NON-CONFIDENTIAL Infinite Styles Services Co. Ltd,1-2 Victoria Building, HaddingtonRoad, Dublin 4, Ireland 29 th August 2025 European CommissionDirector-General for Communications Networks,Content and Technology Digital Services Act Team51, Rue de la LoiEtterbek, 1040Belgium Coimisiún na Meán1 Shelbourne Buildings, Shelbourne Road,Dublin 4, D04 NP20Ireland By email only to: cnect-dsa-registry@ec.europa.eu and dsa@cnam.ie Dear DG CNECT DSA Team and Coimisiún na Meán, RISK ASSESSMENT REPORT Submission to the European Commission pursuant to Article 42(4) of the DigitalServices Act We refer to the European Commission (the "Commission") decision of 26 April 2024,addressed to Infinite Styles Services Co, Ltd ("ISSL"), designating the Shein online store asis accessible to users in the EU (the "service") as a very large online platform. Pursuant to Article 34 of the Digital Services Act ("DSA"), we have carried out our secondassessment of the risks potentially stemming from the design or functioning of the service,the methodology and results of which are described in the document attached to this letter(the "Risk Assessment"). We continue to believe that we have a unique opportunity, as an online marketplace, toconnect customers to products in a transformative way. Our mission therefore remainsfocused on building and maintaining user trust by providing a safe online marketplace for ourusers so that they may return to us in the future. We achieve this by assessing andunderstanding the systemic risks of our marketplace, ensuring that our users are presented withthe right content and products, and that we have in place appropriate mitigations for these SystemicRisks. In this second Risk Assessment, we have sought to build on our 2024 Risk Assessment byimproving our methodology and adopting matrices for assessing Systemic Risks’ severityand probability as well as the effectiveness of our mitigation measures in line with Article35(1) of the DSA. This Risk Assessment 2025 contains confidential and commercially sensitive information, aswell as trade secrets and information that could be exploited by bad actors to circumvent ourcontrols. It was prepared solely for the benefit of the European Commission and the NON-CONFIDENTIAL Coimisiún na Meán, in accordance with Article 42(4) of the DSA. It cannot be shared withthird parties and is protected by Regulation 1049/2001, as otherwise it would undermine ourcommercial interests. In accordance with Article 42 of the DSA, we will publish this RiskAssessment without confidential and commercially sensitive information following receipt ofthe audit report provided for in Article 37(4) of the DSA. We wish to reiterate our commitment to our continued engagement, and we look forward todiscussing any information in this Risk Assessment 2025 further if helpful. Sincerely, [Confidential]................................. [Confidential] Director,ISSL [Confidential]... General Counsel, EMEA ...[Confidential]................................. [Confidential]... Head of the DSA Compliance Function ......[Confidential] NON-CONFIDENTIAL 1 RISK ASSESSMENT REPORT 2025 Submission to the European Commission pursuant toArticle 42(4) of the Digital Services Act 2 Table of Contents 1. EXECUTIVE SUMMARY ............................................................................................. 32. INTRODUCTION ......................................................................................................... 43. HOW TO READ THIS REPORT .................................................................................. 54. OVERVIEW OF OUR MARKETPLACE ....................................................................... 65. OUR COMMITMENT TO USERS OF THE MARKETPLACE ................................... 86. GOVERNANCE FRAMEWORK ................................................................................... 97. CONSULTATION WITH STAKEHOLDERS ............................................................... 108. RISK ASSESSMENT METHODOLOGY .................................................................... 119. SCOPE AND CONSTRAINTS ................................................................................... 1510. RISK ASSESSMENT CONTEXT ............................................................................... 1711. ASSESSMENT OF SYSTEMIC RISK 1 – ILLEGAL CONTENT ................................. 2412. ASSESSMENT OF SYSTEMIC RISK 2 – FUNDAMENTAL RIGHTS......................... 3713. ASSESSMENT OF SYSTEMIC RISK 3 – DEMOCRATIC PROCESS AND SOCIETALRISK .......................................................................................................................... 54 14. ASSESSMENT OF SYSTEMIC RISK 4 – PUBLIC HEALTH...................................... 5715. CONCLUSION........................................................................................................... 61 3 1. EXECUTIVE SUMMARY 1.1 Who We Are Since 2012, Shein has been a global online fashion and lifestyle retail store ("Shein"or "We") offering primarily women's and men's apparel and accessories,childrenswear, and home decor. In August 2023, we launched the Sheinmarketplace in the EU (the "Marketplace"), selling products provided by third-partySellers ("Sellers"). Since then, we have operated as a single store, making productsfrom Sellers available to customers for purchase alongside Shein's own retailoffering. We were designated as a Very Large Online Platform ("VLOP") in April 2024. 1.2 Changes Since 2024 This is our second year as a marketplace and our first full year since our designation asa VLOP under the Digital Services Act ("DSA"). Since our first systemic risk assessment("Risk Assessment") report dated 26th August 2024, we have strengthened ourcompliance management approach. Key improvements include:  Improving our DSA Governance framework, including our DSA ComplianceFunction, and cross-functional working groups to ensure an effective systemic riskgovernance structure across the Platform.  Engaging with external stakeholders such as civil society organisations, consumergroups, EU regulators and the European Commission.  Leveraging the audit-readiness work from our 2024 DSA independent audit andaligning with our Transparency Report data to start building comparable metricsacross reporting cycles.  Enhancing our Risk Assessment methodology to apply a more robust assessmentof the risks’ probability, severity and mitigation measures’ effectiveness across allfour systemic risk categories identified in Article 34 ("Systemic Risks"). 1.3 Overall Risk Assessment Our assessment shows that all the key inherent risks to our Marketplace are effectivelyreduced by our existing mitigation measures ("Mitigation Measures"), which includeboth our first year’s Mitigation Measures as well as new ones put in place over the past12 months, ensuring that our actual risk ratings are all within the Low to Low-Mediumrange. 1.4 Next Steps and Continuous Improvement We are committed to continuing to review and strengthen our Mitigation Measuresacross six areas:  Legal Terms, Policies and Enforcement – ensuring clarity, fairness, andaccessibility.  Interface Design – advancing built-in controls, automation, transparency andinclusivity. L 4  User Controls – empowering users with stronger and accessible reporting andchoice mechanisms.  Organisational Structures – structuring teams and expanding internal resources.  Internal Processes – enhancing monitoring and enforcement actions.  Educational Initiatives – training our business teams, facilitating Sellers’understanding of our rules, as well as our users’ digital literacy and informed use ofour Marketplace. Beyond our measurable progress since our first Risk Assessment Report in 2024, weremain committed to transparency, accountability, and the continuous protection of ourusers’ rights. 2. INTRODUCTION 2.1 Scope This Risk Assessment Report 2025 (the "Report") has been prepared in accordancewith Articles 34, 35, and 42(4) of the DSA. It sets out the results of our second RiskAssessment as a VLOP, along with the Mitigation Measures we have implemented toaddress the identified risks. This Report covers the period from 27th August 2024 through 28th August 2025 ("Year2"). It assesses risks stemming from the design and functioning of our services and theways our users, i.e. Sellers and customers, interact with our Marketplace. It followsShein’s initial Risk Assessment Report submitted on 26th August 2024, four months afterour designation as a VLOP ("Year 1"). 2.2 Updated Methodology For Year 2, we updated our methodology with the following key features:  Adoption of matrices of risks’ Probability and Severity and Mitigation MeasuresEffectiveness to assess Systemic Risks.  Consideration of our Year 2 Transparency Reports to inform our understanding ofrisks and Mitigation Measures Effectiveness.  Reliance on the new matrices to evaluate inherent risk scores, correspondingMitigation Measures and actual risk ratings for accuracy and consistency.  Systematic review and rating of all potential Systemic Risks set out in Article 34 ofthe DSA across the full scope of the Marketplace, including platform features,functionalities, interface design, and recommender systems.  Supporting business questionnaires, attendance notes, and storage of all relateddocumentation and data for this Year 2 Report in a dedicated repository. Thisensures compliance with our record-keeping obligations under the DSA.  Pursuant to Article 35 of the DSA, we have assessed our current MitigationMeasures and mapped them against Systemic Risks. This enables us to evaluatetheir proportionality and effectiveness. 5 2.3 Commitment to Ongoing Controls Similarly to Year 1, we remain committed to implementing strong Mitigation Measuresdesigned to prevent and mitigate risks arising from the use of our Marketplace. We willcontinue to invest in human-led oversight, complemented by automated controls, toensure that the Shein Marketplace is a safe, transparent, and trustworthy environment. 3. HOW TO READ THIS REPORT 3.1 This Report has been prepared in compliance with Articles 34 and 35 of the DSA. It setsout the results of our Risk Assessment as a VLOP for Year 2, the Mitigation Measureswe have in place and the governance and consultation processes that support them. 3.2 The Report is structured to enable readers to understand:  Who is Shein and how our Marketplace functions.  Our governance framework and commitments to users.  The methodology we applied to identify, assess, and mitigate Systemic Risks.  The results of that assessment, setting out our Mitigation Measures, and actual risksratings. 3.3 Structure of the Report  Executive Summary – A high-level overview of improvements, key findings and nextsteps.  Introduction – Scope and changes from Year 1.  How to Read This Report – Guidance on how this document is organised and howreaders can navigate it.  Explanation of the Marketplace – Description of our Marketplace, services, andfunctionalities.  Our Commitment to Users of the Marketplace – Principles guiding user protection,rights, and trust.  Governance Framework – Oversight structures such as our DSA ComplianceFunction and cross-functional teams.  Consultations with Stakeholders – Internal and external engagements undertakenover the Year 2 period to inform this Risk Assessment.  Risk Assessment Methodology – Detailed description of how we identified andevaluated Systemic Risks.  Risk Assessment – Assessment for each Systemic Risk and sub-risk, with mappedMitigation Measures and Actual Risk Ratings (see Section 8.5.4) findings.  Conclusion – Overall findings and forward-looking commitments. 6 4. OVERVIEW OF OUR MARKETPLACE 4.1 How We Function 4.1.1 What makes Shein's position unique is our commitment to making fashionaffordable for all. By leveraging on-demand manufacturing technology, Sheinconnects suppliers to an agile supply chain, minimising inventory waste.Shein leverages a small-batch on-demand production model, which allowsfor more choice at more affordable prices while minimising waste. Thisapproach bridges the gap between customer demand and merchandisesupply, resulting in more accurate preferences, affordable prices and areduction of production waste at the source. It enables Shein to deliver a widevariety of products to a global audience. 4.1.2 Shein's model starts with the ability to measure demand signals accurately,from the way users engage with us and our products. These signals informdesigns so that we make products that we know our customers want. Ourdigital supply chain technology provides real-time insights into demand andinventory for us and our network of contract manufacturers. We produce just100 to 200 pieces of any Shein-branded product at initial launch. This enablesus to respond to increased demand or market changes with agility and speed– emerging trends can become Shein products quickly. By rethinking thetraditional fashion production model, Shein matches demand and supply,saving costs at various layers of the business, which we pass on to ourcustomers in lower prices. This means that customers can access what theywant, when they want it, and all at affordable prices. 4.1.3 The Marketplace is provided by ISSL in the European market. This is alocalised business in Europe, with our focus on localised consumer interestsand an efficient logistics chain. The Marketplace serves both Sellers andShein's direct retail activities provided via Shein Retail. 4.1.4 Shein is committed to managing our business responsibly. Our evoluSHEIN roadmap, launched in 2023, represents our comprehensive strategy fordelivering positive impacts across key social, environmental, and governanceissues, and making continual improvements across our value chain. Theroadmap is designed to address the critical challenges facing the widerfashion industry and builds on three strategic pillars: Equitable Empowerment(People), Collective Resilience (Planet) and Waste-Less Innovation(Process). It anchors our commitment to being a responsible corporatecitizen, improving lives in the communities we reach and protecting theenvironment we all share. 4.1.5 We have an international presence, serving customers in over 160 countrieswith 18,000 employees. Our global reach positions us as a major player in thefashion and lifestyle sector. In the EU, the Marketplace is accessible atshein.com o p e r a t e d t h r o u g h d igital and localised storefronts forcustomers, which are customised by language and currency. Our approachensures that our offering matches the risks and abuse vectors applicable tothe quality of the products sold on the Marketplace, are aligned with brick-and-mortar shops offering similar items. Whilst the ones applicable to theMarketplace’s functioning are similar to those that apply to any other onlinestore that offers third-party consumer products for sale. In line with our 7 mission to make fashion affordable to all and noting our popularity to date, wehave strived to ensure that we effectively prevent harm and maintain trust. 4.1.6 This is essential to Shein as we rely on user trust. Shein is thereforeincentivised to provide a high-quality customer experience, ensure theaccuracy of data and that only safe, age-appropriate and trustworthy contentis made available through our online store. For this reason, Shein takes RiskAssessments seriously and is continuously considering how MitigationMeasures work, and ways to adapt and improve their effectiveness. 4.2 Our customers’ experience and journey on the Marketplace 4.2.1 As the operators of a customer-centric service, we are focused on regularlytesting our service to review and evaluate our customers’ journey on theMarketplace and identify which parts of the interface may lead to a risk forour users. For example, assessing whether our legal terms are easilyaccessible from any page of our website. Shein identifies controls to managethose risk events and also implements Mitigation Measures to reduce theirpotential impact on users. 4.2.2 The customer journey involves the following steps: (a) the browsing phase, before a customer purchases any product.During this phase, the customer has accessed the Marketplace, startsbrowsing it and may add products to their shopping cart. Bothregistered and non-registered users are concerned by this phase. Weconsider the identification, analysis and assessment of FundamentalRights Risks, Minors Risks, and Illegal Content Risks ( as definedbelow) to be mainly relevant with respect to the design and functioningof our service allowing all users to access and browse theMarketplace; (b) the purchasing phase, once a customer starts the purchasing processon the Marketplace. During this phase, the customer selects a productand goes through the purchasing steps. ; and (c) the post-order phase, when the customer has completed the purchaseof a product on the Marketplace. During this phase, the customer mayask questions to, or request support from our customer service andsubmit a review of the product they have purchased. Only confirmedbuyers can publish reviews and only on the products purchased;however, all users may access published reviews. 4.3 Our Sellers’ journey on the Marketplace 4.3.1 The Marketplace allows products from professional Sellers to be listed forcustomers to purchase. We are committed to monitoring the Seller journey inorder to identify and mitigate any potential risk events. 4.3.2 The Seller journey involves the following steps from onboarding to continuousassessment and monitoring: (a) the onboarding and verification phase, before the Seller can be listedon the Marketplace. During this phase, prospective Sellers submit an 8 initial online application involving the sharing of detailed information tobecome a trader on the Marketplace. Our Seller Management teamconducts an initial screening of the application before issuingapproved Sellers with login credentials to become onboarded. Thisconsists of both verifying the information provided and reviewing theSeller's past activity. This is followed by a "Know YourCustomer" ("KYC") process. [Confidential]whichinvolves ensuring compliance with regulatory requirements andenhancing the security of financial transactions effected throughthe Marketplace. Once KYC has been passed, Sellers are then fullyonboarded and can start listing their products on the Marketplace. (b) the Seller product listing phase, post onboarding. During this phase,Sellers will be able to use Shein’s Seller interface, i.e. Global SellerPlatform, which allows Sellers to list products and to providecompliance and safety information on the Marketplace. The Seller canstart creating product listing by uploading the selected productcategory descriptions, IP information, safety information, pricing andphotos. (c) the continuous assessment and monitoring phase, after the Seller hasestablished its storefront. When a Seller makes any changes to itsinformation, company structure, or business scope, this informationwill be verified in real-time for accuracy, and if the Seller does not passKYC with the new information, it will be suspended until all necessaryinformation has been provided and verified. 