-harassment/instagram/ 69 Child Sexual Exploitation, Abuse and Nudity is associated with the Protection of Minors and FundamentalRights Systemic Risk Areas. This Problem Area relates to the risk of Instagram being used to promote ordisseminate content or activity relating to non-sexual child abuse, child nudity, child sexual exploitation,CSAM, including self-generated CSAM and solicitation of CSAM, sexualisation of minors, and exploitativeintimate imagery and sextortion of minors. This risk area also includes inappropriate interactions with minorsand the adverse impact on minors’ fundamental rights, specifically the respect for the rights of the minor andthe right to human dignity as enshrined in the EU Charter. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, threatactor behaviour is highly adversarial and constantly evolving in this space. We observe behaviour such asintentional manipulation by threat actors to persistently adapt to evade detection, use of implicit signals likekeywords and hashtags (e.g., “chicken soup”), moving conversations off the service (e.g., via posting links tooff-platform sites) to take advantage of minors and/or spread violating content (e.g., CSAM), and returning tothe service through new accounts despite being blocked. Additionally, some abuse types can be morechallenging to detect and manage than others, such as non-sexual child abuse, which may result in greaterreliance on user reporting and human review. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment period, several trends were identified that continue to impact this Problem Area, similar to those observed in Year 2. Additionally, Meta continued to actively monitor the potential for generative AI to impact risks in this space as the use of generative AI advances across the industry. In Year 3, sextortion continued to be a risk, with a rise observed in apps generating and editing NCII and CSAM, AI kissing apps, and nudification tools. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, we have committed to Safety by Design principles from Thorn and All Tech is Human to proactively address minor safety risks, while also maturing operational guidelines, banking mechanisms, and detection tools to address these evolving trends. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. In Q4 2024, we launched Instagram Teen Accounts, which have built in-protections including controls to restrict visibility, expanding search interventions, removing the ability to initiate new connections (e.g., via friending/following), limiting the content teens may see as well as who can contact them. When it comes to recommender systems, we have systems that proactively find, remove, or refrain from suggesting minor-sensitive content across most surfaces and we continue to improve these systems year-over-year by streamlining them and expanding their capabilities. Meta deploys classifiers that can proactively identify violating or potentially violating content. We also leverage technologies such as Google's classifier, in order to prioritise content for reviewers. We have also expanded the existing list of minor safety related terms, phrases and emojis for our systems to find. We have many sources for these terms, including: non-profits like Thorn and experts in online safety (e.g. Tech Coalition121), our specialist child safety teams who investigate predatory networks to understand the language they use, and our own technology which finds misspellings or spelling variations of these terms. We have also introduced novel techniques to find new search terms. For example, we are using machine-learning technology to find relationships between terms that we already know could be harmful or that break our rules and other terms used at the same time. These could be terms searched for in the same session as violating terms, or other hashtags used in a caption that contain a violating hashtag. We combined our systems so that as new terms are 121 https://technologycoalition.org/ 70 added to our central list, they are subsequently actioned across Instagram simultaneously.122 Meta has specialist teams focused on understanding evolving criminal behaviours to review and eliminate abusive content, accounts, and networks. Meta’s investigation teams receive information off-platform (from various sources including open source, intelligence vendors, and partners) and then investigate the activity on Meta’s platforms. In some instances, these investigations may result in takedowns of entire networks of bad actors. Additionally, these investigations uncover behavioural signals and keywords that are fed back into Meta’s scaled systems (e.g., machine-learning), which enhanced our proactive detection of violating content. For example, we have found that financial sextortion extorters are known to use scripts that are publicly available online when interacting with their victims. As a result, we have removed assets found to be selling or purchasing these scripts, as well as additional assets controlled by the same individuals. In the first quarter of 2025, globally, we actioned 1.5 million pieces of potential child sexual exploitation content on Instagram, with 94.5% detected proactively before it was reported by users.123 Our reviewers and automated systems consider a broad spectrum of signals, which we monitor for potential suspicious behaviour such as interactions with violating accounts, searches for violating content, or membership in violating communities. These mechanisms help prevent potentially unwanted or unsafe interactions and support Meta’s enforcement actions on accounts or content that violate our policies. For example, the AYMF feature can be restricted for adults identified through our Actor Behaviour Framework for Child Safety (ABF CS) classifier. The ABF CS classifier is applied across our products to prevent potentially unwanted or unsafe interactions. The framework uses our detection mechanisms to consider evidence of content uploads, direct contact with minors and consumption, engagement or connection with minor safety violating entities before labelling actors into specific categories. When Meta identifies an account violating child sexual exploitation, the account is disabled and all linked accounts , that we identify as being owned by the same person, are also disabled. Device blocking prevents the identified user from creating another new account on the same device after violating accounts are disabled. Meta also has specially trained teams with backgrounds in law enforcement, online safety, analytics, and forensic investigations to review potentially violating content and report findings to NCMEC, in accordance with applicable law. For example, during the period 1 March 2024 to 30 September 2024, Meta submitted to NCMEC 1,994CyberTips in relation to Instagram, concerning EU users due to the apparent sextortion of users who are under 18. Following receipt and review of a CyberTip, NCMEC determines a potential geographic location, and makes the CyberTip available to a law enforcement agency in that particular country and location for review and potential investigation. Furthermore, we continue to conduct co-design sessions with parents, minors, guardians, and experts through the Trust Transparency and Control Labs (TTC Labs).124 Lastly, Meta engages with CSOs, academics, minor safety experts, NGOs, and other thought leaders, including the Instagram Safety Advisory Board, law enforcement, and governments, to gather knowledge and experience as we develop our Content Policies. For more details on relevant external stakeholder engagement, see Section 4.1: External Stakeholder Engagement and Section 4.2.6: Protection of Minors. Our efforts include developing industry best practices, building and sharing technology to fight online minor exploitation, and supporting victim services. The Take It Down platform, which allows the hashes of young people’s intimate images to be shared with Meta, has enabled more effective automated detection and enforcement of this type of content.125 Furthermore, Meta has recently launched a new campaign, informed by NCMEC and Thorn, in which we are helping minors spot sextortion scams and assisting parents in supporting their minors to avoid these scams.126 We work with experts especially focused on minor safety to build a collection of resources that foster conversations between parents, caregivers, and minors as they navigate and develop online safety habits in our Family Centre Education Hub, including our Parent's Guide via the Safety Centre.127 5.2.2.7 Coordinating Harm and Promoting Crime At Meta, we prohibit the facilitation, organisation, promotion, or admission to certain criminal or harmfulactivities targeted at people, businesses, properties, or animals, as published in our Coordinating Harm andPromoting Crime Community Standard. While discussions and advocacy regarding the legality of suchactivities are permitted, coordinating or advocating for harm is not. 127 https://about.meta.com/actions/safety/audiences/childsafety/ 126 https://about.fb.com/news/2024/10/instagram-campaign-protect-teens-sextortion-scams/ 125 https://about.meta.com/actions/safety/topics/bullying-harassment/ncii 124 https://www.ttclabs.net/ 123 Community Standards: Child Endangerment: Nudity and Physical Abuse and Sexual Exploitation 122 https://about.fb.com/news/2023/12/combating-online-predators/ 71 Coordinating Harm and Promoting Crime is associated with the Civic Discourse and Elections, PublicSecurity, and Protection of Minors Systemic Risk Areas in the DSA. This Problem Area relates to the risk ofInstagram being used to facilitate, organise, promote, or call for voter or census fraud, illegal participation inelections, coordinated interference in elections, violence against people, potentially including high-risk viralchallenges, and violence against property, including vandalism of state property. As it relates to persistent,ongoing challenges and adversarial behaviour inherent to this Problem Area, the evolving context posesdifficulties to moderating content in this space. Regional cultural barriers make it difficult to gain an adequateunderstanding of all regional or cultural nuances (e.g., slang or dialects from a particular neighbourhood, city,or region) and determine what is classified as coordinating harm. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2 Assessment. The high number of elections in the EU, including the EU Parliamentary Elections, could increase the risk of coordinating harm and promoting crime on the platform through voter and/or census fraud and coordinated interference in elections. No net new trends or impacts have been identified since Year 2 Assessment. Meta has dedicated teams that continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes as needed. For example, during elections, Meta put in place dedicated election teams to combat the likely increase in adversarial behaviour. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. In terms of coordinated harm or crime related to elections, our security teams work to dismantle manipulation campaigns and identify emerging threats. This includes investigating and taking down coordinated networks of inauthentic accounts. Our team leverages image banks to detect content in regions with high-risk elections to combat voter suppression. We also implement additional processes to perform a secondary, holistic review of politically viral content. Our Violence and Harm Team actively operates an ongoing process for proposing changes to our market-specific implicit threat terms list, which includes market-specific idioms or proxy language that enable us to identify escalation cases. In addition, in our Adversarial Threat Report for the second quarter of 2024 we shared that, in addition to cycling through fake accounts, which get quickly detected and removed, Doppelganger, a cross-internet influence operation from Russia, expanded their use of compromised accounts, likely in an attempt to appear authentic.128 We continue to detect and block these attempts by using both automation and expert investigations to monitor Doppelganger’s changes in tactics. In the second quarter of 2024, we detected and removed over 5,000 accounts. In the third quarter of 2024, we added about 600 new threat indicators to our industry’s largest repository of over 6,000 signals related to this campaign so that our peers and researchers can investigate and take action as appropriate.129 In response to our ongoing blocking of its domains, as of July 2024, we no longer observed Doppelganger attempting to direct people on our apps to its domains mimicking websites of news outlets or government entities. We have a global workforce of content reviewers in the markets where Meta operates, including in the EU. Our human reviewers review content with expert or native understanding of the language in which the content was posted, against the Coordinating Harm and Promoting Crime Community Standards, as well as other applicable policies and guidelines. They receive in-depth training and often specialise in certain policy areas. This approach helps ensure that the policy is correctly enforced and accounts for cultural and linguistic nuances. 5.2.2.8 Dangerous Organisations and Individuals In an effort to prevent and disrupt real-world harm, we do not allow organisations or individuals that proclaima violent mission or are engaged in violence to have a presence on Instagram and remove any glorification,support, and representation of various dangerous organisations and individuals. These concepts apply to the 129 Adversarial Threat Report Q3 2024 128 Adversarial Threat Report Q2 2024 72 organisations themselves, their activities, and their members, as published in our Dangerous Organisationsand Individuals Community Standard. Dangerous Organisations and Individuals is associated with the Civic Discourse and Elections and PublicSecurity Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used byterrorists, hate and/or criminal organisations, militarised social movements, violence-inducing conspiracynetworks, groups promoting hatred, or violent non-state actors to advocate for and facilitate violence. Thisrisk also includes the risk of Instagram being used by terrorists to recruit and/or radicalise users and the useof Live by such actors or entities to disseminate content in association with a terrorist act. As it relates topersistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, this is a highlyadversarial space in which dangerous organisations and individuals constantly discover new ways to evadedetection and enforcement on Meta’s systems. We also experience challenges when entities we categorise asdangerous organisations or individuals are allowed or considered legal in certain countries—and vice versa,such as when organisations we consider legitimate are deemed illegal elsewhere (e.g., groups advocating forthe independence or secession of a particular territory). This makes moderating such content morechallenging. Lastly, dangerous organisations and individuals that have been identified and banned canresurface and utilise our platforms before our teams and investigators detect and remove them. