Skip to main content
Home/Blog/X DSA Ad Repository Audit 2026: What Competitors Can See About Your Spend
Back to Intelligence Hub
regulationEuropean UnionRisk Level: high

X DSA Ad Repository Audit 2026: What Competitors Can See About Your Spend

The EU DSA ad repository for X is a free open competitive intelligence database. What competitors and researchers can see about your spend, and how to audit your own exposure.

May 21, 202612 min readAuditSocials Research
TweetShare
Quick Answer

The X DSA ad repository, published under Article 39 transparency obligations, exposes advertiser identity, ad creative, targeting parameters, reach metrics, and spend ranges for EU campaigns. Competitors and researchers can audit your spend, creative testing, and audience strategy without authorisation — advertisers should audit their own exposure proactively.

X DSA Ad Repository Audit 2026: What Competitors Can See About Your Spend

What the DSA Ad Repository Actually Exposes

The X DSA ad repository, published under Article 39 of the EU Digital Services Act, is the most consequential change to advertising transparency on the platform since the 2023 shift to the post-Twitter operating model. The repository is open, indexed, and free, which makes it a near-perfect competitive intelligence database. Most advertisers underestimate what their own repository profile reveals about strategy, creative testing, audience segmentation, and compliance posture, and the underestimation produces both missed competitive intelligence opportunities and avoidable exposure of the advertiser's own program.

The repository is not optional. Any advertising that reaches EU users on X is included in the repository under the platform's compliance program responding to the December 2025 enforcement decision that imposed a €120 million sanction for transparency failures. Advertisers cannot opt out, hide entries, or selectively expose campaigns. What advertisers can do is shape what the repository displays through campaign structure, creative discipline, identity consolidation, and compliance quality, in ways that reduce the competitive intelligence value of repository entries while maintaining or strengthening regulatory compliance.

Under Article 39 of the DSA, very large online platforms must compile and make publicly available repositories of advertisements served on the platform, with specified data fields; the obligation applies regardless of advertiser preference and is enforced against the platform.
— Paraphrase of DSA Article 39; not a verbatim quotation

This guide covers what the X repository specifically publishes, how competitors actually use the data, what scrutiny researchers and regulators apply, how to run a self-audit on your own repository profile, what defensive shaping is legitimate within the DSA framework, and how the X picture relates to Meta, TikTok, and Google repositories. For ongoing DSA-related policy tracking, see the Policy Change Tracker, and for broader regulatory posture, the EU DSA Compliance Guide.

Article 39 in Plain Language

Article 39 of the DSA establishes a positive obligation on every very large online platform to maintain a repository of advertisements served on the service, accessible through a documented interface, retained for one year after the advertisement last ran, and structured so that researchers and the public can query the dataset for a specific set of fields. The article does not give the platform discretion over inclusion, retention period, or field scope. Platforms must publish what the regulation enumerates. The supervisory framework in DSA Articles 49 through 56 then gives the Commission and Digital Services Coordinators direct authority to investigate non-compliance, to request information, and to impose sanctions up to six percent of global annual turnover. The combination of mandatory publication and unrestricted regulator access converts the repository from a transparency artifact into operational evidence used in enforcement. Advertisers should read Article 39 as describing not the platform's transparency posture but the advertiser's permanent visibility surface.

Treat every paid placement that reaches EU users as an entry in a public database that will be reviewable for at least twelve months after the placement ends. The regulation does not contain a small-advertiser carve-out, a sectoral exemption for non-political advertising, or a delay window for sensitive launches. The repository captures what was served, when it was served, and to whom in aggregate terms.

Why X Repository Quality Has Been Under Scrutiny

The €120 million sanction announced in December 2025 specifically named repository defects — incomplete entries, search interface friction, missing creative variants, and gaps between served advertising and published records — as evidence supporting the finding that the platform had failed its Article 39 obligations. The decision establishes that the Commission treats repository quality as substantively reviewable, not as a procedural formality discharged by publishing something nominally repository-shaped. The platform's compliance program responding to the decision involves measurable improvements to coverage, field completeness, and search reliability, and advertisers should expect that the repository they audit in 2026 will continue to evolve as the platform implements remediation. The relevant point for the advertiser is not the platform's enforcement risk in isolation but the operational fact that the repository will become more comprehensive over time, not less, and any current gaps should be treated as transient rather than as durable hiding places. For context on the underlying decision and its advertiser implications, see the cross-linked piece on X enforcement escalation patterns and the policy entry on X Ads policy.