4.3.3 Shein's ongoing enforcement activity, which is active throughout all thephases above, runs in parallel with both users’ journeys. This includes bothinternal enforcement and external actions involving relevant authorities, aswell as the continuous education provided to Sellers and customers. 5. OUR COMMITMENT TO USERS OF THE MARKETPLACE 5.1 We are committed to operating responsibly across every area of our business andhold ourselves to leading international standards. The trust of our users (includingcustomers and Sellers) and partners is paramount to what we do, so we strive toimplement leading industry practices and policies designed to protect those we workwith. 5.2 We have reimagined fashion by shifting from a traditional supply-driven model to anon-demand model. Our mission is to make the beauty of fashion more accessible toall, while remaining committed to continuing to support and empower designers,creators, suppliers and partners who use Shein. We are also evolving our productofferings to better meet our customers' needs, as part of the Marketplace. We areincreasing value and choices for customers, while also enabling local businesses togrow with us by bringing them onto our service as Sellers. 5.3 A critical part of our mission is earning and maintaining customers' trust. Safety isintegral to everything that Shein does. When customers make a purchase, they trustthat they will receive a safe product. Similarly, when businesses choose to sell, theytrust that Shein will provide a great selling experience free from illegitimatecompetition from fraudsters and bad actors. These customer and Seller expectations 9 drive us to continue to innovate to ensure a trustworthy shopping and sellingexperience every day for our customers and Sellers. To earn and keep this trust, wemanage our production in the following ways: 5.3.1 On-demand production. Shein responds to customer needs with a newlevel of precision and agility. This process begins with our capacity toenhance the efficiency and effectiveness of our product and inventorymeasurement and management strategies, based on an analysis of demandsignals. This informs our designs and production, allowing contractmanufacturers to make products that we know will meet the demands of ourcustomer community. 5.3.2 Reducing unsold inventory. Our technology-led on-demand production modelis designed to match our production with the levels of customer demand, onlyproducing greater volumes of those items that sell well. This supports Shein’sgoal of keeping our unsold inventory rate under 10% (considerably lower thanthe industry average of 20% to 40%). 5.3.3 Reimagining the supply chain. We have reimagined the supply chain,empowering thousands of small and medium-sized businesses, giving themfull insight into what customers want and need. We have built long-termrelationships, working with over 5,000 third-party contract manufacturers tomanufacture products for Shein brands and holding these partners to thehighest standards. 6. GOVERNANCE FRAMEWORK 6.1 To comply with Article 41 of the DSA, we have put in place a structured governanceframework to ensure Systemic Risks management and compliance oversight areanchored at the highest levels of our organisation. This framework integrates the DSACompliance Function and cross-functional working groups, supporting the DSACompliance Function, with regular reporting to our DSA Delegated Board composed ofsenior management members appointed to oversee Shein’s compliance with the DSA. 6.2 Our Risk Assessment methodology is integrated within the broader enterprise riskmanagement and compliance framework. This ensures alignment with existing riskgovernance, audit, and control processes across the business. 6.3 The DSA Compliance Function operates independently from operational teams and hasthe necessary authority and resources to:  coordinate Risk Assessments (Article 34),  oversee the implementation and monitoring of Mitigation Measures (Article 35),  organise and participate in independent audit processes (Article 37), and  report on DSA compliance to the DSA Delegated Board, European Commission andComisiún na Meán. 6.4 The Head of the DSA Compliance Function reports directly to the DSA Delegated Boardand ensures regular updates are communicated to management through structuredmeetings and reporting lines to review DSA compliance updates, Risk Assessments 10 findings and outcomes, Mitigation Measures effectiveness and implementation, asappropriate, and independent audit preparations. 6.5 Working Structure 6.5.1 Working groups composed of representatives from relevant functions support, ona day-to-day basis, the Head of the DSA Compliance Function in conducting theRisk Assessments, implementing Mitigation Measures, and monitoring DSAcompliance. These groups provide subject matter expertise and feed into theDSA compliance reporting cycle. 6.5.2 The Legal team also works closely with the DSA Compliance Function,translating regulatory requirements into operational guidance and monitoringevolving EU legal frameworks, to ensure that the Marketplace’s legal terms,policies and enforcement mechanisms remain aligned with DSA requirements. 6.5.3 In addition, the DSA Compliance Function maintains regular meetings anddistribution lists across multiple specialist teams, including MarketplaceGovernance, Seller Management, Internal Control \& Audit, and GovernmentRelations, to ensure that Shein’s DSA obligations are operationalised in a timelymanner across the Marketplace and that Shein can smoothly coordinate itsresponses to emerging risks. 7. CONSULTATION WITH STAKEHOLDERS 7.1 In preparation for this Year 2 Report, the DSA Compliance Function leading this RiskAssessment has engaged with a variety of stakeholders across the entire business,including Legal, Marketplace Governance, Product Compliance, Risk, ContentMonitoring, Seller Management, Government Relations, Marketing, Customer Serviceand IP teams. These engagements have facilitated the gathering of relevant information,data, and professional views to ensure that this Risk Assessment is based on accurate,up-to-date, and business-wide insights. 7.2 In addition to these consultations with internal stakeholders, we have endeavoured tomeet our due diligence obligations under Recital 90 of the DSA by consulting with a widerange of external stakeholders over Year 2. Their insights have supported ourcomprehensive assessment of Systemic Risks linked to the design and operation of theMarketplace. 7.3 External stakeholders have been grouped into two categories:  Civil society, industry associations, and consumer groups across the EU.  European Commission and national and regional regulatory authorities. 7.4 Throughout the Risk Assessment period, our Legal and Government Relations teamshave actively engaged with both groups, maintaining a structured log of meetings andconsultations. These interactions have informed our ongoing efforts to strengthen theMarketplace’s Mitigation Measures by incorporating stakeholder feedback,understanding and addressing emerging concerns, and overall enhancing theMarketplace’s safety and compliance. 11 8. RISK ASSESSMENT METHODOLOGY 8.1 Introduction 8.1.1 In line with Article 34 of the DSA, we identify, analyse, and assess Systemic Risksin the EU stemming from the design or functioning of our Marketplace, its systems(including algorithmic and recommender systems), and the use of our services. 8.1.2 Our Risk Assessment methodology, first established in Year 1, has been furtherrefined in Year 2 to take into account lessons learnt from the Year 1 RiskAssessment, Year 2 stakeholders’ meetings, our 2025 independent audit andlatest DSA guidelines to ensure that we have a robust methodology that we canre-use over the years establishing an upgraded standard, enabling consistentapplication across reporting cycles and measurable progress over time. 8.1.3 Our refreshed methodology relies on the assessment of the Systemic Riskcategories set out in Article 34 of the DSA, divided into further sub-categories ofrisks, each assessed individually in terms of their severity and probability,combined with the effectiveness of our Mitigation Measures to produce anestimation of the residual or actual risks that remain on our Marketplace. 8.2 Information Sources and Collection 8.2.1 For this Risk Assessment, we collected the necessary inputs from multiplesources, including audit pre-work and fact-finding conducted for our DSA audit;findings from stakeholder meetings with internal and external groups such as civilsociety, consumer groups, the European Commission, and regulators;questionnaires to business units, complemented by follow-up phone interviewswhere clarification was required; as well as Transparency Reports and otherrelevant business metrics. 8.2.2 Where possible, we have used data from our Transparency Reports to startbuilding year-on-year consistency, allowing for a review of the Marketplace’sSystemic Risk profile improvements throughout the coming years. 8.3 Year 2 Methodology Enhancements 8.3.1 Compared with our Year 1 Report, our methodology has been strengthenedthrough:  The adoption of matrices to support our rating of risks based on probabilityand severity, as well as the effectiveness of our Mitigation Measures and theirimpact on reducing the inherent risk level;  A more granular assessment of Systemic Risks and risk drivers, withcorresponding mapping to our Mitigation Measures; and  The centralisation of all 2025 Risk Assessment supporting documentation, inline with Article 34(3) DSA requirements. This repository will ensure continuityand serve as an objective baseline for the 2026 Risk Assessment. 12 8.4 Methodology Overview Phase Objective Key Inputs Outputs I. Risk Identification Defined SystemicRisks categories andtheir Sub-Risksaligned with Article34 Audit pre-work,questionnaires,interviews,stakeholder input Risk register alignedto 4 Systemic Riskswith several Sub-risks under eachcategory II. Inherent RiskAnalysis andAssessment Risk analysis basedon risk driversAssess probability \&severity as if theMarketplace wasoperated withoutmitigations Metrics, trends,judgment, andTransparency Reportinput Inherent risk matrixscores in aspreadsheet III. MitigationMeasuresAssessment Evaluate currentMitigation Measuresand assess theireffectiveness Questionnaires,interviews, policyreviews, metrics Mitigation Measureseffectiveness ratings IV. Actual (i.e.residual) Risk RatingCalculate the ActualRisk Rating andidentify gaps Mapping MitigationMeasures to inherentrisksUsing inherent riskscores combinedwith MitigationMeasureseffectiveness toreach an Actual RiskRating Actual Risk Ratings V. Future MitigationMeasures andMonitoring Consider futureMitigation Measuresneeded to keep therisk down andcontinuousmonitoringestablished torespond to evolvingrisks Interviews,transparency data,stakeholder inputand continuousmonitoring List of MitigationMeasures to beimplemented withinthe next RiskAssessment period 8.5 Five-Phase Process 8.5.1 Phase I – Risk Identification We mapped our four Systemic Risks categories to Article 34 and split those into15 sub-risks (“Sub-Risks”) set out in the table below. Sources included audit pre- 13 work, transparency reporting data, business questionnaires, stakeholderinterviews, and external consultations. SystemicRisk NumberSystemic RiskCategorySub-RiskNumberSub-Risk Title Risk 1 Illegal Content 1 Unvetted Sellers2 Illegal Products3 IP Infringement4 Unlawful BehaviourRisk 2 FundamentalRights5 Human Dignity6 Privacy and Data Protection7 Freedom of Expression andInformation8 Non-discrimination9 Children’s Rights10 Consumer ProtectionRisk 3 DemocraticProcess andSocietal Risk 11 Civic Discourse and ElectoralProcesses12 Public SecurityRisk 4 Public Health 13 Gender-based Violence14 Public Health and PhysicalHealth15 Mental Health 8.5.2 Phase II – Inherent Risk Analysis and Assessment In this phase, we conducted our risk analysis in line with the requirements ofArticle 34 (2) of the DSA, i.e. considering the design and functionalities of ourMarketplace, taking into account our user journeys, recommender systems, etc. Each Sub-Risk’s probability and severity were assessed under a hypothetical "nocontrols/mitigations" scenario, using available metrics or proxies where availableto reach their inherent risk ratings ("Inherent Risk Rating"). 8.5.3 Phase III – Mitigation Measures Review and Effectiveness Assessment In this phase, we aligned our Mitigation Measures against each Sub-Risk andevaluated their effectiveness ("Mitigation Measure Effectiveness") to assesshow significant and useful they are at reducing the Sub-Risk’s Inherent RiskRatings. 14 8.5.4 Phase IV – Actual Risk Calculation This stage involved the calculation of the actual risks on the Marketplace, havingtaken into consideration the effectiveness of relevant Mitigation Measures. We do so by combining each Sub-Risk’s Inherent Risk Ratings with theirMitigation Measures Effectiveness, to produce a residual (or actual) risk score foreach Sub-Risk from which we derive the Sub-Risk’s actual risk rating ("ActualRisk Rating"). 8.5.5 Phase V – Future Mitigation Measures and Monitoring Finally, we started the ongoing process of considering future Mitigation Measuresneeded to maintain low Actual Risk Ratings and adapt to evolving risks on ouronline landscape. 8.6 Calculation Methodology 8.6.1 To obtain the Inherent Risks Rating, we have used two key metrics:  Probability means the likelihood of a Sub-Risk materialising in respect of anactivity, such as the risk of a review containing hate speech or illegal productsappearing on the Marketplace. We use a scale ranging from 1 (Almost Impossible) to 5 (Almost Certain).  Severity takes into account (a) the potential reach or scale, (b) the gravity ofthe impact on users and (c) the remediability of such risk once it hasmaterialised. Our Severity ratings range from 1 (Insignificant) to 5 (Critical). 8.6.2 Inherent Risk Ratings Once we obtain the relevant Probability and Severity scores of a Sub-Risk, wecombine these scores to obtain its Inherent Risk Rating. 8.6.3 Mitigation Measure Effectiveness Further to identifying our Mitigation Measures and aligning them with the Sub-Risks, we assessed their Mitigation Measure Effectiveness, i.e. their impact onreducing the Inherent Risk Rating, in relation to each identified Sub-Risk. Mitigation Measure Effectiveness ranges from 1 (Negligible) to 5 (Very Effective). 8.6.4 Actual Risk Score and Rating After assessing the Inherent Risk Rating and current Mitigation MeasureEffectiveness as described above, we combined these scores to calculate theresidual/actual risk scores from which we derive the Actual Risk Rating. This enables us to identify which Sub-Risks require ongoing attention and toimplement new or enhanced Mitigation Measures, thereby progressivelyreducing the Actual Risk Rating. 15 Risk Rating Description of the Risk LOW Very unlikely to occur and would cause only minimal or negligibleharm if it did. No material impact on users, rights, or Marketplaceintegrity. LOW MEDIUM Unlikely but possible under specific conditions; harm would be limited or contained, such as service disruption or inconvenience tousers. MEDIUM Plausible and reasonably foreseeable. If it occurs, it could cause moderate harm (e.g., limited rights interference, minor financial loss,reputational damage). MED HIGH Likely to occur. Would result in significant harm to affected users,such as financial loss, exclusion, discrimination, or rights interference. HIGH Very likely or already occurring, with severe or systemic harm —including infringements on fundamental rights, child safety, publichealth, or Marketplace trust. 8.7 Commitment to a Standard Our updated methodology creates a repeatable framework that will be appliedconsistently in future years, providing:  A reliable baseline for measuring progress in risk scores;  A structure aligned with regulatory expectations; and  A robust foundation for supervisory review and external audits. 9. SCOPE AND CONSTRAINTS 9.1 Despite our best efforts, several constraints arose in carrying out this Risk Assessment,which we wish to highlight, including: 9.1.1 Regulatory Guidance At the time of this Risk Assessment, there remains limited regulatory guidance orofficial template on how to operationalise and present Article 34 DSA RiskAssessments. Our methodology, therefore, reflects our interpretation of the DSArequirements, informed by established risk management standards andemerging best trust and safety practices. We hope that guidance from theEuropean Commission or the European Board for Digital Services on this topicwill help create greater alignment and convergence across the industry. 9.1.2 Challenges with Inherent Risk Assessment Under Article 34, we must assess inherent Systemic Risks specific to ourMarketplace, while also ensuring that the assessment reflects the actual risks itpresents. Inherent risk scoring requires evaluating probability and severitywithout considering controls or mitigations. However, our Marketplace is 16 inseparable from the safeguards embedded in its design and day-to-dayfunctioning. Content moderation, interface design, and account verification havealways been integral features, meaning there is not always a clear "point zero"baseline. This creates a tension: the assessment requires consideration of ascenario without Mitigation Measures, yet in practice our Marketplace cannot bemeaningfully separated from them. To address this, we applied assumptions toapproximate a "no-controls" scenario, while recognising that some MitigationMeasures cannot realistically be removed. 9.1.3 Data Collection Process The information underlying this Report was collected through a combination ofaudit pre-work, structured questionnaires, and follow-up interviews withstakeholders across the business. The results were consolidated into a centralspreadsheet (capturing risk scores and matrices) preserved separately alongsidesupporting evidence in line with DSA requirements. While this process providesa structured evidence base, it is dependent on the interpretation of the dataobtained, which was not originally structured to match Article 34 requirements.We expect this data collection and analysis to be improved year-on-year to alignmore closely with the DSA requirements over the next Risk Assessment periods.Such data alignment will also help us to continue refining our matrices over thenext Risk Assessments. 