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. The high number of elections in the EU, including the EU Parliamentary Elections, could increase the risk of dangerous organisations and individuals on the platform. No net new trends or impacts have been identified since Year 2. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forDangerous Organisations and Individuals, we have developed a suite of tools under our Search Interventions programme to inform and protect users on our platforms. This includes features such as Search Intercept and Search Redirect, which work together to address problematic searches by either redirecting users to relevant help resources or displaying warning screens that highlight the concerning nature of their search. Additionally, to help prevent glorification, support, or representation by individuals or groups engaging in terrorist activity or organised hate, we make hashtags associated with designated dangerous organisations or individuals unsearchable. Meta has robust policies in place that are routinely reviewed and updated to adapt to the current climate. This helps to guide our enforcement efforts. For example, at the end of 2024, we refined our Dangerous Organisations and Individuals Community Standards, including more comprehensive definitions of dangerous organisation types and tiers. However, views of violating content that contain terrorism are very infrequent, and we remove much of this content before people see it. In the first quarter of 2025, we actioned 4.3 million pieces of content related to terrorism on Instagram globally, with 98.5% being identified by us before users reported it.130 We utilise advanced detection technology to identify dangerous or violent actors on Instagram and take an actor-centred enforcement approach. Furthermore, in October 2024, we expanded our internal criminal organisation designation signals beyond the historical focus on drug cartels to more comprehensively respond to the threat-landscape from criminal networks engaged in extortion, human smuggling, and other high risk harms. This update was informed by engagements with internal and external experts to align with best practices and definitions. In addition, we developed two Actor Behaviour Frameworks for criminal organisations and terrorist/hate organisations that aim to identify, detect, and enforce malicious actors involved in drug trafficking and violent activities at scale. Our 130 https://transparency.meta.com/reports/community-standards-enforcement/dangerous-organizations/instagram/ 73 Violence and Harm Team actively operates an ongoing process for proposing changes to our Market-specific Implicit Threat Terms List, which includes market-specific idioms or proxy language that enables us to identify escalation cases. Once a bad-actor network is identified, we use SNDs to take action against the identified network, which includes all accounts and devices that appear to be owned by the bad-actor and those in the network associated with them, in an effort to also combat recidivism. To further manage this Problem Area, Meta’s DOI Policy team oversees the process by which entities (organisations and individuals) that qualify as a DOI are added to a DOI Designation List. We assess these entities based on their behaviour both online and offline—most significantly, their ties to violence. Under this process, we designate individuals, organisations, and networks of people. When designated, measures are taken to remove all of the DOI's assets from the Product, as well as bank terms and images that represent the DOI in order to bolster continued scaled enforcement. We also updated our internal delisting process, which now provides more detailed and comprehensive criteria across all types of dangerous organisations and individuals that must be satisfied for a dangerous organisation or individual to be considered for delisting / removal from our list of designated organisations. In addition, our DOI team has continuous dialogues with other teams, such as Intelligence and Investigations, to help surface emerging risks, identify actors and objects that are connected from a network with our account enforcement propagation efforts, and drive improvements in detection and enforcement and/or policy development. Both the designation and delisting processes operate independently of each other, each having their own distinct thresholds and signals. However, they are overseen by the same DOI Policy team, who manages the historical documentation for designations and delistings and is responsible for de-conflicting any overlap between the two processes. To help tackle dangerous organisations and individuals more broadly, we work closely with external organisations and authorities, including law enforcement. We also hold and collaborate in forums, such as the Global Internet Forum to Counter Terrorism (GIFCT).131 In September 2024, Meta and GIFCT convened to discuss youth radicalisation prevention. The event emphasised empowering young users through positive messaging, parental involvement, and technology like age-verification tools. Through GIFCT, we collaborate with industry peers on signal sharing, threat-landscape mapping, and a hash matching service, which informs our automated systems and updates to the Dangerous Organisations and Individuals Database. We also engage with law enforcement on credible threats and partner with the EU Internet Forum on crisis protocols and joint programmes. Lastly, when we identify a credible threat of real-world harm, we reach out to law enforcement in accordance with our Terms of Use and applicable law. 5.2.2.9 Discriminatory Practices At Meta, we don't allow ads that discriminate or encourage discrimination against people based on personalattributes such as race, ethnicity, colour, national origin, religion, age, sex, sexual orientation, gender identity,family status, disability, medical or genetic condition. We require advertisers to comply with applicable lawsthat prohibit discrimination, as published in our Advertising Standards. Discriminatory Practices is associated with the Fundamental Rights Systemic Risk Area in the DSA. ThisProblem Area specifically relates to the risk of Instagram being used—primarily by advertisers and sellers—todiscriminate against people, particularly in housing, employment, or credit opportunity ads, that canpotentially contribute or lead to detrimental impact to users, such as excluding them from job opportunities. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends could impact this Problem Area. Threat actors continue to exploit our systems to evade detection and enforcement, such as disguising encoded content as organic. Furthermore, in the context of advertising systems broadly, the misuse of brand identities, including Meta’s identity through fake chat support messages, is a tactic that is becoming increasingly challenging to manage. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of 131 https://gifct.org/about/ 74 controls that work together to manage these Problem Area risks on Instagram. Specifically forDiscriminatory Practices, Meta uses automated and, in some instances, manual review to enforce our policies. Beyond reviewing individual ads, we also monitor and investigate advertiser behaviour, and may restrict advertiser accounts that don't follow our Advertising Standards, Community Standards, or other Meta policies and terms.132 For certain categories of ads, like ads about housing and employment, we have additional requirements designed to help protect people and provide greater transparency. If an ad is about one of these special ad categories, advertisers need to choose the correct category for their advertising campaign during its creation for the campaign to run.133 A Special Ad Category includes specific requirements such as limited audience selection tools for ads about employment, housing opportunities, or financial products and services to help protect people from unlawful discrimination across our platforms. Anytime users run ads on Meta platforms, they are agreeing to adhere to our Discriminatory Practices Policy.134 In addition, periodically, we may ask users to review the Discriminatory Practices Policy and certify their understanding of—and compliance with—it. We place particular emphasis on protecting minors. Ads with locations in the EU can’t deliver to audiences under 18. This year, we have focused on reducing the exposure of minors to restricted goods and services content on Instagram. Our efforts include automated review mechanisms that analyse ads, for-sale posts, and other commerce listings, before they go live. For more details, see the mitigation overview in Section 5.2.2.17: Restricted Goods and Services. We're strengthening the review process and continuing to enforce ad policies against discriminatory behaviour across our technologies. 5.2.2.10 Fraud and Deception At Meta, we aim to protect users and businesses from being deceived out of their money, property, orpersonal information. We achieve this by removing content and combatting behaviour that purposefullyemploys deceptive means—such as wilful misrepresentation, stolen information and exaggerated claims—toeither scam or defraud users and businesses, or to drive engagement. This includes content that seeks tocoordinate or promote those activities using our services. Fraud and Deception is associated with the Deceptive and Misleading, Public Health, Protection of Minors,and Fundamental Rights Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagrambeing used to provide instructions on, engage in, promote, recruit, facilitate, or distribute fraudulent anddeceptive contents that could potentially impact public health; public health related investment, financial,product, or inauthentic identity/fake engagement scams; stolen information, goods, and services related topublic health; or deceive or misrepresent themselves to others for financial or personal benefit related topublic health. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to thisProblem Area, threat actors are using evolving technologies, such as GenAI, to come up with new ways todefraud and deceive people, including studying how our detection and enforcement controls are designedand to evade them. There are also instances where content may promote a service or product throughsensationalist or exaggerated language, whereby the product may not exist in reality or do not match to theirpromises, but are not necessarily illegal i.e. hair growth shampoo. Additionally, threat actors use signpostingwhich leads users to harmful external sites. 134 https://transparency.meta.com/policies/ad-standards/unacceptable-content/discriminatory-practices 133 https://www.facebook.com/business/help/505720160452817?id=434838534925385 132 https://transparency.meta.com/policies/ad-standards/ 75 What are we doing to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, net new trends were identified that impact this Problem Area. A rise in the use of celebrity likeness and AI deepfakes to deceive users emerged. Usage of brand identities, such as in scam job listings, or even Meta’s identity with fake chat support messages, are tactics that are becoming more challenging to manage. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically for Fraud and Deception, we use several machine-learning models to identify users that are misrepresenting themselves or displaying common scam tactics. These models are constantly evaluating our entire user base and removing accounts deemed to be violating per our Community and Advertising Standards. Meta reviews any reported content either through automation or manually. We use the insight from these cases to further iterate on our proactive detection and internal policies. Additionally, we include a reporting opportunity on nearly every piece of content to report scam, fraud, false information, and other issues as part of our enhanced user initiated reporting experience. Our teams work 24 hours a day, 7 days a week, to review content reported. We also deploy features to protect users such as product interventions with safety notices and prevention features like adding friction to the discovery of harmful content. We continue to look for and block attempts by criminal syndicate-run scam centres to create fraudulent accounts on our platforms. Since the beginning of 2024, our expert teams have detected and disrupted over seven million accounts associated with scam centres across Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines. The criminal organisations behind these financial scams target people globally, through a variety of means such as social media and other apps.135 In Q1 2025, we launched optional measures on Instagram that use facial recognition technology to help detect and prevent celeb-bait scam ads and enable faster account recovery on our platforms in the European Union (EU). As part of this launch, public figures in the EU who are eligible will see an in-app notification letting them know they can now opt-in to receive the celeb bait protection with facial recognition technology. We have vetted these measures through our robust privacy and risk review process and built in important safeguards, like providing information to educate people about how they work, making these measures optional and ensuring we delete people’s facial data as soon as it’s no longer needed.136 Meta has developed a library of tools and resources