Fields Visible in the X Repository

The repository structure publishes a defined set of fields per ad and explicitly excludes certain operational data. Understanding the precise list of published and absent fields is the basis for any audit, intelligence work, or defensive posture decision.

Published Fields

FieldGranularityIntelligence Value
Advertiser identityRegistered billing nameIdentifies the advertiser; reveals organizational structure where multiple entities exist
Campaign periodStart and end datesIndicates campaign cadence and duration; supports tactical timing analysis
Targeting parametersGeneralized (geography, age bands, interest categories)Reveals strategic audience choice without exposing user-level matching
Creative contentCopy, image, video, destination URLFull creative intelligence; messaging, value proposition, visual approach
Language coveragePer-language run periodsIndicates regional and language strategy
Estimated EU reachReach range within EUIndicates relative scale of the campaign; not absolute spend

Excluded Fields

  • Bid amounts and bid strategy: Operational pricing data is not published.
  • Optimization goals: Campaign objectives and optimization signals are not in the repository.
  • Conversion data: Performance metrics beyond reach estimate are absent.
  • Source audience lists: Match lists and lookalike sources are not published.
  • Internal campaign naming: Attribution and naming structure remain private.
  • Non-EU reach: The repository covers EU-facing reach; broader global reach data is absent.
  • Agency identity: Where billing identity differs from the executing agency, the agency relationship is not visible.

Source: EU DSA Transparency Database, Article 39 framework; published under CC BY 4.0.

API Access and Rate Limits

Article 39 obliges platforms to expose the repository through programmatic interfaces, not only a search UI. X publishes the repository through an API that supports query by advertiser name, time window, language, and content keywords, with pagination and bulk-export capabilities that align with researcher needs and competitive intelligence workflows. Documented rate limits sit in a range that supports sustained monitoring rather than only spot checks — competitive intelligence teams that build automated daily pulls have not been finding the limits binding in practice. The API surface returns the same fields enumerated above and applies the same one-year retention. Advertisers should assume that any technically competent third party can ingest the repository in bulk, normalize it across the major platforms, and build longitudinal databases that survive the platform's one-year retention through external storage. A repository entry should therefore be treated as effectively permanent from the advertiser's planning perspective even though the platform itself only retains for the regulated minimum.

Data Quality and Coverage Gaps

The repository is regulated for completeness but the platform's implementation has historically had measurable defects — entries missing creative variants, language metadata absent or incorrect, reach estimates with implausible distributions, and creative-asset links that resolved to deleted media. Civil society analyses through 2024-2026 documented gaps consistently enough that the December 2025 decision cited the pattern. The advertiser's exposure interacts with these defects in two opposite ways. First, a current gap does not protect future visibility — entries can be backfilled as platform compliance improves, and any campaign currently running with imperfect repository representation should be planned as if its eventual representation will be complete. Second, gaps that affect competitors equally do not reduce the advertiser's relative exposure — the comparative intelligence analysis still proceeds on whatever data is published, and competitive teams compensate for gaps with overlay data from third-party intelligence services. The strategic posture should therefore assume full visibility rather than rely on current implementation defects.

Competitor Intelligence Patterns

Competitor intelligence use of the X repository has matured over 2024-2026 into structured workflows across larger advertisers in regulated and competitive categories. The patterns now operate as a meaningful workstream within competitive marketing teams, and understanding them helps an advertiser audit its own exposure realistically.