9.1.4 Use of Metrics and Proxies Where possible, we tried to incorporate within our Risk Assessment the datapublished in our last two Transparency Reports. Where full-year data was notavailable, the closest available proxy was applied or pro-data calculated for RiskAssessment purposes. Also, not all risks nor Mitigation Measures lendthemselves to direct quantification. Where quantitative data could not fullycapture the probability or severity of risks, we supplemented metrics withprofessional judgment, qualitative evidence, and cross-functional expertise toproduce a balanced assessment, while remaining transparent that these parts ofthese assessments are necessarily hypothetical and not always data-centric. Inour view. this approach complies with Article 34 requirements while reflecting thereality that the Marketplace cannot be divorced from the controls built into itsarchitecture, nor that all Mitigation Measures’ effectiveness can be calculated,e.g., the effectiveness of a contractual commitment in isolation from otherMitigation Measures. 9.1.5 Risk Typology and Cross-References As set out in Section 8 (Risk Assessment Methodology), our Systemic Risks werecategorised in alignment with Article 34 and further divided into Sub-Risks forassessment purposes. In some cases, certain Systemic Risks categories andSub-Risks overlap, e.g., content that is both illegal and harmful to democraticprocesses. For ease of review, we have nonetheless maintained Article 34’s riskorder to maintain structural integrity and consistency, but provide, as necessary,cross-references to ensure there is no duplication. 9.1.6 Evolving Risk Landscape Systemic Risks are dynamic and continuously shaped by external developments(e.g., regulatory changes, technological innovation, societal trends, malicious 17 actor behaviour). This Report provides a snapshot of risks as assessed duringthe Year 2 reporting period but does not capture all possible future evolutions. 10. RISK ASSESSMENT CONTEXT 10.1 Introduction 10.1.1 The DSA applies to a wide range of platforms and services and imposes thesame obligations on all VLOPs and VLOSEs, irrespective of their businessmodel. There is no distinction between transaction-based online platforms oradvertising-funded, attention-based social media platforms. 10.1.2 These different business models do not create the same risks for users. Theexact nature of the identification, analysis, and assessment of a Systemic Riskunder the DSA varies depending on the type of business, the service, and thecontext of its implementation. In line with the DSA's aim of ensuring a safe andtransparent online environment and protecting the safety and trust of society atlarge (including consumers and other users), we have endeavoured to make ourRisk Assessment such that it is specific to our Marketplace which primarily aimsat allowing Sellers to sell their products directly to consumers and proportionateto the nature of the risk. In doing so, we assessed these Systemic Risks byfocusing on the overall causal context in which each risk arises, that may resultfrom the design or functioning of our service, as well as from abuse or misuse ofour Marketplace, in accordance with Articles 34(1)(a), (b), (c) and (d). 10.2 Scope 10.2.1 We aligned our Systemic Risks to the four categories set out in Article 34 of theDSA, which are as follows: (a) the risk of disseminating illegal content ("Illegal Content Risk"), pursuantto Article 34(1)(a) of the DSA; (b) any actual or foreseeable negative effects for the exercise of fundamentalrights, in particular the fundamental rights to human dignity enshrined inArticle 1 of the Charter, to respect for private and family life enshrined inArticle 7 of the Charter, to the protection of personal data enshrined inArticle 8 of the Charter, to freedom of expression and information,including the freedom and pluralism of the media, enshrined in Article 11of the Charter, to non-discrimination enshrined in Article 21 of the Charter,to respect for the rights of the child enshrined in Article 24 of the Charterand to a high-level of consumer protection enshrined in Article 38 of theCharter ("Fundamental Rights Risks"), pursuant to Article 34(1)(b) ofthe DSA; (c) any actual or foreseeable negative effects on civic discourse and electoralprocesses, and public security ("Democratic Process and SocietalRisks"), as anticipated by Articles 34(1)(c); and (d) any actual or foreseeable negative effects in relation to gender-basedviolence, the protection of public health and minors and serious negativeconsequences to the person’s physical and mental well-being ("PublicHealth Risk"), pursuant to Article 34(1)(d) of the DSA. 18 10.2.2 As stated in Section 9.1.5 (Risk Typology and Cross-References) above, there issome unavoidable overlap among certain Systemic Risks. For example, thePublic Health Risk is generally addressed under Illegal Content Risk, as this riskmainly arises in connection with content or a product that is dangerous or illegal,the Minors Risk is generally addressed as part of the Fundamental Rights Risk,i.e. Children's Rights assessment below and some of the risks such as Gender-Based Violence and Human Dignity have already been dealt with under UnlawfulBehaviour. We signpost these clearly when this is the case. We consolidatedthese overlaps within one risk and signposted these clearly when this is the casein the relevant Sub-Risk. 10.3 Key Considerations 10.3.1 Understanding the Marketplace: Our Risk Assessment involves understandingthe customers’ and Sellers’ journey, i.e. how the Marketplace is designed, itsfunctions, and uses, and how the service can be abused or misused. Article 34(1)and Recital 79 of the DSA identify certain factors and characteristics of theservice that need to be considered to assess the Systemic Risk Categories.Accordingly, these factors have been taken into account throughout thecustomers' and Sellers' journeys through the Marketplace. 10.3.2 Engagement: As part of our engagement efforts, we actively listen to customers,Sellers, brand owners and other third parties that interact and transact with theMarketplace, allowing us to identify when something is negatively affecting userexperiences. Our teams review data to track, improve and resolve areas of riskon the Marketplace. 10.3.3 Monitoring: Areas of risk can also be identified where we launch new features,where we consider potential new or altered risks and seek to implementproportionate Mitigation Measures in relation to the same. This process isconducted through several layers of business reviewers and other internal teamsin the risk function, among other mechanisms. These mechanisms allow us tocollect inputs, test solutions, and listen to feedback from users and otherstakeholders. 10.3.4 Content Amplification: We looked at the risk of people trying to misuse theMarketplace, for example, by using bots or faking activity to boost certain content.We found this risk to be very low. Unlike social media, marketplaces are notdesigned for content to go viral or spread quickly. Customer reviews and Sellerproduct descriptions are limited in length and screened by internal processes,thereby preventing such abuse. 10.3.5 Regional and Linguistic Specificities: We maintain internal teams proficient inseveral EU official languages and use, as needed, translation tools to assistcustomers in their preferred language. These resources ensure that usersreceive clear support and communicate with our teams effectively. That said,regional or linguistic aspects carry limited weight in the context of a transactionalmarketplace such as Shein’s. Unlike social media platforms, which disseminateexpressive content where language can convey political opinion, hate, or othersensitive meanings, marketplace interactions are purely functional and product-oriented. A listing for a "blue dress" or similar product does not require experttranslation or nuanced cultural interpretation, and there are very few opportunitiesfor secondary meanings to arise. For this reason, the impact of language or 19 regional specificities is materially lower than for platforms designed forexpression or discourse. 10.3.6 No advertising: A key consideration for this Risk Assessment is that ourMarketplace does not include seller advertising within the meaning of Article 3(r)of the DSA. As a result, Systemic Risks arising from advertising intermediation,such as amplification of illegal content, manipulation through opaque targeting,or infringements of users’ fundamental rights, are materially reduced. Theabsence of advertising means that Shein does not operate as an onlineadvertising intermediary within the meaning of the DSA, and related obligationsconcerning ad repositories, transparency of targeting, and accountability for third-party ad content are not applicable in this context. 10.4 Mitigation Measures applying to the Marketplace 10.4.1 Article 35 requires that we put in place reasonable, proportionate, and effectiveMitigation Measures to address Systemic Risks identified during the RiskAssessment. Most of these Mitigation Measures are key controls that have beenin place since the Marketplace was set up and on which we rely to provide a safe,predictable and trustworthy environment to our users. We outline these MitigationMeasures in relation to each Sub-Risk within their relevant risk assessmentssections below. However, where some Mitigation Measures reflect our overallMarketplace risk mitigation framework and apply across all identified risks, wehave set these out in this Section 10.4. In the interest of clarity and readability,we do not repeat them under each Sub-Risk assessment although they do applyto all identified risks. 10.4.2 Legal terms, policies and enforcement Customers: (a) Our customers are provided with easy access to our Terms andConditions which are made of: (i) Shein’s General Conditions of Use, which governs customers’ useof our European websites and app and users’ relationship withShein as operator of the Marketplace; (ii) The General Conditions of Sale, which apply to customers’purchases on the Marketplace and apply between customers andSellers; and (iii) Shein’s marketplace policies such as Coupon Policy, Bonus,Points Policy, Delivery Policy, Returns Policy, Reviews Policy andRanking Policy. (b) These Terms and Conditions set out very clear standards expected fromusers on the Marketplace, such as Shein’s reviews rules, what behaviouris expected regarding notifications as well as the standards Sheincommits to in terms of Marketplace safety, e.g., ease of access tocustomer service, explanation of how we operate ranking of products,provision of reporting portal for IP infringements. These Terms andConditions are supported by robust enforcement mechanisms to ensuretheir consistent application. Legal terms and policies without effective 20 enforcement lack impact, so by combining clear standards with strongenforcement, we create a strong Mitigation Measure by deterring illegalactivities and removing these promptly if they occur. Sellers (c) Sellers have to enter into a formal agreement with Shein, a MarketplaceService Agreement as part of their onboarding before they are allowed tolist and sell products on the Marketplace. For the EU, we also have anEU Appendix to the Marketplace Service Agreement (together the "MSA"), under which Sellers agree to comply with EU-specific rules whenoperating the Marketplace. Such EU-specific rules include Sellers’warranties about their status and the products they will list on theMarketplace, such as a self-declaration (in accordance with Article30(1)(e) of the DSA) that they will only provide products in compliancewith applicable European Union rules. (d) The MSA also contains explicit prohibitions related to acceptablebehaviour, illegal products and clearly states Shein’s right to removematerials and block or terminate Sellers where the materials uploadedviolate any of these prohibitions. These prohibitions unambiguouslycommunicate that illegal content (including illegal products) is nottolerated by Shein, and provide a clear contractual basis for Shein toenforce these rules and moderate Illegal Content uploaded by Sellers.The list of prohibitions is intended to be thorough and specific,underscoring the gravity with which illegal content is treated by Shein. (e) As part of the MSA, Sellers operating on the Marketplace also have toaccept detailed policies and guidelines relating to operational proceduresof the Marketplace, which can be accessed at any time by Sellers throughtheir accounts on the Global Seller Platform. These are regularly updatedby Shein to respond to market changes and include: (i) The General Marketplace Governance Rules for Sellers on SHEINEU Marketplace, which require Sellers to comply with allapplicable laws and Marketplace policies and set out clear rulesthat apply to violations of any such applicable laws and/orMarketplace policies. (ii) The Product Listing Rules, which contain the rules applicable toillegal or restricted products when listing a new product. (iii) The Global Platform Policy Seller Code of Conduct, whichrequires Sellers to act fairly and honestly and notably prohibitsSellers from "providing misleading or inappropriate information toSHEIN or customers on the SHEIN Global Platforms, such as bycreating multiple detail pages for the same product or postingoffensive product images". (iv) The Global Platform Policy Restricted Products, provides a list ofproducts that are either illegal (worldwide or in specific regions) ornot authorised on the Platform. With regard to illegal products, thelist is indicative and non-comprehensive but provides guidance to 21 Sellers to help them list products compliant with applicable lawsand our policies. (v) Therefore Sellers are under strict restrictions with regards thecontent they can upload or publish such as content that violatesor infringes third-party intellectual property rights; is libelous,threatening, defamatory, obscene, indecent, pornographic, couldbe considered illegal, offensive or restricted under applicable lawsor regulations; or could reasonably be considered to entail,contain, provide or promote unlawful behaviour such as sexuallyexplicit or pornographic content; profanity; harassment, bullying orderogatory, discriminatory or hateful comments or incitementsagainst any specific individuals or groups. All of which are strictlyenforced by Shein through a penalty point system under whichSellers’ account will be suspended or terminated in case ofbreaches of applicable law and/or our legal terms. 10.4.3 Educational Initiatives (a) We consider education and literacy a central component of our riskmitigation framework and therefore apply it to Marketplace as a whole.Through the layered measures listed below, we embed education andliteracy across all levels of operation, as one of Shein’s key preventiveMitigation Measures. Our approach combines user-facing and internalinitiatives, structured as follows: (i) Customer Education: We provide clear and accessible guidelinesthat inform our users of what they may and may not do on theMarketplace. To complement these measures, we actively workto raise customer awareness in line with Article 35(1)(i) of theDSA. For example, we inform customers of their rights and shareawareness initiatives related to IP rights and other complianceobligations. (ii) Seller Education: Shein has a process whereby the ProductGovernance team is tasked with the preparation of Guidelines andPolicies for Sellers on Product Compliance on which they alsodeliver training to Sellers to enhance their knowledge andpractices. Sellers have access to a designated "Seller EducationHub", which contains helpful information and guidance regardingproduct compliance. Regular training activities also keep Sellersinformed and up to date on regulatory changes, fosteringcontinuous learning and adherence to compliance standards. (iii) Expert Team Development: Specialist internal teams, including IPand Legal, Data Protection, participate in external training toremain up to date with regulatory and enforcement developments.These teams are then able to adopt a "train the trainer" approach,equipping moderators and other business functions with thenecessary knowledge to enforce compliance in practice andcontribute to the limitation of the relevant risks. (iv) Internal Training: Moderators and other internal team receivetargeted training to ensure they fully understand their mission and 22 can apply and enforce Shein’s Marketplace policies consistentlyand effectively. This ensures that moderation aligns with Shein’swider objectives of safeguarding users and maintainingcompliance. Shein’s training is designed for existing and newemployees, and more especially for employees responsible forproduct review during listing. Shein also provides DSA-relatedtraining to all business teams involved with content moderation.We tailor our training and illegal content review processes toaddress local legal requirements and cultural sensitivities bygeography if applicable. 10.4.4 User controls (a) Shein provides a structured notice and action mechanism ("Notice andAction") in line with Article 16 of the DSA. Each product listing and reviewcontains a reporting button through which users can flag individual listingsor reviews to Shein. Notifications concerning product listings may relateto a range of issues, including suspected prohibited goods, offensivecontent, IP infringements or data protection and privacy; whilst for reviewsusers can notify Shein of any misleading, abusive or illegal content. (b) When a notice is submitted, the user receives an acknowledgementconfirming receipt of their notification, as required under Article 16(2) ofthe DSA. All notifications are then assessed by Shein’s dedicated ContentModeration team, who review the reported content against applicable lawand Shein’s applicable legal terms. Where Shein determines that contentshould be removed, both the reporting user and the Seller are informedof this decision, including through Shein’s statement of reasons for suchdecision without undue delay ensuring transparency, accountability, andthe possibility of appeal, in line with Article 16(5) of the DSA. (c) This Notice and Action mechanism constitutes a key Mitigation Measureapplying across the Marketplace to ensure that potentially illegal contentor non-compliant products or reviews are flagged efficiently, reviewedconsistently, and addressed in compliance with the DSA. It also ensuresthat users have a clear, accessible, and reliable channel to report unlawfulproducts on the Marketplace. We also provide a user-friendly appealmechanism allowing both users who reported content or users whoposted the reported content to contest our decision. 