for improved online safety to help educate users, provide guidance about scams (e.g., romance and financial scams), and encourage our users to report content they believe violates our Community Standards and policies in our Instagram Help Centre, our Scam Safety Centre, and Anti-Scams Hub.137 To supplement internal improvements, the Fraud and Deception operations and product teams continuously engage with a number of external trusted third parties to gather information about scam-related accounts and content and use this information to continue evolving our environment and response to managing these risks. In 2024, Meta vastly expanded its external partnerships with the Fraud Intelligence Reciprocal Exchange (FIRE) programme, an intelligence-sharing forum designed to prevent fraud and scams. Meta also joined the Global Signals Exchange (GSE), managed by GASA, which facilitates information sharing between government and private sector partners. Additionally, Meta is one of the founding members of the TASC. 5.2.2.11 Hateful Conduct At Meta, we define hateful conduct as direct attacks against people—rather than concepts orinstitutions—on the basis of what we call protected characteristics (PCs): race, ethnicity, national origin,disability, religious affiliation, caste, sexual orientation, sex, gender identity, and serious disease, as described 137 https://about.meta.com/actions/safety/topics/safety-basics/tools/scams 136 https://about.fb.com/news/2024/10/testing-combat-scams-restore-compromised-accounts/ 135 https://about.fb.com/news/2025/05/avoiding-investment-payment-scams-online/ 76 in our Hateful Conduct Community Standard. Additionally, we consider age a protected characteristic whenreferenced along with another protected characteristic. Hateful Conduct is associated with the Civic Discourse and Elections, Gender-based Violence, andFundamental Rights Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram beingused by users to propagate, endorse, or amplify content containing slurs or attacks directed at individuals orgroups based on their protected characteristics. As it relates to persistent, ongoing challenges andadversarial behaviour inherent to this Problem Area, the associated risks can be complex to manage due tothe types of content and terms used for hateful conduct changing frequently. For example, threat actorscontinue to explore ways to circumvent detection and enforcement by implying rather than explicitly makingstatements targeting protected characteristics. New trends can emerge as contentious depending onregional nuances. Additionally, often users can post content that is borderline but not explicit hatefulconduct, which creates a risk of mistakes in enforcement. 139 https://transparency.meta.com/reports/community-standards-enforcement/hateful-conduct/instagram/ 138 https://help.instagram.com/874680996209917/?helpref=hc_fnav 77 What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2 Assessment. The high number of elections in the EU, including the EU Parliamentary Elections, could increase the risk of hateful conduct on the platform. No net new trends or impacts have been identified since Year 2 Assessment. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, during elections, Meta put in place dedicated election teams to combat the likely increase in adversarial behaviour. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to proactively detect and enforce against hateful conduct on Instagram. ForHateful Conduct, Meta has enhanced our approach to managing this Problem Area over the past year. In January 2025, Meta updated our Community Standards related to hateful conduct, formerly called hate speech, to enable more public debate and discussion about issues of political and social interest, such as immigration, gender identity, and gender. At a high level, we are allowing more speech around topics that are the subject of current public discourse. We also simplified the policy to reduce complexity, lessen mistakes, and focus our efforts on the most harmful content. Alongside the Hateful Conduct Community Standard, Meta provides dedicated reporting channels for users in the EU to submit legal removal requests to Instagram when they believe the content violates applicable hate speech laws in their jurisdiction.138 As it relates to detection of images for this Problem Area, we utilise classifiers and, in some cases, a central bank of content that has previously been flagged and enforced against to try and proactively identify instances of these images being posted again. In the first quarter of 2025, we actioned 6.1 million pieces of hateful conduct content on Instagram globally, with 97.4% being identified by us before users reported it.139 To help manage the linguistic and cultural nuances of this Problem Area, Meta maintains and leverages a market-specific slurs list, consisting of inherently offensive words that are used as an insult for a protected characteristic in specific jurisdictions. This list is used to identify slurs and surface them to our reviewers for review and labelling, where applicable. We have educational interstitials to deter users from posting violating hateful conduct content or from encountering potentially hateful content. This includes issuing warnings or providing a link to relevant resources in our Safety Centre based on the terms used. Additionally, we empower users with tools like blocking. When a user's content is reported and found policy-violating, the user is notified of the specific policy they have violated and may be given the option to edit their content for potential reinstatement. We also implement a Strike System, where once the threshold for repeated policy violations is met, the user’s account is removed. We collaborate with external stakeholders, such as governments, watchdog groups, and Trusted Partners, to help us identify instances of 5.2.2.12 Human Exploitation At Meta, we do not allow content that facilitates or coordinates the exploitation of humans, including humantrafficking and smuggling, as described in our Human Exploitation Community Standard. Meta defineshuman trafficking as the business of depriving someone of liberty for profit and the United Nations defineshuman smuggling as the procurement or facilitation of illegal entry into a state across international borders. Human Exploitation is associated with the Gender-based Violence, Protection of Minors, and FundamentalRights Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used bythreat actors to, ask for, or facilitate human smuggling; human trafficking; and/or facilitating content andactivities that adversely impact the dignity and rights of users. As it relates to persistent, ongoing challengesand adversarial behaviour inherent to this Problem Area, human exploitation actors are highly adversarial andmotivated to get around our enforcement tools. The signals of exploitation may not always be apparent incontent online, meaning this harm can be difficult to detect without offline context. For example, it may bechallenging to determine whether someone is being exploited or if they offered their services as an adultwithout force, fraud, or coercion. This Problem Area is also subject to adversarial actors that on the surfacelook to be engaging in exploitation, but in reality are engaging in fraud and scams. Distinguishing betweenthese actors requires resources to triage and may draw away necessary resources from managingpolicy-violating events involving trafficking. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. It was noted that conflicts in adjacent regions could increase the risk of human exploitation, including human smuggling. No net new trends or impacts have been identified since Year 2. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, during elections, Meta put in place dedicated election teams to combat the likely increase in adversarial behaviour. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forHuman Exploitation, we continue to refine our Search Interventions Programme which includes features such as Search Intercept and Search Redirect, which work together to address problematic searches by either redirecting users to relevant help resources or displaying warning screens that highlight the concerning nature of their search. In these interventions, we include links to resources for support. Other system and in-product mechanisms we implement to help protect users include cross-platform enforcement and device blocking. Meta continues to build upon Year 2 identified improvements to our human exploitation detection mechanisms. Those Year 2 improvements included incorporating new trends and signals from sources, such as Trusted Partners, updating our blocklist databases, 78 hateful conduct. We also engage with multiple governments during rollouts of EU hateful conduct tests to collect feedback for improvements regarding perception of hostile speech mitigation measures on our platforms and services. In our Safety Centre, we have developed expert-backed safety resources and tools based on topics such as mental health, bullying and harassment, and communities (e.g., women and LGBTQ+), to help our users as they face issues related to hateful conduct. Lastly, we survey Instagram users to better understand their perception of various types of potentially hateful conduct on the platform, which helps ensure we understand the views of our users. and updating our routine classifier training to more effectively remove content that violates our Human Exploitation Community Standards. We continue to leverage Media Match Service, Severity Framework, and High Risk Early Review Operations (HERO) to minimise human exploitation content on our platforms. Within the EU, law enforcement agencies in various member states can report harmful situations related to human exploitation to Meta through multiple channels, including our Law Enforcement Online Requests (LEORs) portal, Regulatory Escalation (RegEsc), or the EUropol Internet Referral Unit (IRU). We also report instances of minor sex trafficking to the NCMEC inclusive of any minors within the EU. We encourage anyone who encounters content on Instagram that indicates someone is in immediate physical danger related to human exploitation to contact local law enforcement immediately and report this content to us. Additionally, we may remove content that offers a job in locations that are high-risk for labour exploitation when confirmed by law enforcement, local non-governmental organisations, or other Trusted Partners. Meta collects feedback from our human content reviewers regularly to understand the trends they are seeing and update our policies accordingly to improve our detection capabilities. This includes making nuanced policy distinctions where necessary, such as Meta's recent policy enhancements to differentiate between minor sex trafficking and adult sex trafficking. Furthermore, Meta maintains established local market teams to help identify dialects and trends related to human exploitation in order to improve our detection and enforcement capabilities. Meta consulted with experts across academia, advocacy, victim services and support, and law enforcement to develop more than 50 tools and features to support the safety of its users and provide guidance to users.140 We provide links to local resources available in our Help Centre if anyone is a victim of human exploitation or would like resources to share with a potential victim. We work with more than 400 safety organisations worldwide, and among them, we work closely with key anti-trafficking experts, including NCMEC, International Centre for Missing and Exploited Children (ICMEC), Stop The Traffik, International Justice Mission, and End Child Prostitution and Trafficking (ECPAT) International.141 We are founding members of Tech Against Trafficking, a cross-industry group that works with companies, non-profits, academics, and relevant stakeholders to support and accelerate the impact of technology solutions combating human trafficking.142 We also collaborate with organisations to provide ad credits and/or ad support to educate users on human trafficking, including across the EU (e.g., labour trafficking campaigns), to help prevent and raise awareness of human exploitation risks. 5.2.2.13 Inauthentic Behaviour At Meta, we do not allow people to misrepresent themselves on our services, use fake accounts, artificiallyboost the popularity of content, or engage in behaviours designed to enable other violations under ourCommunity Standard.Inauthentic Behaviour refers to a variety of complex forms of deception, performed bya network of inauthentic assets controlled by the same individual or individuals, with the goal of deceivingMeta or our community or to evade enforcement under the Community Standard. Additionally, theInauthentic Behaviour Policy encompasses CIB (Coordinated Inauthentic Behaviour), which we define asnetworks of people or Pages working together to mislead others about who they are and what they are doingfor a strategic goal. CIB networks are typically a higher complexity, well-resourced form ofInauthenticBehaviour. Inauthentic Behaviour is associated with the Deceptive and Misleading and Civic Discourse and ElectionsSystemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used to deceive ormislead users by misrepresenting themselves or organising coordinated attacks, in addition to thecoordination of assets and manipulation of public debate across private users, organisations, andgovernments. In some instances, threat actors target users with wilfully deceptive content or misleadinginformation. This also includes the misuse of Instagram’s systems, potentially including attempts tocircumvent Instagram’s detection systems. Furthermore, there are cases involving groups participating incovert influence operations to create fictitious identities resembling media organisations and other credible 142 https://techagainsttrafficking.org/ 141 https://about.meta.com/actions/safety/audiences/women/#partners 140 https://www.meta.com/help/policies/safety/tools-support-teens-parents/ 79 sources to spread misleading and deceptive content in order to pursue a strategic objective. As it relates topersistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, the ever-evolvingInauthentic Behaviour ecosystem makes it more difficult to identify these behaviours. In some cases, covertinfluence campaigns have shifted away from Meta platforms and onto other online spaces, increasingchallenges with identifying and countering these operations. If we continue to see more “offline” forms ofinfluence, we may need to approach the issue from a whole-of-society perspective, as Meta may not be bestpositioned to identify this kind of behaviour outside of our platform. