The European Commission outlined the preliminary findings from its investigation into X, formerly known as Twitter, under the 27-nation bloc's Digital Services Act.
The rule book, also known as the DSA, is a sweeping set of regulations that requires platforms to take more responsibility for protecting users and cleaning up their sites, under threat of hefty fines.
Regulators took aim at X's blue ticks, saying they constitute "dark patterns" that are not in line with industry best practice and can be used by malicious actors to deceive users.
After Musk bought the site in 2022, it started issuing the verification marks to anyone who paid $US8 ($A12) a month for one.
Before Musk's acquisition, they mirrored verification badges common on social media and were largely reserved for celebrities, politicians and other influential accounts.
An email request for comment to X resulted in an automated response that said: "Busy now, please check back later."
Its main spokesman reportedly left the company in June.
"Back in the day, BlueChecks used to mean trustworthy sources of information," European Commissioner Thierry Breton said in a statement.
"Now with X, our preliminary view is that they deceive users and infringe the DSA."
The commission also charged X with failing to comply with requirements on ad transparency.
Under the DSA platforms must publish a database of all digital advertisements they have carried, with details including who paid for them and the intended audience.
But X's ad database had "design features and access barriers" that make it "unfit for its transparency purpose", the commission said.
The company also fell short when it came to giving researchers access to public data, as required by the DSA, the commission said.