10.4.5 Internal Processes – Continuous monitoring controls (a) We have continuous monitoring controls, systems and tools in place,notably to supervise our activities. If a negative event, such as the listingof an illegal product, occurs despite Shein's pre-emptive MitigationMeasures, we have tools and processes to identify the negative eventand address it without delay, notably in line with the measures mentionedin Article 35(1)(b), (c) and (f) of the DSA. (b) Dedicated teams and tools evaluate and monitor the Marketplace forfraud, abuse, and other types of negative experiences and work onremedying them. Every identified potential negative vector is reviewed byseveral layers of business reviewers and other internal teams, amongother mechanisms. Shein also engages and works with industry 23 associations and non-profit organisations across the EU and MemberStates to identify ways to improve our programs. 10.4.6 Internal Processes – Ensuring accountability (a) When Shein identifies an issue (whether through proactive or reactivemeasures), we hold bad actors accountable, notably through theenforcement of our terms and conditions, as mentioned in Article 35(1)(b)of the DSA. Shein not only acts quickly to protect customers and Sellers,e.g., by removing the problematic content or listing but, whereappropriate, also blocks bad actors' accounts, withholds funds, etc., andcooperates with law enforcement. (b) Bad actors continually deploy new tactics to attempt to evade detection,and Shein continues to innovate to stay ahead of new abuse vectors,including by working with Sellers and relevant third parties (such aspayment providers) to hold bad actors accountable. (c) We also implement practices that seek to improve the overall quality ofour systems by:  driving accountability for root causes to appropriate service owners;  documenting trigger events;  addressing root causes through trackable action items;  seeking to prevent the re-occurrence of the problem;  analysing the impact of the problem on our business and ourcustomers; and  capturing learnings and sharing those with relevant teams. 24 11. ASSESSMENT OF SYSTEMIC RISK 1 – ILLEGAL CONTENT 11.1 Definition of the Risk – What is Illegal Content "Illegal Content" is defined in the DSA as "any information that, in itself or in relation toan activity, including the sale of products or the provision of services, is not incompliance with Union law or the law of any Member State which complies with Unionlaw, irrespective of the precise subject matter or nature of that law". The DSA further explains in its Recital 12 that illegal content should broadly reflect theexisting rules in the offline environment and should be defined broadly to coverinformation relating to illegal content, products, services and activities. We have subdivided this Illegal Content Risk into 4 Sub-Risks: Unvetted Sellers, IllegalProducts, IP Infringing Products, and Unlawful Behaviour. 11.2 Sub-Risk 1 – Unvetted Sellers We have assessed that the risk of Sellers listing illegal products on the Marketplace isincreased when Sellers who have not been "vetted" are allowed to list products for sale.Our first Sub-Risk is therefore the potential of having Unvetted Seller on the Marketplace. Unvetted Sellers Risk Definition The risk of Sellers being permitted to create an accountand to sell products on the Marketplace, without anychecks and verifications. How this risk would applyto our Marketplace ifunmitigated This risk would apply if Shein allowed Sellers on theMarketplace without verification of their identity andcredentials, thereby creating more opportunities forfraudulent or low-quality Sellers. 11.2.1 Risk Analysis We have identified that the onboarding and verification of Sellers are pivotal inmitigating illegal content being offered on the Marketplace. Such processes allowShein to address the risk of Sellers listing illegal products, promote consumersafety, prevent Sellers’ anonymity, allow for product recalls if needed, and overallensure accountability of Sellers. In a hypothetical scenario where Shein would letanyone and everyone list products without proper checks and onboardingprocesses, we found that there would be an increased:  Probability of Illegal Content (illegal products, IP infringing products orunlawful behaviour) on the Marketplace;  Risk of restricted or dangerous products being listed with incompletedocumentation, bypassing compliance obligations;  Risk of Sellers committing fraud and/or selling counterfeit goods; 25  Lack of traceability and accountability of Sellers leading to breaches ofcustomers’ fundamental rights; and  Risk that Sellers from outside the EU would sell products without meeting EUproduct safety standards and consumer legislation. We have designed our system so that only verified Sellers can list products onthe Marketplace. This system design is reinforced by our human verification ofthe first layer of information required from Sellers and then by a second layer ofverification through external providers. In addition to our Sellers’ initial onboarding and verification processes, we haveconsidered the role of our legal terms in relation to this Sub-Risk. Our onboardingprocess requires that our Sellers enter into our MSA and EU Appendix, whichrequire Sellers to maintain their information and contact details up-to-date at alltimes. The collection of the Seller’s company and compliance information is thebackbone of this verification process, traceability and accountability. We havealso concluded that the risk of intentional manipulation of our services exists atthe point of onboarding, but we are confident that our dual-layer onboardingprocesses safeguard the Marketplace against such attempts, making it moredifficult for fraudulent actors to create inauthentic accounts. Some of Shein's most important Mitigation Measures, regarding the IllegalContent Risk, are captured in the process of catching malicious actors before they are granted access to the Marketplace. That is, before a Seller is permittedto set up a profile, set up product pages or otherwise input content for publication. 11.2.2 Current Risk Mitigations Mitigation type Mitigation measures InterfaceDesign Since the creation of the Marketplace and as part of our merchantgovernance process, we have required Sellers wishing to listproducts on the Marketplace to provide a list of mandatory detailedinformation about themselves. This includes information about theSeller's business, such as business registration documents, taxidentification numbers and contact details of its key management(and where relevant, key shareholders). Besides, the provision ofthis information being required under Article 30 of the DSA, it is alsohelpful at deterring potential malicious actors who may attempt toconceal their identities for illicit purposes.Such information must be added by prospective Sellers intoShein’s system before it is verified by our teams. Sellers cannotbypass this step and cannot create an account or list any productswithout having provided such information.On the Marketplace, if a Seller wants to change any verifiedinformation, the Seller's account is automatically put on hold untilnew KYC checks have been passed. User Controls Once a Seller has passed the first layer of verification, they are givenaccess to the Global Seller Platform through which they have accessto a dashboard allowing them to see which information is still 26 Mitigation type Mitigation measures required, have access to educational material, and their onboardingstatus. We have a dedicated Compliance team to manage Sellers’onboarding and the first layer of verifications. We also [Confidential] provide KYC services for our second layer of seller vetting. Internalprocesses Under Shein’s relevant onboarding Standard OperatingProcedure, our Compliance team has to conduct a KYC vettingon would-be Sellers, which is set up as follows:  Verification of the mandatory information provided by the Sellersagainst publicly available sources. This process helps Sheinidentify would-be Sellers who are not legitimate businesses. Forexample, if the business registration documents do not matchpublic records, this would suggest to the Seller Managementteam that the would-be Seller is not legitimate and that anycontent they upload presents an elevated illegal content risk.This part of the process also helps the Content Moderation teamprioritise their efforts according to any risks identified during thisreview; and  Review of the Seller's past activity. Shein also researcheswhether the Seller sells its products through other platforms. Ifso, Shein may look for customer reviews and/or seek outreferences from its own network about the Seller to better assessthe Seller. As part of Shein’s KYC process, Shein mandates the review ofa second layer of Seller information [Confidential]. All Sellers are required to go through Shein’s onboardingprocess, and those who fail our verifications are not permitted tolist products on the Marketplace. 11.2.3 Effectiveness of the Mitigation Measures As described above, we have continued operating strong Mitigation Measuresregarding Sub-Risk 1 (Unvetted Sellers) whilst constantly re-evaluating them toadapt to the fast-changing environment in which our Marketplace operates. It has, in practice, been relatively difficult to assess with metrics the effectivenessof some of these Mitigation Measures, as most have been in place since thecreation of the Marketplace. We therefore do not have a "point zero" to comparethem to. Furthermore, legal terms and their effectiveness cannot be assessed asa standalone Mitigation Measure, disregarding the application of complementaryinterface design. Nonetheless, we found through our assessment that if wecombine all our Mitigation Measures, these are Very Effective at keeping badactors off the Marketplace. Organisational 27 11.2.4 Actual Risk Rating Unvetted Sellers Low 11.3 Sub-Risk 2 – Illegal Products We consider illegal products as a subcategory of illegal content under Article 3(h) of theDSA. However, there is no single official definition of illegal products in the DSA, nor isthere a single definition of "illegal product" in EU or national EU member state law.Typically, an illegal product is a product that violates EU law or an EU member statenational law. Its application would take into account the nature of the product and deriveits legality or illegality from a combination of product safety, consumer protection, andother sectoral laws. For this Risk Assessment, we have used the risk definition below and have expresslyexcluded IP infringements, which are addressed separately under the dedicated Sub-Risk 3 (IP Infringing Products) and unlawful behaviours such as hate speech, bullying,or CSAM, which are covered under Sub-Risk 4 (Unlawful Behaviour). Illegal Products Risk Definition The risk of illegal, restricted and banned productsunder EU or member state law being present on theMarketplace. How this risk would apply toour Marketplace ifunmitigated The risk can materialise if users encounter on theMarketplace listings for products that are illegal, belowsafety standards, restricted or banned. For example,live animals, weapons, ammunition, hazardouschemicals, pesticides, explosives or unsafe electricalgoods that do not comply with EU safety standards. 11.3.1 Risk Analysis In this Sub-Risk 2 (Illegal Products), we have identified as relevant to ourMarketplace prohibited or restricted products that are banned outright, aredangerous to consumers, or require special certification, approvals, orcompliance with safety standards. These products may require meeting sector-specific requirements, e.g., licensing, safety standards certification requirementsor are simply illegal under EU or member state law. We also included in this Sub-Risk 2 products that may be legal, but that Shein’s internal rules do not allow,such as fresh meat or other products for which Shein has determined that theproducts’ safety standard cannot be verified or is too high to allow for properverifications. Overall, we refer to the products assessed under this Sub-Risk 2 asProhibited or Restricted Products. 28 The risk is that malicious Sellers could attempt to exploit the Marketplace’s Sellerfunctionalities to list, promote, or sell such Prohibited or Restricted Products.Without Mitigation Measures, the following misuse scenarios could occur:  Listing, publishing, and selling Prohibited or Restricted Products by using thelisting functionalities to add product names, descriptions, specifications,images, or videos that advertise illegal products;  Misrepresentation of listed products, seemingly offering a legal or compliantproduct, but in reality using the listing to facilitate the sale of a banned or non-compliant item; or  Mis-categorising products to bypass specific compliance or safety rules thatapply to certain categories. From a systems perspective, our Seller listing functionality imposes the selectionof a product category, depending on which, additional information andcertification may be required before a product can be listed on the Marketplace.Our system is then backed up by our content moderation processes, monitoringlistings and their associated product reviews, as well as our MSA, which explicitlyprohibits the sale of Prohibited or Restricted Products and imposes strictobligations on Sellers to comply with EU and national product safety laws andstandards. Enforcement actions are clear, and internal teams are trained to applya penalty point system, which may lead to product delisting or accountsuspension or termination as necessary. The primary risk remains the possibility of Sellers to bypass our controls by, forexample, misclassifying their products. However, this is actively mitigatedthrough thorough onboarding checks, category-specific compliancerequirements, and reporting mechanisms. Therefore, whilst we are aware that attempts to misuse our services to listProhibited or Restricted Products are a reality of online marketplaces, we believethat our Marketplace’s structure and Mitigation Measures, both pre-emptive andreactive, significantly reduce the risk of widespread dissemination of Prohibitedand Restricted Products. 11.3.2 Current Risk Mitigations Mitigation type Mitigation measures InterfaceDesignRequirement for Sellers to upload product complianceinformation onto the system: Depending on the regulatoryrequirements applicable to certain product categories, our productlisting feature may contain mandatory fields, such as a field requiringthe provision of a specific certificate where relevant, to ensure thatthe product meets the corresponding requirement. If the Seller failsto provide the required information, the product cannot be listed orwill be removed. For example, when Sellers fill in product informationfor new products, they are not authorised to use certain words ortypes of products listed on our Prohibited and Restricted list. Automatic blocking of products listed as Prohibited \&Restricted: We use continuous automated checks utilising technical 29 Mitigation type Mitigation measures tools like image recognition to spot prohibited or restricted products. Shein has developed and maintained an image search enginethat assists our Compliance team in identifying andremoving problematic products. If a product is flagged asprohibited or restricted with high confidence, it is promptlyremoved by the system or configured in accordance with thenecessary restrictions. Compliance review: The Marketplace adopts a risk‑basedapproach to validate submitted reports, to ensure adherence to theMarketplace's set standards and regulatory requirements.Compliance specifications are thoroughly examined for accuracyand completeness. Any deviations or non-compliance are promptlyflagged for further investigation and corrective action. As mentionedabove, once a product is listed, the Compliance team screens itthrough the system and conducts manual checks to identify anyprohibited words. If a prohibited word is used, the Compliance teamchecks to determine whether the product is indeed a Prohibited orRestricted Product. If so, the product is delisted. If the product is nota Prohibited or Restricted Product but only contains an incorrectwording, the corresponding description is corrected. Illegal content notices: Any product that is potentially a Prohibitedor Restricted Product may be reported to Shein through the Noticeand Action mechanism. The processing of illegal content notices andrelated investigations is led by the Content Moderation team, whichwill assign responsibilities as appropriate amongst differentteams, such as Compliance or Content Moderation. Each team isassigned specific workstreams based on the type of illegal contentreported. Upon receipt of an illegal content notice, each team followsprocedures of notification, review, investigation, and decision-making to ensure alignment with legal criteria, to address the notice.Shein tailors its training and illegal content review processes toaddress local legal requirements and local customs by geography.We have adopted a systematic approach to handling reports of illegalcontent on our Marketplace. Ongoing Monitoring: Shein conducts ongoing monitoring ofproducts to ensure applicable requirements are being met.Prohibited or Restricted Products are regularly checked, and if aproduct is identified as being on Shein’s Prohibited and RestrictedProduct list, it will be immediately delisted. Our system is alsodesigned to automatically flag products that have not been checkedfor a while. We use continuous automated checks utilising technicaltools like image recognition to spot Prohibited or RestrictedProducts. Shein has developed and maintained an image searchengine to assist in the identification and removal of problematicproducts. If a product is flagged as a Prohibited or Restricted Productwith high confidence, it is promptly removed by the system orconfigured in accordance with the necessary restrictions.Subsequently, human review acts as a secondary step to ensure theaccuracy and appropriateness of the automated determinations.This two-tiered approach of automated screening followed by human Organisational 30 Mitigation type Mitigation measures validation enhances the effectiveness and reliability of the productcompliance monitoring process. Recall of non-compliant products: As necessary, we apply ourProduct Recall Standard Operating Procedure, which includesremoving the relevant product from the Marketplace, notifying ourcustomers, and issuing refunds. In such cases, we may also takeaction against Sellers, where appropriate. 