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. It was noted that conflicts in adjacent regions and the high number of elections in the EU, including the EU Parliamentary Elections, could increase the risk of inauthentic behaviour on the platform. Trends include the targeting of political groups, increased methods to evade detection by coordinated groups (e.g., Doppelganger), financially motivated organisations, and foreign influence operations. In Year 3, the following inauthentic behaviour trends emerged, between May 2024 and March 2025: ● GenAI: Throughout 2024, we continued to watch for and assess the risks associated with evolving new technologies like AI. Our findings so far suggest that GenAI-powered tactics have provided only incremental productivity and content-generation gains to threat actors, and have not impeded our ability to disrupt their covert influence operations.143 ● Russia: Since the start of Russia’s full-scale war in 2022, their operations have largely consolidated around undermining Ukraine at home and abroad, though some networks also focused on other countries in Russia’s immediate vicinity such as Georgia, Moldova, and others. Additionally, since 2022, for-hire operators have shown a much stronger persistence. For example, in response to detection, the network known as Doppelganger has continued creating new assets. On Instagram, the Russian-run Doppelganger campaign uses text obfuscation and simple memes to evade automated keyword detection and test our systems. Russian operations continue to spread influence campaigns, often utilising compromised assets which have no topical or geographic relation to the message they are attempting to disseminate. Recently, a number of Russian operations engaged people, likely witting and unwitting, to create content and amplify harmful campaigns, in many countries (e.g., Armenia and across Europe).144 ● Cross-internet nature of CIB campaigns: The vast majority of the CIB networks we disrupted globally tried to spread themselves across many online apps, including Instagram, YouTube, TikTok, X, Telegram, Reddit, Medium, Pinterest, and more. We’ve seen a number of influence operations shift much of their activity to platforms with fewer safeguards.145 Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, Meta has dedicated election teams, deployed targeted tactics to manage known groups, and attempts to engage in recidivist behaviour, and has a crisis management tool to help decide on trends that should be deployed when conflicts arise. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forInauthentic Behaviour, we have implemented a number of updates over the last year. We updated our Inauthentic Behaviour Community Standards in July 2024 to include detailed definitions of different prohibited behaviours on Meta’s platforms (e.g., inauthentic distribution, inauthentic audience building, foreign inauthentic behaviour, inauthentic engagement). Additionally, Meta has implemented additional targeted system and product measures to address the risk of propagating false or misleading GenAI content, including visible labelling of AI-generated or edited content; building a feature for people to disclose when they share certain AI-generated media so we can label it; building invisible markers to help detect deep-fakes; and requiring advertisers running ads on social issues, elections, or politics to identify digitally altered and/or AI-generated content. We also implemented a number of in-product mechanisms to limit the spread of state-controlled media, 145 https://about.fb.com/news/2024/12/2024-global-elections-meta-platforms/ 144 Meta Quarterly Adversarial Threat Report Q4 2024 143 Meta Quarterly Adversarial Threat Report Q3 2024 80 including blocking ads; placing content lower in a user’s feeds; and adding nudges that ask users to confirm they want to share or navigate to content from these outlets. Given inauthentic behaviour is a complex area that is primarily behaviour driven, we focus on the actor’s behaviour itself rather than the actual content. For example, we typically enforce against adversarial networks (e.g., a covert influence operation) at the network level rather than at the user level. At a user level, we provide explicit warnings to Instagram users through the platform user interface when they are demonstrating violating behaviour under some of our protocols. To help manage this Problem Area, Meta leverages tools trained to detect and analyse behaviour related to coordinated threats. We actively maintain and track behaviour-based signals and indicators that we feed into our classifiers to detect coordinated activity. Findings are escalated to our investigation team for deep-dive analysis to identify recall gaps and support improvements. In early 2025, we updated a key indicator used to determine if an account is engaging in inauthentic behaviours, adopting a new index that allows greater flexibility against specific abuses. Additionally, Meta has a dedicated threat disruption working group which consists of product, policy, and investigation team members that analyse novel cases and false negatives to identify inauthentic behaviour trends. The output of the working group informs product teams as they adapt and mature our detection systems, which helps us identify other threat actors engaged in similar violating behaviours. We also monitor networks attempting to return to the platform after being previously removed. Some of these networks may attempt to create new off-platform entities (e.g., websites, social media accounts, etc.) as part of their recidivist activity. Furthermore, Meta has dedicated election teams, targeted tactics for managing known groups, and a crisis management tool (Athena) to help deploy mitigations when conflicts arise. Using both automated and manual detection, our teams are engaged in daily efforts to find and block threat actors’ attempts to acquire new accounts, run ads, and share harmful links before these are ever seen by our users. As an output resulting from some of our detection and enforcement efforts, Meta began publicly reporting on adversarial threats in 2017 when we first shared our findings about CIB by a Russian covert influence operation linked to the Internet Research Agency (IRA). Since then, we have identified and removed over 250 covert influence operations and evolved our capability to respond to a wider range of adversarial behaviours as global threats have continued to evolve.146, 147 Within the time period of this report, we removed 17 additional covert influence operations. In September 2024, we banned Rossiya Segodnya, RT, and other related entities from our apps globally for violations of our policies prohibiting engaging in or claiming to engage in foreign interference.148 In our Adversarial Threat Report for Q2 2024, we shared how Meta dealt with networks targeting the EU with disinformation, including three then-newly reported CIB networks originating from Russia, Doppelganger, and one CIB network originating from Vietnam.149In Q1 2025, we took action against two accounts on Instagram for violating our policy against CIB. This network originated in and targeted Romania across multiple internet services including Instagram. We detected and removed this activity before this operation was able to build an audience among authentic communities on our apps.150 Meta uses Facial Recognition Technology (FRT) to support account verification and detect impersonation and scams. FRT enables selfie-based authentication for secure, low-friction account recovery, and helps identify manipulated images and impersonation attempts—particularly of public figures who have consented to inclusion in detection systems.151 We remain vigilant and continue to monitor Instagram as threat actors and malicious tactics continue to evolve. One way in which we do this is collaborating with the industry on common standards and guidelines. For example, we are a member of the Partnership on AI and, in 2024, we signed on to the Tech Accord, which aims to combat the spread of deceptive AI content during elections.152 Furthermore, Meta leverages feedback from government authorities, law enforcement, research organisations, security experts, civil society, and industry peers to identify and stop emerging threats, inform our protocols and policies, and build new detection and enforcement tactics. Meta also allows vetted researchers to access our Influence Operations Research Archive, where they can analyse content from CIB networks that we’ve disrupted. As mentioned previously, we also share information from our investigations through our Adversarial Threat Reports to provide a more comprehensive view into the risks we tackle and ways in which we detect and counter malicious activity on the internet, as well as Community Standards Enforcement Report. 152 https://about.fb.com/news/2024/02/how-meta-is-preparing-for-the-eus-2024-parliament-elections/ 151 How We Are Using Facial Recognition Technology To Protect You From Scams That Use Your Image? 150 Meta Quarterly Adversarial Threat Report Q1 2025 149 Meta Quarterly Adversarial Threat Report Q2 2024 148 https://about.fb.com/news/2022/12/metas-2022-coordinated-inauthentic-behavior-enforcements/ 147 https://about.fb.com/news/2022/12/metas-2022-coordinated-inauthentic-behavior-enforcements/ 146 Meta Quarterly Adversarial Threat Report - Q1 2023 to Q1 2025 81 5.2.2.14 Intellectual Property (IP) Infringement Meta takes intellectual property rights seriously and believes they are important to promoting expression,creativity, and innovation in our community. Meta requires its users to respect copyrights, trademarks, andother legal rights, as published in our Terms of Use, Intellectual Property Community Standard, and otherapplicable policies. IP Infringement is associated with the Illegal Content Systemic Risk Area in the DSA. This Problem Arearelates to the risk of Instagram being used to adversely impact intellectual property rights, includingcopyright and trademark infringement. As it relates to persistent, ongoing challenges and adversarialbehaviour inherent to this Problem Area, these risks are challenging to manage as enforcement of IP rights isprimarily undertaken at the discretion of rights holders, which means that Meta relies extensively onreporting from rights holders to identify potential cases of infringement. What are we doing to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, there were no new trends identified that could potentially impact the inherent risk exposure of risks within this Problem Area. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forIP Infringement, while much of the violating content is proactively removed through Meta’s automated systems, Meta strives to help businesses that use our platforms fight against brand impersonation, IP infringement, and infringing content. Meta has several tools to help rights holders protect their IP at scale.153 Brand Rights Protection makes it easier for brands to protect their IP across all our platforms using cross-surface searching, which allows simultaneous searches across different platform areas, including ads, commerce, accounts, and posts and eliminates the need for repetitive search term entries, effectively optimising the process. Rights Manager helps Rights Holders manage and protect their copyrighted content at scale, such as performing automatic blocking of matching images and videos, image and video attribution to rights holders, and bulk actions, which allow for enforcement against multiple image reference files at once.154 In order to identify potential violations, we use various automated detection tools that take into consideration a range of different signals such as insights from machine-learning models, LLMs, and the presence of certain keywords associated with piracy and counterfeit activity and prior IP violations from problematic accounts. To supplement our detection mechanisms and ensure quick and accurate handling of IP reports, we provide dedicated channels for rights holders to report content they believe infringes their rights, including our online reporting forms available in our Help Centre. Additionally, we have custom forms dedicated to copyright, trademark, and counterfeit issues, which ensure that we receive all the information we need to process an IP report. Meta’s IP Reporting API allows rights holders to automate and streamline the reporting of infringing content by filling out the same fields as Meta’s IP reporting forms in a secure and trusted way. Furthermore, Meta provides rights holders with access to the IP Reporting Centre which allows them to save account information and reporting history to track and manage their reports more efficiently. Rights holders can report different types of content they identify on our platforms, ranging from individual posts, photos, videos, or advertisements to an entire profile, account, or event. Most reports submitted by a rights holder are processed by our IP Operations Team, which is a global team of trained professionals who provide coverage in multiple languages. If the report is complete and valid, the team will promptly remove the reported content and confirm that action with the rights holder or user that reported it. In specific instances, we use automation to close fraudulent reports or send correspondence. From an enforcement perspective, only rights holders know with complete certainty what content is or is not authorised. However, if 154 https://www.facebook.com/rights_manager 153 https://www.facebook.com/business/help/611786833293457 82 Meta has a strong basis to believe that something may be infringing, we take action—from removing or blocking the content, to disabling the responsible account, or removing it across all of our recommendation surfaces. Lastly, Meta provides users with guidance to choose the tools that fit their needs in a section of its Business Help Centre dedicated to Intellectual Property Tools. We also have a section dedicated to Intellectual Property in our Help Centre where we provide guidance related to copyright and trademarks. When we take down content, we provide links to the Help Centre to help educate the user and prevent recidivism. Additionally, under the DSA Trusted Flagger programme, we have onboarded 13 trusted flaggers with expertise in intellectual property. Each of them has access to a dedicated priority channel to report illegal content within their area of specialisation. 