Pattern Map

  • Creative intelligence: Collecting and analyzing actual ad creative for messaging direction, value proposition emphasis, visual approach, and iteration rate. The repository provides higher fidelity than third-party ad intelligence services at no licensing cost.
  • Audience targeting reverse engineering: Inferring strategic targeting from published targeting parameters; identifying segments and geographies competitors prioritize and gaps competitors are not addressing.
  • Cadence and budget signaling: Without explicit budget data, campaign duration, frequency, and breadth signal relative scale of effort and tactical timing.
  • Regulatory and risk surveillance: Monitoring competitors for claims, disclosures, and compliance practice visible in creative; identifying market opportunity where competitor risk is high.
  • Creative variation analysis: Where multiple creative appears within a campaign window, inferring the testing program structure and creative strategy.

Workflow Maturity

The competitive intelligence workflow in 2026 typically includes a defined monitoring cadence (weekly to monthly depending on category dynamics), competitor identity tracking that handles parent-and-subsidiary structures, automated change detection on competitor creative, and structured intelligence outputs that feed strategic and tactical marketing decisions. Advertisers without an active repository monitoring program are leaving competitive intelligence value on the table relative to peers that have built the workflow.

For competitive compliance benchmarking use the AI Compliance Audit alongside repository monitoring.

Cross-VLOP Repository Comparison

Competitive intelligence work in 2026 is rarely platform-specific because every major paid environment for EU users now generates a repository entry under the DSA designations. Treating the X repository as the only monitoring surface misses material activity by the same competitors on Meta, TikTok, Google, and other DSA-designated platforms. The Meta ad library remains the deepest source of historical creative data and the most mature search interface; TikTok publishes a comparable field set with a younger query surface; Google distributes the repository across Search, YouTube, and Display product types, which raises ingestion complexity but preserves coverage. The X repository sits inside this cross-platform set with field parity to peers, scrutinized quality after the December 2025 decision, and an API surface that supports bulk competitive monitoring. The practical implication is that an advertiser auditing its own X exposure should expect competitors to be running parallel monitoring across all four major repositories, and any compliance issue visible on X is also presumed visible to competitors who watch the full set.

Inferring Budget and Spend Despite Excluded Fields

The repository excludes explicit budget and bid data, but competitive intelligence teams have developed reliable inference methods that work around the exclusion. Volume of distinct creative entries, breadth of language and geographic coverage, duration of continuous-running placements, and density of creative variation within campaign windows all correlate with spend in ways that produce useful relative estimates. Repository monitoring overlaid with third-party panel data and platform-reported reach ranges can support spend models with practical accuracy at the order-of-magnitude level for competitive purposes. Advertisers should not assume that the absence of explicit budget data hides spend posture — the strategic spend pattern is recoverable from the published surface by anyone willing to model it.

Researcher and Regulator Access

The repository creates a scrutiny layer beyond competitor use, because researchers and regulators have structured access channels that produce enforcement and reputational exposure independent of competitive intelligence.

Access Channels

ChannelAuthorityOutput Type
Vetted researcherDSA Article 40Academic and policy research that may identify advertisers
EU Commission and member-state regulatorsDSA enforcement and supervisory powersEnforcement actions; sectoral compliance investigations
Civil society organizationsPublic repository accessPublic analysis, advocacy reports, consumer protection focus
JournalistsPublic repository accessInvestigative reporting on advertiser practices
CompetitorsPublic repository accessCompetitive intelligence and benchmarking

Enforcement Precedent

The December 2025 EU Commission decision against X for €120 million addressed advertising transparency failures specifically, establishing the repository as primary evidence in DSA enforcement actions and confirming that advertiser compliance issues visible in repository data may be referenced in regulatory action even where the action's primary target is the platform.

Source: EU DSA Transparency Database; enforcement actions published under CC BY 4.0. For regulatory framework see the EU DSA Compliance Guide.

Regulator Inquiries Derived From Repository Data

The Commission and national Digital Services Coordinators have built investigative workflows that take the repository as an entry point. A typical pattern begins with a category-level review of creative across multiple advertisers in a regulated sector — medical advertising, gambling, financial services, food and dietary supplements — and identifies outlier patterns such as missing disclosures, ambiguous claim language, or targeting choices that engage sectoral rules. The outlier review then becomes the basis for a formal information request directed at the platform or, in coordination with national regulators, at named advertisers under sectoral law. Advertisers should expect that compliance defects visible in the repository can produce regulator contact even when the platform itself is not the subject of the underlying enforcement, because the repository is operating as a sectoral compliance surveillance surface in addition to a platform transparency tool. The defensive implication is direct — advertisers in regulated sectors should audit their repository profile against sectoral substantive requirements as well as against advertising policy.