11.3.3 Mitigation effectiveness In Year 2, we have continued operating our multi-layered Mitigation Measureswhilst always updating them to adapt to the fast-changing environment in whichour Marketplace operates. Whilst the impact of some individual MitigationMeasures may be difficult to assess, together they form an integrated mitigationframework that we have concluded to be Effective at preventing users fromencountering illegal products on the Marketplace. This area of MitigationMeasures is subject to continuous review to ensure alignment with the latesttechnological developments and evolving online scams or deceptive trends. 11.3.4 Actual Risk Rating Illegal Products Low Medium 11.4 Sub-Risk 3 – IP Infringing Products Under the previous Sub-Risk 2 (Illegal Products), we expressly carved out intellectualproperty (IP) Infringing Products. These products are dealt with under this Sub-Risk 3. IP Infringing Products Risk Definition The risk of products which infringe third parties’ intellectualproperty rights. How this risk wouldapply to ourMarketplace if un-mitigated This risk relates to customers encountering and purchasingcounterfeit or otherwise IP-infringing products. 31 11.4.1 Risk Analysis We have analysed the risk of IP infringing and counterfeit products being offeredon the Marketplace and found that if unmitigated, this risk would materialise ifSellers, for example:  Used the Marketplace to list, publish and sell products that infringesomeone’s IP, such as selling fake designer clothes or handbags (i.e.counterfeit) at the designer’s price or less; or  Used the Marketplace’s functionalities to list and publish products under thetrademark of a third party. As expected, our MSA and related policies prohibit the sale of counterfeit and IP-infringing products, providing Shein a contractual basis for enforcement actionsagainst Sellers, including removal of listings and account suspensions. We have also considered the impact of our Marketplace’s design on such riskand found that its combination of proactive detection tools, such as Seller vettingand IP database, effectively reduces the likelihood of users encounteringcounterfeit and other IP-infringing goods on the Marketplace. However, if,notwithstanding these measures, counterfeit products or other IP-infringinggoods appear on the Marketplace, our content moderation processes and teamswill take over, playing a key role in identifying and promptly removing counterfeitor IP-infringing listings from the Marketplace. 11.4.2 Current Risk Mitigations Mitigation type Mitigation measures Pre-Listing Intellectual Property Verification: The Marketplacerequires Sellers to submit proof of IP rights, such as trademarkregistration certificates, letters of authorization, patent or designcertificates, or brand authorization agreements, before listing aproduct, and the Legal Team will verify the authenticity andapplicability of the submitted materials; if the documentationis insufficient, the listing will be rejected and the Seller willbe required to provide complete proof. Automated monitoring to track IP infringement: Shein utilisesan automated system to enhance content moderation and ensurecontrol of content on the Marketplace, which also automaticallyscans product listing information for potential indicators of IPinfringement. Shein also utilises other monitoring tools that play acrucial role in the initial screening process, flagging listingsthat may contain elements requiring further review by the Compliance Team which is specially trained in IP issues. Thisproactive approach helps identify potential violations at an earlystage and facilitates timely mitigation actions. Interface Design 32 Mitigation type Mitigation measures User Controls IP infringement Portal: In addition to the Notice and Actionmentioned in Section 10.4.4(User Controls) above Shein offers areporting feature in the form of a dedicated IP Complaint Portalthat allows any IP owner or licensee to report a product which islisted on the Marketplace and which they believe infringes their IPrights. Organisational We have IP teams dedicated to reducing the risk of IPinfringement who maintain know-how, training and update ourdatabase tracking IP, brand or trademark infringement ("IPInfringement Element Database").Our Content Moderation team is also trained on spotting IPinfringements and coordinating their reviews with other businessteams, Legal or IP as necessary. InternalProcesses Documentation requirements: Shein also requires specificauthorisation documents from Sellers to verify their legal rightswith respect to IP. These documents are reviewed by the Legalteam, aiming to triage for potential IP infringements and otherlegal issues. Each Seller's name on the Marketplace is alsoverified against the IP Infringement Element Database, includingto confirm the authorised use of relevant trademarks,safeguarding against impersonation and unauthorised utilisation.Sellers are also required to adhere to Shein policies on IPInfringement. Upon approval, Sellers are officially linked to theirrespective brands in our systems, enabling them to list productsassociated with their authorised brands. IP Infringement Database: As noted above, the IP teamuses and maintains an internal IP Infringement ElementDatabase consisting of a repository and used to log andtrack various instances of IP infringements during productlisting and delisting procedures. The database serves as acentralised system to document and manage instances ofconfirmed copyright violations found in product listings andnotices. Moreover, it generally includes external information andreports and maintains comprehensive records of all IPinfringement incidents, verification, actions taken, andresolutions. Additional manual review of the listings: As forillegal products, as part of our processes, once a product islisted, the Compliance team screens it through the systemand conducts manual checks to identify any prohibitedwords and any potential infringement of trademark. Iftrademarks or other IP are used in the listing, the Compliance team checks to determine whether the use of the IP with thelisted product is indeed an infringement. If so, the product isdelisted. Reviewing IP Complaints/ IP Dispute Resolution teams: Once IP reports from IP owners or licensees that a product listed on the 33 Mitigation type Mitigation measures Marketplace infringes their IP rights are issued through our Complaint Portal feature, they are then escalated to Shein'sLegal team, which is responsible for assessing IP infringementreports and, where appropriate, taking down products. Response and turnaround: We aim to address IP infringementnotices as quickly as possible. Depending on the complexity ofthe case and the information provided by the reporting party, wegenerally address the IP infringement notices within 3 to 5 workingdays from the receipt of the notice. Initial responses are usuallyinitiated within 24 hours upon receipt of the information. Uponmaking a decision, Shein will then action (e.g., suspend) thecorresponding product and/or sanction the Seller. Notification Process: As for illegal products, if our processesidentify a product as requiring a customer notification, Shein willremove the product from sale, notify our customers, and issuerefunds. We also take action against Sellers, where appropriate. 11.4.3 Effectiveness of the Mitigation Measures Shein recognises that IP infringement has a significant global impact and cost,and that the risk of IP-infringing products being sold must be addressedthoroughly. We have therefore pro-actively implemented specific measures todetect and prevent IP-infringing listings on the Marketplace. By combiningpreventative Mitigation Measures pre-listing (Seller vetting, IP InfringementDatabase) with post-listing Mitigation Measures (automated and human contentmoderation, notice and action mechanism, enforcement of terms), wesubstantially reduce Systemic Risks linked to counterfeit and IP-infringingproducts. We assessed our Mitigation Measures as Effective at preventing users fromencountering counterfeit and IP-infringing products on the Marketplace. 11.4.4 Actual Risk Rating IP Infringement Low Medium 11.5 Sub-Risk 4 – Unlawful Behaviour We purposefully excluded all previously covered risks (i.e. illegal products and IP-infringing products) from this Sub-Risk 4. Unlawful Behaviour Risk Definition The risk that the Marketplace is misused to engage in unlawfulbehaviour such as sharing unlawful non-consensual private 34 images, unlawful online stalking, harassment and bullying, orrisk of users encountering CSAM or dissemination of hate ordefamatory speech. How this risk wouldapply to ourMarketplace if un-mitigated Considering that Shein is a marketplace rather than a socialmedia platform, the potential for users to use the Marketplacefor Unlawful Behaviours is extremely limited. The only way forusers to upload any type of user-generated content would bethrough "reviews" and potentially through a listing. Therefore,although unlikely, it would be theoretically possible for users touse the review/listing functionalities to upload graphics orimagery promoting hate or violence or hate-filled, or racially,sexually discriminatory messages. 11.5.1 Risk Analysis The risk of Unlawful Behaviour in an online environment is not very different fromthat in a physical environment, except that it may be amplified, as any abusivebehaviour could be witnessed by a number of people online. The primary vector for such risk on our Marketplace would be the review andlisting functionalities. We have reviewed this risk in terms of interface design andconcluded that opportunities for posting any type of user-generated content onthe Marketplace are extremely limited. Sellers, when uploading products, canonly make use of constrained listing features such as product titles anddescriptions. Similarly, customers can use the review feature in relation to averified purchase to upload a photograph of the product or themselves with theproduct. In both cases, although these fields could theoretically be misused todisseminate hateful or discriminatory speech, the reality is that the transactiondesign of our Marketplace makes this extremely unlikely. In addition, all listingsand reviews are monitored with automated tools and human reviewers, furtherreducing any potential abuse. Another key design element is that Sellers andcustomers cannot communicate directly (e.g., through direct messaging) witheach other. Therefore, harassment, bullying or stalking would be nearlyimpossible through our current interface. We also explored whether any user content, including Unlawful Behaviour, wouldlikely be amplified or promoted through our recommender system for productranking. However, this concern is unfounded because the Marketplace has verylimited features, allowing user-generated content in the first place. We have alsoconsidered the risk of bad actors misusing the Marketplace to distribute unlawfulcontent, but assessed it to be marginal as this type of behaviour tends to gravitatetowards social media platforms, where amplification and virality are facilitated. Notwithstanding the low level of risk due to our system design, our Terms andConditions also clearly prohibit any such Unlawful Behaviour and are strictlyenforced through a penalty point system, Seller suspensions, and accountterminations. Finally, as explained in more detail in Section 10.3.5 (Regional andLinguistic Specificities), we found that regional or linguistic specificities carry farless risk in this environment, as product listings and reviews are transactional innature and only exceptionally may contain secondary meanings or expressive 35 nuance requiring expert interpretation, unlike social media, where language iscentral to the dissemination of harmful content. Overall, given the limited opportunities for user-generated content, the design ofthe Marketplace’s system, and the strength of existing moderation andenforcement measures, the likelihood that the Marketplace would be used forUnlawful Behaviour is very unlikely. Nonetheless, strong Mitigation Measuresremain in place to ensure that abusers cannot exploit the Marketplace’s featuresfor such behaviour. 11.5.2 Current Risk Mitigations Mitigation type Mitigation measures InterfaceDesign As set out above, Shein operates a marketplace and not a socialmedia service, and as such, the design of the Marketplace only offersvery limited possibilities to post user-generated content such asverified purchase reviews for customers and product descriptions forSellers.Furthermore, our interface is set up to facilitate trustworthy reviewsas only verified purchasers can post reviews on the Marketplace. Wealso have an in-built automated screening process to block contentcontaining certain words or expressions before it is published. Thisprocess references a comprehensive database of restricted orprohibited terms deemed inappropriate (e.g., profanities, rude words,etc.). If a customer attempts to submit a review containing anyprohibited terms, the submission is automatically blocked. InternalProcessEffective review verification process: To be able to post a review,users must be registered with Shein and have purchased the productagainst which they wish to post a review. Reviews are always linkedto a specific purchased product.Reviews are then subject to verification to reduce the risk ofmanipulation or fake endorsements, such as customers who engagein fraudulent activities or fake orders. Unauthentic reviews will beremoved promptly. Such verifications consist of an initial automatedreview screening (as mentioned above) followed by a human reviewconducted in accordance with Shein's Reviews Policy.Our Content Moderation team also conducts continuous monitoringto ensure all reviews comply with our Terms and Conditions(including our Reviews Policy) and updates the database ofprohibited words to enhance automated detection of illegal reviews.In our continued effort to improve our screening process, we havebeen enhancing manual reviews through the recourse to moreoutsourced service providers, especially in line with activity on theMarketplace. We work closely with such providers and provide allmanual review teams with up-to-date review guidance and training.Shein’s Content Moderation team also reviews all notificationsreceived from the Notice and Action mechanism and acts upon themas further described below. 36 Our processes for product listings and cooperation with trustedflaggers are set out in Sub-Risk 2 (Illegal Content) above. 11.5.3 Effectiveness of the Mitigation Measures With respect to the risk of Unlawful Behaviour on the Marketplace, we found thatsuch risk is quite unlikely to occur on a large scale on the Marketplace. However,our Mitigation Measures demonstrate that we are aware of the potential risksassociated with reviews and listings and take them seriously. Overall, our Mitigation Measures have been assessed as Very Effective atpreventing users from encountering Unlawful Behaviour on the Marketplace. 11.5.4 Actual Risk Rating Unlawful Behaviour Low 37 12. ASSESSMENT OF SYSTEMIC RISK 2 – FUNDAMENTAL RIGHTS 12.1 Definition of the Risk – What are Fundamental Rights Risks "Fundamental Rights" is not defined in the DSA. However, Article 34 specifies anumber of rights that online platforms need to particularly pay attention to, in particular"human dignity (Article 1 of the Charter of Fundamental Rights of the European Union(the "Charter")), respect for private and family life (Article 7 of the Charter), protection ofpersonal data (Article 8 of the Charter), freedom of expression and information, includingthe freedom and pluralism of the media (Article 11 of the Charter), non-discrimination(Article 21 of the Charter), respect for the rights of the child (Article 24 of the Charter)and a high level of consumer protection (Article 38 of the Charter)". We subdivided this Systemic Risk into the following 6 Sub-Risks: Human Dignity,Privacy and Data Protection, Freedom of Expression and Information, Non-discrimination, Children’s Rights, and Consumer Protection. 12.2 Sub-Risk 5 – Human Dignity Human Dignity is one of the Fundamental Rights in the Charter, and the DSA specificallycalls for assessment of any potential negative impact of the Marketplace on such right.We note that Human Dignity, being a foundation right is not legally defined in the Charterand is therefore a broad concept. Our risk analysis is limited to its relevance on theMarketplace. Human Dignity Risk Definition The risk of users suffering degrading and exploitativetreatment impacting human dignity whilst on the Marketplace. How this risk wouldapply to ourMarketplace if un-mitigated This risk could hypothetically materialise on the Marketplacein a review containing either degrading and insultingmessages, or if a product listed is dehumanising andhumiliating, such as the sale of torture products or slaverymemorabilia. 12.2.1 Risk Analysis Similarly to Sub-Risk 4 (Unlawful Behaviour), it is very unlikely that ourMarketplace environment would host or disseminate content that adverselyimpacts human dignity. Our Marketplace is structurally and operationallydesigned for e-commerce, not sharing opinions or news, which makes such risksinherently limited. From a systems perspective, our interface design is set up for the listing ofgarments and home products. The Marketplace is not optimised to promotereviews as these are by-products of the listings which makes it an unattractiveoption for would-be perpetrators. Despite the relatively low probability of ourMarketplace being used for the dissemination of content impacting humandignity, we ensure that our Terms and Conditions, MSA and policies explicitlyprohibit both Sellers and customers from uploading such harmful content. Thesestandards are supported by Shein’s firm enforcement mechanisms, ensuring that 38 any such content is promptly removed by our Content Moderation team throughthe use of automated screening and human moderation. Therefore, although limited harmful content could in theory be uploaded onto theMarketplace, it is unlikely to pass our preventative Mitigation Measures, and if itdoes, it is swiftly removed through our Content Moderation team. Considering allthe above factors, we found that the probability that the Shein Marketplace wouldlist a product or publish a review that impacts human dignity is very unlikely. 