5.2.2.15 Misinformation Misinformation is different from other types of speech addressed in our Community Standard because thereis no way to articulate a comprehensive list of what is prohibited. With graphic violence or hateful conduct,our policies specify the speech we prohibit, and even persons who disagree with those policies can followthem. With misinformation, however, we cannot provide such a line. The world is changing constantly, andwhat is true one minute may not be true the next minute. Additionally, people have different levels ofinformation about the world around them, and may believe something is true when it is not. Misinformation is associated with the Deceptive and Misleading, Civic Discourse and Elections, Public Health,and Public Security Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram beingused to promote and distribute false or misleading content including false or harmful information, contentdigitally created or altered in order to deceive, defraud or mislead the public. As it relates to persistent,ongoing challenges and adversarial behaviour inherent to this Problem Area, there is no society-wideconsensus on what constitutes misinformation and how it should be addressed. User perspectives vary onwhat is false or misleading and similarly may differ as to whether enforcement is appropriate to safeguardinformation integrity versus the risk of limiting voice. Additionally, striking the right balance betweenprotecting user voice and ensuring safety remains a critical challenge, particularly when addressingmisinformation that poses an imminent risk of physical harm. We are continuously pursuing adjustments andimprovements to our policies and systems, in order to reduce the spread of misinformation, while ensuringthat we are not erroneously enforcing against users. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. It was identified that the high number of elections in the EU, including the EU Parliamentary Elections, the use of generative AI, and crises in adjacent regions could increase the risk of misinformation on the platform. Additionally, with an increase in GenAI use, there is an increase in risk that more users may upload organic content with photorealistic video or realistic-sounding audio that was digitally created or altered. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Our measures against state-controlled media, in-feed labelling, and targeted user notifications are designed to reduce the distribution of misinformation. For example, Meta continues to monitor and manage trends in GenAI and crises in adjacent regions. We have dedicated election teams, keyword detection for content related to the EU elections, and have a crisis management tool to help identify trends that should be mitigated when conflicts arise. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forMisinformation, in order to manage this 83 nuanced Problem Area, we apply our Remove, Reduce, Inform approach.155 We remove misinformation or unverifiable rumours that clearly violate our Community Standards. In many countries, our technology can detect posts that are likely to be misinformation based on various signals, including how people are responding and how fast the content is spreading. It also considers if users flag a piece of content as “false information”. As a result of our misinformation policies and measures for the June 2024 EU Parliamentary elections, we treated over 300,000 pieces of content on Instagram, with fact-checks in the month leading up to and including the electoral period. On average, 44% of people who started to share fact-checked content on Instagram did not complete this action after receiving a warning from Meta that the content has been fact-checked, demonstrating the impact of labelling efforts in reducing the spread of misinformation on both platforms. In addition, we removed over 3,000 ads for violating our misinformation policies.156 In May 2024, Meta began labelling a wider range of video, audio, and image content when we detect industry-standard AI-image indicators. If Meta determines that digitally created or altered image, video, or audio content creates a particularly high risk of materially deceiving the public on a matter of importance, we may add a more prominent label, so that people have more information and context. Throughout 2024, Meta launched a number of programme enhancements designed to improve our ability to combat misinformation in the paid advertising space. For example, we launched enhanced technical measures to detect and enforce against inauthentic accounts trying to run foreign-targeted political ads and compromised accounts trying to run targeted political misinformation ads. To better inform people, Meta also implements proactive mechanisms that connect users to reliable information from trusted experts with the goal of countering misinformation. This is done through centralised hubs like our Information Centre, or Voting Information Centre. Specifically for the June 2024 EU Parliamentary Elections, Meta launched an in-app Voter Information Unit and provided Election Day Reminders directing people to local authoritative sources and reminding people to vote. Meta may also place election-related notifications in user's feeds on Instagram, such as voting day reminders. Meta also launched a media literacy initiative in the EU to educate people on how to better vet the information found online. As a part of our effort to remove misinformation or unverifiable rumours that contribute to the risk of imminent physical harm or violence, we work with Trusted Partners with experience in social media monitoring, an interest in learning about our Content Policies, and a commitment to keeping online communities safe. Additionally, Meta has a Misinformation Repeat Offender (MRO) Programme which limits the distribution of accounts that repeatedly share or publish content that is determined by third-party fact-checkers to be false or altered for a period of 90 days or longer if the account continues to share misinformation.157 As part of EU Parliamentary Elections efforts in June 2024, Meta engaged in several media literacy efforts including two campaigns in France. One example was a collaboration with the local fact-checking partner Agence France-Presse (AFP) Fact Check and participation in a multi-platform campaign operated by the French partner NGO Génération Numérique, consisting of a series of educational short videos gathering tips and recommendations on avoiding becoming a victim of misinformation. Additional efforts included wider campaigns with the EFCSN on how to spot AI-generated and digitally altered media, with the European Disability Forum (EDF). 5.2.2.16 Privacy Violations Our services aim to protect the privacy and personal information of our users. We work hard to safeguard auser’s personal identity and information and we do not allow people to post certain types of personal orconfidential information about themselves or others. We provide people with ways to report imagery thatthey believe to be in violation of their privacy rights. We also remove content that shares, offers, or solicitspersonally identifiable information or other private information that could lead to physical or financial harm,as described in our Privacy Violations Community Standard. Privacy Violations is associated with the Protection of Minors and Fundamental Rights Systemic Risk Areas.This Problem Area relates to the risk of Instagram being misused to adversely impact a minor’s rights to theprotection of personal data and respect for private and family life, as enshrined in the EU Charter. This canmanifest on Instagram when the service is exploited by threat actors to search for and publish personallyidentifiable and private information without permission, a practice known as doxxing. This Problem Area also 157 https://socialmediaarchive.org/record/10/files/US2020_FB%26IG_Elections_External_Codebook.pdf 156 https://transparency.meta.com/sr/european-parliament-report-2024 155 https://transparency.meta.com/features/approach-to-misinformation 84 includes the risk of minors being exposed to threat actors attempting to access their data or target them withads using unapproved data. As it relates to persistent, ongoing challenges and adversarial behaviour inherentto this Problem Area, the associated risks can be challenging to manage, and while Meta has robustsafeguards in place for privacy, we also rely on user reporting to identify when a user's privacy may be at riskdue to an adversarial actor. Additionally, as the regulatory landscape is constantly evolving, Meta needs toconsistently monitor for changing or new laws. While Meta maintains safeguards to control what data isshared with third parties, it is difficult to control how data is used once shared, and threat actors may abuseMeta’s platforms to obtain data through scraping and malicious links. What are we doing to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, there were no new trends identified that could potentially impact the inherent risk exposure of risks within this Problem Area. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forPrivacy Violations, since 2019, we have invested over $8 billion in our Privacy Programme and related initiatives and have grown the teams focused on privacy to more than 3,000 people.158 We continue to keep the elements of our Privacy Programme up to date, by strengthening our governance and compliance functions, and leveraging our core technology expertise to address privacy at scale. We’ve continued to enhance the rigour and speed of our Privacy Review efforts which now cover review of an average of 1,400 products, features, and data practices every month.159 Furthermore, our Privacy Risk Management Programme enables us to identify and assess privacy risks related to how we collect, use, share, and store user data. We leverage this process to enhance our Privacy Programme and to prepare for future compliance initiatives. As part of our Privacy Programme, we have designed safeguards, including processes and technical controls, to address privacy risks and we conduct internal evaluations on both the design and effectiveness of the safeguards for mitigating privacy risk. To help us track and manage remediation of privacy issues, we have established a centralised Privacy Issue Management function that spans the privacy issue management lifecycle from intake and triage, remediation planning, and closure with evidence. We have also established a Privacy Red Team who proactively tests our processes and technology to identify potential privacy risks. Part of ensuring that everyone understands their role in protecting user privacy at Meta is driving continuous privacy learning and education. At Meta, we have developed foundational, required privacy training and also maintain a catalogue of all formal privacy training deployed across Meta, which we review annually and make regular updates to. We disseminate privacy-related content (i.e. relevant updates) through a variety of internal communication channels. This includes updates from our privacy leadership, interactive Q\&A sessions, and dedicated programming on Data Privacy Day. Furthermore, we have built tools to help users secure their information and make the right privacy choices, such as alerts and reminders to check safety and privacy settings, Two-Factor Authentication, and Why Am I Seeing This Ad, which provides more transparency about how user activity may inform the machine-learning models we use to shape and deliver ads. Meta has an Anti-Scraping Team dedicated to detecting, investigating, and blocking patterns of behaviour associated with scraping.160 To combat data-scraping on our platforms, we implement rate limits and data limits. Rate limits restrict the frequency of interactions with Meta’s services in a given amount of time, while data limits control the volume of data accessible to ensure it aligns with normal usage needs. Additionally, Meta’s Bug Bounty Programme engages external researchers to identify and report security vulnerabilities, enhancing the protection of user data and platform security. This proactive approach is complemented by ongoing reviews of any additional user profiles to maintain robust privacy and security standards.161 We also continuously work to improve and enhance our capabilities to implement further mitigations on Instagram, such as our Network Disruption approach, where we take down each 161 https://www.meta.com/en-gb/actions/privacy-progress/ 160 https://www.meta.com/en-gb/actions/privacy-progress/ 159 https://about.fb.com/news/2025/01/meta-8-billion-investment-privacy/ 158 https://about.fb.com/news/2025/01/meta-8-billion-investment-privacy/ 85 adversarial network of accounts, rather than removing them piecemeal. Lastly, our Privacy Centre has been designed to help users learn more about our approach to privacy across our apps and technologies so they can make better informed decisions about their privacy. 