Article 26 Transparency Interaction

Article 26 of the DSA imposes a separate transparency obligation that interacts with Article 39 in ways that compound advertiser visibility. Article 26 requires platforms to label individual advertisements clearly when displayed, to identify the natural or legal person on behalf of whom the ad is presented, and to disclose the meaningful parameters used to determine the recipient. The Article 26 disclosure occurs at the moment of impression and is visible to the user receiving the ad; the Article 39 disclosure occurs in the repository and is visible to anyone querying after the fact. The two surfaces should be consistent — an advertiser whose Article 39 entries show targeting parameters that differ from what the Article 26 in-product disclosure surfaced to users is exposed both for the substantive practice and for the cross-surface inconsistency. The audit posture should therefore reconcile Article 26 disclosures and Article 39 entries as a single transparency program rather than as two unrelated obligations.

Self-Audit Workflow

A self-audit on the X repository produces a current view of the advertiser's own exposure, a competitive benchmark, and a remediation list. The workflow has four phases that should run quarterly.

Phase Sequence

  • Inventory: Every advertisement currently visible under the advertiser's identity, subsidiary identities, agency-of-record identities, and historical identity changes. Exhaustive across the time window the repository covers.
  • Content review: Per-entry compliance review covering advertising claims and substantiation, required disclosures, sensitive-category handling, and brand-voice consistency.
  • Comparative assessment: Benchmark against peer advertisers in the category on volume, targeting breadth, creative variation, and compliance posture.
  • Remediation planning: Prioritized action list — critical (regulatory exposure), important (competitive intelligence reduction), optional (general cleanup).

Audit Outputs

  • Compliance remediation list: Specific content requiring update, replacement, or removal from current campaigns.
  • Defensive shaping plan: Structural changes to reduce competitive intelligence value without reducing compliance.
  • Competitive benchmark: Position relative to category peers; identification of best-practice peer examples.
  • Compliance baseline documentation: Evidence of audit process for regulatory inquiry response.

For automated audit input on creative compliance use the AI Compliance Audit and the Keyword Risk Checker.

Brand-Owned Repository Visibility Posture

Brands that have not run a self-audit consistently discover three classes of finding when they begin. The first is unrecognized identity fragmentation — repository entries appearing under names that the central marketing team did not realize were active, often because regional teams, joint ventures, or product-line organizations have run their own campaigns under their own billing identity. The second is creative that no longer represents the current brand position — old taglines, deprecated claims, or product packaging that has been retired but is still appearing in repository entries for campaigns that have not been formally archived. The third is disclosure quality that varies across creative within the same campaign, where some variants include required regulatory disclosure language and others do not, producing a repository pattern that signals inconsistent compliance practice. None of these classes is an artifact of the repository — they reflect the underlying state of the advertiser's program, and the repository simply makes the state visible to anyone who looks. The audit should be scoped to capture all three classes as standard outputs.

Audit Cadence and Ownership

Quarterly cadence is the minimum responsible interval. Categories with high creative velocity, regulated sectoral pressure, or material competitive activity warrant monthly cadence. Ownership should sit with a named function — compliance, legal, or a dedicated DSA program owner — rather than being distributed across regional marketing teams, because the repository is a single surface and the audit needs a single view across the whole advertiser footprint. The audit outputs should feed into both the marketing decision loop (creative refresh, campaign retirement) and the compliance documentation loop (evidence of process for regulatory inquiry response). Both feeds are required for the audit to produce its intended risk reduction.

Defensive Posture Without Reducing Compliance

Defensive posture toward the repository operates through legitimate shaping levers that reduce competitive intelligence value while maintaining or strengthening compliance. Each lever is within the DSA framework and aligned with general best practice.