12.2.2 Current Risk Mitigations and Effectiveness of the Mitigation Measures See Sub-Risk 4 (Unlawful Behaviour) above. 12.2.3 Actual Risk Rating Human Dignity Low 12.3 Sub-Risk 6 – Privacy and Data Protection The Right to Privacy and Data Protection is one of the Fundamental Rights in theCharter, and as mentioned above, the DSA specifically calls for an assessment of anypotential negative effects on such right arising from the Marketplace. Privacy and Data Protection Risk Definition The risk that the Marketplace does not comply with applicabledata protection law, leading to negative impacts for data subjects. How this risk wouldapply to ourMarketplace if un-mitigated This risk could materialise, for example, if Shein (i) processedusers’ personal data without having legal basis for suchprocessing, (ii) failed to disclose how their personal data is beingprocessed, thereby failing to comply with transparencyrequirement and that its privacy policy failed to be transparent,intelligible and easily accessible to users or (iii) failed to fulfil datasubject rights under the General Data Protection Regulation("GDPR"). 12.3.1 Risk Analysis Providing an experience on the Marketplace that maintains the privacy of usersis fundamental to Shein's obligations, particularly under the GDPR. The GDPRcontributes to the global standard across the group for data and privacy principlesregarding data processing compliance. It enables us to effectively managecompliance and operational risks associated with implementing newfunctionalities and services. For this risk, we have therefore reviewed how Shein processes personal data ofits users in connection with the relevant services it provides on the Marketplace. 39 Clear and transparent privacy practices are at the core of Shein's approach toprotecting customers' and Sellers' privacy, and the Marketplace’s interface offersits users easy access to a Privacy Center, facilitating users’ access and controlof their personal data. We have also conducted a review of Shein’s dataprotection practices against its privacy management and compliance framework,which covers various data protection principles such as data minimisation,transparency, data subject rights and confidentiality obligations. Finally, weunderstand that beyond Shein’s compliance with the GDPR, one of the riskdrivers is cybersecurity and have put in place solid Mitigation Measures, set outbelow, to cater for that risk. Overall, the risk relating to the protection of personal data on the Marketplace islow based on the limited nature of Shein's processing activities in the context ofbeing a store, enhanced transparency measures described above, and theallocation of increased compliance resources, such as dedicated privacyoperations and legal support. Comprehensive training is provided to all relevantstakeholders, further minimising the risk involved across user journeys. 12.3.2 Mitigation Measures Mitigation type Mitigation measuresLegal Termsand Policies Our Privacy Policy is straightforward and easy to understand for ourusers. It plays a central role in informing users about how their datais processed by the Marketplace, complying with the GDPR andDSA transparency obligations. It is made easily available whenusers create an account but also on the Shein Privacy Centeravailable from any page on the Shein website.This Privacy Policy reflects Shein’s clear and transparent privacypractices at the core of Shein's approach to protecting customers'and Sellers' privacy. InterfaceDesign To facilitate users’ own control of personal data processing and alignwith our compliance with the DSA, we further provide an option forusers to adjust their personalised product display via theRecommender System and Personalised Settings page, which areeasily accessible on our interface at any time. We provide user-friendly controls on Shein’s PrivacyCenter, allowing data subjects to easily understand our privacypractices and exercise their rights. To reach Shein on any dataprotection query or request, the data subject can either go throughthe Privacy Center page or send an email to the DPO and Privacy team.The Privacy Center and Manage Cookies section of our interfaceprovide our users clear information regarding how to control theirdata-sharing preferences and update their default privacy settings. Investment in Privacy team: Over the past year, we haveinvested in and grown our Privacy team in order to match theactivities on the Marketplace and make sure privacy remains at thecore of what we do. User Controls Organisational 40 Mitigation type Mitigation measures Investment in third-party privacy resources: We have alsoinvested in third-party tools such as a management tool for IncidentResponse and subscriptions to privacy law updates, to helpour business and privacy teams be more efficient withprivacy compliance, including with our responses to incidents. Data Protection Committee: We have recently set up aspecific data protection committee, which meets at least one permonth to discuss and prioritise data protection issues and topics. Cybersecurity Center: To mitigate potential cybersecurity threats,we have formed a cybersecurity center which operates by testingvulnerability, ensuring the safety of Shein’s data. Investment in privacy certifications (ISO27001): We havebeen globally independently certified as compliant with anumber of security standards in the industry, such as ISO 27001. InternalProcesses Data Subjects’ Rights: Once a data subject sends a messageto the Privacy team (through the Privacy Center or by email), thedata subject will receive an acknowledgement of receipt. Alldata subject rights requests are dealt with promptly, and aresponse is sent as soon as possible. Where possible, Sheinalso assists the data subject with identifying the correct thirdparty if the request concerns another independent data controller. Data Processing: Our Privacy team conducts assessments such as Privacy Impact Assessments as requiredand Legitimate Interest Assessments as applicable to operatelawful data processing throughout its lifecycle andsafeguard the protection of our users' personal data.Before processing data, a number of mandatory preparatorysteps have to be taken at Shein. Our review processes areoutlined in policies for data processing activities. We carry outdata impact assessments where required, in accordance withGDPR. Subject to the risk identified, Shein wouldimplement necessary and proportionate mitigations andimprovements as a result of such assessment. Shein ensuresthat it has data processing agreements signed with Sellers orcontractors where this is required and carries out the necessarychecks to ensure their data protection compliance.When implementing a new data processing activity,where applicable, we: (1) confirm the implementation of the properconsent tools where required, (2) update our policies whererequired, (3) confirm the accuracy, quantity and quality of dataprocessed to identify any required adjustments, (4) begin the‘go live’ process once all identified mitigations have beendeployed, (5) obtain final sign off from the risk owner and (6)reconfirm functioning and/or updating of data subject rights andprivacy complaint channels where applicable.Shein also conducts regular monitoring of the relevantdata processing including through regular inspections, 41 Mitigation type Mitigation measures supplier management and monitoring of impacts of privacylegislation changes (including guidelines issued by competentData Protection Authorities). Ensuring security of personal data: Shein protects personal databy maintaining industry standard physical, technical, andadministrative security measures such as utilising encryption of dataat rest and in transit and role-based access control. We conductregular internal security audits to ensure the effectiveness of thesecurity measures. We also engage with external parties to auditand validate our security measures. We have been independentlycertified as compliant with a number of security standards asmentioned above. Standard Operating Practices and guidelines: We have clearinternal procedures in relation to global security and riskmanagement. Shein has also developed all relevant privacy andsecurity policies for its personnel to nurture a culture of privacycompliance. For example, Shein restricts the collection andprocessing of personal data in compliance with the principle ofminimisation, which is a core aspect of our compliance policy atShein. This is underpinned by a comprehensive privacy-relatedpolicy that governs all data handling practices. When designing anew feature that leads to data storage, data retention periods arereviewed during the Proof of Concept phase, as business designshould inherently integrate the concept of minimising data collectionand retention.When it comes to security review, reviewers consider factors suchas security measures, data incident management and data accesscontrol strategies. This applies to both internal system designs andreviewing data processing for business activities. Shein uses resultsfrom InfoSec and privacy assessments to ensure alignment withrequirements. In terms of marketing, data retention and deletionprotocols are outlined in the privacy policy and event/campaignterms \& conditions. Post-marketing events, our staff also conductsa review for compliance. Additionally, Shein integrates retentionrequirements as part of data processing agreements or data sharingagreements with third parties. In addition to our Shein-wide Educational Initiatives (set out in moredetail in Section 10.4.3 above), our Privacy team is trained andcertified with the internationally renowned IAPP organisation toensure a high quality of support. 12.3.3 Effectiveness of the Mitigation Measures We have continued to apply and improve our Year 1 Mitigation Measures inrelation to the protection of our users’ personal data and keep evaluating thosemeasures in light of changes to cybersecurity and the implementation of newtechnology. Educational 42 As with some of the other risks, some Mitigation Measures are difficult to assessindividually, but overall, we have found that they are Effective in minimising dataprotection breaches. 12.3.4 Actual Risk Rating Privacy and Data Protection Low Medium 12.4 Sub-Risk 7 – Freedom of Expression and Information Freedom of expression and information is a fundamental right under the Charter andcovers a broad spectrum. We defined it considering its impact for marketplaces such asours and addressed the linguistic element under Sub-Risk 8 (Non-Discrimination). Freedom of Expression and Information Risk Definition The risk that the Marketplace’s design and processes negativelyaffect users’ freedom of expression and information. How this risk wouldapply to ourMarketplace if un-mitigated This risk could apply to our Marketplace if Shein removedreviews or product listings arbitrarily without due process, i.e.without lawful reason nor notification or appeal rights, resultingin the users’ freedom of expression and information beingcurtailed. 12.4.1 Risk Analysis Shein aims to moderate the Marketplace in a manner that does not affect thefreedom of speech of genuine users. However, the risk relating to freedom ofexpression and information on an e-commerce platform is very limited,particularly when compared to other platforms. Unlike social media services,marketplaces do not host opinions, news, or views and any user-generatedcontent is restricted to product listings and scope-constrained reviews. However, as explained in other Sub-Risk 4(Unlawful Behaviour), our interfaceis not designed to allow opportunities for expressive content, nor doesour Recommender System amplify such content. Accordingly, the risk ofalgorithmic bias impacting freedom of expression and information is virtuallynon-existent. Nonetheless, we still took into consideration the fact that while reviewsare transactional in nature, some customers are likely to regard their reviews asan expression of their genuine opinion and freedom of expression. Therefore,our Content Moderation team and its enforcement of Shein’s legal terms andpolicies play an important role in relation to this fundamental right. This riskwould be likely to arise if Shein lacked clear policies on what constitutesacceptable reviews or disregarded such policies and proceeded arbitrarilyto content removal, i.e. without proper review, lawful justification, usernotification, or an opportunity to appeal Shein’s decision. 43 On that basis, we have considered our legal terms and concluded that theyclearly set out what is acceptable and what is not. We also found that these legalterms are enforced in a consistent and transparent manner by our ContentModeration team. Enforcement actions are taken only where there is a legitimatebasis to do so, and users are notified of such actions and provided with avenuesto challenge or appeal moderation decisions. The possibility of misuse of our Marketplace does not materially alter thisanalysis, as attempts to influence public discourse or suppress information aretypically made on platforms designed for communication and amplification. TheShein Marketplace does not provide an efficient way to do so. Therefore, the likelihood that our Marketplace would interfere with users’ freedomof expression and information is low and mitigated through our Notice and Actionmechanisms, steady enforcement of our legal terms and interface design. 12.4.2 Current Risk Mitigations Mitigation type Mitigation measures Organisational Shein has teams dedicated to content moderation who are trained toreview any user-generated content and apply Shein’s internalprocesses objectively.The Content Moderation team regularly works with the Legal team iffurther consultation is required before reaching a content moderationdecision. InternalprocessesReviews Policy: Shein accepts and publishes both positive andnegative reviews to support customers with their product purchasing,protecting users' freedom of speech. The Reviews Policy mentionsthat Shein welcomes all kinds of reviews, therefore promoting thefreedom of speech. However, since the Marketplace is not, unlikesocial media for instance, aimed at providing users a space toexpress themselves and share their ideas, our Reviews Policy clearlysets out the criteria for a review to be published. Shein employs anautomated review of customer reviews, alongside a review againstShein's Reviews Policy, to prevent the publication of offensive andinappropriate language. Problematic reviews are withheld or removedbased on Shein's Reviews Policy, and the Content Moderation teamis provided with training that includes non-discrimination rules. Notices: As and when a review is flagged by a user as potentiallyproblematic, Shein will assess the review against its Reviews Policyto ensure that it reaches an objective decision. It will then notify theuser who generated the content, as well as the one who reported it,of its decision, including its statement of reasons. Appeal: Shein also provides its users the right to appeal any contentmoderation decision, whether to keep content online or remove it,made by Shein. Out of Court Dispute Resolution: The user can also reach out toone of the accredited out-of-court\` dispute resolution bodies if theuser is unsatisfied with Shein’s moderation decision. In such cases, 44 Mitigation type Mitigation measures Shein will cooperate with the relevant accredited body in accordancewith Shein’s internal procedure on dispute resolution. 12.4.3 Effectiveness of the Mitigation Measures In Year 2, we have continued to strengthen our existing Mitigation Measures byreviewing our Notice and Action mechanisms and fine-tuning them to provide ourusers with increased transparency and assessed them as Very Effective. 12.4.4 Actual Risk Rating Freedom of Expression and Information Low 12.5 Sub-Risk 8 – Non-discrimination Under the Charter, the right not to be discriminated against is fairly wide. We concludedthat the relevant angle for a marketplace such as ours was an assessment of the risk ofusability of the Marketplace rather than the risk of dissemination of discriminatorycontent. Non-discrimination Risk Definition The risk that the Marketplace excludes minority users or userswith disabilities. How this risk wouldapply to ourMarketplace if un-mitigated. The risk could arise on the Marketplace if our website lackedthe required functionality to enable users with accessibilityrequirements to access it or if we only provide our Terms andConditions in limited languages, making it harder for theseusers to use our Marketplace. 12.5.1 Risk Analysis In the context of a transactional marketplace such as ours, the key risk in termsof discrimination is not the expression of discriminatory content, but the possibilitythat we could inadvertently exclude minority users or users with disabilities byfailing to provide a fully functional, understandable or accessible website. Wereached this conclusion based on the fact that our system is not optimised forexpressive content and therefore carries a low risk of discriminatory outcomescompared with social media or search engines. Nevertheless, risks could arise ifadaptive technologies (e.g., screen readers) were not fully supported for userswith disabilities or if we excluded some EU users by not providing them with ourunderstandable Terms and Conditions. 