5.2.2.17 Restricted Goods and Services At Meta, we prohibit attempts by individuals, manufacturers, and retailers to purchase, sell, raffle, gift,transfer, or trade certain goods and services on our platform. We do not tolerate the exchange or sale of anydrugs that may result in substance abuse covered under our policies. Brick-and-mortar and online retailersmay promote firearms, alcohol, and tobacco items available for sale off of our services; however, we restrictvisibility of this content for minors. We allow discussions about the sale of these goods in stores or by onlineretailers, advocating for changes to regulations of goods and services covered in this policy, and advocatingfor or concerning the use of pharmaceutical drugs in the context of medical treatment, including discussionof physical or mental side effects as described in our Restricted Goods and Services Community Standard.Our Advertising Standard and Commerce Policy provides additional measures, which may limit the visibilityof this content on our platform. Restricted Goods and Services is associated with the Deceptive and Misleading, Civic Discourse andElections, Public Health, Public Security, and Protection of Minors Systemic Risk Areas. This Problem Arearelates to the risk of Instagram being used to purchase, sell, raffle, gift, transfer, or trade goods and servicesthat could impact public health, potentially including firearms; alcohol, tobacco, prescription drugs and drugparaphernalia; adult sexual businesses such as adult entertainment, sexual enhancement products; hazardousgoods and materials/explosives; gambling and games; and medical and healthcare products. As it relates topersistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, this space can bechallenging to manage as threat actors continuously use new ways to evade detection to offer or solicitrestricted goods and services, and circumvent detection and enforcement methods. We consistently observethreat actors attempting to sell or solicit restricted goods and services in covert ways, such as using emojis,using slang in private, signposting leading users to harmful external sites, and posting branded content asorganic without paid / partnership labelling to circumvent our ad safeguards. Meta is continuously working toimprove and enhance our capabilities to implement further mitigations on Instagram. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2 Assessment. Meta continues to observe the trends of masking various scams as drug sales, increased risk of exposing minors to content related to alcohol, tobacco, and real money gambling, and threat actors targeting minors with weight loss products and cosmetic procedures. In addition, we observed the increase in videos, pictures, and ads sponsored by gambling companies featuring gambling branding in the background, but otherwise do not contain any gambling content (e.g., fortune tiger gambling ads, which don’t have money in and out signals but were actually real money gambling ads). Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. For minors, Meta applies age-gating restrictions to content related to cosmetic and weight loss products or services, real money gambling and games, social casino games, free-to-play 86 games with gambling context, alcohol, and tobacco, among others, and leverages age enforcement infrastructure to make this type of content less visible to them. Meta also has a long-term, age-appropriate content strategy to reduce minors’ exposure to harmful and age-inappropriate content, and has invested in classifiers and infrastructure to support this solution. In the EU, ads are not currently served to minors. This year, we have particularly focused on reducing the exposure of youth populations to restricted goods and services content on Instagram. Our efforts include automated review mechanisms that analyse ads, and other commerce listings before they go live. These mechanisms proactively block policy-violating content using keyword detection and machine-learning models. Furthermore, we block hashtags where the hashtag name represents or is consistently used to share violating content. As a result, we assess views of violating content that contain restricted goods and services are very infrequent, and we remove much of this content before people see it. We continue to invest in enhancing our automation efforts. We are focusing more on mitigating our highest risks in this area (e.g., high risk drugs and gambling). We’re also refreshing our models to ensure we keep performing at a high precision while reducing prevalence on the platform. Additionally, we deploy empty search results and enforcement interstitials for users searching restricted goods, such as high-risk drugs, guiding them to resources for reporting such content. In the first quarter of 2025, globally, 77% of violating content we actioned for Drugs and 99.2% for Firearms was detected and actioned on Instagram before users reported it. Additionally, in the first quarter of 2025, the upper limit for violations of our Restricted Goods and Services Policy for Instagram was 0.05%. This means that out of every 10,000 views of content on Instagram, we estimate no more than 5 of those views contained content in violation with our Restricted Goods and Services Community Standards.162 We are improving our human review capacity to support machine-learning training efforts and specialised workflows for drugs. We also work with external stakeholders to source information on coded keywords used in the drug space to inform our reviewer guidelines. Meta has also been exploring programmes with external stakeholders and other tech companies (e.g., a cross-industry collaboration on illicit drugs with Snap including sharing adversarial behaviour signals using Media Match Service and Cross Problem Multimodal Matching). We also provide blueprint training modules for advertisers on different topics, such as alcohol. Advertisers can also sign up for an online course that explains how ads work and the restrictions that apply. 5.2.2.18 Spam At Meta, we do not allow content that is designed to deceive, mislead, or overwhelm users in order toartificially increase viewership, as outlined in our Community Standard.163 This type of content detracts frompeople's ability to engage authentically on our platforms and can threaten the security, stability, and usabilityof our services. We also seek to prevent abusive tactics, such as spreading deceptive links to drawunsuspecting users in through misleading functionality or code, or impersonating a trusted domain. Spam is associated with the Deceptive and Misleading Systemic Risk Area in the DSA. This Problem Arearelates to the risk of Instagram being used to share deceptive or misleading content, artificially inflatingviewership through fake engagement, or sharing duplicative and unwanted material. As it relates topersistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, online spam is alucrative industry, and our policies and detection must constantly evolve to keep up with emerging spamtrends and tactics. Management of spam reporting is also complex and challenging as it’s often a tacticutilised by threat actors to increase their likelihood of success by increasing the potential for human reviewerror. Additionally, in taking action to combat spam, we seek to balance raising the costs for its producers anddistributors on our platforms, with protecting the vibrant and authentic activity of our community. 163 https://transparency.meta.com/policies/community-standards/spam/ 162 https://transparency.meta.com/reports/community-standards-enforcement/regulated-goods/instagram/ 87 What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2 Assessment. One persistent trend is that threat actors repeatedly spam user reporting systems with false reports and appeals. These actors continuously evolve their methods to circumvent policies and detection. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Similar to other Problem Areas Meta manages, we launch SNDs to help manage adversarial spamming, which involves in-depth identification of key offenders and enables disabling of multiple threat-related accounts at once. This can address coordinated attacks deployed at global level or local level. For each type of content, we investigate the methods and behaviours conducted via adversarial spamming that attempt to abuse our systems, such as audio being created by models for spreading fake information. Enforcement remains the same irrespective of how content is generated, and trend-specific enforcements are proactively implemented using existing policies as a foundation. As a result of policy enforcement, globally, in the first quarter of 2025, 90.9 million pieces of spam content were actioned, with 100% of this content being found and actioned by us before users reported it.164 Lastly, we develop and provide resources within the Meta Help Centre to guide users with understanding and identifying phishing, approaches to when users believe they have been phished, and how to proactively avoid scams and phishing.165 5.2.2.19 Suicide, Self-Injury and Eating Disorders At Meta, we do not allow people to intentionally or unintentionally celebrate or promote suicide, self-injury, oreating disorders as described in our Suicide, Self-Injury, and Eating Disorders Community Standard. However,we allow people to discuss these topics because we want Instagram to be a space where people can sharetheir experiences, raise awareness about these issues, and seek support from one another, which createschallenges in managing and balancing voice and safety for this particular Problem Area. Suicide, Self-Injury and Eating Disorders is associated with the Public Health and Protection of MinorsSystemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used to promote,speak positively, encourage, coordinate, or provide instructions for SSIED, potentially including ads that couldimpact public health. In some instances, this can manifest on our platforms in the form of content thatcoordinates and encourages engagement in SSIED, which could result in viral trends that impact publichealth. This also potentially includes: depictions of graphic self-injury, suicide attempts, death by suicide,instructions for extreme weight loss, content admitting to extreme weight loss behaviour when sharedtogether with terms associated with eating disorders, depictions of body parts with terms associated witheating disorders, and content mocking victims or survivors of suicide, self-injury, and disordered eating. As itrelates to persistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, this spacecan be difficult to manage as intent can be challenging to assess and we are unable to always intervene orapply interstitials due to our privacy protection safeguards. Additionally, SSIED content is nuanced, and it is 165 Avoid Scams and Phishing Attempts 164 https://transparency.meta.com/reports/community-standards-enforcement/spam/instagram/ 88 challenging to assess individual pieces of content without broader context and history, which limits theeffectiveness of automation at scale. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the assessment, there were no new trends identified that could potentially impact the inherent risk exposure of risks within this Problem Area. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, to stay informed, we engage with experts to refine our understanding and adapt to changing circumstances, while also acknowledging cultural differences in the use of terms across jurisdictions, such as variations in terms or emojis used between regions. We continuously collaborate with our Suicide and Self-Injury Expert Advisory Group and Trusted Partners to gain deeper insights into complex issues ensuring our approach remains effective and responsive to the evolving needs of our community. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forSSIED, we have blocklists and banks of images that are regularly updated to help our detection and enforcement capabilities. As it relates to minors, in addition to ensuring SSIED content is not recommended to Teen Accounts, we remove this content from teen Instagram accounts, as well as other types of age-inappropriate content, even if it’s shared by someone they follow.166 When the content is not graphic or promotional but may still be upsetting (e.g., depicting healed cuts), we include a warning screen for sensitive content. To support addressing threats of real-world harm, we have an escalation pathway specific to this Problem Area called Credible Intent of Suicide (CIS), which sends resources to users who have posted content that is identified as being suicidal or self-harm related where we are able to, as well as shares information with Local Enforcement (LE) for welfare checks. This helps quickly identify and provide support to users who post content that indicates a CIS. Additionally, our Community Standards explicitly prohibit content that promotes or encourages SSIED. However, we allow content that discusses recovery and healing from self-injury, as it can be a supportive space for users to share their experiences and seek help. Our policy is flexible enough to handle both violating content and sensitive content. In particular, we have a specific approach for managing and identifying recovery content. In the first quarter of 2025, 9.9 million pieces of SSIED content were actioned globally, with 99.1% of this content being found and actioned by us before users reported it.167 Furthermore, Meta maintains a repository of in-app mental health resources, including “The World Health Organisation (WHO) Digital Stress Management Guide”, which provides easy-to-follow techniques designed to reduce stress and promote mental well-being. Our Emotional Health Hub offers an array of expert mental health tips and education related to suicide, anxiety, depression, and managing well-being.168 We also offer eating disorder resources in our Safety Centre. Meta’s resources have been updated to include more targeted country specific resources, including hotlines for SSIED. In addition, Meta partners with the Crisis Text Line to support SSIED crises. We have developed a resource that can be accessed via the Safety Centre called #Chatsafe which helps young users communicate safely online about SSIED and encourages awareness and reflection on difficult topics. We also have #Chatsafe for Educators to help them better equip young people to talk safely on social media about SSIED. Meta also collaborates with suicide prevention experts, via its Global Suicide and Self-Injury Expert Advisory Group, to seek input on current research and best practices related to suicide and self-injury. We use these collaborations to inform our safety work as we develop new services and resources to support users who may be experiencing challenges relating to suicide and self-injury. This collaboration alongside Meta’s external expert advisory group informs development of policies across our platform. Lastly, Meta partnered with the Mental Health