Shaping Levers

  • Identity consolidation: Consolidate to a smaller number of clearly identified entities; reduce fragmentation across parent, subsidiary, and regional identities.
  • Creative testing discipline: Move high-volume creative testing to pre-launch environments; only validated creative goes to production paid distribution.
  • Targeting clarity: Concentrated targeting on clearly defined segments produces tighter repository entries than broad-segment campaigns.
  • Timing structure: Pulse campaigns concentrated in tactical windows produce cleaner repository entries than continuous-running campaigns.
  • Compliance quality: Strong compliance practice produces repository entries that demonstrate professional operation; the inverse of exposure.

What Does Not Work

  • Opt-out attempts: The repository inclusion is mandatory; no opt-out exists.
  • Entity obfuscation: Using ambiguous billing names to obscure identity creates regulatory exposure and does not effectively hide identity from competent intelligence work.
  • Targeting obfuscation: Excessively broad targeting to hide specific strategy degrades campaign performance and still reveals strategy through aggregate patterns.
  • Repository disclosure delay: Platform-side gaps in publishing timeliness are platform compliance issues, not advertiser-controllable defensive posture.

Source: EU DSA Transparency Database framework; CC BY 4.0. For audit and compliance tooling see the Legal Compliance Scan.

Aligning Article 26 and Article 39 Programs

The defensive program that produces the strongest repository profile is one that treats Article 26 in-product disclosure and Article 39 repository publication as a single coherent transparency surface rather than as two disconnected obligations. The advertiser should be able to demonstrate that the targeting parameters disclosed in-product to a user at the moment of impression are the same parameters reflected in the repository entry for the same creative. Internal documentation should map the campaign setup to both surfaces and reconcile any drift. Where third-party ad-server intermediation introduces complexity in the disclosure chain, the documentation should track which entity is responsible for each surface and how the chain produces a consistent advertiser-facing record. The reconciliation work is not visible to the public, but it produces a repository profile that does not contradict itself and that can be defended in regulator inquiry without procedural surprises.

Documenting the Defensive Posture

Each shaping lever should produce documentation that can be presented in regulator inquiry as evidence of a deliberate, compliance-aligned program. Identity consolidation produces an identity map with rationale. Creative testing discipline produces a pre-launch testing log that demonstrates validated-only production deployment. Targeting clarity produces a targeting methodology document. Timing structure produces campaign calendars with stated tactical rationale. Compliance quality produces sign-off records on creative. None of the documentation creates new obligations beyond what good marketing operations would already produce — the point is that the documentation makes the defensive posture inspectable, which is the posture's actual value to the advertiser facing scrutiny.

X Ad Repository Audit Checklist

  • [ ] Inventory every X repository entry under advertiser, subsidiary, and agency identities
  • [ ] Confirm registered advertiser identity matches verified brand handle
  • [ ] Review each entry for claim substantiation and required disclosures
  • [ ] Confirm sensitive-category creative complies with sectoral rules visible in repository
  • [ ] Benchmark against peer advertisers in category on volume, cadence, targeting breadth
  • [ ] Identify creative testing patterns visible in repository; move volume testing pre-launch
  • [ ] Consolidate fragmented identities where appropriate; document remaining structure
  • [ ] Document audit process and outputs for regulatory inquiry response
  • [ ] Schedule quarterly repository audit as part of DSA compliance program
  • [ ] Apply same audit framework to Meta, TikTok, Google repositories cross-platform
  • [ ] Confirm DSA disclosure on creative independent of repository visibility
  • [ ] Monitor competitor repository profile as ongoing competitive intelligence input

Source: EU DSA Transparency Database, CC BY 4.0.

Frequently Asked Questions

For ongoing tracking of DSA enforcement, ad repository policy, and competitor intelligence framework updates, see the Policy Change Tracker.

Source: EU DSA Transparency Database, CC BY 4.0.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Keyword Risk Checker first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#X Ads#DSA#Ad Repository#Ad Transparency#EU Regulation#Competitive Intelligence#Ad Compliance#Brand Safety#Advertisers#Agencies#2026 Policy#Compliance Guide 2026

Share This Report

TweetShare

Related Posts

Related Resources