45 We have assessed that our content moderation systems play a limited role in thiscontext. A hypothetical risk would be for content moderation decisions to beapplied in a manner that indirectly discriminated against certain users bydisproportionately removing listings or reviews linked to products or servicesassociated with minority groups. However, we do not believe it to be fullyapplicable in this context as our moderation processes are structured aroundlegality and safety rather than subjective opinions and enforcement is appliedconsistently, with appeal rights in place, to safeguard against potential unequaltreatment. We also considered the possibility of external influence on our Marketplace fordiscrimination purposes, such as targeted exclusion of minority Sellers; however,we have found this possibility to be remote, especially considering that theonboarding process is managed internally. Regional and linguistic aspects arerelevant in terms of accessibility, although the transactional nature of ourMarketplace means that risks of exclusion based on language nuance are limitedcompared with social media platforms. That said, Shein provides its Terms andConditions in at least one of the official EU languages of the EU member state inwhich we are offering services, as well as multilingual support and translationtools to ensure accessibility across EU member states. Our risk analysis concludes that the likelihood that Shein’s systems or designwould infringe the right to non-discrimination by excluding minority users or userswith disabilities is low. 12.5.2 Current Risk Mitigations Mitigation type Mitigation measures Legal Termsand Policies Shein has translated its Terms and Conditions in at least one of theofficial EU languages of the EU member state in which we areoffering services.We also offer multilingual support and translation tools to ensureaccessibility, allowing our customers to communicate with us easily. InterfaceDesign Regarding the risk of discrimination against people with disabilities,we have conducted internal reviews of our website interface inaccordance with the European Accessibility Act ("EAA") and arecurrently updating our systems accordingly. Organisational Our Government Relations team works across the EU to understandand mitigate any risk of regional or cultural discrimination. Internalprocesses Shein works with website accessibility advisors on best industrypractices in terms of website accessibility and compliance with theEEA. 12.5.3 Effectiveness of the Mitigation Measures In addition to previous Mitigation Measures, we have in this Year 2 also launcheda dedicated accessibility programme to ensure that our Marketplace complies 46 with the requirements of the European Accessibility Act. The programme isalready well underway and is scheduled for completion within the second half of2025. As part of this initiative, we are undertaking a comprehensive review ofMarketplace functionalities to identify and address potential barriers for userswith disabilities, ensuring full alignment with EU standards. In addition, we are inthe process of engaging external advisors specialising in accessibility. Their roleis to provide expert input and independent validation of the programme, ensuringthat our Marketplace continues to meet compliance requirements. This initiative represents an additional and forward-looking Mitigation Measure tosafeguard the right to non-discrimination, which we believe is Effective inaddressing any potential for discrimination on the Marketplace. 12.5.4 Actual Risk Rating Non-discrimination Low 12.6 Sub-Risk 9 – Children’s Rights In line with our policies and for this Risk Assessment, we rely on Article 1 of the UNConvention on the Rights of the Child (CRC), which states that "A child means everyhuman being below the age of eighteen years unless under the law applicable to thechild, majority is attained earlier" as the Charter doesn’t define "child". Children’s Rights Risk Definition The risk that the Marketplace is misused in ways thatnegatively affect children’s rights, including exposure toharmful or inappropriate content, exploitation, or violations ofchild protection and safety standards. How this risk wouldapply to ourMarketplace if un-mitigated This risk could apply to our Marketplace if children were touse the Marketplace and encounter illegal content or age-inappropriate content, such as violence and pornography. 12.6.1 Risk Analysis The Rights of the Child, as recognised in the Charter, include the right to life,education, healthcare, protection from abuse and exploitation, and the right toexpress their views. Protection of minors also requires safeguarding them fromphysical, emotional, and psychological harm, ensuring that these rights areupheld in all environments, including online platforms. In the context of Shein, our Marketplace revolves around users searching for andpurchasing products. Transactions are of a financial nature, which minors do not 47 have the legal capacity to execute. Adults are Shein’s intended audience, andthe storefront is not designed to attract or retain minors, nor does Shein targetminors with products or marketing. The content and functionality of ourMarketplace are structured for commerce rather than entertainment. Unlike socialmedia platforms, where peer interaction and viral content dissemination createhigh exposure risks for minors, Shein’s environment is transaction-centric, withvery limited opportunities for harmful interactions. Any risk of intentionalmanipulation of our Marketplace to target minors is therefore low. That said, as with any store, minors may access Shein, which introduces aresidual risk. For this reason, Shein has adopted targeted measures to adapt thedesign and functioning of the Marketplace to ensure a high level of protection forchildren, in compliance with Article 28 of the DSA. These measures include: • Age restrictions in General Conditions of Sale. • Age verification processes for adult or age-sensitive products. • Enforcing our General Conditions and user-generated content rules topromptly identify and remove inappropriate content. • Implementing additional safety measures tailored to the risks minors mayface. These measures are tailored and proportionate to the risks relevant to atransactional platform. We note that children and young people are generallymore vulnerable to addictive aspects of online platforms and have consideredaddiction under Sub-Risk 15 (Mental Health), however, our Marketplace is notdesigned to be used by minors. 12.6.2 Current Risk Mitigations Mitigation type Mitigation measures Legal Terms,Policies andEnforcement Shein’s General Conditions of Sale are consistent with thebusiness’ approach and state that customers must be at least18 years old to place an order and enter a contract of sale.This helps to ensure that only adults make purchases, addinga first layer of safety and security for minors by not allowingthem to engage in financial transactions. The Shein accountis central to any interaction and a prerequisite for accessingthe full Shein service, to purchase goods. Creating anaccount is fundamental to placing an order, and ourConditions of Use and Sale require that a user must be atleast 18 years old to place an order. Both our Terms andConditions and the Privacy Policy are surfaced to a userwhen an account is created.Further, each account requires a valid payment method suchas a credit or debit card linked to the account. In many EUjurisdictions, an individual must be over the age of 18 to applyfor a credit card or a full-feature debit card, or have theoversight of a parent or guardian when applying for a debit 48 Mitigation type Mitigation measures card with limited functionality (such as withdrawing cash) atvarying ages under 18.Additionally, Shein’s Affiliate Program Terms of Serviceincorporates a minimum age requirement and explicitly statesthat an affiliate must be at least 18 years old to apply for andparticipate in the program.Finally, in compliance with our Reviews Policy, reviews mayonly be submitted by adults or with the parental consent sincereviews are limited to users who are logged into their account(and therefore verified users) and have successfully madepayment of the relevant order. Promotional features (games). We ensure through ourlegal terms that only users above 18 years old are allowed toaccess these features. Protecting children's privacy. Our Privacy Policy providesthat our services are not directed towards minors. OurPrivacy Policy specifies that in cases where personal datahas been shared by a minor, we request the parent orguardian to contact us immediately so that we can removethe personal data and avoid any further use of the minor'spersonal data. Interface Design Adult products and inappropriate content for minors. Toenhance our protection for minors, our algorithms andsystems are designed not to push advertisements ormarketing for adult toys to anyone or otherwise activelypromote adult products. Adult toys are limited to a specificsub-section of the Marketplace and include age verificationprompts to avoid mixing adult products with standardproducts that may be accessible to minors. Ourrecommender systems ensure that such products are notdisplayed unless specifically searched for by a user, and thecontent of the page will remain hidden until users confirm thatthey are above 18. We consider this to be an appropriatemitigation for the risk of minors inadvertently accessing suchcontent. We have also carried out a risk assessment inrelation to the Affiliate Program and identified measures to beput in place to protect minors. Internalprocesses The content moderation measures described in Sub-Risk 4(Unlawful Behaviour) above include the prevention of contentthat could be harmful to minors, such as violence andpornography.For completeness, we also note that any product content thatincludes minors as models is subject to a valid legalagreement (e.g., that was consented to or authorised by theirparent or guardian). 49 Mitigation type Mitigation measures We do not seek to provide services to children and our ageassurance measures act to mitigate any residual risk in thisregard. We have mechanisms in place to enable the exerciseof rights across the EU, and our Privacy team also supportsadditional reviews where required. Maintaining controls tominimise risk is crucial for Shein. We are therefore committedto keeping our practices in line with and up to date withindustry practices, in particular on age verification. In thisconnection, we are also aligning our practices with therequirements of the UK's Online Safety Act to mitigate anyresidual risks in this regard, following the guidance of the UKregulator (Ofcom) as the implementation of the Actprogresses. 12.6.3 Effectiveness of the Mitigation Measures We conclude that this Sub-Risk 9 is not fully relevant to our Marketplace for thereasons stated above. Nonetheless, we have put in place strong preventativeMitigation Measures that are Very Effective at reducing any potential risks tominors. We also monitor EU guidance on this topic and will continue reviewingmarket practice in this area to align our Mitigation Measures with evolvingregulatory expectations and industry standards. 12.6.4 Actual Risk Rating Children’s Rights Low 12.7 Sub-Risk 10 – Consumer Protection Consumer Protection Risk Definition Risk that unfair commercial practices take place on theMarketplace, that legal terms are not clear, that no Sellerinformation available, that various frauds take place etc. How this risk wouldapply to ourMarketplace if un-mitigated This risk would apply on the Marketplace when users areexposed to unfair commercial practices or unfair terms. Forexample, Sellers providing products that did not comply withEU safety standards and legislation, not vetting Sellers orenabling fraudulent practices. 50 12.7.1 Risk Analysis This Sub-Risk 10 overlaps with some of the previously mentioned Sub-Riskssuch as Illegal Products, vetting of Sellers, etc. and requires safeguardingconsumers against misleading, fraudulent, or unsafe practices and ensuring thattheir economic interests and fundamental rights are respected. In the context ofShein, a transactional marketplace connecting Sellers with customers, we haveassessed that the main risks to consumer protection stem from the potentialdissemination of misleading or unlawful information within product listings orreviews, or from Sellers attempting to market unsafe or non-compliant goods. We are conscious that fraud is inherent to any online business involving usertransactions. We manage this risk through several Mitigation Measures, includinga strong fraud detection system that monitors user activity on the Marketplace todetect patterns indicative of fraudulent behaviour or transactions for anyirregularities or signs of fraud. We have also reviewed potential misuse or manipulation of the Marketplace,such as the presence of so-called "hidden links" into product listings but havefound no evidence of such activity on the Shein Marketplace. Like any platform, we are conscious that recommender systems influence thecontent displayed to users. To address this, we have put in place an internal riskassessment process to analyse any risks associated with the design of newfeatures before their launch. Another potential risk driver is the risk pertaining to customer reviews. Althoughour Marketplace encourages genuine and trustworthy reviews so that our othercustomers can make informed purchases, we monitor these closely inaccordance with our Reviews Policy’s clear guidelines and restrictions. Managing the risks associated with respecting consumer rights is central to ourcore service. We are aware of the associated risks associated, and arecontinuously reviewing our Mitigation Measures to ensure they remain effective,proportionate, and aligned with evolving industry standards. 12.7.2 Current Risk Mitigations Mitigation type Mitigation measures Legal Terms andPoliciesClear Terms and Conditions:- As noted in Section 10.4.2 (LegalTerms, policies and enforcement) above, our users are providedwith our Terms and Conditions which are split between the (i)Conditions of Use (which govern customers’ use of our Europeanwebsites and app and users’ relationship with Shein as operatorof the marketplace), (ii) Conditions of Sale (which apply tocustomers’ purchases on the Marketplace between customersand Sellers) and (iii) Shein’s Policies, such as our Reviews Policy.We regularly review our legal terms to promote clarity and easeof understanding, and our most recent review in July 2025 has ledto additional enhancements.In addition, our MSA, EU Appendix, and related policies set outstrict obligations on Sellers, including requirements to comply with 51 Mitigation type Mitigation measures EU product safety rules and consumer protection laws.Consumers are provided with clear information about their rightsin our General Conditions.In accordance with the DSA, we provide our legal terms in allofficial EU languages, ensuring EU customers’ understanding ofour terms and policies. Similarly, we provide multilingual supportso that our customers can communicate with us easily. Clear Reviews Policy: Our Terms and Conditions and ReviewsPolicy set out very clearly the standards expected from userreviews on the Marketplace. It also helps users provideinformation as complete and accurate as possible, to ensure thatthe review is useful to other customers. Automated request of mandatory pre-contractualinformation: We aim to ensure that consumers are providedwith all the necessary information to conclude distance contractswith traders in an informed manner. When listing a product,Sellers are required, in accordance with Shein’s Global MarketPolicy Selling but also through mandatory fields in the interfacefor listing a product, to provide all necessary pre-contractual information. This ensures clear and unambiguousidentification of products offered to consumers. When conductingproduct reviews, Shein does not limit its review to contentmoderation measures described above, but also reviews theproduct against applicable legal requirements and industrystandards. The system is designed so that informationcollected from Sellers is automatically transferred to theinterface for users' visibility. Cost transparency: All fees and charges are disclosed toconsumers upfront. The consumer can see a detailed breakdownof all costs, including shipping and taxes, before completing apurchase. At this point, the final amount to be paid by theconsumer is clearly displayed, and further charges will not beapplied on top without the consumer having had sight of thoseadditional costs before purchase. User Controls Notice and Action: As mentioned in Sub-Risk 4 (UnlawfulBehaviour), as well as the illegal products and IP infringingproduct sections above, the Marketplace offers Notice and Actionfunctionalities allowing users to easily report illegal content,including unlawful behaviour. The Marketplace includes a Reportbutton that focuses on reviews where all users can notify Shein ofany misleading, abusive or illegal content within a review, as wellas a Report button next to each product. These easy reportingmechanisms are next to the products to ensure easy flagging ofany other potential breaches by users.The processing of these reports and related investigationsinvolves human review, which we are set up to deal in multiplelanguages. Interface Design 52 Mitigation type Mitigation measuresRecommender systems: Recommender systems on theMarketplace are deployed to enhance the experience of ourusers. The systems allow our customers to discover newproducts, which in turn supports our Sellers to reach a wideraudience on the Marketplace. Shein’s recommender systems aregenerally based on the performance of a product (e.g., best soldproducts) and/or customers' searches to support customers’navigation of the storefront. These systems may take into accountvarious objectives at the same time (e.g., maximising userfeedback or click-through rates of the product). Our sortingfeature allows users to easily select options to sort the productsdisplayed further to a search query, which allows the customer toinfluence the product ranking. Users can also easily update theirprofile to select their favourite categories and styles, suchmeasures contribute to mitigating residual risks. InternalprocessesEffective Complaints process: In case of complaints,customers can contact the Customer Service and file a complaintwhich is then efficiently reviewed within a reasonable amount oftime. Content Moderation: Our content moderation processes andteams are set up to detect and remove unlawful or misleadingproduct information, counterfeit items, fraudulent claims or fakereviews pre-listing. Automated tools, supported by human review,monitor listings for compliance with applicable law, Marketplacepolicies, and consumer protection requirements. Where issuesare detected, products are removed, and Sellers may facesuspension or account termination. For example, where a productmay be deemed as 'offensive' or 'controversial', these will bereviewed to ensure that non-compliant listings are removed. Thisis a nuanced area, and we review many products each day forthis purpose. Trader information verification: We structure our Marketplaceto vet Sellers from the outset and require mandatory informationabout their legal structure as well as their products by imposingextensive pre-listing requirements, compliance checks, andongoing monitoring of Seller activity. This allows us to check thatSellers only list relevant and lawful products to customers. Fraud Detection System: We have developed a fraud detectionsystem that monitors user activity on the Marketplace to detectpatterns indicative of fraudulent behaviour or transactions for anyirregularities or signs of fraud. The system is designed to detectpatterns indicative of fraudulent behaviour, such as unusualtransaction patterns, account activity, etc. It assesses userbehaviour to identify deviations from normal patterns to helpShein detect potentially fraudulent activities based on anomalies.Shein also monitors transactions for any irregularities or signs offraud. These systems enable Shein to promptly flag andinvestigate suspicious transactions to prevent fraudulent 53 Mitigation type Mitigation measures activities. Shein conducts regular reviews and fine-tuning of itssystem to adapt to evolving fraud trends and enhance itsperformance over time. Effective review verification process: To be able to post areview, a user must first be registered with Shein and havepurchased the product it wishes to review, as all reviews linked toa specific purchased product. Reviews are also subject toverification to reduce the risk of manipulation or fakeendorsements; Shein seeks to identify customers who engage infraudulent activities, such as fake orders, and will remove reviewsfrom these users. Launch of New Features: At Shein, the process behind thedesign and launch of a new feature is designed to prevent thecreation of any feature or sub-feature that could have negativeeffects on consumers, including distorting or impairing their abilityto make free and informed decisions. It is a multilayer processwhich involves several teams at different stages, based on theirdifferent skills and objectives. It notably takes into account thecustomer's journey on the Marketplace. This process helpsensure that the new feature and its mechanics do not mislead ormanipulate users in ways that could violate consumer protectionlaws or may distort or impair the ability of users to make free andinformed decisions. More generally, it aims to limit the risks ofnegative effects on consumers' rights as protected under EU law. Educational In addition to our Shein-wide training (see Section 10.4.3(Educational Initiatives)), we also provide a Ranking Policy whichoutlines the key factors that may affect the visibility and rankingof products. 