Coalition to launch Thrive, a pioneering programme designed to enhance cross-platform collaboration in addressing suicide and self-harm content. Thrive enables participating tech companies to share signals about violating content, such as hashes of images and videos, to prevent its spread across different platforms.169 169 https://about.fb.com/news/2024/09/preventing-suicide-and-self-harm-content-spreading-online/ 168 https://about.meta.com/actions/safety/topics/wellbeing/emotionalhealth/ 167 https://transparency.meta.com/reports/community-standards-enforcement/suicide-and-self-injury/instagram/ 166 https://about.fb.com/news/2023/12/combating-online-predators/ 89 5.2.2.20 Violence and Incitement At Meta, we do not allow language that incites or facilitates violence and credible threats to public or personalsafety. This includes violent speech targeting a person or group of people on the basis of their protectedcharacteristic(s) or immigration status. We remove content, disable accounts, and work with lawenforcement when we believe there is a genuine risk of physical harm or direct threats to public safety. Weprovide further details regarding what content and activity is considered prohibited and the correspondingactions Meta may take against users in our Violence and Incitement Content Community Standard. Violence and Incitement is associated with the Civic Discourse and Elections, Public Security, andGender-based Violence Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagrambeing used to incite violence, including against marginalised groups, promote kidnapping and abduction,disseminate instructions on how to use or make weapons or explosives, and promote or solicit services forhire to kill. As it relates to persistent, ongoing challenges and adversarial behaviour inherent to this ProblemArea, Meta’s policies are defined at a global level, which may result in complications for our contentmoderation mechanisms to understand the language and regional nuances in hostile and violent behaviour.Furthermore, threat actors circumvent detection and enforcement by using slang and emojis; therefore wemay require additional information and/or context to enforce. What are we doing to try to prevent and mitigate these risks? Considerations and Trends in 2025: During the Year 3 Assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in the Year 2 Assessment. The high number of elections in the EU, including the EU Parliamentary Elections, along with the increase in anti-semitism, Islamophobia, anti-immigrant, and anti-refugee sentiment in the EU could increase the risk of violence and incitement on the platform, particularly against marginalised communities. Another example to note is the potential risk of over-enforcement as it relates to interactions between opposing sports teams when they use certain words such as “kill [the enemy team]”. Additionally, younger users, such as Gen Z, may use terms or phrases that are not yet detectable by our systems. No net new trends or impacts have been identified since Year 2. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, we continue to improve our detection and enforcement capabilities by identifying and documenting words and idioms commonly used as implicit threats to help manage the trends and limitations mentioned above accordingly. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, we have an extensive ecosystem of controls that work together to manage these Problem Area risks on Instagram. Specifically forViolence and Incitement, Meta has made changes to our Violence and Incitement Policy between August and September 2024, which includes an expanded definition of what is prohibited by our policy when we have additional information and/or context to enforce. We also clarified that in cases where threats are veiled or implicit, and the method of violence is not clearly articulated, the policy extends protection to situations where the target is a minor. Additionally, we updated our context-specific policies to allow threats of high- or mid-severity violence in the defence of self or another human when certain criteria are met. In the first quarter of 2025, globally, we have seen a decrease in actioned content for the Violence and Incitement Problem Area as a result of policy changes that allow for greater online discourse and actioned 4.9 million pieces of content related to violence and incitement, with 97.7% of this content actioned proactively before users reported.170 We have developed proactive detection and enforcement technology to help enforce our policies, such as Athena—a detection tool that provides a view of risks across our services before they become a bigger problem. The tool helps us take a proactive approach by highlighting early warning signs, such as unusually high classifier scores, accounts with multiple recent strikes, or an uptick in violent content. These signals are used by our Integrity Teams to craft proactive and reactive mitigations in response. 170 https://transparency.meta.com/reports/community-standards-enforcement/violence-incitement/instagram/ 90 We assess high risk events using our Crisis Policy Protocol to identify those likely to pose a heightened risk of on-platform challenges. If we designate an event, we conduct an operational assessment to determine the scale and complexity of these risks and whether additional levers are required. In terms of enforcement actions, we leverage a Strike System, where once the threshold for violating multiple policies is met, the user account will be removed. Additional enforcement actions include reducing visibility, device blocking, and account restrictions. Lastly, when a user’s content is reported as hostile or violent speech and found to be violating, the user is notified of which policy they violated and may be given the ability to edit the post for potential reinstatement. To help support users who may be experiencing abuse and/or violence, Meta has developed safety tools, such as the anonymous Domestic Violence Helplines in our Safety Centre where trained experts are available to offer support and specific guidance to create a safety plan. In addition, if Meta becomes aware of information giving rise to a suspicion that a threat to the life or safety of a person or persons exists, Meta promptly notifies the applicable authorities and provides relevant information in accordance with our Terms of Use, international standards, and applicable laws. In our Safety Centre under Crisis Support Resources, we provide a global directory of crisis support resources that was compiled in partnership with UN Women, the National Network to End Domestic Violence, and the Global Network of Women’s Shelters to provide more urgent and expert support. 5.2.2.21 Violent and Graphic Content At Meta, we are committed to preventing the dissemination of violent and graphic content that could lead tooffline harm. Our policies prohibit the most graphic violent content of people, living or deceased, innon-medical contexts and sadistic remarks that express joy or pleasure from the suffering or humiliation ofpeople or animals. We recognise that users may share this type of content in order to shed light on or condemn human rightsabuses, especially in the context of armed conflict. Our policies consider when content is shared in thiscontext and allow room for users to discuss and raise awareness accordingly. We add warning labels to othertypes of content so that people are aware it may be sensitive before they click through. Additionally, werestrict the ability for minors to see content that may not be suitable or age-appropriate for them. We providefurther details regarding what content and activity is considered prohibited and the corresponding actionsMeta may take against users in our Violent and Graphic Content Community Standard (and other applicablepolicies). Violent and Graphic Content is associated with the Public Security, Protection of Minors, and FundamentalRights Systemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram being used todisseminate, promote, or possess content depicting graphic imagery and or explicitly violent behaviour ofpeople and animals, violent acts, graphic violence, gore, or mutilation. This includes content depictingdismemberment, visible innards, or burning, which is flagged with a warning screen and restricted. As itrelates to persistent, ongoing challenges and adversarial behaviour inherent to this Problem Area, the Violentand Graphic Content Policy relies primarily on visual indicators to detect and enforce on potential violatingcontent. However, a small section of the policy relies on text based indicators whenever users post graphicimagery accompanied by sadistic remarks with humorous intent or showing enjoyment of human or animalsuffering. The detection and enforcement of this policy line is difficult as text based elements require a morenuanced and contextualised assessment based on marketised humour and cultural practices. 91 What are we doing to try to prevent and mitigate these risks? Considerations and trends in 2025: During the assessment, net new trends were identified that impact this Problem Area. An increase in violent and graphic content as a direct result of armed conflicts around the world emerged as a trend. In the past year, we have seen an uptick in graphic imagery of humans originating from conflicts in Gaza. Notably, a growing trend has emerged globally, where users are posting content related to Gaza-political discourse, often accompanied by imagery depicting violent death and mutilation. Meta's dedicated teams continuously monitor the evolving risk landscape and adapt our approaches as needed. For example, as a result of these emerging trends, we've developed internal protocols to prioritise content enforcement in high-risk situations, such as war zones, while respecting freedom of expression. We've also updated our policy definition of a "medical setting" to include medical tents, urgent care, and humanitarian aid. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, Meta has an extensive ecosystem of controls that work together to manage risks associated with this Problem Area on Instagram. For harms related to obscene content showing torture of humans and animals, mitigating controls include our global workforce of content reviewers and a variety of advanced detection tools for violent and or graphic content. Meta has been vigilant on periodically refreshing our automation detection and calibrating enforcements for animal abuse and animal rescue content. This includes integrating new data sources, refining our machine-learning models, and upgrading our infrastructure to improve detection and removal of graphic content. We've also optimised our image matching systems to ensure they align with our policies, enabling more effective protection for our users. We also encourage people to report such violating content. In conjunction, we leverage a Strike System, where once the threshold for violating multiple policies is met, the user account will be removed. Other enforcement actions include reducing visibility, device blocking, and account restrictions. 5.2.2.22 Voice and Free Expression At Meta, we are committed to respecting our users’ voices and helping them connect and share safely. OurCommunity Standard aims to create a place for expression and give people a voice. Voice and Free Expression is associated with the Civic Discourse and Elections and Fundamental RightsSystemic Risk Areas in the DSA. This Problem Area relates to the risk of Instagram adversely impacting users’fundamental rights, specifically the right to freedom of expression and information as enshrined in the EUCharter. This can manifest on Instagram through over-enforcement of non-policy-violating content,disproportionate enforcement of policy-violating content, language/dialect limitations of human reviewers orclassifiers, failure to take down policy-violating content, activity that limits or discourages a users’ freedom ofexpression, and the inherent difficulty in balancing freedom of expression and safety concerns. Additionally,Meta evaluates government takedown requests for consistency with our policies and complies with legalobligations to notify the appropriate authorities when required. As it relates to persistent, ongoing challengesand adversarial behaviour inherent to this Problem Area, cultural norms, behaviours, and politics arechallenging to navigate across regions as there may be different viewpoints and expectations to balance. Forexample, the European Human Rights Standard can, at times, be stricter than Meta’s policies which areglobally driven. Another challenge is how threat actors leverage product functionality to infringe on otheruser’s voices, such as adversarial spamming in comments, reporting, harassment, and intimidation. However,we have robust processes in place which help manage these challenges accordingly. What are we doing to try to prevent and mitigate these risks? 