12.7.3 Effectiveness of the Mitigation Measures The Marketplace aims to be a storefront that protects and serves our customers.As demonstrated in the Mitigation Measures above, the Marketplace is designedto offer a high level of consumer protection at its core, in compliance with evolvingconsumer protection laws and regulations. Therefore, while the risk of attemptsto undermine consumer protection (e.g., through unsafe products, fraudulentlistings, or fake reviews) on the Marketplace does exist, our coordinatedMitigation Measures have proven Effective at protecting consumers and ensuringcompliance with EU consumer protection legislation, substantially reducing thisinherent risk. 12.7.4 Actual Risk Rating Consumer Protection Low Medium 54 13. ASSESSMENT OF SYSTEMIC RISK 3 – DEMOCRATIC PROCESS AND SOCIETALRISK 13.1 Definition of the Risk – What is Democratic Process and Societal Risk "Democratic Process and Societal Risk" is not such an expression used in the DSAbut it is how we summarise the Systemic Risk identified in Article 34(1)(c) of the DSA,being the risk of any actual or foreseeable negative effects on civic discourse andelectoral processes, and public security. Recital 69 of the DSA states that "When recipients of the service are presented withadvertisements based on targeting techniques optimised to match their interests andpotentially appeal to their vulnerabilities, this can have particularly serious negativeeffects. In certain cases, manipulative techniques can negatively impact entire groupsand amplify societal harms, for example, by contributing to disinformation campaigns orby discriminating against certain groups". Whilst Recital 79 of the DSA states that: "Very large online platforms and very largeonline search engines can be used in a way that strongly influences safety online, theshaping of public opinion and discourse, as well as online trade. The way they designtheir services is generally optimised to benefit their often advertising-driven businessmodels and can cause societal concerns. Effective regulation and enforcement isnecessary in order to effectively identify and mitigate the risks and the societal andeconomic harm that may arise." For our assessment, we have split this Systemic Risk into 2 Sub-Risks: Civic Discourseand Electoral Processes and Public Security. 13.2 Sub-Risk 11 – Civic Discourse and Electoral Processes The DSA requires assessment of risks to democratic processes and potential negativesocietal impacts, including the dissemination of disinformation, manipulation of publicopinion, or other activities that could undermine civic discourse. Civic Discourse and Electoral Processes Risk Definition The risk that the Marketplace will influence elections,democratic process and civil discourse by allowing politicaladvertising or promoting misinformation or disinformation. How this risk wouldapply to ourMarketplace if un-mitigated This risk could hypothetically materialise on theMarketplace if users were able to place advertising ormisuse the product listing or review functionality todisseminate political messaging, disinformation ormisinformation. 13.2.1 Risk Analysis The risk of negative effects on Civic Discourse and Electoral Processes asanticipated by Article 34(1)(c) is mainly a societal risk caused by thedissemination of speech, information and misinformation, and as a result, isprimarily applicable to social media, search engines and content-sharing 55 platforms. The Marketplace does not distribute content such as general speechor personal videos produced or shared by users and is not a forum for theexchange of civic discourse, democratic processes or other electoral activity. Asmentioned in Sub-Risk 2 (Illegal Products) and Sub-Risk 4 (Unlawful Behaviour)above, the content provided by third parties and displayed by Shein on theMarketplace is generally limited for Sellers to information about their productsand characteristics and for customers to reviews about products they havepurchased. We have nonetheless considered how this risk could theoretically arise on theMarketplace and concluded that this could potentially materialise in two ways: Firstly, with respect to unlawful behaviour, the main theoretical risk would be ifSellers attempted to use product listings (titles or descriptions) or if customersused reviews (limited to verified purchases) to insert political messaging,disinformation, or content designed to manipulate democratic debate. However,such behaviour would be atypical and inefficient on a transactional marketplace,which is designed for e-commerce and lacks the amplification mechanismsrequired to fulfil the goal of such a message. Users do not come to ourMarketplace to seek or consume political opinions, and there is very little spacewithin listings or reviews for political messaging. Secondly, in relation toadvertising. However, whilst some promotional activity takes place on theMarketplace, this relates exclusively to listed products as Shein does not allowthird-party advertising. In contrast to attention-based, advertising-funded socialmedia platforms, Shein does not monetise page views. Moreover, theMarketplace does not host advertising that could propagate messaging on issuessuch as politics or matters of concern to public security. We conclude that the potential manipulation and influence on public discoursedoes not apply to the Marketplace, but to the extent that it does, it is alreadycovered by Sub-Risk 4 (Unlawful Behaviour). To date, Shein has not identified orrecorded any attempts to misuse our Marketplace in this way. 13.2.2 Current Risk Mitigations and Effectiveness of the Mitigation Measures See Sub-Risk 4 (Unlawful Behaviour). 13.2.3 Actual Risk Rating Civic Discourse and Electoral Processes Low 13.3 Sub-Risk 12 – Public Security We have assessed the impact of the design or functioning of the Marketplace and relatedsystems on Public Security. 56 Public Security Risk Definition The risk that content posted on the Marketplace couldnegatively impact the safety and security of society bypromoting or inciting violence. How this risk wouldapply to ourMarketplace if un-mitigated This risk could potentially apply on the Marketplace if usersmisuse the listing or reviews’ functionalities to promoteviolence or threats such as criminal activity, terrorism orcoordinated efforts to undermine public order. 13.3.1 Risk Analysis In the context of Shein, the relevant risks overlap substantially with those alreadyanalysed under Sub-Risk 2 (Illegal Products) and Sub-Risk 4 (UnlawfulBehaviour), since both relate to the misuse of our Marketplace’s limited user-generated content features. Similarly to Sub-Risk 11 (Civic Discourse and Electoral Processes), the maintheoretical risk would arise if users attempted to misuse listing or reviewfunctionalities for illegal purposes. Such behaviour, however, would be atypical on a transactional marketplace,which is not designed nor optimised for expressive content and does not providethe amplification mechanisms available on social media. As such, the risks topublic security are the same as those already identified for Illegal Products andUnlawful Behaviour, and the corresponding Mitigation Measures apply directly.These include strict terms and conditions, proactive moderation (automated andhuman), enforcement actions, and reporting mechanisms. The probability that Shein would be misused in a way that threatens publicsecurity is therefore assessed as extremely unlikely. 13.3.2 Current Risk Mitigations and Effectiveness of the Mitigation Measures See Sub-Risk 4 (Unlawful Behaviour) and Sub-Risk 2 (Illegal Products). 13.3.3 Actual Risk Rating Public Security Low 57 14. ASSESSMENT OF SYSTEMIC RISK 4 – PUBLIC HEALTH 14.1 Definition of the Risk – What is Public Health Risk "Public Health" is not defined as such in the DSA, however it is referred to in Article34(1)(d) which broadly refers to the risk of having "an actual or foreseeable negativeeffect in relation to gender-based violence, the protection of public health and minorsand serious negative consequences to the person’s physical and mental well-being". Weuse the expression "Public Health" to refer to the risk to all of these. The DSA further explains in its Recitals that this risk may stem from coordinateddisinformation campaigns related to public health, or from online interface design thatmay stimulate behavioural addictions of recipients of the service (Recital 83). The risk ofa disinformation campaign leading to negative effects related to Public Health seemsmore relevant for a service where the business model consists of the dissemination ofdiscourse and information relevant to health topics, and therefore seems of limitedrelevance to our Marketplace that primarily sells clothing. We have divided this Systemic Risk into 3 Sub-Risks: Gender-based Violence, PublicHealth and Mental Health 14.2 Sub-Risk 13 – Gender-based Violence .Gender-based Violence Risk Definition The risk that the Marketplace’s use contributes to harmdirected at individuals based on their gender. How this risk would applyto our Marketplace if un-mitigated The risk of allowing gender-based violence, harassmentor abuse on the Marketplace could hypotheticallymaterialise on the Marketplace through the use of listingsor reviews:  featuring abusive messages, sexual harassmentagainst women or men, or gender slurs; or  promoting the sale of products explicitly glorifying orencouraging violence against women or menspecifically. 14.2.1 Risk Analysis As Shein is a marketplace and not a social media platform, it is not designed tohost nor amplify user-generated content. It offers only very limited means fortargeted abuse, such as abusive language or glorification of Gender-basedviolence ("GBV"). We conclude that GBV-related risks are largely irrelevant to our Marketplace.However, to the extent that some risk factors still exist, these are covered withinthe broader category of Sub-Risk 4 (Unlawful Behaviour). 14.2.2 Current Risk Mitigations and Effectiveness of the Mitigation Measures See Sub-Risk 4 (Unlawful Behaviour). 58 14.2.3 Actual Risk Rating Gender-based Violence Low 14.3 Sub-Risk 14 – Public Health and Physical Health Public Health and Physical Health Risk Definition The risk of the Marketplace being used to disseminatemisinformation or disinformation in health content or for thesale of dangerous products. How this risk wouldapply to ourMarketplace if un-mitigated This risk could apply to the Marketplace if users:  misused the listing or review functionalities to disseminatefalse or inaccurate health information such as messagesclaiming that "drinking bleach cures COVID-19"; or  list dangerous or prescription-only medicine or medicaldevice, for example slimming products with sibutramine;skin-lightening creams with mercury or counterfeit bloodpressure monitors. 14.3.1 Risk Analysis This Sub-Risk 14 is split between the risk to health caused by (a) thedissemination of health misinformation/disinformation on physical products and(b) the sale of dangerous or illegal products. As stated in earlier sections of this Report, our systems are not designed toamplify content and therefore the scope for dissemination is limited compared tohigh-interaction environments. Therefore, the risk analysis performed in relationto Sub-Risk 14 (Unlawful Behaviour) applies here as well. With regards to therisk of sale of dangerous or illegal products, the relevant risk analysis is the oneapplicable to Sub-Risk 2 (Illegal Products). The Mitigation Measures listed underthese risks therefore also apply to this Sub-Risk 14. 14.3.2 Current Risk Mitigations and Effectiveness of the Mitigation Measures See Unlawful Behaviour and Illegal Product Risks. 14.3.3 Actual Risk Rating Public Health and Physical Health Low 59 14.4 Sub-Risk 15 – Mental Health Mental Health Risk Definition The risk that the use of the Marketplace may have an adverseimpact on users’ mental health. How this risk wouldapply to ourMarketplace if un-mitigated This risk could apply on the Marketplace through the exposureof users to addictive design features that incentivise users tospend extended periods of time on the Marketplace, e.g.unlimited scrolling and spending money compulsively. 14.4.1 Risk Analysis Shein’s Marketplace focuses on e-commerce and presents a materially lower riskfor mental health than platforms designed for entertainment or social interaction.Other potential factors of risk, such as exposure to harmful or distressing content,are very unlikely in a marketplace setting. User-generated content is extremelylimited, and moderation systems are in place to prevent abuse. Therefore, in viewof the purpose and functioning of the Marketplace, we have determined that theonly potential mental health risk on the Marketplace consists of a risk of addictivebehaviours. The purpose of the Marketplace (i.e., looking for products to purchase)naturally limits the time spent on our platform, and its features (e.g., productcategories, filters, sorting tool) are designed to allow users to find suitableproducts as quickly as possible. The user experience is designed aroundproduct search, comparison, and purchase, which are finite and purpose-drivenactivities. As such, the probability and severity of developing an addictive behaviour onthe Marketplace, and therefore the risk of serious negative consequences tothe user's mental well-being stemming from our Marketplace, are deemedlow. 14.4.2 Current Risk Mitigations Mitigation type Mitigation measures Interface Design The Marketplace has not been designed as an addictive platformand does not feature unlimited downward scrolling.Our interface design facilitates the Users’ visit to the Marketplacewith clear headings and a search function, aligning with the users’specific purpose of making a purchase rather than seekingentertainment. InternalProcessesNew Features: As discussed in detail in Sub-Risk 10 (ConsumerProtection), Shein has put in place internal processes to validatethe design and launch of new features on the Marketplace, therebyensuring compliance by design with EU legislation. This multilayerprocess requires, amongst others, the Legal team to perform a 60 review of the feature at the design stage to ensure they do notcontain addictive features or distort or impair the ability of the usersof the Marketplace to make free and informed decisions. 14.4.3 Effectiveness of the Mitigation Measures We consider our pre-emptive Mitigation Measures, such as our new feature riskassessment, to be Very Effective in terms of mitigating any potential addictivefeature. 14.4.4 Actual Risk Rating Mental Health Low 61 15. CONCLUSION As a leading online marketplace, ensuring safety and trust is central to our operations. We arecommitted to providing a secure and reliable shopping and selling experience for both customersand sellers, supported by clear policies, effective monitoring and robust enforcement. For this 2025 Risk Assessment, we have conducted a thorough review of our marketplacesystems and practices and updated our risk assessment methodology. This has enabled us toidentify, assess and address the systemic risks relevant to our marketplace in line with Articles34 and 35 of the DSA. Our assessment confirms that while certain areas such as exposure to illegal content presentinherent risks to all online marketplaces, Shein has recognised these risks and built itsmarketplace on an effective and integrated risk management framework. This approach reducesinherent e-commerce risks to a low and manageable level. We are confident in our framework but recognise that systemic risks evolve rapidly with changesin technology and user behaviour. To address this, we maintain a strong DSA ComplianceFunction that coordinates our DSA compliance efforts, conducts continuous risk reviews anddrives ongoing mitigation improvements. Over the coming year, we will further strengthen our six areas of mitigation. These efforts will becomplemented by continuous monitoring of European Commission guidance and marketpractices to ensure our framework remains aligned with the evolving online environment andlegal requirements. Through these measures, we reaffirm our commitment to ensuring that ourmarketplace remains a safe and trustworthy environment for all users.