92 Considerations and Trends in 2025: During the Year 3 Assessment, it was identified that several trends continue to impact this Problem Area, similar to those observed in Year 2. The high number of elections in the EU, including the EU Parliamentary Elections, and crises in adjacent regions could increase the risk of voice and free expression on the platform, however it was determined that these factors do not impact inherent risk. In Year 3, we observed a change in the risk environment due to an increase in over-enforcement and false positives driven by the increasingly complex systems required to manage content. Meta has dedicated teams who continuously monitor the evolving risk landscape and work cross-functionally to adapt our approaches and implement necessary adjustments to our processes, as needed. For example, for elections, Meta put in place dedicated election teams to combat the likely increase in adversarial behaviour. Problem Area Mitigation Overview: As detailed in Section 5.2.1: Meta's Ecosystem of Controls, Meta employs an extensive ecosystem of controls to manage these Problem Area risks on Instagram. Specifically forVoice and Free Expression, the right to freedom of opinion and expression is fundamental to Meta’s mission. Meta maintains processes and systems to gather user feedback and regularly reviews its approaches against international Human Rights Standards, such as Article 19 of the International Covenant on Civil and Political Rights (ICCPR). We conduct human rights analyses on policy developments related to freedom of expression and prioritise input from marginalised communities by actively seeking feedback from diverse groups worldwide. This includes organising regional roundtables with representatives from marginalised communities and other stakeholders. Additionally, we apply an Inclusivity Framework to ensure diverse perspectives inform our policies and Community Standards. Meta's policies define what's allowed and not allowed on our platforms with freedom of expression as our north star. For example, Meta permits recovery content, such as healed wounds related to suicide and self-injury. Regarding minor voices, we collaborated with global data protection regulators and organisations—including the UN, the Organisation for Economic Co-operation and Development (OECD), and minors’ rights groups to develop Meta’s Best Interests of the Child Framework. This Framework outlines six key considerations for product teams during product development, including “empowering youth, parents, and guardians to understand and exercise their data rights”. This includes supporting minor’s autonomy, freedom of association and play, free expression, and identity exploration on Instagram. We monitor our content moderation enforcement to avoid unnecessarily restricting freedom of expression. We continuously improve AI models to detect hateful, violent and graphic content, and user enforcement technologies to determine whether to remove, demote, or escalate content for human review. When taking enforcement actions, we provide clear reasons and offer users the ability to appeal, except in cases involving severe safety concerns like child exploitation imagery. Appeals are reviewed through a combination of human and automated processes, with possible reinstatement if content complies with our Community Standards. If the original decision stands, users may further appeal to the Oversight Board, which helps balance free speech with policy enforcement. Consistent with our commitment to freedom of expression, in January 2025, Meta updated its Community Standards related to hateful conduct, formerly called hate speech, in order to enable more public debate and discussion about issues of political and social interest, political and social interest, such as immigration, gender identity, and gender as well as to reduce over-enforcement concerns. The changes aim to enable a user’s right to freedom of expression and information, and to better reflect user expectations, while continuing to maintain a safe and inclusive environment on our platforms that supports the right to non-discrimination. Meta provides dedicated reporting channels for users in the EU to submit legal removal requests to Instagram when they believe the content violates, for example, applicable hate speech laws in their jurisdiction.171 6. Risk Mitigation Enhancements As required by Article 35 of the DSA, Meta implements reasonable, proportionate, and effective mitigationmeasures to address Systemic Risks. We continuously evaluate our Integrity Ecosystem through variousmethods, including our DSA Systemic Risk Assessment Process, monitoring of controls, user feedback, andcollaboration with experts. In addition to our ongoing efforts to address Systemic Risks, we are also continuously enhancing ourmitigation measures. In our Year 2 report we shared several mitigations that were implemented following the 171 https://help.instagram.com/874680996209917/?helpref=hc_fnav 93 assessment. Below are some examples of enhancements implemented during the Year 3 assessment, whichis not an exhaustive list.172 Enhancement Name Enhancement Description Detection Meta refined classifiers with a high enforcement volume to optimise overall content moderation on the platform. In addition, Meta enhanced the HEx classifier by retraining it to improve detection of policy-violating content, including Organic and Ads across platforms, targeting violations such as Labour Exploitation and Human Smuggling. Recommendation Surfaces Meta has implemented automated keyword sourcing to identify for general search violations and improved enforcement on signposting accounts in Search and Recommendation surfaces, making it more difficult for bad actors to promote themselves. Strike Policy Scope Meta expanded the HEx Strike Policy to ensure that non-admin users can receive a strike or be disabled for any policy-violating content, regardless of whether they are an admin of the group. Prevalence Meta implemented a comprehensive framework to address emerging risks and protect user safety, including establishing a robust escalation process for drug-related content, enhancing enforcement of Deceptive Identity policies on Instagram to combat sextortion and online exploitation, and implementing targeted measures to reduce celebrity bait ads in its Ads Library. Support Functions Meta reduced compromised accounts for invested users and developed a defensible end-to-end last resort account recovery experience for account access recovery when accounts are hacked or compromised. Mistake Prevention Meta expanded Mistake Prevention systems to include additional user groups and surfaces, including expanded support for sensitive entities (i.e. high-profile individuals) as well as enhanced the overall effectiveness of these systems. Enhanced Escalation Meta has strengthened its approach to combatting sex trafficking by deploying engineering solutions that improve the escalation of sex trafficking-related cases. 172 EU Digital Services Act: Systemic Risk Assessment Results Reports, September 2023 – August 2024, Instagram 94 Enhancement Name Enhancement Description Processes Additionally, Meta has developed comprehensive guidelines to empower human reviewers to accurately identify, enforce policies, and monitor Minor Sex Trafficking content. This enables tailored interventions for both minor and adult sex trafficking cases. Research Meta strengthened its processes by introducing robust accountability and review protocols for Social Issues UX Research. These improvements ensure that clear action plans are developed to address any potential risks identified through this research, and that cross-functional teams are actively involved in the approval of relevant action plans. Transparency on Enforcement Policies In November 2024, Meta published an update in the Transparency Centre regarding its approach toDangerous Organisations and Individuals, detailing the criteria for designation. In December 2024, Meta announced an initiative to enhance transparency by better explaining its policies. Meta empowers users to deepen their understanding of our enforcement policies by enhancing transparency around account-level enforcement. Educational self-remediation features for first policy violation strikes have been launched, complementing existing information on strike severity available in the Transparency Centre. Meta expanded notifications related to content removals globally following the initial rollout to the EU. These notifications are shared with users when Meta restricts access to content in particular jurisdictions on the basis of formal government reports of alleged local law violations, except where we are legally prohibited from doing so. Cross-Check Policies As part of long term commitment, Meta will conduct periodic reviews of the cross-check system, including content with the longest time to resolution. We already conduct periodic sampling to determine where high-profile violating content is left on the platform. 95 7. Conclusion This Report documents the findings of Instagram’s third annual Systemic Risk Assessment as required underArticles 34, 35, and 42 of the DSA. In Year 3, we assessed 71 risks across 22 Problem Areas through animproved methodology. Our risk management measures are effective, but we continue to refine and enhancethem. As part of our maturing Integrity GRC Programme, we are prioritising improvements in areas where risksremain elevated—focusing on targeted mitigation where needed. Looking ahead, we remain committed to transparency and continuous improvement. We will continue toevolve our risk governance practices, collaborate with the European Commission and other stakeholders, andwork toward the shared goals of minimising harm, protecting people’s rights, and strengthening public trustin digital services. 96 8. Appendix 8.1 Risk Assessment Process As part of Meta’s Integrity Risk Management Framework, Meta has a Risk Assessment Process andMethodology designed to enable Meta to operationalise Risk Assessments for multiple integrity ProblemAreas in a standardised and scalable manner. The Risk Assessment Process detailed below explains the stepsto conduct Risk Assessments at Meta, including the assessment of Systemic Risks that can materialise onMeta’s services. Our Risk Assessment Process consists of six steps and is used consistently to execute Risk Assessments,including our annual Systemic Risk Assessment. Outlined below is an overview of the annual Systemic RiskAssessment Process: ● Identify and Qualify: Meta leveraged a diverse set of signals and inputs to scope the RiskAssessment. These inputs were used to define the in-scope Problem Areas and the associated risksthat collectively create a systemic risk to users in the EU. ● Assess: Meta leveraged a combination of risk and control effectiveness signals including surveys,Problem Area workshops, questionnaire, documentation review, external input, Integrity Issues,Assurance Testing, CIRA, Metrics and Data, and Integrity Control Self-Assessment (ICSAs) tounderstand how the overall risk landscape, including current and emerging risks and the controlenvironment, changed over the last year using a standardised Risk Assessment framework. ● Measure: Using the results from the assess phase, Meta finalised the list of relevant in-scope risksand calculated the inherent risk and effectiveness of the controls in place to mitigate the risks using Meta’s Risk Measurement Framework. See Appendix 8.2 for more information on Meta’s risk and control measurement approach. ● Validate: Meta documented the results and engaged with stakeholders to validate the findings. ● Respond and Mitigate: In conjunction with inputs from other risk management efforts, Meta workedcross-functionally (and does so on a routine basis) to determine mitigation priorities and determinewhat is reasonable, proportionate and effective to reduce residual risk on Instagram. ● Report: Meta documented the findings and results in a detailed report. 97 8.2 Rubrics and Scoring 8.2.1 Inherent Risk Rubrics The following measurement approach is used to determine inherent risk. 8.2.1.1 Severity Rubrics The Severity Rubric is used to measure the level of impact the risk has on users and society. 98 8.2.1.2 Likelihood Rubrics The Likelihood Rubric is used to measure the possibility that a given risk will occur in a specified timeframe. The following limitations should be considered when evaluating the likelihood of a risk arising: ● Likelihood is a subjective, qualitative measure and does not guarantee a risk will occur; ● All users are not equally likely to be impacted by the same Problem Area; and ● Volume is primarily assessed from a qualitative perspective as indicated by the absence ofquantitative thresholds within the relevant tiers. The volume sub-category is designed to reflectanticipated frequency at which users may be impacted by a risk if it materialises on the platformwithout the application of controls, while taking into account that this cannot be definitely measuredas controls have been in place on Meta’s platforms for many years. Where available, validated datamay be used to help provide insight into the relative differences in volume at the risk or Problem Arealevel to ensure relative scores between these areas are sensible. However, it should be noted thatthere are a number of limitations with this data. 99 8.2.2 Control Effectiveness Rubric These questions aim to prompt the evaluator to enable a qualitative assessment of the effectiveness ofcontrols in place to manage a risk. 100 8.2.2.1 Control Effectiveness Calculation Once the effectiveness for each control is determined, the following measurement approach is used tocalculate the effectiveness of the control suite. 101 8.2.3 Residual Risk Calculation The following measurement approach is used to determine residual risk. 8.3 Principles for ensuring Reasonable, Proportionate, and Effective Mitigation Measures One way to approach making informed decisions to determine whether to invest in deploying a mitigatingmeasure or enhancement is by considering the principles below. When making such a determination, weconsider the impacts on fundamental rights. Criteria Mitigation Measure Further Details Reasonable ● Within Meta’s control to deploy with limited dependencies on external parties or non-Meta entities ● Appropriate, fair, and designed to address integrity risks or issues Due to the residual risk exposure and/or the extreme criticality of a control in managing a systemic risk, it is appropriate to make investments to adapt, test, reinforce, initiate, adjust, and/or make changes to our systems, processes, and/or activities. Proportionate ● Adequate, relevant, suitable and necessary to address specified systemic risks ● Not excessive in relation to a declared and specified purpose and residual risk exposure The investment needed from a financial, technical, and operational perspective is commensurate with the current risk exposure or the risk exposure that will be created if the investment is not made. Additionally, in instances where rights, including fundamental rights, are in tension with a potential mitigation measure, a decision about a mitigation measure is based on the correlative impact a risk could have on users within the EU and society. Effective ● Able to prevent, mitigate, or control the residual risk exposure as designed and intended ● Able to be monitored in order to measure its effectiveness The investment needed to adapt, test, reinforce, initiate, adjust, and/or make changes to our systems, processes, and/or activities will effectively reduce the residual risk exposure of a systemic risk. 102